UPDATE: 12 August 2009 SUCCESS! MerseyMail has been shut down, but Connect have still not mentioned the vulnerabilities to users and have not warned that they are exposed to hacking!
UPDATE: 14 August 2009 ...OR IS IT? MerseyMail/Connect deny and lie to users and publicly call me a "hacker"!
7th Aug 2009 - Mersey Mail are tonight exposing THOUSANDS of their Liverpool-based clients to scammers by leaving their customers' email accounts open to being hacked. Any intruder who gets a click-through to their website from a MerseyMail customer can IMMEDIATELY access all the mail and information in the private or business MerseyMail account. This security hole probably applies to ALL businesses and private individuals who use Mersey Mail!
I exposed the open-door policy of Mersey Mail when I was monitoring a website customer who was visiting to check the progress of his new car. I always monitor visitors to ensure my car supply (and customers) are not exposed to fraud. For instance, if the customer purports to be British but is logging on from a Russian server, I want to know why!
My customer "George", who is a teacher in a Merseyside college, clicked on a link in a normal email I sent him (he was logged in to his MerseyMail account) letting him know he had a new message on my secure LINGO server. But I noticed something was wrong! His browser was passing his MerseyMail session ID to my server, and his IP address was not being checked.
By pasting the information into a web browser, I had immediately accessed all George's private emails including a loan application from a major bank, plus details of bank statements and many other messages. I was totally horrified! This is the first time I have seen this back-door access from a private email account.
I immediately phoned the customer to tell him, and also tried to phone Mersey Mail and their parent company. No one was available to speak to me at Mersey Mail, despite me telling the receptionist that all their customers are currently exposed to hackers. The problem still hasn't been fixed, so I have informed the police, the local BBC and the Information Commissioner's Office.
Mersey Mail are owned by Connect Internet Solutions.com in Liverpool, who claim on their website "To ensure that what we build is best of breed, a solution that is both robust and future-proof." - what a laugh!
Connect claim to be accredited to ISO 27001 in Information Security. That's complete nonsense in my opinion; a first-year student could do better than this! Mersey Mail should be shut down and every customer informed. All passwords and private account details need to be changed, as soon as possible!
My own customer has been totally compromised. It's a good job LINGsCARS.com checks the provenance of incoming customer connections. If I was a scammer, I could have taken this customer to the cleaners. George was checking on his new Nissan Qashqai, but could have ended up being hacked for thousands of pounds.
08 Aug 2009: I have been visited by the Police to help sort this foolish email hosting company out, but it turns out that Connect Internet Solutions.com also built the Intranet for the Serious Fraud Office (below), LOL! What a joke.
The Serious Fraud Office investigates and prosecutes cases of serious fraud in England, Wales and Northern Ireland. It deals with cases of suspected fraud which are complex, require specialist knowledge, are likely to give rise to national publicity and widespread public concern and those having a significant international dimension.
Now the SFO can learn that they may be using systems built by fools who allow this very fraud to happen!
The Police now have to go away and check their own systems for the same badly-coded bug!!!
THE RESULT:
UPDATE: 12 August 2009 SUCCESS! MerseyMail has been partly shut down, but Connect have still not mentioned the vulnerabilities to users and have not warned that they are exposed to hacking!
Connect Internet have shut down the service! They say "Due to a technical issue, we will be permanently shutting down the MerseyMail service at 5.00pm BST on Tuesday 8th September 2009."
THEY HAVE DISABLED WEB-ACCESS TO MAIL
Now, the problem is that MerseyMail/Connect Internet have not disclosed to any user the potential exposure of ALL their private documents and sensitive information, or that 3rd parties could have ALREADY accessed all their mail. This means that users do not know to take security measures (such as changing passwords on bank accounts, and changing login details to private areas they may have mentioned in previous mails) to limit the use of any malicious information that has already been gathered about them by hackers.
Connect make no reference at all to any SECURITY ISSUES to users, instead they talk about "TECHNICAL ISSUES"
This hiding of problems for MerseyMail users is disgraceful!
THIS PROBLEM WILL STILL AFFECT THOUSANDS OF MERSEYSIDE EMAIL USERS, INCLUDING SOME OF MY CUSTOMERS!
Once sensitive data is lost, you cannot get it back. Plugging the hole is only half the answer. Users should be told!
Connect Internet have a DUTY OF CARE to inform all their customers, in full. I wonder if they have reported the BREACH OF DATA SECURITY to the Data Commissioner?
12/08/2009 - I have contacted Connect Internet AGAIN (never any reply) and said: I notice Connect have shut down MerseyMail service due to my campaign about my customer who was exposed by terrible security, BUT, you make no attempt to disclose to customers the extent of the potential problems. Instead you talk about "technical issues". Customers should be told all their sensitive information has been at risk and may already be in the hands of hackers, so they can take steps to change passwords etc. Can you please let me know you have done this. The notice should also be posted clearly on the MERSEYMAIL WEBSITE. You should offer free technical assistance for users who have concerns. Can you please confirm this has been done and also please confirm that you HAVE INFORMED THE DATA COMMISSIONER of the extent of the problems, the length of time of the problems and the number of users of MerseyMail exposed. You are legally obliged to do this. Please reply with clear answers for me. Ling Valentine
UPDATE: 14 August 2009 OH DEAR! Connect Internet now lie to users and call me a HACKER! As ever, these inept companies LIE and BLAME others to cover up their own ACTIONS!
Connect Internet issued the following completely inaccurate and plain WRONG statement to their MerseyMail users:
"GENERAL MESSAGE TO ALL USERS REGARDING THE CLOSURE OF THE MERSEYMAIL SERVICE
INCIDENT SUMMARY
A vulnerability has been identified within MerseyMail, possibly affecting a small number of users in a specific set of circumstances. A hacker attacked our system using this vulnerability and then posted a guide on how to do this on their website. We therefore had to respond quickly and, as soon as we were aware of the problem, temporarily suspended the website while we investigated. As a result of this investigation, Connect has taken a business decision to close down the MerseyMail service. We will continue to provide access to any messages within the service using standard mail programs (such as Microsoft Outlook) until 5.00pm BST on Tuesday 8th September 2009, to allow users to retrieve any messages they have stored in the MerseyMail system. The vulnerability has been closed and is no longer exploitable.
Connect has provided MerseyMail as a free service to the Merseyside community for a number of years and hopes that it has been useful to many people in that time. However, we feel that the Web has moved on since the introduction of MerseyMail and there are now many other free e-mail services (such as GoogleMail and Microsoft's Hotmail) which offer many benefits to users. We therefore feel that it is appropriate to close down MerseyMail. Ideally, we would have liked to close the service in a more structured way (indeed as the first step in this process we stopped new registrations some time ago), but the actions of this hacker have made this impossible.
THE VULNERABILITY
This vulnerability could possibly have affected a small number of users in a specific set of circumstances:
1) The hacker must have somehow obtained your MerseyMail "session ID"
2) You would have to have been logged in to MerseyMail while the hacker was trying to gain access to your account
3) Even if you were still logged in, you would have had to have been active within the "session timeout period"
The hacker only has a few ways of obtaining the "session ID". They can somehow see it in your browser (e.g. if you send them a screen shot including your browser's address bar) or they need to own a web server and actively obtain it from within their system.
If a hacker were to have obtained such access to the system, they would have only been able to access information about that user. They would not have been able to access information about other users.
Connect is not aware of any active attempts to exploit this vulnerability. The only known exploit has been the original hack mentioned earlier.
SENSITIVE INFORMATION
Although there is only a small possibility that your e-mail could have been seen by someone and we have no evidence of that being the case, as a precautionary measure we would suggest changing your password on any account where your current password has been sent to your MerseyMail address. This could be for a forum, or some other type of site requiring membership.
This is only an issue if you received an e-mail including your password in plain text and you have not changed the password since then. It will not affect you if the e-mail was an "activation e-mail" which did not contain the password or if you have subsequently changed that password.
We are really sorry for the inconvenience this has caused, however we feel that this is the appropriate course of action.
mail.team@merseymail.com"
***NOTE: they send this from, and give a reply address at, a "closed" service - utterly stupid - Ling
So now I am "a hacker"!!!
Let me deal with this, and these fools and idiots at Connect.
I am not a "hacker". I am a website owner who sells cars. I have a fantastic personal reputation as anyone can see by reading the 1,350 customer testimonials on my website here: CUSTOMER LETTERS.
MerseyMail freely and knowingly passed users' session IDs to the websites they visited when links in emails were clicked through, and did not check the IP address when those session IDs were then used by the website owner to gain reverse access to the users' MerseyMail email accounts.
Connect (aka MerseyMail) gave away the entry key to users email accounts in a widespread fashion and did not (and were not planning to) inform users until I blew the whistle.
This does not make me a "hacker". Their use of the term is completely incorrect. Connect were acting as if they were the Royal Mail posting your front door key to any business that sends you a letter to which you respond.
If I was a "hacker", the police would have arrested ME. Instead, I am the complainant! Connect's choice of language is astonishing. It is CONNECT who were the subject of police action!
This whole saga is completely and utterly a faux-pas by Connect. A shooting in the foot by them. It was an own-goal in football terms (people in Merseyside will get that).
Now, Connect are lying. I deal with their points. It is not "affecting a small number of users in a specific set of circumstances"; it is affecting EVERY user in a very common circumstance. They are being blatantly disingenuous and are misleading.
What they should say is: "Connect have been giving away your privacy every time every user clicked a website link in an email"
Damn right the actions of the "hacker" (ME) caused them to shut down the service in an "unstructured manner". The service was giving away every user's full personal information! How long would they have allowed this to continue in a "structured" manner???
One question is, how many of their users have been exposed to abuse and invasion of privacy and malice by Connect's criminal condoning of this vulnerability?
Yes, it is criminal. It is a criminal offence under the Data Protection Act.
I did not "somehow" obtain the session ID. - Connect gave it away in plain text with the click through.
It is true that you would have had to have been logged in (i.e. the session still active), but, knowing the vulnerability, this would have made it easy for criminals. It is easy to act while people are still logged in. Few people click links and then close the program immediately. You click to a website and keep your email program OPEN, to read other messages. Once I logged in, I took over the session; the user could have logged out and I would still have been inside, squirrelling away.
As any link to a website goes to the website owner's server, every website visited can grab the plain-text session key (and plain-text username). It is easy. Connect make it sound unlikely. It appeared in front of my eyes like a neon sign saying "rob me, come on in"!
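The mechanism described above (and in the original 7th Aug account of George's click-through) is a session ID carried in the webmail URL, copied by the browser into the HTTP Referer header when the user clicks an external link, and then honoured by the webmail server from whatever IP address replays it. The following is an added example, not code from this page, from Connect or from MerseyMail: it scans constructed access-log lines for Referer URLs carrying a session-token-style parameter (what a destination-site owner would see in their own logs), then replays the token against a toy session store to show why "no IP check" is the difference between a nuisance and a full account takeover. The hostnames, addresses, token and parameter names are all invented for the demonstration.

```python
"""
Added example: detecting session IDs leaked via the Referer header, and
showing the effect of (not) binding a server-side session to the client
address.  All log lines, hosts, IPs and tokens below are constructed.
"""
import re
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines in the common "combined" format.  The first
# line's Referer is what a webmail user's browser sends to a third-party
# site when they click an external link from a page whose URL holds the
# session ID (the assumed parameter name here is "sid").
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Aug/2009:20:15:01 +0100] "GET /messages HTTP/1.1" 200 512 '
    '"http://webmail.example/inbox?sid=8f3a9c1d2e4b5a6f7c8d9e0f1a2b3c4d&user=george" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Aug/2009:20:16:44 +0100] "GET / HTTP/1.1" 200 128 '
    '"http://search.example/?q=cars" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Aug/2009:20:17:10 +0100] "GET /cars HTTP/1.1" 200 256 "-" "curl/7.19"',
]

# Query-string keys that commonly carry a session token in a URL.
TOKEN_KEYS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid", "token"}

# Combined-log-format parser; only the client IP and Referer are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def find_leaked_tokens(lines):
    """Return (client_ip, referer_host, param, token) for every request whose
    Referer query string carries a session-token-like parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("referer") == "-":
            continue
        ref = urlparse(m.group("referer"))
        for key, values in parse_qs(ref.query).items():
            if key.lower() in TOKEN_KEYS:
                hits.append((m.group("ip"), ref.hostname, key, values[0]))
    return hits


class SessionStore:
    """Toy server-side session table.  bind_ip=False accepts any request that
    presents a valid token (the behaviour described on this page);
    bind_ip=True only honours the token from the address that logged in."""

    def __init__(self, bind_ip):
        self.bind_ip = bind_ip
        self._sessions = {}

    def login(self, token, user, client_ip):
        self._sessions[token] = {"user": user, "ip": client_ip}

    def logout(self, token):
        self._sessions.pop(token, None)

    def resolve(self, token, client_ip):
        """Return the user owning `token`, or None if the token is unknown or
        (when binding is on) presented from a different address."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self.bind_ip and s["ip"] != client_ip:
            return None
        return s["user"]


def replay_from_leak(lines, bind_ip):
    """Take every token found in the logs and present it to the webmail
    server from the site owner's own address.  Returns the resolved user
    (or None) per leaked token."""
    store = SessionStore(bind_ip=bind_ip)
    # The victim logged in from their own address before clicking the link.
    store.login("8f3a9c1d2e4b5a6f7c8d9e0f1a2b3c4d", "george", "203.0.113.5")
    attacker_ip = "198.51.100.200"  # constructed: the third-party site owner's machine
    return [store.resolve(token, attacker_ip) for _, _, _, token in find_leaked_tokens(lines)]


if __name__ == "__main__":
    for ip, host, key, token in find_leaked_tokens(SAMPLE_LOG):
        print(f"Referer from {ip} leaked {key}={token} for {host}")
    print("no IP binding:", replay_from_leak(SAMPLE_LOG, bind_ip=False))
    print("IP binding:   ", replay_from_leak(SAMPLE_LOG, bind_ip=True))
```

Two caveats a practitioner would add. First, binding a session to the client IP is only defence in depth: users behind carrier NAT or on mobile networks change address mid-session, and an attacker on the same NAT shares the victim's address, so the real fix is never to put the session token in the URL at all (an HttpOnly cookie is not copied into Referer) and to strip referrers on outbound links (today via a Referrer-Policy header; at the time, an interstitial redirect page was the usual approach). Second, the log scan above is the check a site owner can run on their own access logs to find out whether other services are leaking their users' tokens to them in the same way.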
True, the intruder could only compromise one user (their whole email account) at a time. Connect are saying "don't worry, the malicious intruder can only break into YOUR house".
Users will have to change (or should change) lots of passwords to different services. As many people tend to use the same password for many services, giving a thief a good guess at what password the user has for everything, Connect's statement about passwords is false. It would only be true if users used unique strings for every account password of theirs. People do not act in that way. We all know that.
Also, an intruder can read ALL user mail, see what services you are signed up for and hammer away at them all, if they know one typical password.
The intruder can also access a user's whole address book, raising the issue of the heavy use of MerseyMail by schools and kids.
In their statement Connect are utterly and irresponsibly minimising the danger to users.
I will say to Connect, you are acting diabolically. I am that "Hacker". Come and get me arrested!!!!
The problem Connect have, is that the police decided Connect were in the wrong and went and knocked on THEIR door, not mine.
I disclosed everything, immediately, to a) the MerseyMail user, b) Connect (who ignored me), c) the police, d) the BBC... all to cover myself, as well as e) on my website here www.lingscars.com/merseymail.php, and f) here on this Liverpool community forum, as well as on my blog and on Twitter. I was completely open.
Questions:
1. Have they informed the Data Commissioner of the scale and their complicity in this scandal?
2. When will they tell the truth to users, including saying that there was no "hacker" in this instance and that the police told CONNECT to close the service down, it was so bad?
3. When will they say it is widespread and happened with EVERY click through, therefore EVERY user has MASSIVE risk?
4. When will the Managing Director/CEO of Connect resign?
There is a full thread to read on Liverpool community forum Yo! Liverpool