E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Professional Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: InterenetNews.com

Posted on May 17, 2001

      Cayman Systems confirmed Wednesday that a potentially serious security vulnerability exists in the DSL equipment it supplies to many leading providers, including SBC Communication's numerous subsidiaries such as Pacific Bell and Southwestern Bell, as well as to Verizon and Nortel Networks.

      At the request of its service provider customers, Cayman ships its Cayman 3220 DSL Router without setting an administrator password on the devices. Without such an access control, a remote attacker could take over the device and gain access to any equipment connected to it, according to the Massachusetts-based company.

      "If you have somebody's IP address, then you can go in and access that system in many ways. If you have enough stick-tuitiveness, you can go in and do all kinds of things," said Marilyn Maquire, a senior product manager for Cayman.

      Cayman estimates that nearly 100,000 of the devices have been installed by DSL providers on behalf of their subscribers. Only a small percentage of users have not properly set up an administrative password, according to Maquire.

      But Andrew Siverly, an Internet security expert who discovered the vulnerability, said he recently identified hundreds of Cayman routers on networks operated by SBC that are exposed. A similar report was independently posted Wednesday on a mailing list for network operators.

      Among the SBC customers confirmed to be vulnerable by InternetNews Wednesday were a Ford dealer and an insurance company, both located in the Houston, Texas area. Using the router's web-based interface, or a telnet connection, a remote attacker could perform a number of administrative functions on the company's routers, potentially denying service, re-routing traffic, or monitoring data flowing through the network.

      SBC officials were not available to explain why the company specifies that its supplier ship routers without password protection enabled.

      SBC has known about the vulnerability since early 2000, according to Siverly, who said he discussed the issue with the senior IT staff at the telecommunications firm.

      "They told me to go away, and if I published my bug they would give me a big headache," said Siverly, who eventually posted an advisory about the vulnerability on the Bugtraq security mailing list.

      Because of potential liability issues, many ISPs are reluctant to be proactive in notifying subscribers about security issues, according to John Navas, a California-based telecommunications analyst.

      "There's an honest dilemma here. I'm disappointed that most providers tell users that its their responsibility to deal with security issues. But the questions of their liability are not insignificant," said Navas.

      Cayman last year added a function to its router software that warns users if they have not established a password. But the company said ISPs, which have direct, front-line service contact with the end-user, must take responsibility for seeing that the security hole is closed.

      "We've done everything we can to educate out customers about what this particular password is and why it's important to set. If people are receiving the gateway and not setting the password, we're in an awkward situation. We can't force our customers to set the password," said Maquire.

      While the Cayman unit is based on a chipset from Alcatel, the password vulnerability is not related to a recent security issue with Alcatel DSL modems recently reported by the San Diego Supercomputer Center.

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold, Chartered Professional Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.