o2 BB - Security Issues

Just got myself an o2 connection after many years on Zen (first at 2MB
then the 8MB package). o2 Speed and reliability seems ok so far
however, their ideas on security are scary.

First, they give out your o2 username on every outgoing email sent via
their smtp servers (which require authentication), it goes something
like this...

>Received: from main.lan (93.96.21.112) by mail.o2.co.uk (8.0.013.3) (authenticated as MYUSERNAME) id 47EBD0F803123B21 for (E-Mail Removed); Thu, 10 Apr 2008 10:10:13 +0100

Next, the router they provide (speedtouch) shows up an "unknown"
device as the first device on the Lan. Here's the divice listing
complete with mac and IP addresses.

> Unknown-00-03-fa-a9-d7-4a 93.96.16.1

So I have an actual networked device attached to my network from
outside. This is not a node, or a gateway, it's a network device
complete with Mac addy and fixed IP. here's the network whois info
(trimmed) on the IP...

>Network Whois record
>
>Queried whois.ripe.net with "-B 93.96.16.1"...

>% Information related to '93.96.0.0 - 93.96.255.255'
>
>inetnum: 93.96.0.0 - 93.96.255.255
>netname: UK-AVATARBROADBAND-20080125
>descr: Be Un Limited


>% Information related to '93.96.0.0/16AS35228'
>
>route: 93.96.0.0/16
>descr: Entire 3rd New block for BeUnlimited
>source: RIPE

So, if they just grab my "workgroup" ID they can have a good poke
around my "shared" files. Great eh?

Looks like I'll have to crawl back to Zen and beg forgiveness.

On Tue, 15 Apr 2008 15:33:50 +0100, Paul <(E-Mail Removed)> wrote:

> So I have an actual networked device attached to my network from
> outside. This is not a node, or a gateway, it's a network device
> complete with Mac addy and fixed IP. here's the network whois info
> (trimmed) on the IP...
>
>> Network Whois record
>>
>> Queried whois.ripe.net with "-B 93.96.16.1"...
>
>> % Information related to '93.96.0.0 - 93.96.255.255'
>>
>> inetnum: 93.96.0.0 - 93.96.255.255
>> netname: UK-AVATARBROADBAND-20080125
>> descr: Be Un Limited
>
>
>> % Information related to '93.96.0.0/16AS35228'
>>
>> route: 93.96.0.0/16
>> descr: Entire 3rd New block for BeUnlimited
>> source: RIPE
>
> So, if they just grab my "workgroup" ID they can have a good poke
> around my "shared" files. Great eh?

What packet types or protocols can "they" use to pass through the NATting
router with no forwards to access your LAN hosts that are sharing files?

> Looks like I'll have to crawl back to Zen and beg forgiveness.

Tony

Paul wrote:
> Just got myself an o2 connection after many years on Zen (first at 2MB
> then the 8MB package). o2 Speed and reliability seems ok so far
> however, their ideas on security are scary.
>
> First, they give out your o2 username on every outgoing email sent via
> their smtp servers (which require authentication), it goes something
> like this...
>
>> Received: from main.lan (93.96.21.112) by mail.o2.co.uk (8.0.013.3) (authenticated as MYUSERNAME) id 47EBD0F803123B21 for (E-Mail Removed); Thu, 10 Apr 2008 10:10:13 +0100

Well, that's interesting. I'm a pre-O2 Be customer. I'm on a different
email system (OutBlaze). I'd choose a very strong password if I were you.

>
> Next, the router they provide (speedtouch) shows up an "unknown"
> device as the first device on the Lan. Here's the divice listing
> complete with mac and IP addresses.
>
>> Unknown-00-03-fa-a9-d7-4a 93.96.16.1

<snip>

It's the gateway port... Same IP

> Looks like I'll have to crawl back to Zen and beg forgiveness.

Please do that. It'll mean a little more bandwidth for me :-p
Got 12mbps, could always do with a little more :-)

--
Adrian C

Paul wrote:

> Looks like I'll have to crawl back to Zen and beg forgiveness.

Unless things have changed if you wanted a /29 fron Zen they insisted on
registering it in your name which I found strange given the normal
advice to children not to give out personal details...

Andy.

PS I know I post from a server that gives out my ip address - but my
kids grew up, so I don't care anymore and it's not quite as "on a plate"
for anyone who uses msn and wants to get the details of who they are
talking to.

Paul wrote:
[snip]
> First, they give out your o2 username on every outgoing email sent via
> their smtp servers (which require authentication), it goes something
> like this...
>
>> Received: from main.lan (93.96.21.112) by mail.o2.co.uk (8.0.013.3) (authenticated as MYUSERNAME) id 47EBD0F803123B21 for (E-Mail Removed); Thu, 10 Apr 2008 10:10:13 +0100

There are countless email systems where the email address (or local-part
of the email address) is the username. Is it any worse to give away the
username part of the ADSL connection details?

> Next, the router they provide (speedtouch) shows up an "unknown"
> device as the first device on the Lan. Here's the divice listing
> complete with mac and IP addresses.
>
>> Unknown-00-03-fa-a9-d7-4a 93.96.16.1
>
> So I have an actual networked device attached to my network from
> outside.

