Home page logo

nanog logo nanog mailing list archives

Re: Cisco, haven't we learned anything? (technician reset)y
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 12 Jan 2006 21:56:01 -0500

In message <20060113023430.GI22251 () catastrophe net>, eric writes:

On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...

How much entropy is there in a such a serial number?  Little enough 
that it can be brute-forced by someone who knows the pattern?  Using 
some function of the serial number and a vendor-known secret key is 
better -- until, of course, that "secret" leaks.  (Anyone remember how 
telephone credit card number verification worked before they could do 
full real-time validation?  The Phone Company took a 10-digit phone 
number and calculated four extra digits, based on that year's secret.  
Guess how well that secret was kept....)

Hi Steven,

I believe the Netscreen default password of a serial number can only be
entered over the console (and possibly modem/aux) port(s).

That works for me.  But note William Leibzon's issue:

  That works too and is most secure way.

  But its often enough that small offices would not have person who can fix 
  the system and its not always possible to get network guy to come in right
  a way. It is good for those cases to be able to ask somebody onsite to just
  look at the back and dictate the serial# by phone.

If you have physical access, the root password matters a lot less (and 
if it's the serial number, the local attacker can just peer at the 
back).  If you need secure remote access -- well, it's not easy with 
clueless local administrators.  But there's much less excuse for
clueless developers, like the ones who created the login/password pair 
that started this thread -- credentials that, according to one posting, 
are acceptable for remote access.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]