O2 owned ISP customers still exposed by router snafu
O2-owned ISP Be is fighting a constant battle to stay one step ahead of hackers because of a router vulnerability exposed back in February.
Be subscribers were exposed when London student Sid Karunaratne demonstrated it was possible to gain remote root access using poorly concealed telnet backdoors. Admin usernames and passwords had been left accessible by Be.L33tdawg: This situation I'm sure is pretty similar to other ISPs around the world - where the modem/routers have a default username and password that nobody bothers to change.
In Malaysia, this issue is made even more interesting by the fact that in the past a certain ISP used to use a default password for all new registrants (which most people would not change). The main problem with this was that you could telnet to the customers modem which would show you the username@service-provider. Once you had the username, it would be trivial to login to the web management / billing system in order to retrieve juicy personal details regarding the account, including the physical address, name of the registrant, outstanding bill amount, identification card number (aka social security number in the US) and other interesting bits. Scary stuff.