It sounds likely that this is the remote gateway of the PPP connection.
In any case, I would be very surprised if it was anything to worry about.

Alex

Alex Fraser wrote:

>Paul wrote:
>[snip]
>> First, they give out your o2 username on every outgoing email sent via
>> their smtp servers (which require authentication), it goes something
>> like this...
>>
>>> Received: from main.lan (93.96.21.112) by mail.o2.co.uk (8.0.013.3) (authenticated as MYUSERNAME) id 47EBD0F803123B21 for (E-Mail Removed); Thu, 10 Apr 2008 10:10:13 +0100
>
>There are countless email systems where the email address (or local-part
>of the email address) is the username. Is it any worse to give away the
>username part of the ADSL connection details?

They tell their users to keep their username/password safe then give
out half of that info to every email recipient. Seems a tad daft to
me, but that aside, the main worry is that the breach is hidden, so
most users won't even know. Christ, I only checked myself because I
was being nosey.

>> Next, the router they provide (speedtouch) shows up an "unknown"
>> device as the first device on the Lan. Here's the divice listing
>> complete with mac and IP addresses.
>>
>>> Unknown-00-03-fa-a9-d7-4a 93.96.16.1
> >
>> So I have an actual networked device attached to my network from
>> outside.
>
>It sounds likely that this is the remote gateway of the PPP connection.

I agree.

>In any case, I would be very surprised if it was anything to worry about.

I wouldn't.

Andy Furniss wrote:

>Paul wrote:
>
>> Looks like I'll have to crawl back to Zen and beg forgiveness.
>
>Unless things have changed if you wanted a /29 fron Zen they insisted on
>registering it in your name which I found strange given the normal
>advice to children not to give out personal details...

Yes, the 8-IP addy option, not good.

>PS I know I post from a server that gives out my ip address - but my
>kids grew up, so I don't care anymore and it's not quite as "on a plate"
>for anyone who uses msn and wants to get the details of who they are
>talking to.

Can one's IP addy still be grabbed via msn these days?

Anthony R. Gold wrote:

>On Tue, 15 Apr 2008 15:33:50 +0100, Paul <(E-Mail Removed)> wrote:
>
>> So I have an actual networked device attached to my network from
>> outside. This is not a node, or a gateway, it's a network device
>> complete with Mac addy and fixed IP. here's the network whois info
>> (trimmed) on the IP...
>>
>>> Network Whois record

>>> inetnum: 93.96.0.0 - 93.96.255.255
>>> netname: UK-AVATARBROADBAND-20080125
>>> descr: Be Un Limited

>> So, if they just grab my "workgroup" ID they can have a good poke
>> around my "shared" files. Great eh?
>
>What packet types or protocols can "they" use to pass through the NATting
>router with no forwards to access your LAN hosts that are sharing files?

They can do what they like, they are connected to the router with as
much control as I have, if not more (hidden service menu?). O2 openly
claim to be able to access the router for service and update (firmware
etc.) issues. How hard would it be to configure their connection as
part of my local network via NAT on "their" router?

Adrian C wrote:

>Paul wrote:
>> Just got myself an o2 connection after many years on Zen (first at 2MB
>> then the 8MB package). o2 Speed and reliability seems ok so far
>> however, their ideas on security are scary.
>>
>> First, they give out your o2 username on every outgoing email sent via
>> their smtp servers (which require authentication), it goes something
>> like this...
>>
>>> Received: from main.lan (93.96.21.112) by mail.o2.co.uk (8.0.013.3) (authenticated as MYUSERNAME) id 47EBD0F803123B21 for (E-Mail Removed); Thu, 10 Apr 2008 10:10:13 +0100
>
>Well, that's interesting. I'm a pre-O2 Be customer. I'm on a different
>email system (OutBlaze). I'd choose a very strong password if I were you.

I use an alternative smtp server, much easier and safer.

>> Next, the router they provide (speedtouch) shows up an "unknown"
>> device as the first device on the Lan. Here's the divice listing
>> complete with mac and IP addresses.
>>
>>> Unknown-00-03-fa-a9-d7-4a 93.96.16.1
>
><snip>
>
>It's the gateway port... Same IP
>
>> Looks like I'll have to crawl back to Zen and beg forgiveness.
>
>Please do that. It'll mean a little more bandwidth for me :-p
>Got 12mbps, could always do with a little more :-)

No nntp server though eh? Forgot to ask that one *before* I subbed.

On Wed, 16 Apr 2008 16:56:40 +0100, Paul <(E-Mail Removed)> wrote:

> They can do what they like, they are connected to the router with as
> much control as I have, if not more (hidden service menu?). O2 openly
> claim to be able to access the router for service and update (firmware
> etc.) issues. How hard would it be to configure their connection as
> part of my local network via NAT on "their" router?

Sure they can log in to help you configure or update the router, but only
if you give them your router's administrative password.

Hidden service menu?

Attach to your LAN from the WAN side?

A wild guess - did you make your foil pyramid hat with the shiny side
facing inwards? I read somewhere they don't work properly that way around.

:-)

Tony