Default Passwords for World Wide Packets/Lightning Edge Equipment
sean at donelan.com
Thu Jan 7 14:33:00 UTC 2010
On Thu, 7 Jan 2010, Dobbins, Roland wrote:
>> Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
> Actually, should be 'default password'.
Default credentials may be a more generic description of the problem
(although "default password" is a better search term). A problem with
default credentials is history has demonstrated even an expert (i.e.
the vendors own technical support) aren't always certain they've
found and changed every default credential possible on complex devices.
Its not just the usual console access, but also snmp protocals
public/private, http protocols admin, ldap cn=admin, postscript none,
decnet mop, and so on. Even if you think you know every possible
protocol, some vendors have had the habit of adding new protocols in
updates with its own set of defaults for new remote access protocols.
Multiple protocols, using multiple authorization sources, with defaults.
Its not a suprise why old-timers get annoyed with vendor gear with
default remote access methods enabled before the user configured the
access credentials for the access method. Eventually you'll get bit by
some device, some protocol, that has something enabled without your
knowledge. If you require your vendors not to ship stuff with remote
access enabled by default, its not a substitute for your own due
dilgence, but in practice it helps reduce unexpected incidents.
More information about the NANOG