I think I'm going back to paper cups and string.....

Post by Susan Bradley, CPA/CITP - aka E-bit » Thu, 12 Apr 2001 14:07:08



They can hack into our computers, get around our firewalls, and
apparently now can attack our ADSL modems.......

you think two paper cups and string might be secure?

Susan Bradley

The San Diego Supercomputer Center (SDSC) has recently discovered
   several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital
   Subscriber Line (ADSL) modem. These vulnerabilities are the result of
   weak authentication and access control policies and exploiting them
   will lead to one or more of the following: unauthorized access,
   unauthorized monitoring, information leakage, denial of service, and
   permanent disability of affected devices.

   The SDSC has published additional information regarding these
   vulnerabilities at

          http://security.sdsc.edu/self-help/alcatel/

 
 
 

Post by SuperGumb » Thu, 12 Apr 2001 15:33:45


> you think two paper cups and string might be secure?

only if you can see the other end.

 
 
 

Post by Steve Foste » Thu, 12 Apr 2001 17:02:36


Depends on whether we're talking wet or dry string...

Steve Foster



> you think two paper cups and string might be secure?

 
 
 

Post by Andri ?rvar Baldvinsso » Thu, 12 Apr 2001 21:19:36


I'm wondering what opinions you have about ISPs that refuse to disclose
passwords to owners/users, as stated in the URL provided by Susan.

Is it a good or bad thing?

Any good URLs with insight into this matter?

Andri



> They can hack into our computers, get around our firewalls, and
> apparently now can attack our ADSL modems.......

> you think two paper cups and string might be secure?

> Susan Bradley

> The San Diego Supercomputer Center (SDSC) has recently discovered
>    several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital

>    Subscriber Line (ADSL) modem. These vulnerabilities are the result of

>    weak authentication and access control policies and exploiting them
>    will lead to one or more of the following: unauthorized access,
>    unauthorized monitoring, information leakage, denial of service, and
>    permanent disability of affected devices.

>    The SDSC has published additional information regarding these
>    vulnerabilities at

>           http://security.sdsc.edu/self-help/alcatel/

 
 
 

Post by Jeff Middleton [SBS-MVP » Thu, 12 Apr 2001 22:39:29


This is a pretty simple matter, really.

If the ISP provides you with the device in order to facilitate connecting
you to their service, you can take the implication that it's there to make
the wires meet.  If the ISP provides you with a contract which *guarantees*
you will not be hacked because they have provided this same device as a
firewall, then you have a security device, not a device that connects wires.
If the ISP is taking responsibility for this device, then they have the
right to secure it from you or anyone else.

In the event that you want to have control of your own firewall, then you
simply purchase one and put it between their device and yours.  I don't
really consider that I have the right to TELL the ISP that they must give me
control of their interconnecting hardware. However, if the ISP fails to
provide me adequate protection in a reasonable manner, you can take a legal
course from there, at least in the US.



> I'm wondering what opinions you have about ISP that refuse to disclose
> passwords to owner/users as stated in the url provided by Susan.

> Is it a good or bad thing ?

> Any good urls, with insight into this matter

> Andri



> > They can hack into our computers, get around our firewalls, and
> > apparently now can attack our ADSL modems.......

> > you think two paper cups and string might be secure?

> > Susan Bradley

> > The San Diego Supercomputer Center (SDSC) has recently discovered
> >    several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital

> >    Subscriber Line (ADSL) modem. These vulnerabilities are the result of

> >    weak authentication and access control policies and exploiting them
> >    will lead to one or more of the following: unauthorized access,
> >    unauthorized monitoring, information leakage, denial of service, and
> >    permanent disability of affected devices.

> >    The SDSC has published additional information regarding these
> >    vulnerabilities at

> >           http://security.sdsc.edu/self-help/alcatel/

 
 
 

Post by John Ashle » Thu, 12 Apr 2001 23:19:25


A not-to-be-named xDSL ISP I have worked with often never wanted to give me
access to the clients' routers... One day there was an emergency situation and
they could not telnet to it... I could telnet locally, so they grudgingly gave
me the password.   It was ADMIN.  Real secure.



