Re: Cisco 675 password nonsense

[brian () CITILINK COM (Brian Elfert)]

On Sat, 31 Jul 1999, DeMoNx wrote:

> switching all non-business/special adsl accounts over to using PPP rather
> than bridging mode for 'security reasons', I got a little suspicious. With

With good reason.  In bridging mode with a Windows 9x/NT box, your network
neighborhood will show everyone else's PC that has any file/print sharing
enabled.  So, it's trivially easy to connect to a non-passworded share.

Now, ideally, all these shares would be passworded, but we know that'll
never happen.  Not having the shares show up in network neighborhood is a
bit of security by obscurity, but it's harder to connect to a share if
it's not in your network neighborhood.

> them. The problem is, *most* of these guys don't set passwords on the
> 675's. It is very simple to compromise an unpassworded 675. simply hit
> 'enter' at the password prompt after telnetting in, if you get a cbos>
> promt you are half way there, NOT GOOD. If there is no exec mode password
> set, then there most likely won't be an enable(superuser) mode password

Cisco has recognized this as a problem.  This is fixed in 2.1.0a or in
2.2.0 (2.2.0 out shortly).  The 675 will react like classic IOS and not
allow telnet if a exec password is not set.

BTW, in US West land at least, 90 to 95% of all installs are self install
where a tech never visits the customer.

Brian