Default Passwords for World Wide Packets/Lightning Edge Equipment
Greetings,

LONG VERSION: I have recently inherited the management of an undocumented network (failed FTTH provider) which utilizes World Wide Packets' LightningEdge 427 (16 port GBIC switch) and 311v (24/4 port Ethernet/GBIC switch) switches. We've swapped out a 427 so that we can rebuild it, push it back into the network, and repeat, until everything is under our control. Trouble is, the lack of documentation extends to passwords, the nature of which precludes any hope of getting into the switch without resetting to defaults. Fortunately, I can do this without issue, since it is not in active service.

I reset a spare 311v to defaults, but cannot log in to it with any of the logical default passwords. I can only assume the same will be true of the 427. Sadly, it seems World Wide Packets is now owned by a new company, who will not provide simple documentation without a full support contract. I got them to grudgingly provide the documentation for the customer premise devices (LightningEdge 47's), but my pleas for the switch documentation (and the management software that I believe WWP provided for free) have fallen on deaf ears. I don't have the budget to blow on a support contract just to get one default password (Who would?).

SHORT VERSION: Does anyone know the default passwords for World Wide Packets 427 and 311v switches? I will most definitely owe anyone with an answer a beer or four next time they visit Seattle.

By the way, the default username/password for the LightningEdge 47 and other WWP CPEs is su/pureethernet. Hopefully that will save someone else some pain. :-)

Best Regards, Nathan Eisenberg
On Jan 6, 2010, at 3:17 PM, Nathan Eisenberg wrote:
Does anyone know the default passwords for World Wide Packets 427 and 311v switches?
One should think the fact that there are default passwords at all should be a cause for alarm, in and of itself. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
One should think the fact that there are default passwords at all should be a cause for alarm, in and of itself.
I must not have been very clear. I'm resetting these switches to factory defaults using the hardware reset button, and attempting to log in using whatever the factory default passwords are. No cause for alarm - the devices as deployed DO NOT have the default passwords on them (probably... without having the factory default passwords for the devices, it's hard to say...) Anyways, does that make sense?
On Jan 6, 2010, at 3:44 PM, Nathan Eisenberg wrote:
I must not have been very clear. I'm resetting these switches to factory defaults using the hardware reset button, and attempting to log in using whatever the factory default passwords are.
Right - what I'm saying is the fact that there are default passwords at all is horribly insecure, and that the vendor in question should be prodded to change this dangerous practice. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
Right - what I'm saying is the fact that there are default passwords at all is horribly insecure, and that the vendor in question should be prodded to change this dangerous practice.
How is that a risk in any way? Considering that one must have physical access to reset the unit to factory default, having physical access pretty much trumps any other security measure.
On Jan 6, 2010, at 4:24 PM, George Bonser wrote:
having physical access pretty much trumps any other security measure.
The fact that there's a factory default means that lots of folks won't change it when they configure the unit with an IP address; they follow this with failing to implement iACLs, and it's pw3nt1me! ;> ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
having physical access pretty much trumps any other security measure.
The fact that there's a factory default means that lots of folks won't change it when they configure the unit with an IP address; they follow this with failing to implement iACLs, and it's pw3nt1me!
I suppose it is a philosophical thing with me. I don't believe in protecting people from their own stupidity. If you try to enforce that, you end up with organizations making up their own "default" passwords which can be little better than manufacturer defaults.
On Jan 6, 2010, at 4:43 AM, George Bonser wrote:
having physical access pretty much trumps any other security measure.
The fact that there's a factory default means that lots of folks won't change it when they configure the unit with an IP address; they follow this with failing to implement iACLs, and it's pw3nt1me!
I suppose it is a philosophical thing with me. I don't believe in protecting people from their own stupidity. If you try to enforce that, you end up with organizations making up their own "default" passwords which can be little better than manufacturer defaults.
They're much better, since one guess doesn't suffice for all devices; see http://ids.ftw.fm/Home/publications/RouterScan-RAID09-Poster.pdf?attredirect... for some indication of just how bad the problem can be. And we all suffer from p0wned devices, because they get turned into bots. Roland is 100% right. --Steve Bellovin, http://www.cs.columbia.edu/~smb
Right - what I'm saying is the fact that there are default passwords at all is horribly insecure, and that the vendor in question should be prodded to change this dangerous practice.
I don't see how there's a security problem with equipment coming from the factory with factory default passwords. In my opinion, a breach caused by a reset of equipment to default configuration/passwords would suggest far more basic security issues, which are not at all mitigated by eliminating the existence of default passwords. I generally try to mitigate the issues further down the stack. I doubt factory default passwords are going anywhere, but even if they did go away, I would still strictly control access to my management interfaces, as well as the reset holes on my equipment, and so I would argue that I would be no more or less secure than I am now. But maybe I'm missing something? Best Regards, Nathan Eisenberg
After weeks of banging my head on this, I figured it out within an hour of posting it to NANOG. You guys are good luck! For future reference/Google, the factory default password for (at least the LightningEdge 427 - not sure about the 311v yet) these switches is: su/wwp. Obviously, you should change this prior to deployment! Best Regards, Nathan Eisenberg
On Wed, Jan 06, 2010 at 08:26:25AM +0000, Dobbins, Roland wrote:
Does anyone know the default passwords for World Wide Packets 427 and 311v switches?
One should think the fact that there are default passwords at all should be a cause for alarm, in and of itself.
As much as they're a definite security risk, I can't imagine what other option there is. The closest I can come to a solution is to set a random password and flash it using a front-panel LED using morse. <grin> - Matt
On Jan 6, 2010, at 4:18 PM, Matthew Palmer wrote:
The closest I can come to a solution is to set a random password and flash it using a front-panel LED using morse. <grin>
heh

No password at all, operator prompted at the console during startup unless/until he sets one. No IP address, et al. until a password is set.

----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
On 1/6/2010 01:23, Dobbins, Roland wrote:
On Jan 6, 2010, at 4:18 PM, Matthew Palmer wrote:
The closest I can come to a solution is to set a random password and flash it using a front-panel LED using morse. <grin>
heh
No password at all, operator prompted at the console during startup unless/until he sets one. No IP address, et al. until a password is set.
Yeah. And for devices with no console, only network interfaces, a default IP address, no default password, and no default route (just in case they plug it into a real LAN instead of a laptop. :p ).
On Wed, Jan 6, 2010 at 1:12 PM, Jim Burwell <jimb@jsbc.cc> wrote: [snip]
Yeah. And for devices with no console, only network interfaces, a default IP address, no default password, and no default route (just in case they plug it into a real LAN instead of a laptop. :p ).
Ah... don't worry about default routes.. Proxy ARP will "fix it".. when combined with a suitable router that does it by default, and help make sure the default-pw'ed device can still be reached by the bad guys. As Murphy would have it, default device IP happens to correspond to a valid LAN IP address formerly used by a server, that the neglected perimeter firewall still forwards port 80 traffic to...

You know.. an extra port isn't so expensive these days. Equipment vendors could just make one of the network ports be labelled "Manage", ship the units with management access disabled, except on that port. Don't allow normal traffic forwarding to/from that port by default. On first login, require a password change to be made before all other changes, such as enabling full management are even allowed, including turning the manage port into a normal port (if it's even necessary).

Device should shut down the manage port, until reboot, via "management port security".. when the first frame is received, memorize the MAC address, as long as carrier is still detected. If later a second MAC address is detected as the source on any frame, or any multicast frame at all is received, other than an ARP for switch's default IP. Light up an orange LED for "security violation" or a "user error" light. :)

-- -J
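The "Manage" port behaviour proposed in the message above, modelled as a small state machine. This is an added example, not part of the original thread and not any vendor's firmware; the class and command names, the 192.0.2.1 default address and the MAC addresses are constructed, and it reads the proposal as "a violation shuts the port down until reboot".

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_MGMT_IP = "192.0.2.1"  # assumed factory address (documentation range)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    arp_target_ip: Optional[str] = None  # set only when the frame is an ARP request


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast both have the low bit of the first octet set."""
    return bool(int(mac.split(":")[0], 16) & 1)


class ManagePort:
    """Hypothetical model of the dedicated management port."""

    def __init__(self, default_ip: str = DEFAULT_MGMT_IP) -> None:
        self.default_ip = default_ip
        self.reboot()

    def reboot(self) -> None:
        # Only a reboot clears a violation (the "orange LED" state).
        self.carrier = False
        self.learned_mac: Optional[str] = None
        self.violation = False

    def carrier_up(self) -> None:
        self.carrier = True

    def carrier_down(self) -> None:
        # The learned MAC is only remembered while carrier is detected.
        self.carrier = False
        self.learned_mac = None

    def _trip(self) -> bool:
        self.violation = True
        return False

    def receive(self, frame: Frame) -> bool:
        """Return True if the frame is accepted for management processing."""
        if self.violation or not self.carrier:
            return False
        # Any group-addressed frame trips the port, except an ARP request
        # asking for the switch's own default IP.
        if is_group_address(frame.dst_mac) and frame.arp_target_ip != self.default_ip:
            return self._trip()
        src = frame.src_mac.lower()
        if self.learned_mac is None:
            self.learned_mac = src          # first frame: memorize the sender
        elif src != self.learned_mac:
            return self._trip()             # second source MAC: violation
        return True


class Device:
    """Management is reachable only through ManagePort, and nothing but
    setting a password is allowed until a password exists."""

    def __init__(self) -> None:
        self.port = ManagePort()
        self.password: Optional[str] = None
        self.config: dict = {}

    def command(self, frame: Frame, name: str, value: str) -> str:
        if not self.port.receive(frame):
            return "dropped"
        if name == "set-password":
            if not value:
                return "rejected: empty password"
            self.password = value
            return "ok"
        if self.password is None:
            return "rejected: set a password first"
        self.config[name] = value
        return "ok"


def demo() -> list:
    laptop, second_host = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed
    switch_mac = "02:00:00:00:00:fe"                                # constructed
    dev = Device()
    dev.port.carrier_up()
    return [
        dev.port.receive(Frame(laptop, "ff:ff:ff:ff:ff:ff", DEFAULT_MGMT_IP)),
        dev.command(Frame(laptop, switch_mac), "enable-full-mgmt", "yes"),
        dev.command(Frame(laptop, switch_mac), "set-password", "constructed-passphrase"),
        dev.command(Frame(laptop, switch_mac), "enable-full-mgmt", "yes"),
        dev.command(Frame(second_host, switch_mac), "enable-full-mgmt", "no"),
        dev.command(Frame(laptop, switch_mac), "enable-full-mgmt", "no"),
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The last two steps in `demo()` show the lockout: once a second source MAC appears, even the originally learned host is refused until `reboot()`.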
An option I saw years ago (I forgot on whose equipment) was a default password which was a function of the equipment's serial number. So you had to have the algorithm and you needed the serial number which was not related to the MAC. So if you didn't have physical access, you were not in a good position to learn the password.

I suspect this was a support nightmare for the vendor and I bet they went to a more standard (read: the same) factory password. At the end of the day, minimizing support costs for the vendor (not to mention likely annoyance for the customer) trumps providing "default" security for the folks who won't change the default password.

-Jeff

Matthew Palmer wrote:
On Wed, Jan 06, 2010 at 08:26:25AM +0000, Dobbins, Roland wrote:
Does anyone know the default passwords for World Wide Packets 427 and 311v switches? One should think the fact that there are default passwords at all should be a cause for alarm, in and of itself.
As much as they're a definite security risk, I can't imagine what other option there is. The closest I can come to a solution is to set a random password and flash it using a front-panel LED using morse. <grin>
- Matt
-- ======================================================================== Jeffrey I. Schiller MIT Network Manager/Security Architect PCI Compliance Officer Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room W92-190 Cambridge, MA 02139-4307 617.253.0161 - Voice jis@mit.edu http://jis.qyv.name ========================================================================
I think the vendor you're thinking of was Cabletron (now Enterasys). I had to call them and give them the Serial Number for them to provide me with the default password to the system after a hard reset (this was for an ELS100-24TXG 'switch'). -NH
On Wed, 06 Jan 2010 19:13:28 -0500, Nick Hale <nhale@softlayer.com> wrote:
I think the vendor you're thinking of was Cabletron (now Enterasys). I had to call them and give them the Serial Number for them to provide me with the default password to the system after a hard reset (this was for an ELS100-24TXG 'switch').
And their CPE gear had a 5 minute password reset window after power on. We hated the customers who'd figured that out.

While we're on the subject, a lot of Liebert gear has a dip switch/jumper block to turn passwords off entirely. (of course, that requires physical access and a power cycle.)

--Ricky
While we're on the subject, a lot of Liebert gear has a dip switch/jumper block to turn passwords off entirely. (of course, that requires physical access and a power cycle.)
So do a lot of HP/Compaq servers with integrated lights out management. Don't think you even need to power cycle (whether you're brave enough to go poking around the deep innards of an energized server is another matter). I know the DIP switch on older DL385's is a micro DIP switch and it's inconveniently located in the middle of the server behind some stuff. The good part is that you can clear out unknown passwords as long as you have access to the chassis innards. The bad part is that I've seen these left in password bypass mode (though the BIOS thoughtfully warns you of the status if you do that). ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
A password recovery method I've found very frustrating is to use the serial number or similar value that's on a label on the bottom of the equipment. It's just fine for desktop hardware - but for rack-mounted gear, it's not uncommon to find out that you need this information *after* somebody's racked and stacked the hardware, and therefore you either need to unscrew it (if it was screwed into the rack) or drag it out (if it wasn't screwed in for some reason like missing wing-brackets or 23-inch telco racks or random junk piled on top of it, etc.), and possibly uncable it as well, depending on how much slack is in the cabling, and you almost certainly want to power it down first, and you need to have enough flashlights and reading glasses to deal with reading the bottom of the equipment lying down on the floor of the data center. Yes, you *should* be able to find the serial number by looking in the accurate complete up-to-date spreadsheet of equipment inventory records, or at least the previous-user-printed Dymo-label on the front of the box. But if you had that quality of records, you probably wouldn't need to be running password recovery anyway. (Disclaimer: I'm currently working in a development lab, not operations, so ideally this doesn't reflect the state of our production data centers :-) Most of the time it doesn't reflect our lab either, but occasionally it does, and of course loaner equipment often arrives in random condition.
On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said:
A password recovery method I've found very frustrating is to use the serial number or similar value that's on a label on the bottom of the equipment.
Related pet peeve: Inventory and asset control people that stick a sticker on hardware and then expect to be able to scan the barcode at a later date. Works fine if the barcode sticker actually ends up facing the front or the back of the rack. But occasionally, the sticker ends up stuck on an empty space on the printed circuit board of an upgrade blade that's plugged into a chassis...
On January 12, 2010 at 23:03 Valdis.Kletnieks@vt.edu (Valdis.Kletnieks@vt.edu) wrote:
On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said:
A password recovery method I've found very frustrating is to use the serial number or similar value that's on a label on the bottom of the equipment.
Related pet peeve: Inventory and asset control people that stick a sticker on hardware and then expect to be able to scan the barcode at a later date. Works fine if the barcode sticker actually ends up facing the front or the back of the rack. But occasionally, the sticker ends up stuck on an empty space on the printed circuit board of an upgrade blade that's plugged into a chassis...
Sounds like RFID FTW! Actually, I have no idea if it'd work, maybe someone else does. Seems like it'd be nice to be able to just wand a rack and poof out comes a list of everything in it. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
That would be excellent for both the administrator, and anyone walking down the row with a wand in their pocket.
-- LITTLE GIRL: But which cookie will you eat FIRST? COOKIE MONSTER: Me think you have misconception of cookie-eating process.
On Wed, 13 Jan 2010 12:55:00 EST, Matt Simmons said:
That would be excellent for both the administrator, and anyone walking down the row with a wand in their pocket.
Barry's right, for at least some scenarios. If I have an unauthorized somebody walking down the row with a wand in their pocket, the fact they have a wand in their pocket is the least of my problems. It's of course different if your biggest competitor is colo'd in the same room, two cages over.
There seem to be a lot of misconceptions about RFID tags. I'm hardly an expert but I do know this much: RFID tags are generic, you don't put data into them unique to your application. All they are is a range of long serial numbers guaranteed to be globally unique, like Ethernet MACs more or less.

You get an RFID tag, associate it with a piece of equipment, enter the tag serial number and other info INTO YOUR OWN INVENTORY DATABASE, and stick it on the equipment. Then you can later use a wand which can retrieve the RFID tag number at some distance, a few feet, think: supermarket checkout.

The big advantage of RFIDs is that you don't need line of sight access like you do with bar codes, they use RF, radio frequency.

Think: anti-shoplifting tags, most of them are basically RFID tags tho older ones don't have a unique id which is why they had to be physically removed or disabled. More modern anti-shoplifting systems wand the tag id (possibly via an externally printed bar code because point of sale (POS) systems aren't quite there yet) into the POS system so the anti-shoplifting exit system can look it up to see if the item has been paid for.

A system which also used these to track equipment being removed from an area or building would be a relatively straightforward plus. It may not stop someone but it might know exactly what time it passed out the door to help with any investigation, or in a more secure environment one might have to mark the RFID tag as authorized to go out the door via some security process, or at least associate its leaving with a security badge or whatever id is used.

It's much better than sliced bread for some apps except that they make for really lousy BLTs.

On January 13, 2010 at 11:23 lyndon@orthanc.ca (Lyndon Nerenberg (VE6BBM/VE7TFX)) wrote:
Barry's right, for at least some scenarios. If I have an unauthorized somebody walking down the row with a wand in their pocket, the fact they have a wand in their pocket is the least of my problems.
Encrypt the data?
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Wed, 13 Jan 2010, Barry Shein wrote:
The big advantage of RFIDs is that you don't need line of sight access like you do with bar codes, they use RF, radio frequency.
Which is also a big disadvantage in a datacenter. Ever tried to use a radio in one? The RF noise generated by digital equipment seriously erodes signal quality. Considering the relatively weak signal returned from RFID tags, I'd be surprised if you'd get any kind of useful range. Has anybody tried it out?
On Wed, Jan 13, 2010 at 01:51:41PM -0500, George Imburgia wrote:
On Wed, 13 Jan 2010, Barry Shein wrote:
The big advantage of RFIDs is that you don't need line of sight access like you do with bar codes, they use RF, radio frequency.
Which is also a big disadvantage in a datacenter. Ever tried to use a radio in one?
The RF noise generated by digital equipment seriously erodes signal quality. Considering the relatively weak signal returned from RFID tags, I'd be surprised if you'd get any kind of useful range.
Has anybody tried it out?
I have something akin to experience in this arena at least as it applies to the ambient RF environment and the security of the data transferred. As a matter of fact the two usually go hand in hand. The issue that I usually see is how to protect your new driver's license / passport / ID badge (with embedded RFID) from someone stopping next to you at a subway station with an RFID reader hidden in their briefcase, although densely populated CoLo's wouldn't be much different.

The preferred standard is usually the FIPS 201 standard and is deployed at 13.56 MHz which ensures you have to be pretty darn near the transceiver to "get a read" but also makes the problem of ambient (RF) noise pretty much a non-issue. The issue arises in tags placed so close together that they are in the read field at the same time causing multiple emitters in the same channel. Recent implementations have a built-in collision avoidance mechanism that eliminates the issue entirely in my testing (understanding channel contention for this exercise is at most dozens of transmitters, and wouldn't scale up to anything larger).

These same recent implementations use 3DES to secure the open-air channel, reducing prevalence of man-in-the-middle type attacks. Finally, it is common now to retrieve the encrypted contents of the RFID tags and require that a CA hierarchy validate both sides of the transaction prior to decryption which can contain 4K in the data sectors or more.

Brandon L.
On Wed, Jan 13, 2010 at 12:51 PM, George Imburgia <nanog@armorfirewall.com> wrote:
On Wed, 13 Jan 2010, Barry Shein wrote:
The big advantage of RFIDs is that you don't need line of sight access
like you do with bar codes, they use RF, radio frequency.
Which is also a big disadvantage in a datacenter. Ever tried to use a radio in one?
The RF noise generated by digital equipment seriously erodes signal quality. Considering the relatively weak signal returned from RFID tags, I'd be surprised if you'd get any kind of useful range.
Has anybody tried it out?
FYI: Looked into this in my previous job-project, and bookmarked this as a positive record of such: http://www.datacenterknowledge.com/archives/2008/11/03/rfid-in-the-data-cent... think it works. ***Stefan Mititelu http://twitter.com/netfortius http://www.linkedin.com/in/netfortius
On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:
There seem to be a lot of misconceptions about RFID tags. I'm hardly an expert but I do know this much:
RFID tags are generic, you don't put data into them unique to your application.
Part of the original (or at least early) context for this thread was recovery of default passwords. If the password is F(ser#), it's only learnable if you know both F() and ser#. The vendor knows F() -- who knows ser#? If it's in an RFID tag, or is DBlookup(tag#,vendor_db), being able to read this admittedly-arbitrary number may indeed be a threat. --Steve Bellovin, http://www.cs.columbia.edu/~smb
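The F(ser#) argument in the message above, worked through in code. This is an added example, not part of the original thread and not any vendor's real scheme: the two F() variants, the key, the tag IDs and the serial numbers are all constructed. It shows that with an unkeyed F() a readable tag number is the whole secret, while a keyed F() also requires the vendor's key.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, Optional


def _to_password(digest: bytes) -> str:
    """Render a digest as a 12-character password a support desk could read out."""
    return base64.b32encode(digest)[:12].decode("ascii").lower()


def f_unkeyed(serial: str) -> str:
    """F(ser#) with no secret input: anyone who learns F can evaluate it."""
    return _to_password(hashlib.sha256(serial.encode()).digest())


def make_f_keyed(vendor_key: bytes) -> Callable[[str], str]:
    """F(ser#) as an HMAC under a vendor-held key (hypothetical mitigation)."""
    def f(serial: str) -> str:
        mac = hmac.new(vendor_key, serial.encode(), hashlib.sha256)
        return _to_password(mac.digest())
    return f


# Constructed stand-in for DBlookup(tag#, vendor_db): tag number -> serial number.
VENDOR_DB: Dict[str, str] = {
    "TAG-000A": "SN-CONSTRUCTED-0001",
    "TAG-000B": "SN-CONSTRUCTED-0002",
}


def db_lookup(tag_id: str, vendor_db: Dict[str, str] = VENDOR_DB) -> Optional[str]:
    return vendor_db.get(tag_id)


def password_from_tag_read(tag_id: str, f: Callable[[str], str]) -> Optional[str]:
    """What a party holding a tag read, the lookup and some F can compute."""
    serial = db_lookup(tag_id)
    return None if serial is None else f(serial)


def exposure(tag_id: str, vendor_key: bytes) -> Dict[str, bool]:
    """For one device, report whether a tag read alone yields its default password."""
    serial = db_lookup(tag_id)
    if serial is None:
        raise KeyError(tag_id)
    real_keyed = make_f_keyed(vendor_key)
    guessed_key = bytes(len(vendor_key))  # a reader without the key can only guess it
    return {
        "unkeyed F, tag read only":
            password_from_tag_read(tag_id, f_unkeyed) == f_unkeyed(serial),
        "keyed F, tag read only":
            password_from_tag_read(tag_id, make_f_keyed(guessed_key)) == real_keyed(serial),
        "keyed F, tag read plus vendor key":
            password_from_tag_read(tag_id, real_keyed) == real_keyed(serial),
    }


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed vendor key").digest()
    for case, recoverable in exposure("TAG-000A", key).items():
        print(f"{case}: {'recoverable' if recoverable else 'not recoverable'}")
```

The keyed variant moves the risk rather than removing it: one leaked vendor key exposes every device that still has its default, which is why the default is still changed at first login.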
Not if you change the default password like any sane admin does...
On Jan 13, 2010, at 2:47 PM, Nathan Eisenberg wrote:
Not if you change the default password like any sane admin does...
This is from the OP:

I have recently inherited the management of an undocumented network (failed FTTH provider) which utilizes World Wide Packets' LightningEdge 427 (16 port GBIC switch) and 311v (24/4 port Ethernet/GBIC switch) switches. ... Does anyone know the default passwords for World Wide Packets 427 and 311v switches?

Lots of gear has a button/jumper/pop_the_CMOS battery/other_physical_presence_magic to reset things to factory state, including the default pw. The thread went on to why default passwords are bad, to passwords on the bottom of the device, to RFIDs because the devices of interest to this community are racked and stacked -- and back to theme #2: default passwords are bad...

--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Wed, 2010-01-13 at 15:12 -0500, Steven Bellovin wrote:
Lots of gear has a button/jumper/pop_the_CMOS battery/other_physical_presence_magic to reset things to factory state, including the default pw. The thread went on to why default passwords are bad, to passwords on the bottom of the device, to RFIDs because the devices of interest to this community are racked and stacked -- and back to theme #2: default passwords are bad...
And somewhere in the dim and distant past (Jan 6th), Nathan announced that he'd sorted out his original problem and now had the defaults. What a peculiar bunch we are. And this from the group lauded as anonymously and peacefully co-existing to hold the Internet together, eh? Graeme
From: Graeme Fowler [mailto:graeme@graemef.net] And somewhere in the dim and distant past (Jan 6th), Nathan announced that he'd sorted out his original problem and now had the defaults.
What a peculiar bunch we are. And this from the group lauded as anonymously and peacefully co-existing to hold the Internet together, eh?
Graeme
I think the impulse to challenge and question assertions probably tends to be a common personality feature in (good) network admins. The resulting conversations are often lively, oddly passionate arguments - but I firmly believe that there is a friendly nature behind it all. Nathan
On Wed, 13 Jan 2010 12:50:03 PST, Nathan Eisenberg said:
I think the impulse to challenge and question assertions probably tends to be a common personality feature in (good) network admins.
Something to keep in mind is that this list is, by and large, comprised of people who are paid large sums of money for their ability to have meaningful conversations with inanimate objects made of melted sand. You gotta expect their people skills will be.... different. :)
Steven Bellovin wrote:
On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:
There seem to be a lot of misconceptions about RFID tags. I'm hardly an expert but I do know this much:
RFID tags are generic, you don't put data into them unique to your application.
Not true. The simplest RFID tags, passive tags, are energized and play back whatever string is embedded; however, plenty of devices that fall under the moniker RFID are at a minimum field programmable. Moreover, when you get beyond passive tags, the devices can be found with full-on Java stacks, challenge-response systems, FIPS-certified crypto engines, flash for stored value, etc.
Part of the original (or at least early) context for this thread was recovery of default passwords. If the password is F(ser#), it's only learnable if you know both F() and ser#. The vendor knows F() -- who knows ser#? If it's in an RFID tag, or is DBlookup(tag#,vendor_db), being able to read this admittedly-arbitrary number may indeed be a threat.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Wed, 13 Jan 2010 11:23:59 MST, "Lyndon Nerenberg (VE6BBM/VE7TFX)" said:
Barry's right, for at least some scenarios. If I have an unauthorized somebody walking down the row with a wand in their pocket, the fact they have a wand in their pocket is the least of my problems.
Encrypt the data?
That's a possible solution to the wand, which is the least of my problems. My *big* problem at that point is I have an unauthorized person in my server room. ;)
We have an internally written app that allows us to either find where in the data center a server is, or pull up a rack and see what's in it. It wouldn't be a very big leap to assign each rack a bar code and have an app (you could even write it as a smartphone app) that scans the bar code and looks up what's in the rack. Of course, without access to (authentication is required) the web app front end for the database of what's where, just scanning the bar code wouldn't get you anything but a rack serial number...so you don't have to worry about random people scanning the rack bar code. BTW...a friend who works for a mostly failed .com patented something like this some years ago. I think his patent was actually for a system in which a bar code on the front of a server could be scanned by a portable device, and you'd get current system health information for that system. On Wed, 13 Jan 2010, Matt Simmons wrote:
That would be excellent for both the administrator, and anyone walking down the row with a wand in their pocket.
On Wed, Jan 13, 2010 at 12:21 PM, Barry Shein <bzs@world.std.com> wrote:
On January 12, 2010 at 23:03 Valdis.Kletnieks@vt.edu (Valdis.Kletnieks@vt.edu) wrote: > On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said: > > A password recovery method I've found very frustrating is to use the > > serial number or similar value that's on a label on the bottom of the > > equipment. > > Related pet peeve: Inventory and asset control people that stick a sticker on > hardware and then expect to be able to scan the barcode at a later date. Works > fine if the barcode sticker actually ends up facing the front or the back of > the rack. But occasionally, the sticker ends up stuck on an empty space on the > printed circuit board of a upgrade blade that's plugged into a chassis... >
Sounds like RFID FTW!
Actually, I have no idea if it'd work, maybe someone else does. Seems like it'd be nice to be able to just wand a rack and poof out comes a list of everything in it.
-- -Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
--
LITTLE GIRL: But which cookie will you eat FIRST? COOKIE MONSTER: Me think you have misconception of cookie-eating process.
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
-----Original Message----- From: Matt Simmons [mailto:standalone.sysadmin@gmail.com] Sent: Wednesday, January 13, 2010 9:55 AM To: Barry Shein Cc: nanog@nanog.org; Bill Stewart Subject: Re: Default Passwords for World Wide Packets/Lightning Edge Equipment
That would be excellent for both the administrator, and anyone walking down the row with a wand in their pocket.
I'm not sure there's an attack vector utilizing inventory ID numbers. Even if there is, they can just as easily scan a barcode or read a label from that distance, so I'm not sure there's a huge difference. Best Regards, Nathan Eisenberg
On January 13, 2010 at 12:55 standalone.sysadmin@gmail.com (Matt Simmons) wrote:
That would be excellent for both the administrator, and anyone walking down the row with a wand in their pocket.
All an RFID wand would give you is a unique id number for each tag in range which someone with access to an inventory database would look up to find the associated record for other info. It would be mostly useless info to "anyone...with a wand." I suppose my question is more in the realm of whether the environment is too RF noisy for RFIDs to be reliable, do such systems exist at that scale (can I buy 1,000 RFID tags and a wand? I'd think so but I don't know.) Also, would RF shielding in racks make it tricky to get a good wanding? Anyhow, just a thought.
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Wed, Jan 13, 2010 at 12:55:00PM -0500, Matt Simmons wrote:
That would be excellent for both the administrator, and anyone walking down the row with a wand in their pocket.
So... someone has a list of the "barcodes" on all my equipment. ONOES! Without access to the asset database that backs it, I'm not sure what damage they're going to do. It's not as though one of my core switches is going to try and get through airport security with it. - Matt
Dymo-style solutions are somewhat lacking when it comes to some complex boxes. Equipment configs, mods, firmware versions, etc can all be fitted onto a nice big sheet that can be slipped back into the rack without much problem in most <pun> cases </pun> A nifty solution I often claim to have invented in the last century is to spray-adhesive an A4 (or equivalent US size) plastic pocket/"punched pocket" on the TOP face of the equipment before you slide it in, such that a single piece of A4 just protrudes from the front of the rack when you use a self-adhesive tab on its TOP edge. (the TOP 's above are emphasized, ignore them at your peril; in the first <pun> case </pun> the plastic will be destroyed the first time the equipment is de-racked and in the second the tab will pull off easily. Problems can be prevented by placing two tabs on the paper, one on each side, exactly over each other.) The trick, to ensure subsequent re-insertion (which is much harder than it seems if you don't) is to also firmly stick a tab to the UPPER INSIDE of the plastic wallet opening. To re-insert, gently lift the plastic tab up. All of this takes up under a millimeter and (unless the equipment designer was drunk) doesn't affect ventilation. On rolling ships, however, the papers require a bit of insulation tape across adjacent case-fronts after each use. /end_stationary_geek_mode pics off-list on request if that doesn't make sense. Gord
On Tue, 2010-01-12 at 17:50 -0800, Bill Stewart wrote:
A password recovery method I've found very frustrating is to use the serial number or similar value that's on a label on the bottom of the equipment. It's just fine for desktop hardware - but for rack-mounted gear, it's not uncommon to find out that you need this information *after* somebody's racked and stacked the hardware, and therefore you either need to unscrew it (if it was screwed into the rack)
On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote:
An option I saw years ago (I forgot on whose equipment) was a default password which was a function of the equipment's serial number. So you had to have the algorithm and you needed the serial number which was not related to the MAC. So if you didn't have physical access, you were not in a good position to learn the password.
I suspect this was a support nightmare for the vendor and I bet they went to a more standard (read: the same) factory password.
At the end of the day, minimizing support costs for the vendor (not to mention likely annoyance for the customer) trumps providing "default" security for the folks who won't change the default password.
The MyFi apparently does this. According to http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html "The network password is printed right there on the bottom of the MiFi itself." --Steve Bellovin, http://www.cs.columbia.edu/~smb
On Wed, Jan 6, 2010 at 8:26 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote:
An option I saw years ago (I forgot on whose equipment) was a default password which was a function of the equipment's serial number. So you had to have the algorithm and you needed the serial number which was not related to the MAC. So if you didn't have physical access, you were not in a good position to learn the password.
I suspect this was a support nightmare for the vendor and I bet they went to a more standard (read: the same) factory password.
At the end of the day, minimizing support costs for the vendor (not to mention likely annoyance for the customer) trumps providing "default" security for the folks who won't change the default password.
The MyFi apparently does this. According to http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html "The network password is printed right there on the bottom of the MiFi itself."
At least it's not "0000". But yes, my Mifi *had* the password on the bottom. -- Joel Esler
At the end of the day, minimizing support costs for the vendor (not to mention likely annoyance for the customer) trumps providing "default" security for the folks who won't change the default password.
The MyFi apparently does this. According to http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html "The network password is printed right there on the bottom of the MiFi itself."
At least it's not "0000".
But yes, my Mifi *had* the password on the bottom.
In a lot of cases, physical access = you're screwed anyway. What's the difference if the password is printed on the box? If you can't physically protect your kit, that's something else, but aside from things like WAP's which are routinely in 'the open' surely you protect your equipment inside secure racks/cabinets/datacentres such that the physical labelling is inaccessible to those who aren't authorised... ?
On Wed, Jan 06, 2010 at 08:41:14PM -0500, Joel Esler wrote:
On Wed, Jan 6, 2010 at 8:26 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote:
An option I saw years ago (I forgot on whose equipment) was a default password which was a function of the equipment's serial number. So you had to have the algorithm and you needed the serial number which was not related to the MAC. So if you didn't have physical access, you were not in a good position to learn the password.
I suspect this was a support nightmare for the vendor and I bet they went to a more standard (read: the same) factory password.
At the end of the day, minimizing support costs for the vendor (not to mention likely annoyance for the customer) trumps providing "default" security for the folks who won't change the default password.
The MyFi apparently does this. According to http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html "The network password is printed right there on the bottom of the MiFi itself."
At least it's not "0000".
But yes, my Mifi *had* the password on the bottom.
As long as the passwords are reasonably secure (ie not generated to a simple pattern that can be easily brute forced) and they can be changed, I'd consider that to be pretty reasonable security. As has been mentioned in this thread already, if someone's got physical access to your equipment you're dead in the water, security wise, so having the device-specific "factory" default password on the equipment is far more secure than having a single factory default password, whilst being *far* more user friendly than a hash-the-serial-number approach -- or even a "prompt for a password before I'll do anything" (which, I agree, is the most secure, but is still not very usable). For the record, all of my personal networking gear has the admin credentials (and whatever else I need to get into them, like IP addresses, etc) written on it. I don't trust myself to remember those over the years, and assuming that anything else is going to be working when I *need* to get into them seems awfully optimistic. - Matt
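The trade-off argued in this thread, a serial-derived default F(ser#) versus a random per-device password printed on a label, shown as an added example that is not part of any poster's message and not any vendor's scheme. The key, the serial numbers, the function names and the idea of a salted-hash reset record are all assumptions made for the illustration.

```python
"""Added illustration: serial-derived vs. random per-device default passwords.

Constructed for this example: VENDOR_KEY, the serial numbers and all function
names are hypothetical and do not describe any real vendor's scheme.
"""
import hashlib
import hmac
import math
import secrets

# Label-friendly alphabet: no 0/o, 1/l/i, so a sticker can be read reliably.
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
VENDOR_KEY = b"constructed-demo-key"  # hypothetical secret behind F()


def derived_default(serial: str, key: bytes = VENDOR_KEY, length: int = 12) -> str:
    """F(ser#): keyed hash of the serial, mapped onto the label alphabet.

    Deterministic, so the vendor can recompute it after a sticker is lost,
    and so can anyone else who learns both the key and the serial.
    """
    n = int.from_bytes(hmac.new(key, serial.encode(), hashlib.sha256).digest(), "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(LABEL_ALPHABET))
        out.append(LABEL_ALPHABET[idx])
    return "".join(out)


def random_default(length: int = 12) -> str:
    """Per-device random password from the OS CSPRNG; unrelated to the serial."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def label_entropy_bits(length: int = 12) -> float:
    """Upper bound on guessing work for a uniformly random label password."""
    return length * math.log2(len(LABEL_ALPHABET))


def reset_record(password: str, iterations: int = 100_000) -> dict:
    """Assumed design: the factory-reset image keeps a salted hash, not cleartext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_login(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a login attempt against the reset record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def compare_schemes(serials):
    """Provision each constructed serial both ways and summarise the properties."""
    derived = {s: derived_default(s) for s in serials}
    labels = {s: random_default() for s in serials}
    records = {s: reset_record(pw) for s, pw in labels.items()}
    return {
        # Same serial and key always give the same password (recoverable).
        "derived_recomputable": all(derived_default(s) == pw for s, pw in derived.items()),
        # Unlike one global default, knowing one unit's password reveals no other.
        "derived_unique": len(set(derived.values())) == len(serials),
        "random_unique": len(set(labels.values())) == len(serials),
        # The label password logs in; a password computed from the serial does not.
        "label_logs_in": all(check_login(records[s], labels[s]) for s in serials),
        "serial_guess_logs_in": any(check_login(records[s], derived[s]) for s in serials),
        "label_bits": round(label_entropy_bits(), 1),
    }


if __name__ == "__main__":
    for name, value in compare_schemes(["SN-0001", "SN-0002", "SN-0003"]).items():
        print(f"{name}: {value}")
```

The derived scheme survives a lost sticker but is only as secret as the key and the serial; the random scheme has nothing to recompute, which is the "don't lose it" cost mentioned elsewhere in the thread.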
I've been in training with the WWP folks for the last two days (VERY GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread. They say if a customer is willing to pay they can change the initialization method. But I'm guessing that anyone willing to pay would be the type to actually secure the box once it's turned-up. If you got some serious layer 2 stuff to do, these boxes have a really interesting architecture and some trick features (unix type shell, for one.) -Joe -- Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
On Jan 7, 2010, at 10:12 AM, Joe Hamelin wrote:
they got quite a chuckle out of this thread.
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials': <http://www.cisco.com/en/US/products/products_security_advisories_listing.html#advisory> ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
On Jan 7, 2010, at 10:19 AM, Dobbins, Roland wrote:
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
Actually, should be 'default password'. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
-----Original Message----- From: Dobbins, Roland Sent: Wednesday, January 06, 2010 7:23 PM To: NANOG list Subject: Re: Default Passwords for World Wide Packets/Lightning Edge Equipment
On Jan 7, 2010, at 10:19 AM, Dobbins, Roland wrote:
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
Actually, should be 'default password'.
One of the problems I have seen is an organization where someone uses something stupid just to get something up and running (say a password of "password" or "foo" or something) with every intention of coming back to fix it later but forgets to. That is what I meant yesterday about an organizational "default" password that can be just as bad as the manufacturer's default. At least with some manufacturers you can log in from the console with the factory "default" password but can't log in over the network unless you have set one.
On Thu, 7 Jan 2010, Dobbins, Roland wrote:
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
Actually, should be 'default password'.
Default credentials may be a more generic description of the problem (although "default password" is a better search term). A problem with default credentials is history has demonstrated even an expert (i.e. the vendor's own technical support) isn't always certain they've found and changed every default credential possible on complex devices. It's not just the usual console access, but also snmp protocols public/private, http protocols admin, ldap cn=admin, postscript none, decnet mop, and so on. Even if you think you know every possible protocol, some vendors have had the habit of adding new protocols in updates with their own set of defaults for new remote access protocols. Multiple protocols, using multiple authorization sources, with defaults. It's not a surprise why old-timers get annoyed with vendor gear with default remote access methods enabled before the user configured the access credentials for the access method. Eventually you'll get bit by some device, some protocol, that has something enabled without your knowledge. If you require your vendors not to ship stuff with remote access enabled by default, it's not a substitute for your own due diligence, but in practice it helps reduce unexpected incidents.
I kind of liked the way the Symantec Vraptor (piece of junk) firewalls used to do it. Factory reset from the front panel, set addressing and it generates new passwords displayed on the LCD. Jason
On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
Roland, this isn't the home wi-fi market we're talking about. Anyone that's going to buy one of these puppies is going to have a clue about putting their password in. BTW: You have to be on the console or the management port on them to use the default password (ok, you could get on the right VLAN too.) Problem solved, except for those cases where the operator is a total idiot. Trust me, the shop I'm working for isn't that way, not with the size of the roll-out we're doing (25k+ switches.) I liked what you said about firewalls vs. servers but, to be honest, in this thread you're really beating a dead horse. -Joe -- Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
Roland, this isn't the home wi-fi market we're talking about. Anyone that's going to buy one of these puppies is going to have a clue about putting their password in.
You apparently missed the recent thread on NANOG where this guy was asking for some help with "Default Passwords for World Wide Packets/Lightning Edge Equipment" ... apparently not everyone has the "clue" you expect them to. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Wed, Jan 06, 2010 at 10:45:32PM -0600, Joe Greco wrote:
On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
Roland, this isn't the home wi-fi market we're talking about. Anyone that's going to buy one of these puppies is going to have a clue about putting their password in.
You apparently missed the recent thread on NANOG where this guy was asking for some help with "Default Passwords for World Wide Packets/Lightning Edge Equipment" ... apparently not everyone has the "clue" you expect them to.
To be fair, he was just asking about factory resetting the device because the current password was unknown, then reconfiguring the device (I'm willing to be generous and assume that the reconfiguration included setting a new, secure password). - Matt
On Wed, Jan 06, 2010 at 10:45:32PM -0600, Joe Greco wrote:
On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
Roland, this isn't the home wi-fi market we're talking about. Anyone that's going to buy one of these puppies is going to have a clue about putting their password in.
You apparently missed the recent thread on NANOG where this guy was asking for some help with "Default Passwords for World Wide Packets/Lightning Edge Equipment" ... apparently not everyone has the "clue" you expect them to.
To be fair, he was just asking about factory resetting the device because the current password was unknown, then reconfiguring the device (I'm willing to be generous and assume that the reconfiguration included setting a new, secure password).
But that's my point. Someone who is presumably reasonably clueful had a problem determining what a predefined default password for a given device is. If it's difficult to determine THAT, what sort of chance does an engineer/admin have when he doesn't even possess the manual for the device, and it requires some more clever and sophisticated serial-number based method? The fact that someone has purchased some extremely expensive device does not guarantee that the next guy who has to run it will magically be able to figure it all out. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Matthew Palmer [mpalmer@hezmatt.org]
To be fair, he was just asking about factory resetting the device because the current password was unknown, then reconfiguring the device (I'm willing to be generous and assume that the reconfiguration included setting a new, secure password).
Thank you - You're correct. The administration and security of these devices is hardly magic - but one has to be able to access them in order to secure them. The devices haven't even left my hotel room for the production site, and you would already be SOL if you didn't have access to either the (management interface AND the Very Long Password) or the (reset button AND the management interface AND (the default password)). Dobbins, Roland [rdobbins@arbor.net]
Which goes to show that they just really don't get it when it comes to security.
So are you specifically opposed to globally default passwords, or are you opposed to being able to reset a device to factory defaults and somehow get into the device? Because while I still maintain there's no real security issue with the former (if there is, there's a bigger issue), all that I'm really gung ho for is the ability to get into a piece of equipment I need to operate, even if I don't have credentials to it. Nothing grinds my gears more than equipment that has to be thrown out because there is no recovery mechanism. I frankly don't much care if the default password on my WWP LE427 is 'wwp' or 'wwp[serial-number-which-is-printed-on-the-back]' - as long as I can get it so I can get in and change it, I'm happy. Steven Bellovin [smb@cs.columbia.edu]
And we all suffer from p0wned devices, because they get turned into bots. Roland is 100% right.
Eh... I think this is confusing cause and effect. We all suffer, but the fact that a device is compromised because of a default password is, at the root of the chain, the result of a faulty Operator. Why was the password left at default? Why was it possible to access the management interface to utilize the default password? I would argue that the solution is to replace or modify the defective operator, rather than replacing, eliminating, or modifying the tool they misused. Joe Hamelin [joe@nethead.com]
I've been in training with the WWP folks for the last two days (VERY GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread.
Are they still around, or are they Ciena employees? My understanding was that they were completely acquired.
If you got some serious layer 2 stuff to do, these boxes have a really interesting architecture and some trick features (unix type shell, for one.)
Yep, they're rock solid devices. Every deployment I've seen of them has worked very well. Ciena certainly got a good deal out of buying them! I'm actually not sure how much of the WWP gear is still manufactured. Thank you all again for helping me sort out what the factory default WWP passwords are so that I can now have a secure and documented deployment out here! I've received a couple offers of technical assistance from WWP veterans that I may well take up moving forward. Best Regards, Nathan Eisenberg
On Jan 6, 2010, at 11:38 PM, Joe Hamelin wrote:
On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':
Roland, this isn't the home wi-fi market we're talking about. Anyone that's going to buy one of these puppies is going to have a clue about putting their password in.
Again, look at http://ids.ftw.fm/Home/publications/RouterScan-RAID09-Poster.pdf?attredirect... -- while consumer devices were much worse, there was a noticeable problem on enterprise devices and a significant problem with VoIP devices, and I suspect that those latter are largely enterprise-based. --Steve Bellovin, http://www.cs.columbia.edu/~smb
"Jeffrey I. Schiller" <jis@MIT.EDU> writes:
An option I saw years ago (I forgot on whose equipment) was a default password which was a function of the equipment's serial number. So you had to have the algorithm and you needed the serial number which was not related to the MAC. So if you didn't have physical access, you were not in a good position to learn the password.
I suspect this was a support nightmare for the vendor and I bet they went to a more standard (read: the same) factory password.
Another class of devices, but the Compaq OOM management cards for servers ("RILOE") used to do this. Really nice when the serial number is placed on a sticker on a PCI card... You would usually have to shut down the server and pull out the card to read the sticker. Unless it had fallen off. Did I mention that the cards had a number of stickers with similar numbers on them with no indication which was the real serial number? Well, I'm not going to claim this was the reason why there is no Compaq anymore, but it must have cost them *a lot* in support and frustrated users. For what possible gain? It was still a default password, just a tiny bit more obscure. Bjørn
On Wed, 06 Jan 2010 18:24:26 -0500, Jeffrey I. Schiller <jis@mit.edu> wrote:
An option I saw years ago (I forgot on whose equipment) was a default password which was a function of the equipment's serial number. So you had to have the algorithm and you needed the serial number which was not related to the MAC. So if you didn't have physical access, you were not in a good position to learn the password.
Gadzoox used to do that... the management modules for their hubs had factory set random passwords. It's provided on a sticker with the card, so you can put it where you want -- just don't lose it, because that's the only place it exists (without breaking out a JTAG debugger.) Yes, their later gear has standard default passwords. --Ricky
Did you try to get in touch with Ciena people? I'm sure they will be comprehensive about how you get their products (not being exactly a customer). You could maybe even get an access to products' documentation without providing S/N: https://portal.ciena.com/AccountRequest/index.aspx?mode=MgsZFb3Brzo= I didn't try myself, but I guess getting the full documentation is worth it. Ben
Nathan Eisenberg wrote:
Greetings,
LONG VERSION:
I have recently inherited the management of an undocumented network (failed FTTH provider) which utilizes World Wide Packets' LightningEdge 427 (16 port GBIC switch) and 311v (24/4 port Ethernet/GBIC switch) switches. We've swapped out a 427 so that we can rebuild it, push it back into the network, and repeat, until everything is under our control.
Trouble is, the lack of documentation extends to passwords, the nature of which preclude any hope of getting in to the switch without resetting to defaults. Fortunately, I can do this without issue, since it is not in active service.
I reset a spare 311v to defaults, but cannot log in to it with any of the logical default passwords. I can only assume the same will be true of the 427.
Sadly, it seems World Wide Packets is now owned by a new company, who will not provide simple documentation without a full support contract. I got them to grudgingly provide the documentation for the customer premise devices (LightningEdge 47's), but my pleas for the switch documentation (and the management software that I believe WWP provided for free) has fallen on deaf ears. I don't have the budget to blow on a support contract just to get one default password (Who would?).
SHORT VERSION:
Does anyone know the default passwords for World Wide Packets 427 and 311v switches?
I will most definitely owe anyone with an answer a beer or four next time they visit Seattle. By the way, the default username/password for the LightningEdge 47 and other WWP CPEs is su/pureethernet. Hopefully that will save someone else some pain. :-)
Best Regards, Nathan Eisenberg
participants (31)
- Barry Shein
- Benjamin BILLON
- Bill Stewart
- Bjørn Mork
- Brandon M. Lapointe
- Brett Frankenberger
- Dobbins, Roland
- George Bonser
- George Imburgia
- gordon b slater
- Graeme Fowler
- James Hess
- Jason Shearer
- Jeffrey I. Schiller
- Jim Burwell
- Joe Greco
- Joe Hamelin
- Joel Esler
- Joel Jaeggli
- Jon Lewis
- Lyndon Nerenberg (VE6BBM/VE7TFX)
- Mark Foster
- Matt Simmons
- Matthew Palmer
- Nathan Eisenberg
- Nick Hale
- Ricky Beam
- Sean Donelan
- Stefan
- Steven Bellovin
- Valdis.Kletnieks@vt.edu