Message-ID: <8043.1262108348@localhost>
Date: Tue, 29 Dec 2009 12:39:08 -0500
From: Valdis.Kletnieks@...edu
To: Cilia Pretel Gallo <cpretelgallo@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: security hole on local ISP

On Tue, 29 Dec 2009 02:23:24 PST, Cilia Pretel Gallo said:
> Also, connections on ports 23 and 80, from any IP address, will access the
> modem configuration options. Last year that could be done only from private
> IP addresses (i.e. 192.168.0/24), but now it can be done, as I said, from
> anywhere.

Apparently somebody forgot to do regression testing on the distributed
config file, because they *used* to do it at least semi-right.

The annoying part is that it's a real pain in the butt for the ISP to fix
correctly. You need to first use the hole you created to get the current
config, and verify whether or not *anything* has been changed from the
as-shipped defaults.  It's only safe to automagically push a new config if the
user hasn't screwed around with it.  If anything's been changed, you need to do
a setting-by-setting audit to tell if there's any way they could *possibly*
interact - and it's not always obvious.  If the user has changed the default
password, it *may* indicate that he uses access from the "outside" to check the
modem status at home when he's at the office or on the road. So changing the
allowed address ranges might hose the user.

At that point, you pretty much bought a support call for every single user
you aren't able to automagically migrate, either to talk to the user beforehand,
or they call you when you break their config.

From the admin side of the boat, trying to push an update to 50,000 users
is *always* a scary prospect.  You have to realise that at many ISPs, the
profit margin per subscriber is actually so slim that if they call the
support desk *once* in a year, the resulting costs can easily wipe out any
profit they've made on that user. It doesn't take much - if you're paying
a guy $7/hour for level 1 tech support, the encumbered cost paying for the
seat he's sitting in, the office space, benefits (Social Security and
unemployment at least), etc means an encumbered cost of $10 to $15 hour.

If you're billing this guy $30/mo and making $1/mo profit, that means if the
guy calls in and has a problem that takes an hour to resolve, you're starting
to lose money on that user. (This is why most support desks try to get rid of
you as fast as they can, whether or not your problem is actually fixed).

So there's a real disincentive for the ISP to spend a lot of effort and
money to fix the problem - at best, making sure new modems they deploy are
set correctly might happen.  Adding to that is the fact that it usually
doesn't cost the ISP anything if a customer gets pwned, unless the pwner then
starts sucking down bandwidth like crazy.

And if the ISP charges "$30/mo for first 50G, and $1 for each G after", then
there's *no* incentive for the ISP to actually fix it.

This probably won't get fixed unless somebody finds a way to make it actually
*cost* the ISP.  In the US, a class-action lawsuit for reckless endangerment
might work. Don't know about Colombia.

Content of type "application/pgp-signature" skipped
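As an added example (not from this message or the list), here is how an ISP could automate the audit Valdis describes: diff each modem's live config against the as-shipped defaults, push the corrected LAN-only management ACL only where the user has touched nothing else, and queue everything else for a setting-by-setting review, flagging the changes most likely to interact with the ACL. The config key names and sample values are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample: the as-shipped default config (hypothetical key names,
# not any real modem's format).
SHIPPED_DEFAULTS = {
    "admin_password": "admin",
    "mgmt_allowed_from": "192.168.0.0/24",  # telnet/http management from LAN only
    "mgmt_ports": "23,80",
    "dns_mode": "auto",
}
LAN = ipaddress.ip_network("192.168.0.0/24")
# User changes to these settings may interact with re-tightening the ACL
# (e.g. a changed password can mean the user relies on outside access).
ACL_RELATED = {"admin_password", "mgmt_allowed_from", "mgmt_ports"}


def acl_is_open(allowed_from):
    """True if any listed network admits addresses outside the LAN range."""
    nets = (ipaddress.ip_network(n.strip()) for n in allowed_from.split(","))
    return any(not n.subnet_of(LAN) for n in nets)


def audit_modem(current, defaults=SHIPPED_DEFAULTS):
    """Compare one modem's live config with the as-shipped defaults.

    Returns (decision, user_changes, interactions, proposed_config):
      auto_push     - only the management ACL differs, so the fix can be pushed
      no_change     - ACL already LAN-only and nothing else differs
      manual_review - user changed settings; 'interactions' lists ACL-related ones
    """
    diffs = sorted(k for k in set(current) | set(defaults)
                   if current.get(k) != defaults.get(k))
    acl_open = acl_is_open(current.get("mgmt_allowed_from",
                                       defaults["mgmt_allowed_from"]))
    user_changes = [k for k in diffs if k != "mgmt_allowed_from"]
    interactions = [k for k in user_changes if k in ACL_RELATED]
    # The proposed config keeps every user setting and only restores the ACL.
    proposed = dict(current, mgmt_allowed_from=defaults["mgmt_allowed_from"])
    if user_changes:
        return "manual_review", user_changes, interactions, proposed
    return ("auto_push" if acl_open else "no_change"), [], [], proposed


def audit_fleet(configs):
    """Count decisions across many modems; each manual_review is a likely support call."""
    counts = {"auto_push": 0, "no_change": 0, "manual_review": 0}
    for cfg in configs:
        counts[audit_modem(cfg)[0]] += 1
    return counts
```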