> I'm wondering what opinions you have about ISP that refuse to disclose
> passwords to owner/users as stated in the url provided by Susan.

> Is it a good or bad thing ?

> Any good urls, with insight into this matter

> Andri



> > They can hack into our computers, get around our firewalls, and
> > apparently now can attack our ADSL modems.......

> > you think two paper cups and string might be secure?

> > Susan Bradley

> > The San Diego Supercomputer Center (SDSC) has recently discovered
> >    several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital

> >    Subscriber Line (ADSL) modem. These vulnerabilities are the result of

> >    weak authentication and access control policies and exploiting them
> >    will lead to one or more of the following: unauthorized access,
> >    unauthorized monitoring, information leakage, denial of service, and
> >    permanent disability of affected devices.

> >    The SDSC has published additional information regarding these
> >    vulnerabilities at

> >           http://security.sdsc.edu/self-help/alcatel/

 
 
 

Post by Dave Nickaso » Thu, 12 Apr 2001 23:49:07


I have the basic adsl service from our telco, which is really
residential-class service.  However, I consistently connect at over 700k,
and the cost is $40 per month.  They don't want to support anything at all
other than their standard configuration, and they will not give out the
router password.  I even tried to bribe or cajole it out of a tech guy who
was here one day, but he said they wouldn't even give it to him.  They
configure them at their office before they deploy them, and the
configurations are never changed, so no one needs the password.

When I got a little hot about this (because of their highly annoying dhcp
configuration), they suggested that I get sdsl, business-class service.
It's 256k guaranteed, instead of my current 700-1100k, and it's $180 instead
of my current $40.  But I can use static IP, and configure the router any
way I want to.



> I'm wondering what opinions you have about ISP that refuse to disclose
> passwords to owner/users as stated in the url provided by Susan.

> Is it a good or bad thing ?

> Any good urls, with insight into this matter

> Andri



> > They can hack into our computers, get around our firewalls, and
> > apparently now can attack our ADSL modems.......

> > you think two paper cups and string might be secure?

> > Susan Bradley

> > The San Diego Supercomputer Center (SDSC) has recently discovered
> >    several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital

> >    Subscriber Line (ADSL) modem. These vulnerabilities are the result of

> >    weak authentication and access control policies and exploiting them
> >    will lead to one or more of the following: unauthorized access,
> >    unauthorized monitoring, information leakage, denial of service, and
> >    permanent disability of affected devices.

> >    The SDSC has published additional information regarding these
> >    vulnerabilities at

> >           http://security.sdsc.edu/self-help/alcatel/

 
 
 

Post by Gary Karasi » Fri, 13 Apr 2001 00:57:06


I think there's a distinction to be made between whether I buy or
rent/lease the device. If the ISP requires me to buy it, then I should
have full access to it. If it remains the possession of the ISP, and
they are responsible for maintaining it, i.e. they repair/replace it if
it breaks, then they can call the shots.

GaryK


> This is a pretty simple matter, really.

> If the ISP provides you with the device in order to facilitate connecting
> you to their service, you can take the implication that it's there to make
> the wires meet.  If the ISP provides you with a contract which *guarantees*
> you will not be hacked because they have provided this same device as a
> firewall, then you have a security device, not a device that connects wires.
> If the ISP is taking responsibility for this device, then they have the
> right to secure it from you or anyone else.

> In the event that you want to have control of your own firewall, then you
> simply purchase one and put it between their device and yours.  I don't
> really consider that I have the right to TELL the ISP that they must give me
> control of their interconnecting hardware. However, if the ISP fails to
> provide me adequate protection in a reasonable manner, you can take a legal
> course from there, at least in the US.



> > I'm wondering what opinions you have about ISP that refuse to disclose
> > passwords to owner/users as stated in the url provided by Susan.

> > Is it a good or bad thing ?

> > Any good urls, with insight into this matter

> > Andri



> > > They can hack into our computers, get around our firewalls, and
> > > apparently now can attack our ADSL modems.......

> > > you think two paper cups and string might be secure?

