LINGsCARS.com – Blog

I am Ling! Cheap new UK cars, life, noodles and fried rice… join in!

Connect Internet Solutions Ltd MerseyMail Mersey Mail shut down shutdown closed hack hacking user accounts email broken vulnerability

Posted on August 14, 2009

OH DEAR! Message to all Mersey Mail users:
Connect Internet (MerseyMail) now lie to users and call me a HACKER! As ever, these inept companies LIE and BLAME others to cover up their own ACTIONS!

View full TRUE information HERE

There is also a Liverpool community forum here: YO! LIVERPOOL!
Connect Internet issued the following completely inaccurate and plain WRONG statement to their MerseyMail users:

“GENERAL MESSAGE TO ALL USERS REGARDING THE CLOSURE OF THE MERSEYMAIL SERVICE

INCIDENT SUMMARY

A vulnerability has been identified within MerseyMail, possibly affecting a small number of users in a specific set of circumstances. A hacker attacked our system using this vulnerability and then posted a guide on how to do this on their website. We therefore had to respond quickly and, as soon as we were aware of the problem, temporarily suspended the website while we investigated. As a result of this investigation, Connect has taken a business decision to close down the MerseyMail service. We will continue to provide access to any messages within the service using standard mail programs (such as Microsoft Outlook) until 5.00pm BST on Tuesday 8th September 2009, to allow users to retrieve any messages they have stored in the MerseyMail system. The vulnerability has been closed and is no longer exploitable.

Connect has provided MerseyMail as a free service to the Merseyside community for a number of years and hopes that it has been useful to many people in that time. However, we feel that the Web has moved on since the introduction of MerseyMail and there are now many other free e-mail services (such as GoogleMail and Microsoft’s Hotmail) which offer many benefits to users. We therefore feel that it is appropriate to close down MerseyMail. Ideally, we would have liked to close the service in a more structured way (indeed as the first step in this process we stopped new registrations some time ago), but the actions of this hacker have made this impossible.

THE VULNERABILITY

This vulnerability could possibly have affected a small number of users in a specific set of circumstances:

1) The hacker must have somehow obtained your MerseyMail “session ID”
2) You would have had to be logged in to MerseyMail while the hacker was trying to gain access to your account
3) Even if you were still logged in, you would have had to have been active within the “session timeout period”

The hacker only has a few ways of obtaining the “session ID”. They can somehow see it in your browser (e.g. if you send them a screen shot including your browser’s address bar) or they need to own a web server and actively obtain it from within their system.

If a hacker were to have obtained such access to the system, they would have only been able to access information about that user. They would not have been able to access information about other users.

Connect is not aware of any active attempts to exploit this vulnerability. The only known exploit has been the original hack mentioned earlier.

SENSITIVE INFORMATION

Although there is only a small possibility that your e-mail could have been seen by someone and we have no evidence of that being the case, as a precautionary measure we would suggest changing your password on any account where your current password has been sent to your MerseyMail address. This could be for a forum, or some other type of site requiring membership.

This is only an issue if you received an e-mail including your password in plain text and you have not changed the password since then. It will not affect you if the e-mail was an “activation e-mail” which did not contain the password or if you have subsequently changed that password.

We are really sorry for the inconvenience this has caused, however we feel that this is the appropriate course of action.

mail.team@merseymail.com”

***NOTE: they send and have a reply address to a “closed” service – utterly stupid – Ling

So now I am “a hacker”!!!

Let me deal with this, and these fools and idiots at Connect.

I am not a “hacker”. I am a website owner who sells cars. I have a fantastic personal reputation as anyone can see by reading the 1,350 customer testimonials on my website here: CUSTOMER LETTERS.

MerseyMail freely and knowingly passed MerseyMail user session IDs to websites (being visited by MM users) when links to websites were clicked through in emails, and did not check IPs if the session IDs were used by the website to gain reverse access to MM user email accounts.
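The missing IP check described above can be illustrated from the server's side: a scan of access logs for session IDs used from more than one address, plus a session store that binds each session to its login IP and idle timeout. This is an added example, not code from the original post or from MerseyMail; the log format, the `sid` parameter name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed webmail access-log lines (not real MerseyMail data).
# Assumed format: client_ip [timestamp] "METHOD url PROTO"; the session ID
# is assumed to travel in a hypothetical `sid` query parameter.
SAMPLE_LOG = """\
192.0.2.10 [2009-08-10T09:00:01] "GET /inbox?sid=a1b2c3 HTTP/1.1"
192.0.2.10 [2009-08-10T09:00:40] "GET /read?msg=7&sid=a1b2c3 HTTP/1.1"
198.51.100.7 [2009-08-10T09:02:13] "GET /inbox?sid=a1b2c3 HTTP/1.1"
192.0.2.55 [2009-08-10T09:05:00] "GET /inbox?sid=ffee99 HTTP/1.1"
192.0.2.55 [2009-08-10T09:06:30] "GET /addressbook?sid=ffee99 HTTP/1.1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)')


def parse_line(line):
    """Return (ip, timestamp, sid), or None if the line carries no session ID."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    sids = parse_qs(urlsplit(m["url"]).query).get("sid")
    return (m["ip"], m["ts"], sids[0]) if sids else None


def find_shared_sessions(log_text):
    """Report every session ID used from an IP other than the first one seen."""
    first_ip, findings = {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, sid = parsed
        owner = first_ip.setdefault(sid, ip)
        if ip != owner:
            entry = findings.setdefault(sid, {"owner": owner, "others": []})
            entry["others"].append((ts, ip))
    return findings


class SessionStore:
    """Sketch of the kind of check the post says was absent: bind a session
    to the login IP and enforce the idle timeout on every request."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # sid -> (bound_ip, last_seen_epoch_seconds)

    def create(self, sid, ip, now):
        self._sessions[sid] = (ip, now)

    def check(self, sid, ip, now):
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        bound_ip, last_seen = entry
        if ip != bound_ip or now - last_seen > self.idle_timeout:
            del self._sessions[sid]  # invalidate on mismatch or timeout
            return False
        self._sessions[sid] = (bound_ip, now)
        return True


if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, "owner", info["owner"], "also used from", info["others"])
```

IP binding rejects legitimate users whose address changes mid-session (mobile networks, some proxies), so it is a backstop. The underlying fix is to keep the session ID out of URLs altogether, for example in a cookie, so that it cannot travel to other sites with a clicked link.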

Connect (aka MerseyMail) gave away the entry key to users’ email accounts in a widespread fashion and did not (and were not planning to) inform users until I blew the whistle.

This does not make me a “hacker”. Their use of the term is completely incorrect. Connect were acting as if they were like the Royal Mail posting your front door key to any business that sends you a letter to which you respond.

If I was a “hacker”, the police would have arrested ME. Instead, I am the complainant! Connect’s choice of language is astonishing. It is CONNECT who were the subject of police action!

This whole saga is completely and utterly a faux-pas by Connect. A shooting in the foot by them. It was an own-goal in football terms (people in Merseyside will get that).

Now, Connect are lying. I deal with their points – It is not “affecting a small number of users in a specific set of circumstances” it is affecting EVERY user in a very common circumstance. They are being blatantly disingenuous and are misleading.

What they should say is:
“Connect have been giving away your privacy every time every user clicked a website link in an email”

Damn right the actions of the “hacker” (ME) caused them to shut down the service in an “unstructured manner”. The service was giving away every user’s full personal information! How long would they have allowed this to continue in a “structured” manner???

One question is, how many of their users have been exposed to abuse and invasion of privacy and malice by Connect’s criminal condoning of this vulnerability?

Yes, it is criminal. It is a criminal offence under the Data Protection Act.

I did not “somehow” obtain the session ID. – Connect gave it away in plain text with the click through.

It is true that you would have had to have been logged in (i.e. the session still active), but, knowing the vulnerability, this would have made it easy for criminals. It is easy to act while people are still logged in. Few people click links and then close the program immediately. You click to a website and keep your email program OPEN, to read other messages. Once I logged in, I took over the session; the user could have logged out and I would have still been inside, squirrelling away.

As any link to a website goes to the website owner’s server, every website visited can grab the plain text session key (and plain text username). It is easy. Connect make it sound unlikely. It appeared in front of my eyes like a neon sign saying “rob me, come on in”!

True, the intruder could only compromise (the whole email account) of one user at a time. Connect are saying “don’t worry, the malicious intruder can only break into YOUR house”.

Users will have to change (or should change) lots of passwords to different services. As many people tend to use the same password for many services, giving a thief a good guess at what password the user has for everything, Connect’s statement about passwords is false. It would only be true if users used unique strings for every account password of theirs. People do not act in that way. We all know that.

Also, an intruder can read ALL user mail, see what services you are signed up for and hammer away at them all, if they know one typical password.

The intruder can also access a user’s whole address book, raising the issue of the heavy use of MerseyMail by schools and kids.

In their statement Connect are utterly and irresponsibly minimising the danger to users.

I will say to Connect, you are acting diabolically. I am that “Hacker”. Come and get me arrested!!!!

The problem Connect have, is that the police decided Connect were in the wrong and went and knocked on THEIR door, not mine.

I disclosed everything, immediately, to a) the MerseyMail user, b) Connect (who ignored me), c) the police, d) the BBC… all to cover myself, as well as e) on my website here www.lingscars.com/merseymail.php , and f) here on this forum, as well as on my blog and on Twitter. I was completely open.

Questions:

1. Have they informed the Data Commissioner of the scale and their complicity in this scandal?

2. When will they tell the truth to users, including saying that there was no “hacker” in this instance and that the police told CONNECT to close the service down, it was so bad?

3. When will they say it is widespread and happened with EVERY click through, therefore EVERY user has MASSIVE risk?

4. When will the Managing Director/CEO of Connect resign?

About

I am Ling Valentine, as seen on Dragons' Den. I lease cheap cars in the UK! Have a look at my cheap car leasing website.
