lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20090109205610.GA2490@honey.hogyros.de>
Date: Fri, 9 Jan 2009 21:56:10 +0100
From: Simon Richter <Simon.Richter@...yros.de>
To: Steve Shockley <steve.shockley@...ckley.net>
Cc: bugtraq@...urityfocus.com
Subject: Re: Leak of SNMP write password via SNMP read community in NETGEAR
	WG102 - Prosafe 802.11g Access Point

Hi,

On Fri, Jan 09, 2009 at 03:25:44PM -0500, Steve Shockley wrote:

>> SNMP communities are a safety, not a security measure. I know of very few
>> SNMP implementations that have protections against brute force or
>> dictionary attacks.

> srsly?  Passwords don't have much in the way of brute-force or  
> dictionary attack protection, but I wouldn't put my password in my  
> out-of-office message.

Most password authentication systems have a rate limit which is pretty
effective against dictionary attacks -- however SNMP implementations don't
do the same for community strings. My point is that community strings are
not passwords in the strictest sense, and people should stop treating them
as such.

   Simon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