Information Security News mailing list archives

ISP pursued over chat blab


From: InfoSec News <isn () c4i org>
Date: Wed, 3 Sep 2003 04:23:46 -0500 (CDT)

http://www.nzherald.co.nz/storydisplay.cfm?storyID=3521177&thesection=business&thesubsection=technology

02.09.2003
By CHRIS BARTON 

IT solutions company ITCTS has laid a complaint with the Privacy
Commissioner against Iconz after one of the internet provider's former
employees divulged ITCTS' login names and passwords on an open
chatroom.

ITCTS director Daniel Kinross said he had to go to considerable
lengths to ensure none of his customers was put at risk by the
password breach.

"None of our systems was compromised, but the potential to cause
damage with that information was enormous."

The administration passwords gave full access to ITCTS databases,
accounts and internal and external networks, which meant the company
had to change all its customers' internet and web accounts.

Kinross sought compensation from Iconz for the time it took to make
the changes, plus for loss of business during the changeover and for
the stress involved, but was rebuffed by Iconz general manager Sean
Weekes.

In a letter to Kinross, Weekes said: "Iconz sincerely regrets that the
actions of [a former employee] have apparently caused you
inconvenience and distress."

But he also said Iconz was not responsible for its former employee's
actions and that ITCTS should raise its concerns directly and seek
redress from him.

"Also, even if Iconz were responsible, our lawyers advise us that the
terms of our contract with you will preclude you from successfully
bringing the types of claims that you have raised in your letter."

Kinross said that being a small company with just six staff, including
contractors, he did not want to get into a legal battle.

"Ideally I'd like to see Iconz accountable for their actions. As a
business we're out of pocket."

Weekes said the former employee was not an employee of Iconz when the
chatroom incident occurred, but admitted it slipped up in procedure
when the employee left the company.

"We have a responsibility. We failed to change our password at the
time. That was overlooked."

But Weekes said the terms and conditions of the Ezysurf contract with
ITCTS limited Iconz's liability. He has also written to Privacy
Commissioner Bruce Slane seeking guidance over the incident.

"I don't condone what he's done. It was a disgusting abuse of trust.  
He's no longer a customer of ours either."

Weekes said he was happy to discuss the matter further but talks had
broken down when Kinross threatened to go to the commissioner and the
press.

Kinross said he had no option but to act when Weekes failed to attend
a meeting on the matter.

Weekes said he had sent the former employee's supervisor to the
meeting because he knew more about the subject.

The password breach occurred in early July when an ITCTS contractor
and subsequently Kinross had a conversation on internet relay chat
with a person using the online name "nny_".

A transcript of the session shows taunting and bravado on both sides,
leading to nny_ threatening to compromise ITCTS' network security.

"I will seriously **** your net connection," nny_ said at one point.

During the session he typed ITCTS' password, login names and Kinross'
mobile and home phone number.

The Herald was unable to contact the former employee.




-
ISN is currently hosted by Attrition.org