Cable Technology Feature Article
Bell Canada, Comcast Hacked - But They're Awfully Quiet About It
By Tara Seals, TMCnet Contributor
After lying dormant for a few months, NullCrew, the hacktivist collective, is back in action with back-to-back hacks of Bell Canada and Comcast last week. Unfortunately, the news didn’t prompt aggressive action from either provider.
NullCrew FTS first carried out what it says was an SQL injection attack against telco Bell Canada on Feb. 1, accessing account login and password details for more than 22,000 small business customers of Bell's Internet service. They said they contacted Bell customer support two weeks before disclosing the information but that the issue was never escalated to where it could be investigated and handled properly.
Bell Canada acknowledged that "22,421 user names and passwords and five valid credit card numbers of Bell small-business customers were posted on the Internet this weekend," but the company said that the perpetrators didn’t actually breach its systems. Rather, they were "posting results from illegal hacking of an Ottawa-based third-party supplier." It has been mum since then on the situation.
A few days later, NullCrew exploited an unpatched security vulnerability, CVE-2013-7091, to gain access to usernames, passwords and other sensitive details from Comcast's servers. It said that 34 Comcast mail servers are victims of the vulnerability found in Zimbra, the groupware used by the No. 1 cable MSO. The flaw, which allows local file inclusion and thus compromise, was actually disclosed in December 2013, indicating that Comcast was negligent in failing to patch its systems.
In this case, the hackers said that they contacted the company via their @NullCrew_FTS Twitter handle: "Fix the vulnerabilities in your mail servers before we pwn them? Zimbra sucks, didn't you know?"
"NullCrew exploited an unpatched security vulnerability […] to gain access to usernames, passwords and other sensitive details from Comcast's environment," wrote Chester Wisniewski in the Sophos NakedSecurity blog. "None of us can assume that it will take time, especially 60 days, for criminals to determine they can take advantage of flaws in our programs," adds Wisniewski.
A posting on the popular hacker-friendly message board Pastebin contained information from NullCrew FTS on the hack, including the list of the vulnerable Comcast servers running Zimbra. The posting has since been removed.
In addition to the apparent failing of the customer service organizations at play and Comcast’s lack of patching attention, neither company has been particularly responsive to media enquiries asking about those allegations. Comcast finally came out with a simple statement on its breach: "We're aware of the situation and are aggressively investigating it. We take our customers' privacy and security very seriously, and we currently have no evidence to suggest any personal customer information was obtained in this incident."
Edited by Blaise McNamee