Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Not a good look there, Optus

March 27th 2015 in safety and privacy on the Internet, Security

Enforceable Undertaking offer by Optus to the Office of the Australian Information Commissioner:

What did Optus do wrong?…

  • In February 2013, Optus made a change to its website. Due to a coding error that occurred during this change, between February 2013 and April 2014, when Optus customers who had elected not to have their details listed in a telephone directory completed a rate plan change via Optus’s website, Optus’s systems erroneously changed the White Pages listing preferences for those customers from ‘No’ to ‘Yes’. As a result, the names, addresses and mobile phone numbers of approximately 122,000 Optus customers were listed in the White Pages online directory without the consent of those customers. The information of the majority of those customers was also published in various print editions of the White Pages. The problem came to their attention via a customer complaint.
  • Optus made a change to its network in relation to particular Netgear and Cisco modems, which it began deploying in November 2008 and March 2009 respectively. As part of the change, Optus deliberately left the management ports for these models of modems open, incorrectly assuming they were only accessible for network management purposes. In addition, Optus issued 197,000 of the Netgear modems and 111,000 of the Cisco modems to its customers with factory default settings, including default user names and passwords in place. Optus also did not conduct connectivity testing. These two issues in combination meant that Optus customers using the equipment who did not change the default user name and password were left vulnerable, potentially allowing a person to make and charge calls as though they were the Optus customer. Optus were apparently oblivious to the issue until the media got wind of it.
  • Between September 2013 and 13 May 2014, a flaw in Optus’s security processes led to certain customers not being prompted for their password when attempting to retrieve voicemail information from outside the Optus network. Optus did not identify the issue during testing. Consequently, where customer voicemail accounts were not password protected, some Optus customers were vulnerable to ‘spoofing’ attacks, where an unauthorised party could potentially access and use customer voicemail account messages, including being able to listen to recorded messages and change settings and preferences. The problem was reported to Optus by a third party <sigh>
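The first of those failures is a classic one: an unrelated update (a rate plan change) rewrites the whole customer record from a form that never carried the privacy preference, so the preference silently falls back to a default of ‘Yes’. The snippet below is an added illustration, not Optus code; the customer records, form fields and function names are constructed for the example. It shows the buggy full-record overwrite beside the fixed partial update, and a snapshot audit that would have flagged the lost opt-outs long before a customer complaint did.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Customer:
    name: str
    rate_plan: str
    directory_listed: bool  # White Pages listing preference (constructed field)

# Constructed sample accounts; customer 1 opted out of the directory.
CUSTOMERS = {
    1: Customer("A. Example", "basic", directory_listed=False),
    2: Customer("B. Example", "basic", directory_listed=True),
}

def change_plan_buggy(cust: Customer, form: dict) -> Customer:
    """Buggy pattern: rebuilds the whole record from the web form.
    The plan-change form carries no listing preference, so the field
    falls back to the form default of 'Yes' and the opt-out is lost."""
    return Customer(name=form.get("name", cust.name),
                    rate_plan=form["rate_plan"],
                    directory_listed=form.get("directory_listed", True))

def change_plan_fixed(cust: Customer, form: dict) -> Customer:
    """Fixed pattern: a rate-plan change touches only the rate plan."""
    return replace(cust, rate_plan=form["rate_plan"])

def audit_listing_flips(before: dict, after: dict) -> list:
    """Detection: compare before/after snapshots and report every account
    whose 'No' listing preference became 'Yes' without an explicit request."""
    return [cid for cid, old in before.items()
            if not old.directory_listed and after[cid].directory_listed]

def run(update) -> list:
    """Apply a plan change to every sample account and return flagged ids."""
    after = {cid: update(c, {"rate_plan": "premium"}) for cid, c in CUSTOMERS.items()}
    return audit_listing_flips(CUSTOMERS, after)
```

Running the audit as a regression check on every release, or nightly over the live database, turns a 14-month exposure into a same-day finding.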
