Information Security News mailing list archives

iiNet suffers two security vulnerabilities, users spammed


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 4 Oct 2012 01:09:49 -0500 (CDT)

http://www.zdnet.com/au/iinet-suffers-two-security-vulnerabilities-users-spammed-7000005219/

By Michael Lee
ZDNet
October 4, 2012

iiNet experienced a breach of its 3FL gaming forums in June this year, just prior to its merger with Internode's games.on.net site, but failed to inform its customers.

iiNet is alleged to have attempted to cover up the breach, with an unnamed source forwarding to Australian tech news site Delimiter an internal iiNet email sent by iiNet Operations Centre Supervisor Paul Guidera, which instructed staff to put in place a communications block-out. It is not clear whether this was meant to only apply while an investigation was in place, but iiNet never publicly came forward to announce a breach of its systems.

iiNet declined ZDNet's invitation to respond to allegations of a cover-up, and when we asked for an official statement about the breach of the systems, we were instead pointed to a comment made by iiNet CTO John Lindsay on Delimiter.

Lindsay's comments confirm that a breach took place, stating that the attacker gained entry via "an unpatched hole in PHP."

"Upon finding this, we shut down the forum immediately. No financial information was stored on this database. We didn't handle the external communications well after this incident, and have made changes to our internal policies," he said.

[...]

