[Dshield] Covad security attitude

Johannes Ullrich jullrich at euclidian.com
Thu Jul 24 12:40:43 GMT 2003

> Wow - I guess I really *am* lucky.  My ISP gave me the router password
> (though if I shoot myself in the foot, they will tell me to go back to
> the defaults they set up ;-)  

Well, I can somewhat understand that they don't give you the password.
The installer mentioned that they had a few 'mishaps' with customers
messing up routers and as a result, they had to send technicians out
to fix it (each trip to a customer costs them about $300).

> Just curious, what is the 'odd' configuration? 

The one that bugged me the most was that they left the SNMP community
string at 'public'. While I don't think this is an easy 'get root'
issue, it's bad practice and does allow for some information
disclosure (e.g. IP configuration, overall router stats).

It would be nice if they at least limited access to the web/telnet admin
interface or turned off whatever they don't need. With my old ISP, I just
turned off all remote admin and only left the console port for admin
open. Never had an issue with that (of course, if something went
wrong, I would need to open it up for them).

> However, Johannes, you're actually in a pretty good place here.  You
> might want to send a nice letter to their marketing folks, introducing
> yourself and using words like "SANS Institute" and "IT Security expert"

Yes. I was thinking about pulling that card. Maybe I will resort to
that. But I'd rather have them fix it for all customers.

> and I were to use the incident as a case study at one of the next
> Conferences?"

It already made it into the 'margin notes' for my next talk ;-)

> Of course, a more pragmatic approach would be to set up a Smoothwall on
> your side of the router, and then "firewall" your network off from the
> beastie.  This is what I was looking at, when I asked my question late
> last week.

Yes. I do not rely on the router for any protection as far as my systems
are concerned. But it still leaves me open to simple DoS attacks (e.g.
random people shutting down my router), privacy issues (anybody can see
how much data I am transmitting, and for example guess at what times I
am up/asleep by looking at the traffic patterns), and some 'man in the
middle' issues, which are not all that severe as I assume every byte
leaving my firewall is 'broadcast' anyway.

Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
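The message above is about a router shipped with the SNMP read community left at the default 'public'. The following is an added example (not code from the list post or from the ISP) of how an administrator can verify their *own* router's setting: it hand-encodes an SNMPv1 GetRequest for sysDescr.0 in BER, decodes the GetResponse, and flags the case where the device answers a read with the default community. The router address, the response bytes and the sysDescr text are constructed for the offline demonstration; nothing here touches the network unless `probe_own_router` is called against a host you administer.

```python
"""Audit your own router for an SNMPv1 read community left at 'public'.

Added example with no third-party dependencies. The only community string
treated as a 'default' is the one the message names; extend DEFAULT_COMMUNITY
from your own device documentation if needed.
"""
import socket
from typing import Dict, Optional, Sequence, Tuple

DEFAULT_COMMUNITY = "public"                      # the value the post complains about
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)       # SNMPv2-MIB::sysDescr.0
ROUTER_PLACEHOLDER = "192.0.2.1"                  # documentation address, replace with your router


# --- BER encoding -----------------------------------------------------------
def _length(n: int) -> bytes:
    """Definite-form BER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (0 encodes as a single 0x00)."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(arcs: Sequence[int]) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid=SYS_DESCR_OID, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest (PDU tag 0xA0) for a single OID with a NULL value."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_response(community: str, sys_descr: str, oid=SYS_DESCR_OID, request_id: int = 1) -> bytes:
    """Constructed GetResponse (PDU tag 0xA2), used here to exercise the decoder offline."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, sys_descr.encode()))
    pdu = _tlv(0xA2, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)


# --- BER decoding -----------------------------------------------------------
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(packet: bytes) -> Dict[str, object]:
    """Decode an SNMPv1 GetResponse into version, community, error status and first value."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _req_id, p = _read_tlv(pdu, 0)
    _, err_status, p = _read_tlv(pdu, p)
    _, _err_index, p = _read_tlv(pdu, p)
    _, varbind_list, _ = _read_tlv(pdu, p)
    _, varbind, _ = _read_tlv(varbind_list, 0)
    _, _oid_bytes, q = _read_tlv(varbind, 0)
    vtag, value, _ = _read_tlv(varbind, q)
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(errors="replace"),
        "error_status": int.from_bytes(err_status, "big", signed=True),
        "value": value.decode(errors="replace") if vtag == 0x04 else value,
    }


def flags_default_community(response: Dict[str, object]) -> bool:
    """True when the device answered a read (noError) under the default community."""
    return response["error_status"] == 0 and response["community"] == DEFAULT_COMMUNITY


def probe_own_router(host: str, community: str = DEFAULT_COMMUNITY, port: int = 161,
                     timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """Send one GetRequest to a router you administer; None means no answer (good)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


if __name__ == "__main__":
    # Offline walk-through with a constructed answer; no packets are sent.
    constructed = build_get_response("public", "Constructed SOHO router, example only")
    result = parse_response(constructed)
    print("default community active:", flags_default_community(result), "->", result["value"])
```

A device that answers `probe_own_router(ROUTER_PLACEHOLDER)` with a sysDescr under 'public' is leaking exactly the inventory information the post describes; the fix on the device side is to change the community (or disable SNMP if unused) and, as the post suggests for the web/telnet interfaces, to restrict management access to the inside interface or a management ACL.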

