On Thu, 7 Jan 2010, Dobbins, Roland wrote:
> Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
> Actually, should be 'default password'.
Default credentials may be a more generic description of the problem (although "default password" is a better search term). A problem with default credentials is that history has demonstrated even an expert (i.e. the vendor's own technical support) isn't always certain they've found and changed every default credential possible on complex devices. It's not just the usual console access, but also SNMP's public/private, HTTP's admin, LDAP's cn=admin, PostScript's none, DECnet MOP, and so on. Even if you think you know every possible protocol, some vendors have had the habit of adding new protocols in updates, each with its own set of defaults for the new remote access protocol. Multiple protocols, using multiple authorization sources, with defaults. It's no surprise that old-timers get annoyed with vendor gear that has default remote access methods enabled before the user has configured the access credentials for the access method. Eventually you'll get bitten by some device, some protocol, that has something enabled without your knowledge. Requiring your vendors not to ship stuff with remote access enabled by default is not a substitute for your own due diligence, but in practice it helps reduce unexpected incidents.
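The point of the post above is that defaults are spread across several access methods and authorization sources, so an audit has to check each one, and has to notice a remote-access service that is enabled before any credential was configured for it. As an added example (not code from the original thread or from any vendor), here is a small audit over a device configuration dump. The config syntax is assumed IOS-like and the sample config is constructed for this example; the regexes, the local-user/HTTP pairing, and the choice of which services count as "enabled without authentication" are assumptions for illustration, not a complete grammar for any real platform.

```python
"""Audit a device configuration dump for default credentials across several
access methods, and for remote-access services enabled with no credential
configured. Syntax is assumed IOS-like; the sample config is constructed."""
import re
from dataclasses import dataclass
from typing import List

# Default values the post names: SNMP public/private, HTTP admin, LDAP cn=admin.
# HTTP logins are assumed to be backed by local "username" accounts.
DEFAULT_VALUES = {
    "snmp": {"public", "private"},
    "local-user": {"admin"},
    "ldap": {"cn=admin"},
}

# One pattern per access method; group 1 captures the credential identifier.
# Assumed IOS-like lines, for illustration only.
PATTERNS = {
    "snmp": re.compile(r"^\s*snmp-server\s+community\s+(\S+)", re.I),
    "local-user": re.compile(r"^\s*username\s+(\S+)", re.I),
    "ldap": re.compile(r"^\s*bind\s+authenticate\s+root-dn\s+(\S+)", re.I),
}

# A remote-access service and the authentication line it is expected to have.
# The pairing is an assumption of this example.
SERVICE_REQUIRES = {
    "http": (re.compile(r"^\s*ip\s+http\s+server\b", re.I),
             re.compile(r"^\s*ip\s+http\s+authentication\b", re.I)),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    method: str
    detail: str


def find_default_credentials(config: str) -> List[Finding]:
    """Flag every credential line whose identifier is a known default."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        for method, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            value = m.group(1)
            # For LDAP compare only the leading RDN (cn=admin,dc=... -> cn=admin).
            key = value.split(",")[0].lower() if method == "ldap" else value.lower()
            if key in DEFAULT_VALUES[method]:
                findings.append(Finding(no, method, f"default credential {value!r}"))
    return findings


def find_unauthenticated_services(config: str) -> List[Finding]:
    """Flag a remote-access service enabled without its authentication line."""
    lines = config.splitlines()
    findings = []
    for service, (enable_pat, auth_pat) in SERVICE_REQUIRES.items():
        enabled_at = next((i for i, l in enumerate(lines, 1) if enable_pat.match(l)), None)
        if enabled_at is not None and not any(auth_pat.match(l) for l in lines):
            findings.append(Finding(enabled_at, service,
                                    "service enabled with no authentication method configured"))
    return findings


# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-router
username admin privilege 15 password 0 admin
username netops privilege 15 secret 5 $1$abcd$exampleexampleexample
snmp-server community public RO
snmp-server community n3tw0rk-r0 RO 10
ip http server
ldap server corp
 bind authenticate root-dn cn=admin,dc=example,dc=com password 0 changeme
"""

if __name__ == "__main__":
    for f in find_default_credentials(SAMPLE_CONFIG) + find_unauthenticated_services(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.method}] {f.detail}")
```

Run against the constructed sample, the audit reports the local admin account, the public SNMP community, the LDAP bind DN, and the HTTP server that is on with no authentication line. The useful property is that each access method is a separate entry in the tables, so a newly added protocol gets its own row rather than being assumed covered by the console-password check.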