ISPreview - Article on ISP Signup Security

How 90% of UK ISPs are at risk from hacking

Signup Security
By Mark Jackson / Daniel Bayliss : February 24th 2000

Security is perhaps one of the biggest problems with using computers. Even in the early days of computers, people experimented with using other people's information and hacking into systems in order to gain control. Now, some twenty years on, computers have gone global, linking themselves into a massive mesh of wires and information.

As such, the security of various systems has been put to the test time and time again. There are now whole groups devoted to hacking and harming sensitive data, and some governments fear this so much that they are building special protections against attack by their own people. For the UK, the most open area of attack also happens to be the most important and, ironically, the least defended.

One Serious Oversight

A great majority of people signing up with free or commercial ISPs seem to come from pre-existing Internet connections. By that we mean that they sign up on-line for an ISP rather than over the phone because it's a lot easier. So essentially, before anybody can use the Internet for themselves, they first have to sign up and it is at this point where you are most vulnerable. Or rather your personal data is most vulnerable.

For the past month, ISPreview editors (Daniel and myself [Mark]) have been investigating the situation and have come up with information that shows quite a serious lack of security at at least 90% of currently existing ISPs. We focused specifically on ISPs that have already had such security issues, namely CallNet0800, Internet HyperGate and the old 08004u. All these ISPs failed to give their sign-up systems proper security and fell foul of hacker attacks.

In order to give you an idea of just how serious this is, before we handed them over to the authorities we had in our possession files from some of the aforementioned ISPs that contained thousands of people's personal details. From credit card details to names and addresses, it was all there. Had we been hackers, that information could have been sold for hundreds of pounds to businesses across the county. Worse still, the financial information could have been misused; I'm sure everybody has experienced that before at some level or another.

The Fault

The fault was simple, and you didn't even need to be a top hacker in order to make use of it: tools are available that automate the tasks, and in some cases you can even get in quite by chance. It happens when an ISP develops an online sign-up form and simply assumes that moving the data into an unsecured directory on its website, one that users can see, is enough.

Even simple tools can be found on the Internet for encoding information, providing a password-secured directory or even using more advanced methods such as SSL to secure the information, yet they are not used. Around 90% of current ISPs are guilty of using exactly the same methods (usually simple HTML forms) that 08004u, IHG and CallNet0800 did. The worst part is that they might never know they were hacked, because the security is so poor that in some cases you only need to guess the output directory and suddenly you have all the details.

The above was the case with 08004u. Insensibly, their web server was so poor that when they updated, they erased all their files before uploading the new ones. Most sites would cease to operate without an index file, but not 08004u: the moment it happened, all it took was one user to come at exactly that middle interval, enter the directory displayed and download the file. On other sites where this doesn't happen but basic forms are used, all it takes is a modest hacker to intercept the automated processes and de-compile the information to find the output source.

There are even tools that can be used to see what other users are typing into a form on a website in real time, although these are not publicly available. The point is that unless a sign-up form asks for credit card details, almost all ISPs consider securing it an 'unneeded cost'. Some ISPs, like CallNet0800, didn't even bother to have a secure form during the early days, even when they required credit card details.
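
An added example, not part of the original article: a check a site operator could run on their own server to catch the fault described above, where a sign-up form's output file sits under the published web directory and is hidden only by an index file. The function names, finding labels, index file names and the constructed directory layout are assumptions for illustration.

```python
import os
import tempfile

INDEX_NAMES = ("index.html", "index.htm")  # assumed index file names


def audit_output_path(docroot, output_path):
    """Return a list of findings for one sign-up form output file."""
    findings = []
    root = os.path.realpath(docroot)
    target = os.path.realpath(output_path)  # resolves symlinks and ".."
    # Finding 1: the file is inside the published tree, so a URL maps to it.
    if os.path.commonpath([root, target]) == root:
        findings.append("inside-docroot")
        # Finding 2: a directory on the way down with no index file is only
        # hidden until the server hands out a listing for it.
        d = os.path.dirname(target)
        while True:
            if not any(os.path.isfile(os.path.join(d, n)) for n in INDEX_NAMES):
                findings.append("no-index:" + os.path.relpath(d, root))
            if d == root:
                break
            d = os.path.dirname(d)
    # Finding 3: file readable by every local account (POSIX mode bits).
    if os.path.exists(target) and os.stat(target).st_mode & 0o004:
        findings.append("world-readable")
    return findings


def demo():
    """Build a constructed site layout and audit two candidate locations."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")
        inside = os.path.join(docroot, "signup", "out", "customers.txt")
        outside = os.path.join(base, "private", "customers.txt")
        for path in (inside, outside):
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write("constructed sample record\n")
        open(os.path.join(docroot, "index.html"), "w").close()
        os.chmod(inside, 0o644)   # typical permissions for published files
        os.chmod(outside, 0o600)  # owner-only, outside the web tree
        return audit_output_path(docroot, inside), audit_output_path(docroot, outside)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

An empty result for a path means none of the three conditions applied; it says nothing about transport security such as SSL on the form itself.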

More serious than you think

Perhaps the thing that's most criminal is that ISPs are allowed to get away with a simple "We are sorry..." and so on. Can we just reiterate how serious this really is: these people have YOUR personal details and can do whatever they like with them. They could somehow end up in the hands of a serial murderer (laugh if you will, it's deadly serious); you're only lucky if it just gets sold on. One reason so many people wonder where SPAM suddenly starts coming from could be to do with this: your details have somehow escaped their confines without your permission.

The problem escalates when you realise that potentially, almost every ISP in the country could have this exact same problem. In fact, many could be getting hacked at this very moment without anybody even knowing it. We are shortly to start our own plan of action. The idea is to inform any and all ISPs if their service doesn't meet specific security guidelines, and any such ISPs that don't will have that marked on their review or be reported.

It only takes a tiny amount of intelligence to secure a site and yet even the people that call themselves 'professionals' ignore or just get away with it on a daily basis. Another 'follow up' report will come on this subject in the future after further investigation.
