In message <[EMAIL PROTECTED]>, eric writes:
>
>On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...
>
>>
>> How much entropy is there in such a serial number? Little enough
>> that it can be brute-forced by someone who knows the pattern? Using
>> some function of the seri
>
>
> On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...
>
> >
> > How much entropy is there in such a serial number? Little enough
> > that it can be brute-forced by someone who knows the pattern? Using
> > some function of the serial number and a vendor-known secret
On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...
>
> How much entropy is there in such a serial number? Little enough
> that it can be brute-forced by someone who knows the pattern? Using
> some function of the serial number and a vendor-known secret key is
> better
In message <[EMAIL PROTECTED]>, Martin Hannigan writes:
>
>>
>>
>>
>> > Actually, and fairly recently, this IS a default password in IOS. New
>> > out-of-box 28xx series routers have cisco/cisco installed as the default
>> > password with privilege 15 (full access). This is a recent develop
On Thu, 12 Jan 2006, Jay Hennigan wrote:
What should really be done (BCP for manufacturers ???) is have default
password based on unit's serial number. Since most routers provide this
information (i.e. it's preset on the chip's eprom) I don't understand
why it's so hard to just create simple func
>
>
>
> > Actually, and fairly recently, this IS a default password in IOS. New
> > out-of-box 28xx series routers have cisco/cisco installed as the default
> > password with privilege 15 (full access). This is a recent development.
>
> This is hardly only cisco's problem. Most office rout
william(at)elan.net wrote:
Actually, and fairly recently, this IS a default password in IOS. New
out-of-box 28xx series routers have cisco/cisco installed as the
default password with privilege 15 (full access). This is a recent
development.
This is hardly only cisco's problem. Most of
Actually, and fairly recently, this IS a default password in IOS. New
out-of-box 28xx series routers have cisco/cisco installed as the default
password with privilege 15 (full access). This is a recent development.
This is hardly only cisco's problem. Most office routers I've dealt with
al
Rob Thomas wrote:
Hi, NANOGers.
] On the other hand, the most common practice to hack routers today, is
] still to try and access the devices with the notoriously famous default
] login/password for Cisco devices: cisco/cisco.
This is NOT a default password in the IOS. The use of "cisco" as
[ SNIP ]
>
> It is true Cisco's PSIRT is one of the best to work with among vendors,
> even Mike Lynn said that Cisco PSIRT are some of the more decent people
> he worked with - "I've never had a problem with PSIRT".
PSIRT is great. After marketing and legal approval. This is why
they can't
On Fri, 2006-01-13 at 01:30:52 +0200, Gadi Evron proclaimed...
> Checking into new investments security-wise, especially with security
> products and external QA may help solve such issues in the future.
Thank you for this interruption. We now return to our scheduled
programming, already in p
This reminds me of Ciscogate but not for obvious reasons. That was a bad
event for everybody involved.
It reminds me of the very issue Mike Lynn discussed:
Remote exploitation for Cisco is possible, while so far Cisco disclosed
all these problems as DoS vulnerabilities.
I am not saying Cisco did
>
>
> On Thu, Jan 12, 2006 at 10:53:32AM -0600, Rob Thomas wrote:
> >
> > Hi, Matthew.
> >
> > ] Cisco Router and Security Device Manager (SDM) is installed on this device.
> > ] This feature requires the one-time use of the username "cisco"
> > ] with the password "cisco".
> >
> > Inter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Yo Rob!
On Thu, 12 Jan 2006, Rob Thomas wrote:
> This is NOT a default password in the IOS.
Uh, wrong. Check out the doc for the Cisco AIR-AP1220. Ver 12.01T1
RGDS
GARY
- --
I've been pretty happy with Cisco ACS - fairly solid, good reporting,
once set up it seems to Just Work.
John
On Thu, Jan 12, 2006 at 11:00:10AM -0800, Bill Nash wrote:
>
>
> Just as an offshoot discussion, what's the state-of-the-art for AAA
> services? We use a modified tacacs server for m
On Thu, Jan 12, 2006 at 10:53:32AM -0600, Rob Thomas wrote:
>
> Hi, Matthew.
>
> ] Cisco Router and Security Device Manager (SDM) is installed on this device.
> ] This feature requires the one-time use of the username "cisco"
> ] with the password "cisco".
>
> Interesting. Is it limited to one
Just as an offshoot discussion, what's the state-of-the-art for AAA
services? We use a modified tacacs server for multi-factor
authentication, and are moving towards a model that supports
single-use/rapid expiration passwords, with strict control over when and
how local/emergency authentica
ses as the combination, I have no
sympathy for your missing items... ;)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jared Mauch
Sent: Thursday, January 12, 2006 12:39 PM
To: Rob Thomas
Cc: NANOG
Subject: Re: Cisco, haven't we learned anything? (te
On Thu, Jan 12, 2006 at 10:53:32AM -0600, Rob Thomas wrote:
>
> Hi, Matthew.
>
> ] Cisco Router and Security Device Manager (SDM) is installed on this device.
> ] This feature requires the one-time use of the username "cisco"
> ] with the password "cisco".
>
> Interesting. Is it limited to one
Hi, Matthew.
] Cisco Router and Security Device Manager (SDM) is installed on this device.
] This feature requires the one-time use of the username "cisco"
] with the password "cisco".
Interesting. Is it limited to one-time use? Are the network login
services (SSH, telnet, et al.) prevented fr
Hi, NANOGers.
] On the other hand, the most common practice to hack routers today, is
] still to try and access the devices with the notoriously famous default
] login/password for Cisco devices: cisco/cisco.
This is NOT a default password in the IOS. The use of "cisco" as
the access and enable
Very good points, BTW.
And these are certainly factors to which, I'm sure, other
companies are also susceptible. :-)
- ferg
-- Hank Nussbacher <[EMAIL PROTECTED]> wrote:
[re:
http://www.cisco.com/en/US/products/products_security_advisory09186a00805e3234.shtml]
[snip]
Cisco acquired Protego in
On Thu, 12 Jan 2006, Gadi Evron wrote:
> In this
> (http://blogs.securiteam.com/wp-admin/post.php?action=edit&post=207) recent
> Cisco advisory, the company alerts us to a security problem
> with Cisco MARS (Cisco Security Monitoring Analysis and Response System).
>
> The security issue is basica
In this
(http://blogs.securiteam.com/wp-admin/post.php?action=edit&post=207) recent
Cisco advisory, the company alerts us to a security problem
with Cisco MARS (Cisco Security Monitoring Analysis and Response System).
The security issue is basically a user account on the system that will
give you