CRIME ISP Password Security Practices Follow-up

From: Lyle Leavitt (lylel@private)
Date: Thu Jun 13 2002 - 11:01:27 PDT


    I want to thank everyone for your insightful comments. I think we may
    have hit a vulnerable spot on the security landscape.
    
    Now I need your help with some follow-up.
    
    Brian McWilliams, a reporter with SecurityFocus Online, has picked up
    on this story and is trying to run with it. Here is what he gathered
    from Earthlink's PR spokesperson.
    
    A. She confirmed that they do store customer passwords and that reps
    have access to the passwords.
    
    B. She claimed there is no security or privacy threat because reps'
    access to customers' accounts would be logged.
    
    C. She acted surprised to hear that other major ISPs don't follow
    this same practice, or that security experts think it's dangerous.
    
    Brian is trying to contact other top ISPs (see list below) to confirm
    their practices regarding password security. If you can speak
    officially or can put him in contact with someone please contact him
    off list. His email is on the CC line in this post.
    
    Top U.S. ISPs by Subscriber: Q1 2002
    [Updated May 29, 2002] 
    http://www.isp-planet.com/research/rankings/usa.html
    
    1. America Online (Dial-Up)
    2. MSN (Dial-Up)
    3. United Online (Dial-Up) [NetZero + Juno Online]
    4. EarthLink (Dial-Up)
    5. SBC/Prodigy (SBC & Prodigy DSL & Dial-Up)
    6. CompuServe (Dial-Up) [AOL Owned]
    7. Road Runner (Cable) [AOL Owned]
    8. AT&T Broadband (DSL)
    9. AT&T WorldNet (Dial-Up)
    10. Verizon (DSL)
     
    I'll keep this group posted as the story develops.
    Your comments are always welcome.
    
    -Lyle
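An added illustration, not from Lyle's post or from any ISP named in it, of the gap between points A and B above: an access log records that a rep looked at an account, but only a store that never holds the password itself keeps the rep from learning it. Class names, users and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed illustration (not any ISP's real system): two credential stores a
# support desk might sit in front of. Both log every rep access, as the PR claim
# describes; only one of them also keeps the password out of reps' hands.


class PlaintextStore:
    """Keeps the password itself, so any logged lookup still discloses it."""

    def __init__(self):
        self.rows = {}
        self.audit = []

    def set_password(self, user, password):
        self.rows[user] = password

    def rep_lookup(self, rep, user):
        self.audit.append((rep, user))  # the access is recorded...
        return self.rows[user]          # ...and the secret is handed over anyway


class HashedStore:
    """Keeps a salted PBKDF2 digest: the system can verify but never reveal."""

    def __init__(self, iterations=200_000):
        self.rows = {}
        self.audit = []
        self.iterations = iterations

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def set_password(self, user, password):
        salt = os.urandom(16)  # per-user salt so equal passwords hash differently
        self.rows[user] = (salt, self._digest(password, salt))

    def rep_lookup(self, rep, user):
        self.audit.append((rep, user))
        return self.rows[user][1].hex()  # a rep sees a digest, not the password

    def rep_reset(self, rep, user, new_password):
        # The support workflow that replaces "read it back to the caller".
        self.audit.append((rep, user, "reset"))
        self.set_password(user, new_password)

    def verify(self, user, attempt):
        salt, digest = self.rows[user]
        return hmac.compare_digest(self._digest(attempt, salt), digest)
```

With the hashed store, the audit trail still shows who touched which account, but the only thing a rep can do about a forgotten password is issue a reset, which the customer will notice.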
    



    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 11:39:41 PDT