http://www.wired.com/news/infostructure/0,1377,57342,00.html

Sprint DSL's Gaping Security Hole 

By Brian McWilliams

02:00 AM Jan. 23, 2003 PT

Sprint DSL customers are at risk of having their e-mail addresses and passwords stolen -- even when their computers are powered off -- due to weak security controls on their DSL modems.

Experts warned this week that the security problem could enable Internet vandals to wreak havoc from afar with the ZyXel Communications DSL modems issued by Sprint to tens of thousands of its FastConnect broadband customers.

Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of "1234." But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password.

"We recommend that customers change the (administrative) password to increase security, but we recognize that not all customers change the password as recommended," said Sprint FastConnect spokeswoman Laura Tigges.

Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.

Sprint could not say how many of its more than 110,000 DSL customers might be affected by the security issue. But a scan of a sample of Internet addresses used by Sprint DSL customers revealed that more than 90 percent of the ZyXel DSL modems found had the widely known default administrative password.

Not to be confused with the Sprint DSL account password, the administrative password allows a remote user to access the modem's configuration software over the Internet.

While many DSL users turn off their computers when not in use, their DSL modems often remain powered on. The ZyXel modems -- which support a protocol called PPPoE and store a Sprint user's e-mail address, password and DSL configuration files -- could prove a treasure trove for attackers, experts said.

"The bare minimum here is a serious privacy issue. But with the information (stored in the modem), all hell could break loose," said the security analyst and founder of the security-information site Malware.com, who first identified the Sprint security problem, but declined to provide his name.

Representatives of Taiwan-based ZyXel did not respond to interview requests. According to ZyXel's user guide (PDF) for the Prestige 645, "the first thing you should do is to change the default system password."

Kenneth Rhodes, a Sprint DSL customer who runs a printing shop in Florida, said the Sprint technician who installed his service late last year did not mention the modem's system password, which was set to the default until this week.

Tigges said Sprint will post instructions on its support website for disabling the remote administration feature, and customers can also get assistance from Sprint's technical support staff. The company also plans to begin shipping DSL modems without the feature beginning in February, she said.

Sprint's proposed fix "borders on negligence," according to the Malware.com founder.

"The remedy, I think, is actually pathetic," he said. "No one's going to see Sprint's Web page and fix this themselves. Ninety percent of the populace simply is not capable of setting up their own e-mail clients, let alone reconfiguring a modem."

Derek Chen-Becker, a computer science graduate student at Washington University who has studied the ZyXel 645's programming, said malicious attackers could remotely render the device inoperable by deleting its firmware. They could also potentially mine the user's Sprint login information from the configuration files, he said.

Lawrence Baldwin, operator of the myNetWatchman security service, said the incident shows that some ISPs aren't doing enough to protect customers.

"If you believe that ISPs have some responsibility for the security of their customers, then shipping a modem with a default password is just a major, egregious oversight," he said.

Sprint should proactively scan its network for DSL equipment that is incorrectly configured, and notify users by telephone or e-mail, according to John Navas, an independent telecommunications analyst.

According to David Blumenthal, a spokesman for Earthlink, which provides e-mail service to Sprint FastConnect customers, "there is not a security question involving Earthlink."
