Penetration Testing
mailing list archives
Re: [PEN-TEST] PBX Security
From: Ben Grubin <Ben.Grubin () GUARDENT COM>
Date: Wed, 4 Oct 2000 14:08:19 -0400
More importantly, I believe this can be considered a vendor security bug.
Any resetting of top-level administrative passwords in software, hardcoded
or not, is just plain wrong. Physical access to the hardware should be
required to reset a top-level administrative password. Software backdoors
are *never* known by only the right people. This has been proven time and
time again.
Cheers,
Ben
-----Original Message-----
From: Loschiavo, Dave [mailto:DLoschiavo () FRCC CC CA US]
Sent: Wednesday, October 04, 2000 12:19 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: PBX Security
<quote> It's unfair to use a known back-door when pen-testing. The
back-door on Norstar is pretty hard to stumble across, but it is nice to
know the default passcodes, and test for things like that. Good luck!
</quote>
If it is known (heck, or even if you are the only one who knows it), why is
it unfair? If you were able to find it, via social engineering, why can't a
hacker? The way I look at it, if a back-door has a hard-coded (or unchanged
default) method for allowing access, then it is a security hole. Isn't that
what a Pen-Test is supposed to uncover?
Thoughts? Comments?