Aardvark Daily
The world's longest-running online daily news and commentary publication, now in its 30th year. The opinion pieces presented here are not purported to be fact but reasonable effort is made to ensure accuracy. Content copyright © 1995 - 2025 to Bruce Simpson (aka Aardvark), the logo was kindly created for Aardvark Daily by the folks at aardvark.co.uk
After what has almost certainly been the biggest email fiasco in the history of the internet in New Zealand, perhaps it's now time to do a postmortem of the way this situation was handled.
Perhaps we can start by documenting the timeline...
Back in November 2012, the world was alerted to a cross-site scripting vulnerability in the YahooMail system.
By December, the exploit was for sale online, with its author making code available online to any hacker that wanted it for a reasonably small amount.
In January of this year, Yahoo eventually announced that they'd patched the hole.
Unfortunately, they hadn't -- and the exploits continued.
A week or so later, they announced that *this time* they'd fixed the problem.
Unfortunately, they hadn't -- and the exploits continued.
A couple of weeks later, I got hit by this and wrote a column about my experiences.
Soon it was February and, despite the ongoing exploits and the fact that Yahoo must have been aware that they still had a problem, there was still *no* warning from the company. Indeed, quite the opposite. They continued to deny the problem and swear that all was well because they'd patched the hole.
Then, a week or so later, Telecom's customer-base was hit by the very same XSS exploit -- because Xtra outsources its email service to Yahoo.
Now you'd think that Yahoo would have stepped in, belatedly briefed the technically naive people at Telecom and fessed up to the problems -- but no!
Instead, victims and potential victims were given a whole lot of BS about "phishing" attacks and told that it was *their* fault. Based on what they were told, many people rushed out and spent hundreds of dollars on new anti-virus software to supposedly "secure" their systems.
Unfortunately for them (and to their financial cost), the problem wasn't *their* computers but the systems at Yahoo -- and still people were being treated like mushrooms, with nobody prepared to accept that the fault was solely Yahoo/Xtra's.
And now, tens of thousands of Xtra/Yahoo mail users have been forced to change their passwords, by spending *hours* on hold and then negotiating the process with a call-centre operator.
What a stuff-up of the most gargantuan proportions!
So what have we learned from this?
Firstly, Yahoo's role in this is reprehensible. They have tried to deflect criticism by denying fault and repeatedly claiming to fix a problem that has persisted for several months now. It would also appear (although I could be wrong) that when approached by Xtra, they fed them a line of BS too -- once again denying any fault on their part when they must have known the exact opposite was true.
Secondly, Telecom/Xtra has become a clerical and sales operation -- seemingly completely lacking anyone with even the most basic technical skills. Surely, given the size of their customer-base and the profits generated, they could afford to hire someone (even if just as a consultant on a retainer) who keeps an eye on the industry and warns them in advance of potential vulnerabilities that could affect their users. Hell, they could even read this column from time to time to get a "heads-up" -- and it's FREE!
So where to from here?
Well, Telecom are sabre-rattling and suggesting they'll outsource their email to some other, more trustworthy provider. Given Yahoo's outrageous unwillingness to own this problem, that is probably not a silly idea. However, I have no doubt at all, given the proven lack of tech nous on the part of Xtra, that they'd simply be jumping from the frying pan into the fire.
Who remembers "the good old days" when ISPs actually had people who knew a phishing attack from an XSS vulnerability and where the help desk had tech-savvy people instead of someone with an Indian accent who starts the conversation by reading "please be rebooting your mouse" from the first line of their script?