Log On Name And Password - Can I Change Them?


rjunee
13-05-2003, 07:48 PM
How is authentication performed with swiftel? Is it by the phone number from which the 'call' is established, or by the username/password supplied?

If the latter, how can I change my password (otherwise anyone could use my account since the password is very easy to derive). I am aware I can change my password for member services on the web site, but this does not change the actual ADSL password does it?

Thanks,
Ryan.

forumadmin
13-05-2003, 10:48 PM
Theoretically anyone could use your account if they knew your telephone number and used your user name and password to log on.

But for them to do that they would have to already be a Swiftel ADSL registered customer (otherwise the traffic would not be routed to our PoP).

They would also have to log on when you were not logged on.

They would also have to never have logged on before as their first log on binds the IP address to their line number.

So the chance of this happening is not regarded, at least by our engineers, as very likely.

There would also be no advantage.

rjunee
13-05-2003, 10:59 PM
"But for them to do that they would have to already be a Swiftel ADSL registered customer (otherwise the traffic would not be routed to our PoP)."

I see. In this case the threat model is greatly reduced (the only real threat in this instance would be someone trying to use the account of another user with a larger download limit, etc.).

"their first log on binds the IP address to their line number."

Can you please explain what you mean by this? Are you saying in all future sessions you check the line number rather than the username/password when assigning the ip? And you subsequently authenticate the user based on the ip? (i.e. all traffic to that ip is charged to the user corresponding to that ip in your database)? I would be a bit more worried in this case... since IPs are not a good authentication mechanism (easy to spoof).

Thanks for your reply.

Ryan.

DSL_Tech
14-05-2003, 10:43 AM
One IP address is assigned to each ADSL connection. For all practical purposes this is done when the modem first connects. In actual fact, the IP address is assigned from the database when the activation advice list is uploaded from Telstra each day.

The IP address is assigned each time the modem connects based on the 'username' (which is the service number).

When a customer cancels a service, the IP address is released back into the pool, but put very last, so that if the customer should reconnect, there is a very good chance the same IP address can be maintained.
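The allocation policy DSL_Tech describes above (one address per username, released addresses go to the very end of the free list so a returning customer can usually get the same address back), as an added example written for this page; it is not Swiftel's code, and the 10.0.0.0/29 range, the usernames and the class name are constructed for illustration.

```python
"""Added example (not Swiftel's code): a per-username sticky IP pool in which
released addresses go to the back of the free list, so a customer who cancels
and later reconnects is likely to get the same address back."""
from collections import deque
from ipaddress import IPv4Network
from typing import Dict, Optional


class StickyPool:
    def __init__(self, network: str):
        # Free addresses are handed out from the front; released ones go to the back.
        self.free = deque(str(ip) for ip in IPv4Network(network).hosts())
        self.assigned: Dict[str, str] = {}   # username -> IP while the service exists
        self.previous: Dict[str, str] = {}   # username -> last IP after a cancellation

    def connect(self, username: str) -> Optional[str]:
        """Return the IP for this username; the address is fixed across reconnects."""
        if username in self.assigned:
            return self.assigned[username]
        ip = self.previous.get(username)
        if ip is not None and ip in self.free:
            self.free.remove(ip)               # old address still unused: keep it
        elif self.free:
            ip = self.free.popleft()           # otherwise take the oldest free address
        else:
            return None                        # pool exhausted
        self.assigned[username] = ip
        return ip

    def cancel(self, username: str) -> None:
        """Release the address to the very end of the free list."""
        ip = self.assigned.pop(username)
        self.previous[username] = ip
        self.free.append(ip)


def demo(network: str = "10.0.0.0/29") -> Dict[str, Optional[str]]:
    # Constructed walk-through: a cancels, c joins, a comes back.
    pool = StickyPool(network)
    first_a = pool.connect("a@example.isp")
    pool.connect("b@example.isp")
    pool.cancel("a@example.isp")
    new_c = pool.connect("c@example.isp")    # gets the next fresh address, not a's
    back_a = pool.connect("a@example.isp")   # a's old address is still at the back
    return {"first_a": first_a, "new_c": new_c, "back_a": back_a}
```

With a larger pool the returning customer keeps the old address; only once every fresh address has been handed out does a recycled one get reused, which is the "very good chance" the post refers to. Note that the address is keyed on the username alone, which is the property the rest of this thread is arguing about.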

rjunee
14-05-2003, 10:59 AM
"The IP address is assigned each time the modem connects based on the 'username' (which is the service number). "

Can you clarify this - is it based simply on the username supplied, or do you actually verify the service number from which the modem is connecting?

If Alice, a swiftel customer, has used up her quota for the month and still needs to download some big files, can she simply connect using my credentials (it's not hard to find out someone's phone number and then derive the password)? In this case it seems she would get my IP address which not only allows her to download data and charge it to my account, but she also owns my IP. If I have a domain pointing to this IP she can now masquerade as me which can have very severe consequences (say hypothetically I'm running an ecommerce business, she could start grabbing credit card numbers my customers are supplying).

In summary, if you are authenticating based on the credentials supplied by the customer, then I definitely want to change my login password. Please tell me how I can do this. Or if I'm wrong in my assumptions somewhere and your system is actually secure, please explain this to me.

Sorry but I'm a security engineer, it's my job to be paranoid.

Ryan.

DSL_Tech
14-05-2003, 05:26 PM
Can you clarify this - is it based simply on the username supplied, or do you actually verify the service number from which the modem is connecting?

Yes to the first part, no to the second.

As a Security Engineer, you would know yourself that the only absolute way of ensuring security is not to connect to anything, assuming of course the computer itself is in some impregnable location that can't be accessed by anyone.

The scenario you describe is not impossible, but would require a number of specific circumstances to be fulfilled before it could occur, which are:

- the thief would have to know that the target was a Swiftel customer (as opposed to every other ADSL provider).
- they would have to be a Swiftel ADSL subscriber themselves.
- the thief would have to know the target ADSL line number.
- ADSL is an 'always on' connection, so the thief would have to know or guess the time the target was not connected.

We log all connection attempts and it is easy to see attempted connections from duplicate account names - if that were ever to occur.

We only allow one connection per service number, so if the thief did manage to connect when the target was not connected, it would be quickly obvious via our monitoring system.

If the thief did know or guess a time when the target was not connected, they would also have to know how long the target would be likely to be disconnected for, otherwise that again would be obvious to us.

You note I use the word 'thief' a lot. Because anyone attempting such an action is stealing our product and we would not hesitate to bring criminal prosecution to bear on them.

We are presented with enough information to uniquely identify the calling line for each ADSL connection. We simply need to match that information to the line number and tell the police the address of the culprit.

So, in developing the ADSL product, we weighed up the operational efficiency of a derived username and password, versus:

- an improbable set of events
- easy identification of any theft
- the rule of law

PS: In the event such a situation should occur, we would not bill the customer for any excess usage for that period.

nhat_18
14-05-2003, 08:44 PM
What if a Swiftel adsl customer knows my username and guessed my password (since it is so similar to their own) and uses it before I do? My line has not been activated yet so I can't connect, but if someone knew then would they be able to connect using my username and password since I have never used it before? Would they be able to get away with it?

DSL_Tech
14-05-2003, 09:03 PM
Yes, that _could_ happen, but no, they would not get away with it. We can uniquely identify each ADSL physical circuit. We can map that circuit to a calling line identifier (the telephone number of that line).

Only if someone had been given the same phone number as you by their service provider (which, as far as I know, has never happened in 100 years of telephony in Australia) would they get away with it, and only for as long as it took to sort out the unheard-of duplicate number assignment.

nhat_18
14-05-2003, 09:14 PM
Oh good... I was getting worried because I think I've posted my phone number up a couple of times in the forum before.

Thank you for the help.

spamfodder
24-09-2003, 12:48 PM
>The scenario you describe is not impossible, but would require a number of specific circumstances to be fulfilled before it could occur, which are:

> - the thief would have to know that the target was a Swiftel customer (as opposed to every other ADSL provider).
Perhaps they took offense to a posting in one of these forums?
> - they would have to be a Swiftel ADSL subscriber themselves.
Don't you expect/hope that Swiftdsl will grow to >100k subscribers?
> - the thief would have to know the target ADSL line number.
Look me up in the phone book......
> - ADSL is an 'always on' connection, so the thief would have to know or guess the time the target was not connected.
Most people turn it off at night when they go to bed.....

I am concerned by the potential for this to be a denial of service attack, not just a theft of service. I disagree with your design decision to use a guessable password without locking it to the DSL line. Telstra claimed they would provide DSLAM, slot and port numbers in a RADIUS attribute when I raised this with them back in 2001 while negotiating ADSL wholesaling for one of the "gang of 4" ISPs. If you want to have a fixed password, you should at least use this to lock my account to my ADSL service.

Perhaps DSL_Tech will like to look up my details in the database and email me or ring me to discuss?
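The line lock spamfodder asks for, combined with the one-session-per-service rule and the connection logging DSL_Tech describes earlier in the thread, as an added example written for this page. It is not Swiftel's code and not code posted by anyone in this thread. The password convention is the one a later post in this thread gives; the `circuit_id` attribute, the `dslam.../slot/port` values and the subscriber numbers are assumptions constructed for illustration. The same scenario is run twice, once with username/password only and once with the account bound to the circuit it first logged in from.

```python
"""Added example (not Swiftel's code): a toy RADIUS-style access decision for
derived ADSL credentials, with and without locking the account to its line."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def derived_password(service_number: str) -> str:
    # Convention posted later in this thread: the password is a fixed function
    # of the service number, so the server can recompute it, and so can anyone
    # with a phone book.
    return f"PWD{service_number}T"


@dataclass
class Account:
    service_number: str
    bound_circuit: Optional[str] = None  # circuit seen on the first accepted login
    active: bool = False                 # one session per service number


@dataclass
class AccessRequest:
    username: str     # "<10DigitTelephoneNumber>@swiftdsl.com.au"
    password: str
    circuit_id: str   # hypothetical DSLAM/slot/port attribute from the wholesaler


@dataclass
class Authenticator:
    accounts: Dict[str, Account]
    lock_to_line: bool                      # False = username/password only
    log: List[str] = field(default_factory=list)

    def access(self, req: AccessRequest) -> Tuple[str, str]:
        """Return (decision, reason) and append an audit line for every attempt."""
        service = req.username.split("@", 1)[0]
        acct = self.accounts.get(service)
        if acct is None or req.password != derived_password(service):
            return self._record(req, "REJECT", "bad-credentials")
        if acct.active:
            return self._record(req, "REJECT", "already-connected")
        if self.lock_to_line:
            if acct.bound_circuit is None:
                acct.bound_circuit = req.circuit_id   # first login binds the line
            elif acct.bound_circuit != req.circuit_id:
                return self._record(req, "REJECT", "circuit-mismatch")
        acct.active = True
        return self._record(req, "ACCEPT", "ok")

    def disconnect(self, username: str) -> None:
        self.accounts[username.split("@", 1)[0]].active = False

    def _record(self, req: AccessRequest, decision: str, reason: str) -> Tuple[str, str]:
        self.log.append(f"user={req.username} circuit={req.circuit_id} {decision} {reason}")
        return decision, reason


def alerts(log: List[str]) -> List[str]:
    """Post-hoc monitoring: surface attempts that point at account hijacking."""
    return [line for line in log
            if line.endswith(("already-connected", "circuit-mismatch"))]


def scenario(lock_to_line: bool) -> Tuple[Tuple[str, str], Tuple[str, str], List[str]]:
    # Constructed data: two subscribers; Alice knows Bob's number from the phone book.
    bob, alice = "0200000001", "0200000002"
    auth = Authenticator({n: Account(n) for n in (bob, alice)}, lock_to_line)
    bob_user = f"{bob}@swiftdsl.com.au"
    auth.access(AccessRequest(bob_user, derived_password(bob), "dslam1/3/12"))  # Bob, own line
    # Alice presents Bob's derived credentials from her own line while Bob is connected...
    while_online = auth.access(AccessRequest(bob_user, derived_password(bob), "dslam4/1/7"))
    auth.disconnect(bob_user)   # ...and again after Bob switches his modem off for the night
    while_offline = auth.access(AccessRequest(bob_user, derived_password(bob), "dslam4/1/7"))
    return while_online, while_offline, alerts(auth.log)
```

Without the line lock the second attempt is accepted, and Alice now holds Bob's username-bound IP address until he reconnects; with it the attempt is rejected as a circuit mismatch and shows up in the alert list without anyone having to notice an unusual session length.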

Flak
19-11-2003, 07:05 AM
Originally posted by forumadmin
They would also have to never have logged on before as their first log on binds the IP address to their line number.


Can we please get confirmation on this point as there has been some debate and concern at Whirlpool:

http://forums.whirlpool.net.au/forum-replies.cfm?t=133063&p=2

the rat
25-11-2003, 02:42 PM
I'm only very new to swiftel. Everything is set for ADSL, just waiting for my modem to arrive and I'll be online.

I was testing the user facilities and I thought the first thing it said was that I should change my logon password, actually it asked me to do it 3 times for 3 different things so I assume the first one was for my ADSL logon.

Do I now understand you guys saying that ADSL logon password can't be changed?

That's a bit of a worry because it wouldn't be too hard for anyone to get the login name from the phonebook and from that the password.

Surely it can't be that hard to make the logon password changeable like it is for email.

mbottrell
06-12-2003, 05:39 AM
It sounds like it's hard-coded into the system... thus the reluctance to change it...

Can we confirm this..

I too don't like the idea of an authentication username/password that I don't have control over. :eek:

Especially when there can be a $$$ effect no matter how slight.
:(

Cheers,

Matt.

Silverman
06-12-2003, 07:02 AM
I too don't like the idea of an authentication username/password that I don't have control over.

No, the password is easily changed and Swift seems to encourage you to do so. When I first altered mine it suggested that the chosen password was too simple and refused to accept it.

Silver.

klaasv
06-12-2003, 10:43 AM
Originally posted by Silverman
No, the password is easily changed

Are you sure this was the ADSL login password you changed? I think you are referring to the "user facilities" password.

This thread concerns the username/password for the ADSL login - the ones you use to connect to the service. These can't be changed, for the reasons mentioned earlier in the thread.

forumadmin
06-12-2003, 02:28 PM
"Are you sure this was the ADSL login password you changed? "

The user name and password for the adsl service can't be changed by the user and will almost never be changed by Swiftel at the user's request except under exceptional circumstances.

Silverman
06-12-2003, 05:47 PM
The user name and password for the adsl service can't be changed by the user and will almost never be changed by Swiftel at the user's request except under exceptional circumstances.

No, it wasn't the login password I was referring to but the site access password initially assigned by Swift. I prolly got the wrong impression if it was the login password being queried, if so I'll go and stand in the corner for an hour or so :>)

Silver.

forumadmin
06-12-2003, 07:24 PM
"if so I'll go and stand in the corner for an hour or so"

No need. The point is that any clarification of the processes is valuable to everyone who reads the thread.

rukpat
31-03-2004, 11:45 PM
Originally posted by DSL_Tech on 14-05-2003 05:26 PM
Can you clarify this - is it based simply on the username supplied, or do you actually verify the service number from which the modem is connecting?

You note I use the word 'thief' a lot. Because anyone attempting such an action is stealing our product and we would not hesitate to bring criminal prosecution to bear on them.

We are presented with enough information to uniquely identify the calling line for each ADSL connection. We simply need to match that information to the line number and tell the police the address of the culprit.

So, in developing the ADSL product, we weighed up the operational efficiency of a derived username and password, versus:

- an improbable set of events
- easy identification of any theft
- the rule of law

PS: In the event such a situation should occur, we would not bill the customer for any excess usage for that period.


Originally posted by rjunee on 14-05-2003 10:59 AM
(say hypothetically I'm running an ecommerce business, she could start grabbing credit card numbers my customers are supplying).


This to me is no assurance! Yes you can catch the thief and maybe prosecute him/her, however, going back to the above comment from Ryan, the fact remains my ecommerce site could be compromised (say I already have an ecommerce site and an insider knows I am moving to Swiftel).

Who is going to pay for damages to my business (bad publicity, privacy breach, customer confidence, etc)?

Moreover this is not far fetched; Here is another scenario:
Say I am hosting an ecommerce site (www.mysite.com) on a Swiftel ADSL connection. Alice would be able to get the IP address of my site (many ways to do this, which I will not go into in detail here). Once she has the IP address she continuously monitors my site for downtime. The moment the site goes down she spoofs my IP address to connect to Swiftel and hosts a look-alike site. Yes Swiftel will eventually be able to get hold of Alice, but what about me? The damage to my business is already done!

Originally posted by DSL_Tech on 14-05-2003 09:03 PM
Yes, that _could_ happen, but no, they would not get away with it. We can uniquely identify each ADSL physical circuit. We can map that circuit to a calling line identifier (the telephone number of that line).

There are holes in not being able to stop the fraudulent connection in real time based on caller ID or whatever. Security is not easy.... Swiftel needs to think about this and also be able to protect their customers, or we may see some interesting litigation, sooner rather than later.

Till then hopefully everyone connected to Swiftel can be trusted not to do such a thing!

rukpat

seann
03-04-2004, 01:24 AM
I think the risk is so little it wouldn't be worth losing sleep over. As anyone will tell you the internet ain't safe and never will be. You don't think Billy Gates wants to get security right... it costs him billions every year but yet Windoze ain't safe, is it. I think the best you can hope for is to eliminate obvious and easily exposed security holes. If you are really worried about your ecommerce site shut it down for bricks and mortar. Do you think a hacker would go to all the trouble of stealing your connection? Ha ha, you're a funny man. If they want in they will find many other ways in and it won't be through your connection. So in summary let us reflect on the huge projects that were supposed to be hacker proof but were wrong

- Microsoft software
- Linux kernel modification/exploit
- US national secrets are not networked because they can not be secured
- DvD's ( didn't a kid from NZ crack these)
- Playstation, xbox etc
- Foxtel (I wonder how long digital will last before it is cracked)

Would you like me to continue?

If they want your site ...you shall be owned

mbottrell
03-04-2004, 02:21 AM
Seann,

Your assessment of security is woeful.

Just because systems can be broken, doesn't mean one shouldn't at least put some protections in place.

Remember... I'm sure you will also note that any decent burglar that really wants to get into your house can, but I guess you still lock your doors and close your windows every night...

Security should never be an afterthought... it should be part of the design... that's normally what fails... traditionally it is normally plugged in at the end....

Whilst all systems designed by man will be breakable by man, it should be the nirvana designers aim for...

You might find this interesting reading: Programmers told to put security over creativity (http://zdnet.com.com/2100-1105_2-5183634.html)

Cheers,

Matt.

seann
03-04-2004, 02:01 PM
well thanks for the assignment there teach, and sorry I failed my security assignment.

I never said anything about putting no security in place?

My point was, just in case you missed it or I didn't explain it too well, that the security in place for your connection would appear to be ample. So the risk/gain to a potential hijacker would not be worth it. And in reference to ecommerce the vast majority of OS systems, shopping carts, servers etc have exploits publicly available so even a beginner could break in, although a good hacker will get in and out and you won't know he has been there... because he has no interest in damaging the site.

Agree with me that if someone wants into your site...there are easier ways in than hijacking your connection.

I am not saying passwords for connections should not be able to be changed, just that the argument of ecommerce is a bit extreme and in reality not worth it.

mbottrell
04-04-2004, 02:54 AM
Originally posted by seann
well thanks for the assignment there teach, and sorry I failed my security assignment.

No problem Jnr. :p

I never said anything about putting no security in place?

Nope it was implied... by stating current levels are enough.

My point was just incase you missed it or I didn't explain it too well was that the security in place for your connection would appear to be ample.

Actually the security in place isn't ample... basically under the current system I can presumably become anyone else in my state if I know their Swiftel ADSL telephone number.

As pointed out earlier... there are many to pick from just looking through the member listing on the forum.

The password system used by Swiftel fails the BASIC definition given by FOLDOC (http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=password&action=Search)

I quote from it:... used to authenticate the user when he attempts to log on, in order to prevent unauthorised access to his account. ...
A known password DOESN'T prevent unauthorised access.

How will Swiftel trace who accessed it if Caller-ID is off on that line? By definition Caller-ID must be able to be turned off at the end-users point, else it fails the Telecommunications Act and will have far and wide-reaching effects.

Without Caller-ID the user is able to hide well; sure they can check lines and ports on exchanges, but it's likely not to be able to be pulled easily out of Telstra's database (if at all).

What provisions are in place if such a breach occurs, and how is it investigated and resolved?

I will be calling Swiftel and demanding that my chosen password is set... failure to do so will be raised appropriately through 3rd party channels...
So the risk/gain to a potential hijacker would not be worth it. And in reference to ecommerce the vast majority of OS systems, shopping carts, servers etc have exploits publicly available so even a beginner could break in, although a good hacker will get in and out and you won't know he has been there...because he has no interest in damaging the site.

I want some of the stuff you're on! :p
You obviously also see wonderful flying cars, talking pigs and fairy-floss free for everyone!

There isn't a thing as a good hacker. You're on drugs!
Any system not owned by the individual by law is not allowed to be accessed without permission.

In addition, the 'hacker' should be referred to as a cracker (http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=cracker) as the definition of a hacker is something else (http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=hacker). You'll notice it's been Deprecated (as it was an incorrectly used term).

Whilst every man-made system has a potential for vulnerabilities (computer related and otherwise), a system can be made relatively secure.... refer to items like SE Linux (http://www.nsa.gov/selinux/) .. under such models even ROOT does not have access to much of the system. This avoids many potential flaws.

Having a 'known' exploit doesn't always mean you can get in... many such exploits need to have local access to the machine to be possible, in addition they are only relevant until the system is patched...

Agree with me that if someone wants into your site...there are easier ways in than hijacking your connection.

I am not saying passwords for connections should not be able to be changed, just that the argument of ecommerce is a bit extreme and in reality not worth it.

No it's not extreme. As a connection has a static IP it is quite likely that many E-Commerce sites rely on the fact that they can utilise their static IP as a form of authentication. Whilst it shouldn't be the only one, it is something that should be unique.

As such, areas such as HTTP Admin sections are often set up to allow only certain IP ranges through.

The user is thereby justified in his assessment.

This has gone WAAAAYYY off topic... if you really wanna discuss Zen and the art of Security, please start a new thread under Anything goes, I'm more than happy to contribute.

Cheers,

Matt.

mbottrell
04-04-2004, 02:59 AM
Originally posted by seann
If they want your site ...you shall be owned

Spoken like a true teenager... :p

I OWN several commercial sites.... in particular one that is often attacked due to its name (look at my profile).

To date, none of these attempts have been successful, this is not to say that it isn't possible, but to date it hasn't been breached.

How do I know this is the case? Due to the fact there are multiple levels of security built in, in addition I have hard-wired traps built in that go off like booby traps. :D

I have seen 1-2 levels breached previously, though never the full set....

Security ISN'T about one level or system, it's a methodology. The sooner the general public and vendors appreciate this fact the better we all will be!

Cheers,

Matt.

Wildcat
12-04-2004, 11:18 PM
Matt you're right, the thread has gone way off topic, and I agree that the end user probably risks little if his account is hijacked,

but keep going, its interesting learning the theories behind internet security. Mr. Bottrell you know a poo load about Security, and your opinions should be well respected IMHO. Maybe you should work for Swiftel :D


Regards

Wildcat

misterscary
19-05-2004, 09:21 PM
their first log on binds the IP address to their line number.
************************************************

?????

If this were the army I'd be Private First Class Tech Knownothing. Perhaps some of you Majors and Generals can answer this question:

If, as the quote above says, "their first log on binds the IP address to their line number" does that not mean that any subsequent log on that DOESN'T match both the initial IP and line ID is a fake log on? Thereby alerting Swiftel security?

Even with a "thief's" caller ID turned off surely there must be a frequency 'signature' in each phone line??? Or am I mistaken?

I appreciate feed back from anyone with a sensible yet straightforward answer. (Seann - this means you) :D

Ghost
20-05-2004, 12:25 AM
Originally posted by 0297731218

If, as the quote above says, "their first log on binds the IP address to their line number" does that not mean that any subsequent log on that DOESN'T match both the initial IP and line ID is a fake log on? Thereby alerting Swiftel security?


By my reading the IP is bound to your user name. The first time you log on your user name does not have an IP so it "grabs" one out of the "IP pool". Then each night each user name is checked to make sure it is still valid; if it is invalid the IP assigned to that username is dropped back in the pool.

The caller ID issue is a totally different issue. (A note for all with a "hidden number": Telstra admit that if you call a number that is hosted by another provider the number may not be blocked. This is because it is set by a flag; if a phone with caller ID receives this flag it will hide the number. This is set to assist 000 calls, which ignore this flag.)

Miyagi
22-05-2004, 11:54 PM
Call me crazy, but can someone tell me the password naming convention.. I assume it's the same for everyone... i.e. has something like XXXXXXXX = phone number and a certain number of other digits...

I for the life of me have forgotten / lost the password to re-logon using RASPPPOE and cant take down my firewall/router to test straight thru speed without it...

Thx,
Miyagi

PT_Ryan
23-05-2004, 08:02 AM
Username: <10DigitTelephoneNumber>@swiftdsl.com.au
Password: PWD<10DigitTelephoneNumber>T


Regards,
Ryan.

timobr0
21-10-2005, 02:59 PM
Can anyone tell me why it's all of a sudden telling me my username and/or password is wrong...... I've been using the exact thing above and have retyped it many times exactly like above.....

JasonM
21-10-2005, 03:47 PM
You should contact tech support - 1300 55 88 88.

Anne1
21-10-2005, 04:28 PM
Try <10 digit phone number>@people.net.au for username
and
PWD<10 digit phone number>T for password

PT_Ryan
24-10-2005, 09:25 AM
If what Anne advised does not work, you should contact our support department.

Regards,
Ryan.