CNET tech sites: Price comparisons | Product reviews | Tech news | Downloads | Site map
Front PageEnterpriseE-BusinessCommunicationsMediaPersonal TechnologyInvestor

News.context: Special Reports | Newsmakers | Perspectives
 
US West customers vulnerable to hackers
By Brian Livingston
April 7, 2000, 12:00 PM PT


What if you hired a private butler, only to discover that the nice old gentleman was quietly giving away copies of the keys to your house?

That's the experience some people are having with high-speed Internet access service on a digital subscriber line.

Customers using DSL from providers such as US West, which provides Internet access and local telephone service in 14 western states, may be open to attack from hackers.

US West allows home subscribers to install the DSL equipment themselves. The company supplies people with a router, a device made by Cisco Systems, that helps connect subscribers' computers to US West's network.

In most cases, subscribers to the DSL service, called US West.net, fail to set a password, a process that isn't mentioned in the US West "Quick Start" manual and is on page 19 of the main users guide.

Without password protection in the router, hackers can easily access it from anywhere on the Internet. This leaves a customer's US West Internet account wide open.

"This is a huge hole," says Bill Watts, a US West subscriber in Helena, Mont. "You can grab a US West.net user's login and password."

A hacker can use this account information to disable the DSL service entirely, read the customer's email, or take over the account to launch remote denial-of-service attacks that inundate a target computer system with packets of useless information.

A reporter watched as a 20-year-old computer programmer, who requested anonymity, easily discovered unguarded equipment in the homes and businesses of numerous US West customers.

When US West's equipment operates in this way, it suffers from all of the following problems:

  The equipment gives out the user's US West.net account name and password to any intruder who asks.

  With a subscriber's login name and password, an impersonator can access a victim's US West account, can try out the same password at banking sites, and more.

  Because a US West login name is usually made up of a person's first initial and last name, it's easy to determine the real name, address and phone number of most individuals. This can further help a hacker impersonate a victim.

Executives at WatchGuard Technologies, an Internet security firm, say protective "firewall" devices won't help in this case. The router must be installed outside of a firewall's security perimeter to work.

The problem has been brought to the attention of Colorado-based US West numerous times in recent months, as documented in Internet discussion groups that deal with this subject.

In an interview, the executive director of US West's MegaBit Services division, Matthew Rotter, said, "The end user is responsible for putting in that user ID and password."

He added that in newer versions of the Cisco router, "a default password is in there" to protect subscribers.

US West could end the risk from its wide-open routers via remote control. A small program run on the Internet by US West could find and re-program any of its unprotected equipment, according to WatchGuard Technologies' Steve Fallin.

Instead, the company mailed a letter to subscribers last fall that speaks in general terms about security issues but says nothing specific about setting passwords.

The letter refers customers to the US West.net Web site, but the site doesn't spell out the password problem, although it does provide a detailed fix if you know to look for it. Customers can fix the problem by following the directions at this site.

You may think you're safe using DSL because you haven't noticed a problem. But a hacker may already be enjoying total access to your Internet account.

Do you know of a problem affecting consumers? Send info to tips@brianlivingston.com. He'll send you a free book of high-tech secrets if you're the first to submit a tip he prints.

 
More Perspectives


about the writer
Brian Livingston has published 10 books, including "Windows 2000 Secrets" and "Windows Me Secrets." He has been a contributing editor at PC World, Windows Magazine, InfoWorld and other magazines for more than 10 years. Before his work as an author, Livingston was a management consultant advising financial institutions on computer technologies. In 1991, he received the Award for Technical Excellence from the National Microcomputer Managers Association for his efforts to develop standards in the computer industry.


 Search
 
   

Latest Headlines
display on desktop
GE sparks market rally
Loss grows for Corel
Microsoft puts a price on IM features
Prices fall for CD rewritable drives
Homestore execs agree to plead guilty
Hotwire double-bills customers
Penguin on the prowl
Web leak of Linux lets Hat out of the bag
PayPal goes international
Who's living large at Terra Lycos?
Crooks will still be crooks
Handspring lays off 20 percent
Nvidia chips grease faster PC link
Bell Labs fires researcher
Enron auction hampers DoveBid site
China arrests Web writer for subversion
Vivendi lays out new strategy
Study: Stop trying to lock out pirates
Computer makers gird for holiday battle
Ulead updates photo software
This week's headlines

News Tools
Get news by PDA
Get news by mobile
Listen live to CNET Radio

CNET newsletters

News.com Daily Dispatch

News.context (weekly)

Investor Daily Dispatch

Week in Review





All newsletters | FAQ
Manage my newsletters

Send us news tips | Contact Us | Corrections | Privacy Policy

   Featured services: CNET SearchBar | Hosting Providers | IT Resources | Back to School Guide | Tech Jobs   
  CNET Networks: Builder.com | CNET | GameSpot | mySimon | TechRepublic | ZDNet About CNET  

Copyright ©1995-2002 CNET Networks, Inc.All rights reserved. CNET Jobs