CYTA… Insecuring people

Posted in Blogs,Sys Admin Corner by admin on May 20th, 2011

Before I start, I would like to emphasize that i am not a “hacker”, neither a security expert. I am just another judgmental, pretty-disappointed Cyta subscriber, who enjoys messing around :)


 

It hasn’t been long since CYTA received a serious security blow, when all of their subscribers’ DSL Access and Cytanet credentials, including email passwords leaked to the public. Oh wait…actually that has been a while ago, back in 2001! Damn time flies by! :/

Back then the chaos began with the Code Red worm, affecting IIS of Windows NT/2K servers, which allowed attackers to easily gain access to a server and browse around its files. So their server affected by the worm, was the DSL Access authentication portal and all subscribers’ credentials, were stored in its log files! Oh the joy!

“Shit happens” you might think. Security is an infinite game of vulnerabilities and patches.

The sad thing though, was that the specific server wasn’t patched until almost TWO (2) YEARS LATER!!! The response time was UNACCEPTABLE!
This insecurity was affecting me as well. My email accounts’ passwords were in public view and there was nothing I could do! I tried notifying them, also escalating to their management with proofs etc, but nothing! Nobody seemed to care. Their only response was that the people supporting their platform from Israel, were notified and they will handle this issue!

Out of their SO MANY overpaid employees, an outsourced Israeli technician was needed to install a *bleep* Windows update for them? So so so sad, making me wonder where our hard earned money go!

Anyhow, the past is the past. I’ve been one of the first a Cyta DSL subscribers, and they remain my ISP, although I strongly believe they are not worth it.
On the way, other security issues came up… eg. the weak Wireless encryption (WEP) set by default on their modems. Also the easily calculatable Thomson/Speedtouch wireless keys (thanks to Thomson’s leaked algorithm).

These are clearly not Cyta’s fault, but there are many things they could do to secure their devices! But yet, recent subscribers get a modem preset with WEP encryption and the typical SSID; therefore anybody with minimum knowledge can obtain the default wireless key! In other words, your modem can serve the neighborhood with free internet, making your connection crawl if you are lucky. Taking a more extreme case, someone might perform illegal activities through your Internet connection, leaving you responsible for the consequences.

And finally, we come to the present! Just recently, Cyta has started forcing its subscribers to MANUALLY upgrade their modems’ firmware, by blocking all of their http requests to an internal site with upgrade instructions! So… no “upgrade” = no internet!

1

I have worked in an ISP’s network department for several years, and I know for sure that this is not how it’s supposed to be done :|
Obviously they have no central management of their devices… but let’s live with it! No harm done, other than showing some level of unprofessionalism and lack of organization on their behalf, and wasting some of the average user’s time (“some”, if everything goes well with the upgrade), and confusing the less skilled users.

So, what is this “upgrade” about? Do they fix the “free” Internet access points they have spread all over Cyprus? Sadly… NO!

This messy upgrade procedure is performed so they can just change their modems’ WAN_Admin password!!! And even this task, is performed as poorly as it can be done! Once again the insecurity masters have done it!
By simply viewing the contents of their compressed installer, you can see all the source code, the various firmware’s libraries along with their their customized “patch”!

 

 

Thousands of subscribers have to carry out this task, because many people got to know the modems’ original admin password. But the newly set password is thrown in clear text in an archive??? Unbelievable! WTF is happening here? In a multi-million semi-governmental company, there wasn’t a single person to say that THIS IS A MISTAKE?
What’s wrong Cyta? You are not paying your employees enough, to be bothered to work? (I highly doubt this last statement…. just its first part though)  :)

I know from first hand that the Authority employs some knowledgeable and worthy people. But on the other hand, this small amount of people in such a huge company, can’t be everywhere. The point of this post, was just a quick roadmap of failures of the Authority, and to express my bitter disappointment of how things work in such organization in Cyprus. I “suspect” that the situation is similar in most  (semi/)governmental organizations on the island.

Ever since I came back to Cyprus, I’ve been checking Cyta’s vacancies for a decent position, hoping I could live the “Cypriot Dream” some day, but had no luck.
<sarcasm> Apparently they are fully staffed and doing great! </sarcasm> :)

 

 

UPDATE: if you get stuck at the “need to upgrade” screen, and you are not willing to go through this ridiculous password-resetting process, simply visit: http://upgrademodem.cytanet.com.cy:81/?modem=ECI

By visiting this link, Cyta will register that you are using one of the old ECI brand modems, and allow you resume your browsing.

