Story image

DSL lines vulnerable to attack

18 Nov 09

For just $1000 a corporate spy can buy equipment to hack into a business’s DSL connection and access – even change – highly confidential information.
That’s according to Carl Purvis from Security-Assessment.com, a company that’s affiliated with Datacraft. It has released a media statement today claiming the scale of network vulnerability is “enormous”, with 1.1 million DSL connections in New Zealand potentially at risk.
“Purvis believes this vulnerability should be of particular concern to the thousands of New Zealand companies that communicate daily data via corporate networks that utilise DSL as an access mechanism. These companies include banks, government departments and retailers as well as many of the country’s largest organisations,” the statement reads.
Security-Assessment general manager Doug Browne says the company is the first in the world to discover the security risk to DSL lines, and he believes they are acting responsibly by releasing the information to the media. He wouldn’t say if the company had taken its information to Telecom, the owner of the DSL infrastructure in New Zealand.
“We’ve disclosed to communities the research we have, I can’t tell you if we’ve directly dealt with Telecom or not.”
In the course of his research Purvis used a DSLAM and “home-built kit, a mini server platform” to hack into six different home and business connections. The media release claims this attack can be carried out by a malicious users parked outside a premise. Although Purvis didn’t try this, he believes it could be done by breaking into a juncture box.
Purvis describes the security risk as a “man in the middle” attack, where the spy physically attaches his or her own network infrastructure to a company’s DSL line. The attack then mimics the user’s ISP, forcing the user’s personal DSL modem to pass all traffic through an inspection tool running on a portable server platform.
“A malicious attacker could, for example, connect to a branch office of a large company, gain access to its customer database and use the information within that database to contact the customers with competing product offerings.”
Purvis says that at this stage there are no effective security controls which can be implemented en masse to reduce the risk from this attack.

Opinion: Critical data centre operations is just like F1
Schneider's David Gentry believes critical data centre operations share many parallels to a formula 1 race car team.
MulteFire announces industrial IoT network specification
The specification aims to deliver robust wireless network capabilities for Industrial IoT and enterprises.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.
DigiCert conquers Google's distrust of Symantec certs
“This could have been an extremely disruptive event to online commerce," comments DigiCert CEO John Merrill. 
Schneider Electric's bets for the 2019 data centre industry
From IT and telco merging to the renaissance of liquid cooling, here are the company's top predictions for the year ahead.
China to usurp Europe in becoming AI research world leader
A new study has found China is outpacing Europe and the US in terms of AI research output and growth.
Google says ‘circular economy’ needed for data centres
Google's Sustainability Officer believes major changes are critical in data centres to emulate the cyclical life of nature.
52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.