BeThere ISP vulnerability

Started by Docproc, Apr 18, 2007, 08:16:28

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Docproc


Lance

I wouldn't have thought so!
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

Rik

I saw the story and wondered at the motives of the hacker. TBH, I'm not surprised that his account was closed, it's hardly responsible to publish how to hack the system! :(
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Docproc

Quote from: rikbean on Apr 18, 2007, 11:33:28
I saw the story and wondered at the motives of the hacker. TBH, I'm not surprised that his account was closed, it's hardly responsible to publish how to hack the system! :(

I wondered too, but I think it's a case of him being naive rather than anything else.

The article was painting Be as the bad guys, but I'm not sure what else they were supposed to do in the circumstances.

Glenn.

Rik

I don't think they could do anything else, Glenn. I'd expect any ISP to take pretty much the same action.

It would be nice to see them sorting the security issues a bit more quickly though.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Adam

This was an accident waiting to happen. I have seen a number of ISPs add their own accounts on routers they give away in order to be able to help users; it won't just be limited to BeThere. Many of the other ISPs however do allow for disabling of such accounts.

A sensible thing for the ISPs who need such functionality would be to limit remote telnet to IPs only authorised people have access to. Another possible solution would be to randomly generate passwords and simply label the routers with them, then the end user could supply the ISP with the password when they require access.
Adam

Rik

I'm assuming Simon or Tim will be aware of the story, Adam, but from what you say, would it be advisable to draw their attention to it?
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Adam

Quote from: rikbean on Apr 18, 2007, 18:16:25
I'm assuming Simon or Tim will be aware of the story, Adam, but from what you say, would it be advisable to draw their attention to it?

I don't think IDNet used to ship their Speedtouch routers with an account for themselves enabled by default, and the Netgear routers don't even offer such functionality, so I don't believe there is any real need to bring their attention to it.
Adam

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon_idnet

The key difference here between IDNet and Be is that we do not insist that our customers use hardware that we supply.

Where we do supply hardware we default to password-protecting remote access using the password that is requested by our customers (or randomly generated if not supplied).
Simon


Rik

Thanks for filling us in on this issue, Simon. :)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.