Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Cutting to the chase (was RE: ABOVE.NET SECURITY TRUTHS?)

  • From: Roland Dobbins
  • Date: Fri Apr 28 17:32:58 2000


OK, I've had just about enough of this.  I was subscribed read-only, but
this latest brouhaha has motivated me to post the following semi-diatribe:

First of all, there -is- a bug in the Catalyst Supervisor software revision
5.4.1 which basically disables the functionality of the enable password.  If
someone has the login password to the router, they can use the same password
to get to enable mode.  Yes, someone has to either a) get his password
sniffed internally or b) re-use the password on some external network which
allows it to get sniffed or c) use a weak and/or easily-guessable password
for this exploit to be used.  But your blanket statement about the enable
password on Cisco switches is incorrect.  And while shared segments are
generally a Bad Thing, there are certain instances in which they make sense.

See http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml for
more details.

Secondly, there's also a bug in the Cisco telnet daemon for IOS 11.3AA,
12.0(2)-12.0(6) and 12.0(7), excluding 12.0(7)S, 12.0(7)T, and 12.0(7)XE,
which allows a very easy DoS attacks against routers and switches running
those revs.  The bug ID is CSCdm70743, and more information can be found at
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml .

Thirdly, 12-series IOSes can make use of ssh, but there are a lot of other
issues with the 12.x revs (see the above paragraph for an example) which
have prevented their wide-scale adoption.  Kerberos is certainly an option,
and a good one, but Monday-morning quarterbacking is really easy, especially
when one doesn't have direct knowledge of all the various factors involved,
nor any responsibility for maintaining the network in question.

Fourthly, being abrasive and condescending certainly isn't a way to get your
point across.  There is a huge amount of collective talent on this list;
Paul Vixie, in particular, has made enormous contributions to the Net
community as a whole, and therefore is someone who is, I think, deserving of
a more respectful tone than your previous posts on this subject.  He's a
really smart guy, and he's donated a lot of time and effort and sheer
technical know-how towards making the entire Internet more usable and useful
for -everyone-.

Whilst I'm not privy to Mr. Vixie's schedule, I doubt very seriously that he
configures every single router and switch in his network himself, by hand.
Most of the real operators here have, at one time or another, had an
employee or a group of employees who violated security policy in the name of
expediency, and thereby caused a security breach, potential or otherwise.  

I have no knowledge of the incident at above.net other than the rumors which
been bandied about in the public domain, but I wouldn't be surprised if
something of this latter sort played a role in their problems, which have
long since been resolved.

If you have views to contribute, you're going to get far more attention and
thought paid to them by refraining from condescension and patronizing
rhetoric.  You're not going to educate or enlighten anyone my implying that
they're stupid or incompetent; and, if you'll think about it, you're
probably not perfect, yourself.  

I think Gary Kasparov summed it up best when he said that he's never learned
anything from a chess game he -won-.

-----------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice
 

-----Original Message-----
From: Exiled Dave [mailto:exiled_dave@yahoo.com]
Sent: Friday, April 28, 2000 1:10 PM
To: nanog@merit.edu
Subject: Re: ABOVE.NET SECURITY TRUTHS?




Ive had some private messages asking if i was involved
in this. I wasnt. I was asked to write this initial
email by someone who KNOWS the real truth of what
happened at above, and why they are being so
tight-lipped.

Lets think about this, cisco in no way has such a flaw
that would allow someone to 'root' and erase all the
info on switches. The password was sniffed.

Unless above has some employee who felt the need to do
do this. But, my Above rep laughling CONFIRMED that
this was the problem. COMMON PASSWORDS. 

Cant we make it a LITTLE tougher on the script
kiddies?
And not make EVERY MAJOR switch the same password?

This is safe to post, because my above sales rep told
me what the old password was. God. THATS SECURITY.
Sales reps telling Clients OLD PASSWORDS.
So, if we wanna verify my authenticity, Here's what
she told me:
whY2Ghay/1Pee-Fr331y

Sound framiliar Above? Im suprised by lack of comment
from you. 

Im out to HELP. Not to hurt.




__________________________________________________
Do You Yahoo!?
Talk to your friends online and get email alerts with Yahoo! Messenger.
http://im.yahoo.com/





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.