> > > Susan Bradley

> > > The San Diego Supercomputer Center (SDSC) has recently discovered
> > >    several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital

> > >    Subscriber Line (ADSL) modem. These vulnerabilities are the result of

> > >    weak authentication and access control policies and exploiting them
> > >    will lead to one or more of the following: unauthorized access,
> > >    unauthorized monitoring, information leakage, denial of service, and
> > >    permanent disability of affected devices.

> > >    The SDSC has published additional information regarding these
> > >    vulnerabilities at

> > >           http://security.sdsc.edu/self-help/alcatel/

 
 
 

Post by Dan Harmo » Fri, 13 Apr 2001 01:17:40



> I have the basic adsl service from our telco, which is really
> residential-class service.  However, I consistently connect at over 700k,
> and the cost is $40 per month.  They don't want to support anything at all
> other than their standard configuration, and they will not give out the
> router password.  I even tried to bribe or cajole it out of a tech guy who
> was here one day, but he said they wouldn't even give it to him.  They
> configure them at their office before they deploy them, and the
> configurations are never changed, so no one needs the password.

Have you tried "ADMIN?" ;)
 
 
 

Post by Barry Munr » Fri, 13 Apr 2001 07:52:15


Exactly.
In Oz, buy ADSL from our only telco, you gotta use their Alcatel modem.
Accreditation list slowly grows through alternative modems/routers though.
It's young here, this xDSL thing.
But, with few users yet, bandwidth is huge & quick, uploads from boxes
excellent.
IP addressing for sites nearly impossible, a few ISPs are offering it, but
passthru their systems at bandwidth penalty.
Mebbe sense will shine through mid year ??
ISDN ($$$$'s) still the only way to serve out stuff, so far.
We wait in hope.



> This is a pretty simple matter, really.

> If the ISP provides you with the device in order to facilitate connecting
> you to their service, you can take the implication that it's there to make
> the wires meet.  If the ISP provides you with a contract which *guarantees*
> you will not be hacked because they have provided this same device as a
> firewall, then you have a security device, not a device that connects wires.
> If the ISP is taking responsibility for this device, then they have the
> right to secure it from you or anyone else.

> In the event that you want to have control of your own firewall, then you
> simply purchase one and put it between their device and yours.  I don't
> really consider that I have the right to TELL the ISP that they must give me
> control of their interconnecting hardware. However, if the ISP fails to
> provide me adequate protection in a reasonable manner, you can take a legal
> course from there, at least in the US.

> > I'm wondering what opinions you have about ISP that refuse to disclose
> > passwords to owner/users as stated in the url provided by Susan.

> > Is it a good or bad thing ?

> > Any good urls, with insight into this matter

> > Andri

> > > They can hack into our computers, get around our firewalls, and
> > > apparently now can attack our ADSL modems.......

> > > you think two paper cups and string might be secure?

> > > Susan Bradley

> > > The San Diego Supercomputer Center (SDSC) has recently discovered
> > >    several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital
> > >    Subscriber Line (ADSL) modem. These vulnerabilities are the result of
> > >    weak authentication and access control policies and exploiting them
> > >    will lead to one or more of the following: unauthorized access,
> > >    unauthorized monitoring, information leakage, denial of service, and
> > >    permanent disability of affected devices.

> > >    The SDSC has published additional information regarding these
> > >    vulnerabilities at

> > >           http://security.sdsc.edu/self-help/alcatel/

 
 
 

Post by Robert D. Mays, Jr » Fri, 13 Apr 2001 23:34:52


Or possibly no password, or the name of the router manufacturer?  I know of
at least one xDSL provider that has a mixture - some of their DSL modems
(not really routers) have no password on them, others simply use cisco - I
sure hope they've got a good firewall/filter in place.
   -Bob




> > I have the basic adsl service from our telco, which is really
> > residential-class service.  However, I consistently connect at over 700k,
> > and the cost is $40 per month.  They don't want to support anything at all
> > other than their standard configuration, and they will not give out the
> > router password.  I even tried to bribe or cajole it out of a tech guy who
> > was here one day, but he said they wouldn't even give it to him.  They
> > configure them at their office before they deploy them, and the
> > configurations are never changed, so no one needs the password.

> Have you tried "ADMIN?" ;)

 
 
 
