Before I start, I would like to emphasize that i am not a “hacker”, neither a security expert. I am just another judgmental, pretty-disappointed Cyta subscriber, who enjoys messing around 🙂
It hasn’t been long since CYTA received a serious security blow, when all of their subscribers’ DSL Access and Cytanet credentials, including email passwords leaked to the public. Oh wait…actually that has been a while ago, back in 2001! Damn time flies by! :/
Back then the chaos began with the Code Red worm, affecting IIS of Windows NT/2K servers, which allowed attackers to easily gain access to a server and browse around its files. So their server affected by the worm, was the DSL Access authentication portal and all subscribers’ credentials, were stored in its log files! Oh the joy!
“Shit happens” you might think. Security is an infinite game of vulnerabilities and patches.
The sad thing though, was that the specific server wasn’t patched until almost TWO (2) YEARS LATER!!! The response time was UNACCEPTABLE!
This insecurity was affecting me as well. My email accounts’ passwords were in public view and there was nothing I could do! I tried notifying them, also escalating to their management with proofs etc, but nothing! Nobody seemed to care. Their only response was that the people supporting their platform from Israel, were notified and they will handle this issue!
Out of their SO MANY overpaid employees, an outsourced Israeli technician was needed to install a *bleep* Windows update for them? So so so sad, making me wonder where our hard earned money go!
Anyhow, the past is the past. I’ve been one of the first a Cyta DSL subscribers, and they remain my ISP, although I strongly believe they are not worth it.
On the way, other security issues came up… eg. the weak Wireless encryption (WEP) set by default on their modems. Also the easily calculatable Thomson/Speedtouch wireless keys (thanks to Thomson’s leaked algorithm).
These are clearly not Cyta’s fault, but there are many things they could do to secure their devices! But yet, recent subscribers get a modem preset with WEP encryption and the typical SSID; therefore anybody with minimum knowledge can obtain the default wireless key! In other words, your modem can serve the neighborhood with free internet, making your connection crawl if you are lucky. Taking a more extreme case, someone might perform illegal activities through your Internet connection, leaving you responsible for the consequences.
And finally, we come to the present! Just recently, Cyta has started forcing its subscribers to MANUALLY upgrade their modems’ firmware, by blocking all of their http requests to an internal site with upgrade instructions! So… no “upgrade” = no internet!
I have worked in an ISP’s network department for several years, and I know for sure that this is not how it’s supposed to be done 😐
Obviously they have no central management of their devices… but let’s live with it! No harm done, other than showing some level of unprofessionalism and lack of organization on their behalf, and wasting some of the average user’s time (“some”, if everything goes well with the upgrade), and confusing the less skilled users.
So, what is this “upgrade” about? Do they fix the “free” Internet access points they have spread all over Cyprus? Sadly… NO!
This messy upgrade procedure is performed so they can just change their modems’ WAN_Admin password!!! And even this task, is performed as poorly as it can be done! Once again the insecurity masters have done it!
By simply viewing the contents of their compressed installer, you can see all the source code, the various firmware’s libraries along with their their customized “patch”!
Thousands of subscribers have to carry out this task, because many people got to know the modems’ original admin password. But the newly set password is thrown in clear text in an archive??? Unbelievable! WTF is happening here? In a multi-million semi-governmental company, there wasn’t a single person to say that THIS IS A MISTAKE?
What’s wrong Cyta? You are not paying your employees enough, to be bothered to work? (I highly doubt this last statement…. just its first part though) 🙂
I know from first hand that the Authority employs some knowledgeable and worthy people. But on the other hand, this small amount of people in such a huge company, can’t be everywhere. The point of this post, was just a quick roadmap of failures of the Authority, and to express my bitter disappointment of how things work in such organization in Cyprus. I “suspect” that the situation is similar in most (semi/)governmental organizations on the island.
Ever since I came back to Cyprus, I’ve been checking Cyta’s vacancies for a decent position, hoping I could live the “Cypriot Dream” some day, but had no luck.
<sarcasm> Apparently they are fully staffed and doing great! </sarcasm> 🙂
UPDATE: if you get stuck at the “need to upgrade” screen, and you are not willing to go through this ridiculous password-resetting process, simply visit: http://upgrademodem.cytanet.com.cy:81/?modem=ECI
By visiting this link, Cyta will register that you are using one of the old ECI brand modems, and allow you resume your browsing.
UPDATE (months/years later after this problem has been known):
Subject: Important Announcement – Σημαντική Ενημέρωση
Date: Tue, 21 Jun 2011 07:42:08 +0300
English message follows
Η CYTANET ΕΝΗΜΕΡΩΝΕΙ ΚΑΙ ΣΥΜΒΟΥΛΕΥΕΙ
Για την ασφάλεια της ασύρματης Wi-Fi σύνδεσής σας στο διαδίκτυο αλλάξτε τον εργοστασιακό κωδικό WPA του αποδιαμορφωτή σας
Αν χρησιμοποιείτε την ασύρματη σύνδεση Wi-Fi για να συνδέεστε στο διαδίκτυο, πρέπει να αλλάξετε τον εργοστασιακό κωδικό WPA του αποδιαμορφωτή σας για την ασφάλεια της σύνδεσής σας.
Οι οδηγίες για αλλαγή του κωδικού WPA (PSK ENCRYPTION KEY) βρίσκονται στην ιστοσελίδα της υπηρεσίας DSL Access της Cytanet στο www.cytanet-dslaccess.com.cy. Για ευκολότερη πρόσβαση Πατήστε εδώ.
Αν κατά τη διάρκεια της αλλαγής του κωδικού αντιμετωπίσετε πρόβλημα ή χρειάζεστε βοήθεια, παρακαλούμε όπως επικοινωνήσετε, χωρίς χρέωση, με το Κέντρο Τηλεφωνικής Εξυπηρέτησης της Cyta στον αριθμό 132, επιλέξτε Τεχνική Υποστήριξη (επιλογή 3) και μετά Υπηρεσία DSL Access (πάλι επιλογή 3).
Σας ευχαριστούμε που επιλέξατε την υπηρεσία Cytanet για την πρόσβαση σας στο Διαδίκτυο
Σκεφτείτε πριν να τυπώσετε
Cyta © 2011. All Rights Reserved.
INFORMATION AND ADVICE FROM CYTANET
For maximum security of your Wi-Fi wireless Internet connection,
change the modem’s factory settings for the WPA code
If you connect to the Internet using the Wi-Fi wireless facility of your modem, you must change the factory settings of the WPA code to ensure maximum security for your connection.
Instructions on how to change the WPA (PSK ENCRYPTION KEY) code of your modem may be found on Cytanet’s DSL Access website at http://www.cytanet-dslaccess.com.cy/. For easier access Click here.
For assistance, please contact the Cyta Call Centre, free of charge, on 132, select Technical Support (press 3) and then DSL Access (again, press 3).
The Cytanet Team
Thank you for choosing Cytanet as your Internet Service Provider
Think before you print
Cyta © 2011. All Rights Reserved.