Posts Tagged: security

news / photos / wtf2 Comments
2
Nov 09

Just in case the wall, spikes, barbed wire, electrified fence, and security cameras were not enough

We will go ahead and add some anti-climb paint.

Buckingham Palace Outer Wall

Buckingham Palace Outer Wall

Photo taken from Buckingham Palace.

Cheers,
Jonathan

newsNo Comments
23
Apr 09

Know thy enemy

DISCLAIMER: I did not take this photo. Please see the original.

I am pretty sure this is from the RSA Expo.  I am at RSA again this year. So, I thought this was appropriate.

I think there is an enamy in our midst.

I think there is an enemy in our midst.

news / technicalNo Comments
31
Dec 08

Embarq does not care about your safety

Last month I was able to finesse my way into naked DSL. I know, a lot of ISPs offer this but here in Jefferson City Missouri, no one openly admits that it is possible. In fact, you have to talk to a special level of customer support called the “save desk” to get it. But this article is not about naked DSL. This article is about Embarq’s inadequate security measures.

In my prior DSL usages, the ADSL modem has more or less behaved as a bridge by default. This sucks because most users will just plug the device directly into their windows based PC, thus allowing the world to view their C$ share or other obvious Microsoft vulnerabilities (assuming you use Microsoft Windows). But Embarq did something different. Their device came configured more as a router. Typically, I would praise this type of behavior. However, I would soon change my mind.

I host this website over my DSL connection. So, I needed to test my configuration under the new ISP. I found my public IP and navigated to it. To my disgust this form came up.

embarq-1

Wow, this is bad. So, it appears that I have a remotely accessible administrative console on my new ADSL modem. So, I’m already pretty upset. But then I notice that the password is PRE-POPULATED for me. So without changing the password, I click “Login”. , I am now presented with a screen that tells me what the default password is (“1234″). This screen also prompts me to change my password. So, I change my password and press “Login”.

embarq-2

So, lets see what we can do now…

embarq-3

Ok, it looks like I can now modify any of the settings that a normal consumer grade router provides me.

There are many attacks that may be performed with this console, so many that I can not even begin to think about the possibilities.

After a beer or 2, I calmed down and convinced myself that a warning to change your password must have been included in the documentation. So, I read though all the documents that came with the ADSL router. Sure enough, there is no mention of this administrative console, nor is there mention that you need to change this password.

This all leads me to one conclusion… Embarq does not care about your safety.

Cheers,
Jonathan Forck