Sprint DSL's Security Hole Easy As 1,2,3,4
An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.
DMCA (Score:1, Interesting)
Home users (Score:5, Interesting)
How are they supposed to know? (Score:5, Interesting)
So here's the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunately his modem is now vulnerable to whatever nastiness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?
Local vs. National ISP (Score:5, Interesting)
What is the big deal for Sprint to fix this? (Score:5, Interesting)
Re:Not Sprint's fault... (Score:5, Interesting)
I've had DSL for over a year and this is the first I hear about my modem even HAVING a password. For what?
And I'm in the upper n-th percentile of computer literacy. Unless Verizon and Sprint differ significantly in how they do DSL, there's no WAY that Sprint's customers would have even known this password existed.
I don't understand how hard it could be.... (Score:2, Interesting)
xDSL passwords (Score:2, Interesting)
All of your big boy companies have crappy passwords. PacBell (now SBC, say their commercials) I have found to be the worst... When I notify the customer they all have the same reaction *blank_look*what password*/blank_look*.
In contrast some of the smaller xDSL providers seem to be more on the ball with these things.
I usually change the password and write down the password and network info then tape it to the top of the modem with my company tech support number. What really gets me mad is the big boy providers never even bother to tell their clients about the need to change the password... I mean how goddamn hard is it to tell em that.
One more thing... one more luggage joke and I'm going to have to kill someone...
Vidomi [vidomi.com] Killer media player and network distributed video encoder.
Wired is polling modems? (Score:5, Interesting)
Isn't this wrong?
Back in 1997 or so, I admin'd for my father's company. We had a massive DDoS-type attack from about 100 or so IPs on our ISP's network. These were all trying to infect the machine with Back Orifice, but since it was already patched, they just DoS'd the box.
When the DoS was done, I promptly and naively swept the ISP's class-B for open port 31337 (Back Orifice). Well, I got about halfway through my sweep (and found about 20 infected machines) when the ISP disconnected me.
They killed my account, and when I pressed them for the reason, it finally came out that they terminated me for hacking. We went round and round, and I eventually got them to turn the account back on, but they kept their eye on me for quite some time.
I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.
Anyone care to comment?
Spammers Love 'Em! (Score:5, Interesting)
Re:Isn't anyones fault. (Score:2, Interesting)
Why not use the serial number? (Score:5, Interesting)
A strange loosening in my bowels... (Score:2, Interesting)
and I wonder...
Interesting non-scientific Password Survey (Score:2, Interesting)
Results collected:
30% used 123 or abc equivalent depending on length*
19% used their name or combo (like JDoe or JohnD)
16% used a date or part of (not b-day)
9% used their birthday (or part of)
6% used their name backwards
5% used a pet name
15% other**
* 63% of the people who used 123(4) used it on their luggage.
** 3% of this "other" was something like "asdf" or "qwerty" or "jkl;" (presumably for computer-related passwords). "Other" also included stuff like phone numbers, names of other people, street addresses, and some just checked the box 'other' with no explanation.
100% used an xx-xx-xx type numerical combination for their lockers, not including those who jam theirs always open.
Re:This is a suprise to everyone? (Score:5, Interesting)
My question is, why are these things even listening on the external interface? I set one of these boxes up for a friend recently, and I couldn't find a single way to block tftp/telnet/http from the outside. What's worse is that these modems are quite clearly running Netgear firmware, which by default doesn't allow connections externally. So, someone at either ZyXEL or Sprint actively decided that these boxes should allow administrative control from anywhere.
This is nothing new (Score:5, Interesting)
Perhaps the problem arises because we have so many passwords to remember. My solution is to have one password for most of my accounts, which I share with nobody. This led to a nasty family argument, when I refused to tell my password to my daughter so that she could log on to my Linux box at home. That was solved by giving her an account of her own.
Another possibility is that most people are simply unaware of the need for security. I got a taste of this when I taught an introductory course on Unix to a group at one company who shared files with each other. When I asked how they did it, they told me that each one of them posted a little yellow sticky with their userid and password on their monitors so whoever had to could simply log on as them!!
Re:obligatory reference (Score:3, Interesting)
Sprint Install Techs say "no need" (Score:2, Interesting)
Greaaaaaaaaat.
Re:How are they supposed to know? (Score:3, Interesting)
So let me get this straight. You're supposed to administer your own DSL modem ... but if you administer your own cable modem, you run the risk of the police busting down your door. Do I have it right?
What a confusing world we live in.
Re:Totally unprofessional (Score:3, Interesting)
I did NOT give them permission to access my network.
Your network? You're the one accessing Sprint's network. Does the modem even belong to you? I was under the impression that DSL customers leased modems.
It would have been sufficient to take Sprint's word for it and post the story. There was no need to go snooping where they don't belong.
Um, are you familiar with the phrase "investigative journalism"? If they had heard about this default password from some other source, and Sprint had issued a denial, would it have been sufficient to take Sprint's word for it?
My former DSL ISP was even more stupid (Score:4, Interesting)
Re:1234 (Score:3, Interesting)
Oh boy, how much do I agree. The difference however seems to be that Sybase makes it excessively clear that you must change the sa password after installation (even better: create an account with appropriate privileges and lock down sa) in their installation/configuration manual for the respective platform.
Even though I think Microsoft is a deeply unethical and dishonest company, which screws its customers from front, back and the side and has an abysmal track record regarding security, they didn't deserve the bad press regarding this "hole".
The Sprint issue seems very different though; from what I read they provide the DSL modem as an appliance, which they own and maintain, and they should be held responsible for their incompetence or laziness.
If I as a database consultant set up SQL Server (or any other database engine for that matter) it is my professional responsibility to apply basic industry standard security practices to the product which I installed. If I ship you a CD with PostgreSQL on it, it's your responsibility to read the installation manual and apply such fundamental changes yourself. It's that simple.
duh (Score:2, Interesting)
It's not like this type of stuff is uncommon.