Virgin Media failed to fix encryption issue in parts of its telco website
March 30, 2015
It is reported today that Virgin Media has failed to upgrade the weak encryption it uses on sensitive parts of its website, despite several complaints from customers who say they have repeatedly flagged their security worries to the company.
Meanwhile Mozilla, which recently told its users that it planned to end support for the RC4 stream cipher still used by some Virgin Media pages, has an open tracking bug about the cable company's website.
Google's Chrome browser has also been throwing security warnings on various Virgin Media pages, because the connection first has to be retried using an older version of the TLS (Transport Layer Security) protocol.
However, Virgin Media has yet to upgrade its service, even though it first heard about the potential security headache late last year. A company spokesman said: "Although there are no practical exploits of the algorithm, we have a new program which is well underway that will address the security issue."
Software engineer Nick Lowe got in touch with a correspondent earlier this month to highlight his concerns about the RC4 and TLS issues.
As he noted, some software firms recently called for the RC4 cipher to be outlawed by companies, after new research appeared to show that some attacks against the scheme were becoming easier.
Lowe told us this morning that he was disappointed with the response to his concerns about the obsolete and insecure cryptography that the firm continues to use on its website.
"I think that's a disingenuous and rather meaningless thing for them to say," he said. "Yes, the RC4 problem isn't particularly exploitable based on the information that is known publicly, but as pointed out before, the service is also TLS 1.2 intolerant, which means that the software they use can't have been patched and is therefore, by definition, going to be security vulnerable to other issues."
"No SSL/TLS stack has remained secure over that passage of time since this has been resolved so it's a serious vulnerability issue," he added.
"Google's Chrome for example notes in its details about the connection that it has had to retry using an insecure protocol downgrade to establish a connection. This reveals that the infrastructure it has to provide the encryption has not been maintained properly," he added.
Furthermore, an SSL analysis of various sensitive Virgin Media web pages shows how poorly Virgin Mobile scores on security.
The firm's identity, billing and payments pages all come up short when tested from various locations. And Lowe isn't the only one complaining over this issue.
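The two symptoms described above (a handshake that only succeeds after falling back to an older protocol version, and RC4 being negotiated) can be reproduced against a server you administer with a few constrained TLS handshakes. This is an added example, not code from Virgin Media, Lowe or the analysis service mentioned; the host/port arguments and the SAMPLE results are constructed assumptions, and the classification logic is kept separate from the network code so it can be checked on constructed data.

```python
import socket
import ssl

def try_handshake(host, port=443, min_ver=None, max_ver=None, ciphers=None, timeout=5.0):
    """One handshake under the given constraints -> (ok, protocol, cipher, error).
    Certificate checks are off on purpose: we want to see what the server negotiates, not trust it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        if min_ver is not None:
            ctx.minimum_version = min_ver
        if max_ver is not None:
            ctx.maximum_version = max_ver
        if ciphers is not None:
            # Current OpenSSL builds have dropped RC4, so this can fail before any packet is sent.
            ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher = tls.cipher()
                return True, tls.version(), cipher[0] if cipher else None, None
    except (OSError, ssl.SSLError, ValueError) as exc:
        return False, None, None, str(exc)

def probe(host, port=443):
    """The three handshakes that reproduce the complaints in the article."""
    v = ssl.TLSVersion
    return {
        "tls12": try_handshake(host, port, min_ver=v.TLSv1_2, max_ver=v.TLSv1_2),
        "tls10": try_handshake(host, port, min_ver=v.TLSv1, max_ver=v.TLSv1),
        "rc4": try_handshake(host, port, ciphers="RC4"),
    }

def classify(results):
    """Turn probe() output into findings; no network code, so it runs on constructed data."""
    findings = []
    if not results["tls12"][0] and results["tls10"][0]:
        findings.append("TLS 1.2 intolerant: connects only after a protocol downgrade")
    ok, _, cipher, _ = results["rc4"]
    if ok and cipher and "RC4" in cipher:
        findings.append(f"RC4 negotiated ({cipher})")
    return findings

# Constructed sample (not a real measurement) in the shape the article describes.
SAMPLE = {
    "tls12": (False, None, None, "handshake failure"),
    "tls10": (True, "TLSv1", "RC4-SHA", None),
    "rc4": (True, "TLSv1", "RC4-SHA", None),
}
```

Against a live host, `classify(probe("your.host.example"))` returns an empty list for a server that accepts a TLS 1.2-only client and refuses RC4.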
A British inmate used a bogus website and fake identities to trick prison officers into releasing him from prison.
Jailed for fraud worth £1,819,000, Neil Moore used a smuggled mobile phone to put up a website mimicking that of Southwark Crown Court.
He then emailed prison officers with instructions for his release, according to various reports.
Prosecutor Ian Paton says Moore, who turned himself in three days after escaping, showed extraordinary deviousness, according to the BBC.
"A lot of criminal ingenuity harbours in the mind of Mr Moore," Paton said. "The case is one of extraordinary criminal inventiveness, deviousness and creativity, and all the developed expertise of this defendant, it appears initially".
Moore followed the social engineering/phishing playbook to the letter, using legitimate personal details (including registering the website in the name of Detective Inspector Chris Soole) in a bid to make the scam look legitimate.
His email, in which periods had been replaced with hyphens, appeared to come from a senior court clerk and contained bail instructions for prison staff.
Jail officers failed to notice the hyphens and missed a potentially scam-busting typo after Moore misspelled 'Southwark'. He was released on March 10, but was only noticed as missing three days later, when solicitors turned up to meet him in prison.
Moore was charged with escaping lawful arrest and eight counts of fraud. He was initially arrested in 2012 after swindling large companies including Thomas Exchange Global into handing over cash as he posed as staff from Bank of America, Lloyds and Barclays.
The targets were tricked into moving cash into what Moore says were 'safe' accounts under his control. His mimicry of a female voice was so convincing police initially arrested his partner.