E-mail user details left exposed

July 12, 2001

A security breach has left the personal details of hundreds of e-mail accounts exposed online at an Internet service provider on the Isle of Man.

Computer Weekly was shown evidence last week that user account details at IofM.net could be downloaded, and details of users' passwords revealed. The breach occurred at Telford-based Entanet, the ISP that hosts IofM.net, which is a "virtual" ISP.

A list of IofM's e-mail accounts was freely accessible via the Web browser. The user list allowed access to .ins files, which are used to configure dial-up software on users' PCs. The .ins files contained details of user access controls, including passwords and could be read in text format.

Computer Weekly was alerted to the breach by a reader, who did not wish to be named. He alleged that the security hole had been in existence for two months. We immediately contacted the hosts and the breach was closed within two hours.

Entanet, which hosts 150 virtual ISPs - essentially re-sellers of Internet access - said, "As a result of an oversight in creating the IofM.net service some .ins files were stored in a temporary directory for a longer period than is normal." Entanet said it had received no complaints about the breach.

Malcolm Macdonald, managing director of IofM.net, said it was "regrettable" that the fault had occurred but added that he was totally confident that measures had been taken to prevent it happening again.

Neil Barrett, technical director of security specialist Information Risk Management, said the security breach could have put the hosts in breach of the Data Protection Act.

He warned that indivi-duals running virtual ISPs should make sure legal liability remained with the host - or have the technical expertise to secure the virtual service themselves. "If they have neither, then - I am sorry to be harsh - but they have no business being in that business," he said.

Barrett said stopping breaches of this type is "very easy" and they are "by no means rare". The problem lies in misconfiguration of handling routines or insecure defaults, he said.