BreachExchange mailing list archives

iiNet suffers two security vulnerabilities, users spammed


From: security curmudgeon <jericho () attrition org>
Date: Tue, 9 Oct 2012 10:54:31 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.zdnet.com/au/iinet-suffers-two-security-vulnerabilities-users-spammed-7000005219/

By Michael Lee
ZDNet
October 4, 2012

iiNet experienced a breach of its 3FL gaming forums in June this year, 
just prior to its merger with Internode's games.on.net site, but failed to 
inform its customers.

iiNet is alleged to have attempted to cover up the breach, with an unnamed 
source forwarding to Australian tech news site Delimiter an internal iiNet 
email sent by iiNet Operations Centre Supervisor Paul Guidera, which 
instructed staff to put in place a communications block-out. It is not 
clear whether this was meant to apply only while an investigation was in 
progress, but iiNet never publicly came forward to announce a breach of its 
systems.

iiNet declined ZDNet's invitation to respond to allegations of a cover-up, 
and when asked for an official statement about the breach of the systems, 
we were instead pointed to a comment made by iiNet CTO John Lindsay on 
Delimiter.

Lindsay's comments confirm that a breach took place, stating that the 
attacker gained entry via "an unpatched hole in PHP."

"Upon finding this, we shut down the forum immediately. No financial 
information was stored on this database. We didn't handle the external 
communications well after this incident, and have made changes to our 
internal policies," he said.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
