Posted by: David Schneier
cyber security, firewall, information security, network, penetration test, penetration testing, Regulatory Compliance, vulnerability
A few weeks back, I went online to pay my cable bill. There’s a long story behind the struggles I’ve had in doing so since becoming a customer, but I’ll save that for another time. Part of the longer story, though, involves my bookmarking the sign-on page where I can access my account and make payments.
I clicked on the link and, instead of being directed to the desired page, was routed through to a WebSphere Administration panel.
But that’s not even the best part of the story.
After confirming that in fact I was somehow through their firewall security and at some point along the way into their infrastructure, I decided to be a good citizen and let them know. I tried calling their customer support department twice and both times, after being routed through some crazy series of automated menus, wound up being treated as someone who was simply having trouble accessing his online account. One customer support representative had no clue what I was describing to them and the other one seemed to grasp what I was saying conceptually but didn’t have a page in his playbook to manage the call and so he defaulted to trying to help me pay my bill.
The funny thing is that once I navigated from their homepage through to the payment page it worked just fine, but if I selected the bookmark it deposited me right back at WebSphere Central. And as of 30 seconds ago it still does.
Now I know that bashing the local cable company is a popular thing to do and has fast become one of our nation’s favorite pastimes. But I’m not so much picking on them as I’m amazed that they have such an obvious flaw in their network security. My firm conducts basic penetration tests all the time and this is the sort of thing that would be flagged without much of an effort. Why haven’t they found it yet? And if I’ve found it entirely by chance, what about the hackers who go hunting for these sorts of things? Or have they discovered it and are currently feeding large while it remains available?
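The check a basic penetration test would run here is simple: take the URLs customers actually use (bookmarks, links on the homepage, payment pages), follow every redirect by hand, and flag any final destination that is an application-server administration console rather than a customer-facing page. The script below is an added example, not code from this post or from the cable company; the WebSphere console path `/ibm/console` (its default location) and the hostname `billing.example.com` with its sample responses are assumptions constructed for an offline run, and any real site would be audited with the `urllib_fetch` helper instead of the fake one.

```python
"""Flag URLs whose final destination looks like an admin console.

Added example (not from the original post). Sample site data is
constructed; the WebSphere console path is an assumption based on
its default location.
"""
import re
from urllib.parse import urljoin, urlparse

# Path and page-body signatures of administrative consoles.
ADMIN_PATH_PATTERNS = [
    re.compile(r"^/ibm/console(/|$)", re.I),            # WebSphere default (assumed)
    re.compile(r"^/(admin|manager|console)(/|$)", re.I),  # generic admin roots
]
ADMIN_BODY_PATTERNS = [
    re.compile(r"websphere\s+(integrated\s+solutions|application\s+server)\s+console", re.I),
    re.compile(r"<title>[^<]*admin(istration|istrative)?\s+console", re.I),
]


def classify(url, fetch, max_redirects=5):
    """Follow redirects manually and return (verdict, final_url).

    `fetch(url)` must return (status, headers, body). Verdicts are
    'admin-console', 'ok', 'error' or 'redirect-loop'. Redirects are
    followed by hand so the audit sees every hop, not just the last.
    """
    seen = set()
    current = url
    for _ in range(max_redirects + 1):
        if current in seen:
            return "redirect-loop", current
        seen.add(current)
        status, headers, body = fetch(current)
        hdrs = {k.lower(): v for k, v in headers.items()}
        if 300 <= status < 400 and "location" in hdrs:
            current = urljoin(current, hdrs["location"])  # relative Location allowed
            continue
        if status >= 400:
            return "error", current
        path = urlparse(current).path or "/"
        if any(p.search(path) for p in ADMIN_PATH_PATTERNS) or \
                any(p.search(body) for p in ADMIN_BODY_PATTERNS):
            return "admin-console", current
        return "ok", current
    return "redirect-loop", current  # too many hops; treat like a loop


def urllib_fetch(url, timeout=10):
    """Real fetcher: one request, automatic redirect following disabled."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # let the 3xx surface as an HTTPError we inspect

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), ""


# Constructed sample site standing in for the real HTTP client.
SAMPLE_SITE = {
    "https://billing.example.com/pay":
        (302, {"Location": "/ibm/console/logon.jsp"}, ""),
    "https://billing.example.com/ibm/console/logon.jsp":
        (200, {}, "<html><title>WebSphere Integrated Solutions Console</title></html>"),
    "https://billing.example.com/":
        (200, {}, "<html><title>Pay your bill</title></html>"),
    "https://billing.example.com/loop":
        (302, {"Location": "/loop"}, ""),
}


def fake_fetch(url):
    """Offline fetcher over SAMPLE_SITE; unknown URLs return 404."""
    return SAMPLE_SITE.get(url, (404, {}, "Not Found"))


def audit(urls, fetch=fake_fetch):
    """Classify each URL; returns {url: (verdict, final_url)}."""
    return {u: classify(u, fetch) for u in urls}


if __name__ == "__main__":
    for u, (verdict, final) in audit(list(SAMPLE_SITE)).items():
        print(f"{verdict:14} {u} -> {final}")
```

The bookmarked payment URL in the sample data is the case from this post: the customer-facing URL answers with a redirect straight into the console, which is exactly what a body-only check on the homepage would miss and why the audit follows each hop itself.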
It’s amazing any of us are ever willing to conduct business online, when you get right down to it.