CyTRAP Labs - advisory - Versatel, Vivendi and Tele2 - fixed-line and broadband customers - vulnerability
We have outlined security issues that concern home users in the past, such as:
- Threat - sniffing out Fon users’ password
We come across vulnerabilities from time to time; however, when a cross-European telecommunication service provider has one, we look twice. Tele 2 has gone through a bit of reshuffling recently. On 2006-08-16 Tele2 and Versatel announced that the latter would take over Tele2’s Benelux operations.
- 06-08-16 Press release Tele2 and Versatel
On Tuesday (2006-10-03) Tele2 announced that it had sold its fixed-line and high-speed Internet activities in France to Vivendi unit SFR for €350 million.
- 2006-10-03 Tele 2 selling its French business except wireless assets to Vivendi
Tele2 will retain control of its mobile phone operations in France.
Tele 2 has a slogan posted on its Webpage that goes something like this:
“Tele2 has a key mission. Simple and cheap telecoms
Tele2 is Europe’s leading alternative telecom operator. Our mission is to offer cheap and simple telecoms. Tele2 always strives to offer the market’s best prices.”
- Tele 2 touting its own virtues
So inquiring minds want to know how well the firm does with security regarding data protection, confidentiality and privacy when providing telephone, mobile, fixed-line as well as broadband Internet access.
Well, as you might have guessed, things are not going that well. We have been informed about a vulnerability that allows one to find most subscribers’ systems on the net and shut down the following:
a) phone line
b) Internet connection
c) turn on or off the firewall installed on the router Tele 2 offers its broadband customers
HOW CAN ONE SHUT DOWN A SUBSCRIBER’S TELE2 SERVICE
A) Go to Google and search … using words similar to “what is the password Tele 2”.
B) You will find the login name published (as you can guess, it is one we tell our clients in Security 101 not to use as a username), as well as the password for country A or B.
C) You type in an IP address from the range Tele 2 has been assigned for a particular country … and voilà.
Now you can do some rather not so nice things to the Internet and phone connection of this subscriber.
Incidentally, in Belgium this vulnerability can be exploited by a malicious user to take control of your router.
We do wonder how Veritas’ due diligence regarding IT infrastructure and security affected the price it paid for the Tele 2 assets. Did its due diligence people find this vulnerability? In fact, this vulnerability applies across several European countries in which Tele2 provides these types of services. Accordingly, a malicious user who finds the right password (or uses a cracker program to do so) puts in
Username
Password
and gains administrator privileges pertaining to a particular IP address from one of Tele2’s customers.
Depending on how evil the hacker might be and how much time they or their friends want to spend on malice, the following can be accomplished:
- de-activate the router firewall - and start taking control of the PC….
- turn off the internet connection
- turn off the fixed phone line service
And yes, one has to go through the right assigned IP numbers, and it works, one client after the other. This exploit is publicly available on the net.
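An added example (not part of the original advisory, and not Tele2 or CyTRAP Labs tooling): a provider-side audit for the condition described above, where one credential pair is shared across a country's customer routers and the admin interface is reachable from the Internet. The inventory schema, field order and sample rows are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample inventory (hypothetical schema), one row per customer router:
# (ip, country, admin_user, admin_pass, admin UI reachable from WAN?)
# Addresses are RFC 5737 documentation ranges; credentials are made up.
INVENTORY = [
    ("192.0.2.10", "A", "user-a", "shared-secret-A", True),
    ("192.0.2.11", "A", "user-a", "shared-secret-A", True),
    ("192.0.2.12", "A", "user-a", "shared-secret-A", False),
    ("198.51.100.5", "B", "user-b", "shared-secret-B", False),
    ("198.51.100.6", "B", "user-b", "shared-secret-B", False),
    ("203.0.113.9", "B", "cust-7731", "per-device-random", True),
]

# Per-run key: fingerprints group equal credentials but cannot be reversed offline.
_KEY = secrets.token_bytes(32)

def credential_fingerprint(user, password):
    """Keyed hash of the credential pair, so reports never carry the secret."""
    msg = f"{user}\0{password}".encode()
    return hmac.new(_KEY, msg, hashlib.sha256).hexdigest()[:12]

def audit(inventory, max_shared=1):
    """Flag credential pairs used on more than max_shared devices and list
    which of those devices also expose the admin interface on the WAN side."""
    groups = defaultdict(list)
    for ip, country, user, password, wan_admin in inventory:
        groups[credential_fingerprint(user, password)].append((ip, country, wan_admin))
    findings = []
    for fp, devs in groups.items():
        if len(devs) <= max_shared:
            continue  # unique per-device credential: nothing to report
        exposed = sorted(ip for ip, _, wan in devs if wan)
        findings.append({
            "fingerprint": fp,
            "countries": sorted({c for _, c, _ in devs}),
            "devices": len(devs),
            "wan_exposed": exposed,
            # Shared secret plus Internet-reachable admin UI is the advisory's case.
            "severity": "critical" if exposed else "high",
        })
    findings.sort(key=lambda f: -f["devices"])
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

Devices with a unique credential are not reported even when WAN administration is enabled; that exposure is a separate check from the shared-credential one shown here.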
MEANING AND QUESTIONS
1) Did Versatel and Vivendi do a proper IT security due diligence before agreeing to the takeover price for Tele2’s Benelux and/or France fixed-line and broadband assets?
2) Are there other security holes in Tele2’s security posture that warrant regulators asking some questions in order to make sure that home users and enterprises are not exposed to unnecessary risks due to Tele2’s carelessness (e.g., identity theft)?
3) What will Tele2 do about it, and when, since they do not even answer and respond properly to advice from the security community (see Timeline below)?
– Disclosure Timeline
2006-09-15 - Vulnerability reported to vendor - acknowledged receipt of email
2006-09-19 - Workaround released to CyTRAP Labs customers
2006-09-28 - Vulnerability reported 2nd time to vendor - phone call
2006-10-04 - Coordinated public release of advisory
– Credit:
This vulnerability was discovered by various researchers that wish to remain anonymous.
– About CyTRAP Labs
CyTRAP Labs follows a collaborative model whereby researchers may disclose vulnerabilities to us and we contact vendors or coordinate work-around solutions.
Researchers interested in getting involved may contact us directly
PS. A researcher’s comment about Tele 2’s behavior
- ‘I am not surprised that Tele2 does not react. Legally they did not make any mistake and so far nothing really happened. For them it is absolutely not simple to change all their configurations. They will probably keep this quiet as long as they can and hope for the best, meaning nothing happens. If they are lucky it won’t, if not their customers may suffer as well…’.