Change your passwords: Comcast hushes, minimizes serious hack
Are you a Comcast customer? Please change your password.
On February 6, NullCrew FTS hacked into at least 34 of Comcast’s servers and published on Pastebin a list of the company’s mail servers along with a link to the exploit it used to penetrate them.
Comcast, the largest internet service provider in the United States, ignored news of the serious breach in press and media for over 24 hours — only when the Pastebin page was removed did the company issue a statement, and even then, it only spoke to a sympathetic B2B outlet.
During that 24 hours, Comcast stayed silent, and the veritable “keys to the kingdom” sat out in the open internet, ripe for the taking by any malicious entity with a little know-how around mail servers and selling or exploiting customer data.
Comcast customers have not been told to reset their passwords. But they should.
Once NullCrew FTS openly hacked at least 34 Comcast mail servers and the recipe was publicly posted, the servers began to take a beating. Customers in Comcast’s janky, hard-to-find, 1996-style forums knew something was wrong, and forum posts reflected the slowness, the servers going up and down, and the eventual crashing.
The telecom giant ignored press requests for comment and released a limited statement on February 7 — to Comcast-friendly outlet, broadband and B2B website Multichannel News.
The day-late statement failed to impress the few who saw it, and was criticized for its minimizing language and weak attempt to suggest that the breach had been unsuccessful.
From Comcast’s statement on Multichannel’s post No Evidence That Personal Sub Info Obtained By Mail Server Hack:
Comcast said it is investigating a claim by a hacker group that claims to have broken into a batch of the MSO email servers, but believes that no personal subscriber data was obtained as a result.
“We’re aware of the situation and are aggressively investigating it,” a Comcast spokesman said. “We take our customers’ privacy and security very seriously, and we currently have no evidence to suggest any personal customer information was obtained in this incident.”
Not only is there a high probability that customer information was exposed, since the working exploit was public for 24 hours and anyone could run it against the listed servers, but the vulnerability the attackers used was disclosed and fixed in December 2013.
Just not by Comcast, apparently.
Vulnerability reported December 2013, not patched by Comcast
NullCrew FTS used the unpatched security vulnerability CVE-2013-7091 to open what was essentially an unlocked door, giving anyone access to usernames, passwords, and other sensitive details from Comcast’s servers.
NullCrew FTS used a Local File Inclusion (LFI) exploit to gain access to the Zimbra LDAP and MySQL database — which houses the usernames and passwords of Comcast ISP users.
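To make the mechanics concrete, here is an added example (written for this page, not Zimbra’s or Comcast’s code, and not the actual exploit) of the generic Local File Inclusion pattern the post describes: a web handler builds a file path from a request parameter, an attacker supplies a traversal string with an embedded NUL byte to discard the suffix the server appends, and the server happily returns a configuration file from outside the web root. The directory layout, the file names and the credential in it are all constructed fixtures; the hardened version shows the check a practitioner would add.

```python
import os
import tempfile

# Constructed fixture: a web root with one legitimate "skin" file, and a
# configuration file holding a database credential that lives outside the
# web root. This stands in for the kind of file an LFI reaches; it is not
# Zimbra's real layout, file name or data.
ROOT = tempfile.mkdtemp(prefix="lfi-demo-")
SKIN_DIR = os.path.join(ROOT, "webroot", "skins")
CONF_PATH = os.path.join(ROOT, "conf", "localconfig.xml")
os.makedirs(SKIN_DIR)
os.makedirs(os.path.dirname(CONF_PATH))
with open(os.path.join(SKIN_DIR, "carbon.properties"), "w") as f:
    f.write("name=carbon\n")
with open(CONF_PATH, "w") as f:
    f.write('<key name="ldap_password"><value>hunter2</value></key>\n')

# Hypothetical attacker input: climb out of SKIN_DIR, then use a NUL byte so
# the ".properties" suffix the handler appends is thrown away.
TRAVERSAL = "../../conf/localconfig.xml\x00"


def unsafe_read_skin(skin):
    """Vulnerable: trusts the request parameter when building the path."""
    path = os.path.join(SKIN_DIR, skin + ".properties")
    # Emulates a lower layer that truncates the path at the first NUL byte,
    # the classic behaviour that made the appended suffix useless as a guard.
    path = path.split("\x00", 1)[0]
    with open(path) as f:
        return f.read()


def safe_read_skin(skin):
    """Hardened: reject NUL bytes, canonicalise, and confine to SKIN_DIR."""
    if "\x00" in skin:
        raise ValueError("NUL byte in parameter")
    base = os.path.realpath(SKIN_DIR)
    target = os.path.realpath(os.path.join(base, skin + ".properties"))
    # realpath resolves "..", so a traversal attempt lands outside base here.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes skin directory")
    with open(target) as f:
        return f.read()


def is_rejected(skin):
    """True if the hardened handler refuses the parameter."""
    try:
        safe_read_skin(skin)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, normal:   ", unsafe_read_skin("carbon").strip())
    print("unsafe, traversal:", unsafe_read_skin(TRAVERSAL).strip())
    print("safe, normal:     ", safe_read_skin("carbon").strip())
    print("safe, traversal:  ", is_rejected(TRAVERSAL))
```

The point of the two functions side by side is that the "no passwords on the Pastebin" observation misses: an LFI that can read the server’s own configuration yields the LDAP and database credentials directly, without a single customer password ever needing to appear in the public post. The hardened handler does not try to strip `../` from the input; it canonicalises the final path and refuses anything that does not remain under the intended directory, which also defeats encoded and doubled traversal variants.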
“Fun Fact: 34 Comcast mail servers are victims to one exploit,” tweeted NullCrew FTS.
If you are a Comcast customer, you are at risk: All Comcast internet service includes a master email address.
Even if a customer doesn’t use Comcast’s Xfinity mail service, every Comcast ISP user has a master email account with which to manage their services, and it is accessible through a “Zimbra” webmail site.
This account is used to access payment information, email settings, user account creation and settings, and any purchases from Comcast’s store or among its services.
With access to this master email address, someone can give up to six “household members” access to the Comcast account.
NullCrew taunted Comcast on Twitter, then posted the data on Pastebin and taunted the company a little bit more.
Because there were “no passwords” on the Pastebin, some observers believed — incorrectly — that there was no serious risk for exploitation of sensitive customer information.
NullCrew FTS: 2 — big telecoms: 0
On the first weekend of February 2014, NullCrew FTS took credit for a valid hack against telecom provider Bell Canada.
In the first strike of what looks like it’ll be a very successful campaign to cause pain and humiliation to big telecoms, NullCrew FTS accessed and exposed more than 22,000 usernames and passwords, and some credit card numbers belonging to the phone company’s small business customers.
Establishing a signature game of cat and mouse with clueless support staff, NullCrew FTS contacted Bell customer support two weeks before its disclosure.
Like Comcast’s robotic customer service responses to NullCrew FTS on Twitter, Bell’s support staff either didn’t know how to report the security incident upstream, had no idea what a hacking event was, or didn’t take the threat seriously.
Bell also tried to play fast and loose with its accountability in the security smash and grab; it acknowledged the breach soon after, but blamed it on an Ottawa-based third-party supplier.
However, NullCrew FTS had already called out the company’s insecurity in mid January, publicly posting the warning about the vulnerabilities that the hackers had given to a Bell support representative.
NullCrew FTS followed up with Bell by posting a Pastebin link on Twitter with unredacted data.
A page from Snapchat’s playbook
Just over a month ago, popular social media sharing app Snapchat was the subject of headlines and the target of public scorn when hackers (Gibson Security) posted multiple known exploits after warning the company about its security holes, and having the problems ignored.
Snapchat further attempted — badly — to ignore press and public when the hackers later published details about Snapchat’s security holes (some which still call into question the validity of Snapchat’s userbase) and released to the world a few very active Snapchat database exploits.
On Christmas Day 2013, headlines reported: Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignored.
Less than a week later, the database exploits and recipes for access were used maliciously against Snapchat customers when the world read: Predictably, Snapchat user database maliciously exposed.
Snapchat hung its userbase out to dry.
It looks like Comcast has, too.
It’s a reprehensible playbook, void of accountability and rife with risk for the only people involved who can’t do a damn thing to protect themselves.
I think the situation demands we ask the question: What else isn’t Comcast doing?
Perhaps Comcast should change its tagline.