 

UPDATE (months/years later after this problem has been known):

 

From: support@cytanet.com.cy
Subject: Important Announcement – Σημαντική Ενημέρωση
Date: Tue, 21 Jun 2011 07:42:08 +0300

English message follows

Η CYTANET ΕΝΗΜΕΡΩΝΕΙ ΚΑΙ ΣΥΜΒΟΥΛΕΥΕΙ

Για την ασφάλεια της ασύρματης Wi-Fi σύνδεσής σας στο διαδίκτυο αλλάξτε τον εργοστασιακό κωδικό WPA του αποδιαμορφωτή σας

Αγαπητοί μας,
Αν χρησιμοποιείτε την ασύρματη σύνδεση Wi-Fi για να συνδέεστε στο διαδίκτυο, πρέπει να αλλάξετε τον εργοστασιακό κωδικό WPA του αποδιαμορφωτή σας για την ασφάλεια της σύνδεσής σας.
Οι οδηγίες για αλλαγή του κωδικού WPA (PSK ENCRYPTION KEY) βρίσκονται στην ιστοσελίδα της υπηρεσίας DSL Access της Cytanet στο www.cytanet-dslaccess.com.cy. Για ευκολότερη πρόσβαση Πατήστε εδώ.
Αν κατά τη διάρκεια της αλλαγής του κωδικού αντιμετωπίσετε πρόβλημα ή χρειάζεστε βοήθεια, παρακαλούμε όπως επικοινωνήσετε, χωρίς χρέωση, με το Κέντρο Τηλεφωνικής Εξυπηρέτησης της Cyta στον αριθμό 132, επιλέξτε Τεχνική Υποστήριξη (επιλογή 3) και μετά Υπηρεσία DSL Access (πάλι επιλογή 3).

Ομάδα Cytanet

Σας ευχαριστούμε που επιλέξατε την υπηρεσία Cytanet για την πρόσβαση σας στο Διαδίκτυο
Σκεφτείτε πριν να τυπώσετε
Cyta © 2011. All Rights Reserved.
INFORMATION AND ADVICE FROM CYTANET

For maximum security of your Wi-Fi wireless Internet connection,
change the modem’s factory settings for the WPA code

Dear customer,
If you connect to the Internet using the Wi-Fi wireless facility of your modem, you must change the factory settings of the WPA code to ensure maximum security for your connection.
Instructions on how to change the WPA (PSK ENCRYPTION KEY) code of your modem may be found on Cytanet’s DSL Access website at http://www.cytanet-dslaccess.com.cy/. For easier access Click here.
For assistance, please contact the Cyta Call Centre, free of charge, on 132, select Technical Support (press 3) and then DSL Access (again, press 3).

The Cytanet Team

Thank you for choosing Cytanet as your Internet Service Provider
Think before you print
Cyta © 2011. All Rights Reserved.

5 Responses to “CYTA… Insecuring people”

  1. Stefanos Demetriou Says:

    What are you saying? That there are people at Cyta who can write code? Amazing

  2. Geo Says:

    It is not a CYTA problem, as much as it is a Cyprus problem. You think these bright Cypriot graduates coming from the top universities in the UK and US with a Phd or Masters degree should want to come to Cyprus? Hell no, what’s the point of wasting all that knowledge in companies which can’t make use of them. What’s the point of working for a company just because it is in your home country of Cyprus but pays you peanuts for all the time you spent at university slaving your ass off to get that top grade just to come back and find out that you are earning below what the rest of the developed world earns. Not only that, Cyprus is expensive or at least not any cheaper to live in in proportion to salaries as let’s say Germany or the UK, where salaries are not only higher but things generally cost cheaper and standards of living are higher. Economies of scale? Yes of course, I am not blaming Cyprus for being small. But even so, and most important, how does that bright person benefit himself by being in Cyprus when his hard earned knowledge is of no use to companies which cannot turn it into money. Instead they sit that bright person in front of a computer doing customer support which any uneducated person could do in his sleep when really that person cries inside wondering why he took on the stupid job or why he was promised something far better than what it really is. Yes, Cyprus with its beautiful beaches and tasty tavernas sounds like paradise, but not in the real world. Take it from someone who is well-traveled and well-educated and has seen the reality of things from myself and other top Cypriot graduates of my generation.

    is that more or less answer your question as to why Cyta sucks?

  3. Frank Says:

    You are right Geo.
    I guess my expectations were set too high. It must be the millions of Euros they profit every year, that tricked me into that! :)

  4. DSi owner Says:

    I’ve been trawling the web for clues as to what blunderous changes Cyta has been making more recently – I noticed that inexplicably and without my knowledge or consent the security on my connection has gone from WEP to WPA, and yes I’ve read everywhere that it’s better but unfortunately it renders my Nintendo DSi incapable of connecting to the outside world. According to Nintendo sites the only way to go is to change security back to WEP. I will eventually find a solution but was wondering if anyone knew why and how this happened in the first place? I sure wish I had security against Cyta themselves…

  5. Fotis Says:

    “it must be the millions of Euros they profit every year.”

    As they be the most expencive while at the same time are the chipest in Greece. !

Leave a Reply

You must be logged in to post a comment.