Insecure Routers on IOL

eth0_

Originally posted by ronoc


Why on earth would I want to scan the FBI?

JESUS! It was a hypothetical example!
Portscanning can get you into a lot of trouble, as I found out when I was a 15 year old n00b.

bk

Originally posted by kida
I must say I'm with eth0_ on this. If you go into Maplins or compustore and bought the same router would you blame them for not disabling this.

Modems and routers are usually sold with remote administration turned off by default. This looks like the guys who configure the routers messed up.

Xcellor

Portscanning....

It's like the force it can be used for good or for the darkside...

Valid point being made by rbnoc.

Question: Without portscanning would we even be aware of the fact soooooooo many IOL users have not changed their default settings.

Answer: No

Question: Would the problem still have existed without being brought up here?

Answer: Yes. and undoubtedly anyone who hacks would already have known about it. So therefore saying it out in the open like this is harmless. It is beneficial because most of the people posting on here are at this moment saying "CRAP I've got to change my password...." and the rest who don't... Well is believe that is IOL's responsibility because they shipped poorly configured hardware..

Xcellor

meatball

Don't leave us hanging eth0...

Xcellor

Originally posted by bk
Modems and routers are usually sold with remote administration turned off by default. This looks like the guys who configure the routers messed up.

Yes but IOL preconfigured the router. But in their wisdom decided to leave Remote Access on. Regardless of whether ZyXel are to blame... I got my router from IOL, it was configured by IOL and therefore I hold IOL responsible....

Xcellor

Xcellor

Originally posted by eth0_
JESUS! It was a hypothetical example!
Portscanning can get you into a lot of trouble, as I found out when I was a 15 year old n00b.

How did you get in trouble? I can't think of too many ISP's that would fuss about a portscan... Unless of course you ran into an over zealous systems administrator that believes he is God...

Portscanning gives you info. It's what you do with that info that determines the validity for getting that info.

Xcellor

Well its like the advice to turn on your firewall.
You get one but it may not be on by default.
I just think there are ppl here who may have no Idea that their routers are not configured properly.

meatball

"I can't think of too many ISP's that would fuss about a portscan..."

LOL Why, how many have you worked for?

bk

Originally posted by Xcellor
Yes but IOL preconfigured the router. But in their wisdom decided to leave Remote Access on. Regardless of whether ZyXel are to blame... I got my router from IOL, it was configured by IOL and therefore I hold IOL responsible....

Xcellor

Ehm, yes, that is exactly what I'm saying, obviously not clearly.

I would expect that the manufacturer of the modem/router had remote administration disabled by default, but IOL (or whoever it gets to configure these) messed up and enabled it.

Xcellor

Speaking from personal experience....

I was bloody shocked when I saw that I could access my router from outside my LAN... I simply couldn't believe it. That means for the first week my router was completlely open to anyone who knew my IP. I'm no expert but I know my stuff about computers... and I probably never would have checked only that I was bored one day.

I never thought for a second that when I tried to log onto my IP I would get a username and password box popping up. Even with the way I feel about IOL... I didn't think they were *that* incompetant.

I bet there are still people out there saying that it is the users responsibility. Just think of a bank though, do they make it so easy for people to access your bank details. Take your money etc etc. Nope. A bank is a service institution. An ISP is likewise...

Xcellor

Xcellor

Originally posted by meatball
"I can't think of too many ISP's that would fuss about a portscan..."

LOL Why, how many have you worked for?

No but i've portscanned many times and never had a problem with it. There seems to be this notion that portscanning can only be used for hacking... That is completely out of line....

Xcellor

MrPinK

Originally posted by kida
I also think it very irresponsible to publish such a security loophole on a public forum - I am sure as we speak havoc is being wreaked. There should even be a case for a mod to delete this post.

How do you think most security problems are found and fixed? All he did was warn IOL users that they may be at risk and what they should do if they are. I'd want to know if there was a possible secuirty problem with my setup. How can it be better if this thread be deleted and many users remain oblivious to such a big security hole in their system?

Xcellor

Originally posted by MrPinK
How do you think most security problems are found and fixed? All he did was warn IOL users that they may be at risk and what they should do if they are. I'd want to know if there was a possible secuirty problem with my setup. How can it be better if this thread be deleted and many users remain oblivious to such a big security hole in their system?

Finally!! Someone who sees the sense in what he did.... I think 90% that have posted here would rather be ignorant to the fact people could be screwing around with their router... But I bet you that they'd be the ones moaning when they were locked out. And im sure they would be less than happy if they knew people knew about it and didn't warn them....

Truth is... anyone who looks at Broadband forum will see this topic and make the adjustments to their router. So it's done it's job despite the negative viewpoints and the "stick the head in sand" attitude of some here...

Xcellor

If I hadn't mentioned scanning I'd say this thread would have drifted into obsurity.
I almost wish it had :rolleyes:

secret_squirrel

This thread prompted me to re-examine my router settings to double check this...fortunately remote admin is off.

Kudos to ronoc. I cant believe there are so many people are getting on their high horse about portscanning, the only way you can prevent security holes is through education, which involves telling people about risks not keeping silent.

And I'd lay good odds that the record of his port scan is lying on a IOL log somewhere in amoungst millions of others. They are as common as muck ffs.

Xcellor

A bit of lively debate is good...

It's worrying though. I feel some here have a very strange attitude to a serious problem.

Ignorance isn't bliss when your router is locked and you don't have the expertise to fix it. I would hazard to guess 90% of the people on BB now have never used a router before they received theirs from whatever ISP. Therefore it really should have been dummy proof with the most basic of security options already predefined.

In their help guide they say,

"We strongly recommend that you set all three forms of management to LAN only"

So they were aware of the situation but still decided to keep it as ALL...

I question their logic...

Xcellor

meatball

You come home, there is a stranger poking around your door. You confront him, and he says he was only trying to make sure your door was locked so your house was safe. How would you react? Would you thank him for his valuble service? Or call the police?

Nice Analogy.
But what port is the door of the house??;)

MrPinK

Originally posted by meatball
You come home, there is a stranger poking around your door. You confront him, and he says he was only trying to make sure your door was locked so your house was safe. How would you react? Would you thank him for his valuble service? Or call the police?

Don't you just love it when people try to compare these things to real world examples?

You are leaving your home, a stranger comes up to you as you walk out of your garden. He tells you that he's noticed that you've left your front window wide open. How would you react? Would you thank him for his valuble service and close the window? Or tell him to piss off and not be so nosey?

meatball

Flawed. He didn't *notice* that these ports were open in the course of normal activity.

Ripwave

Originally posted by eth0_
That's no concern of Esat's. They supply you with the router, they don't configure it.

Don't be stupid - they're sending this thing out to people who barely know how to turn on their computers! They damn well should be configuring them first (And I'd be really surprised if Zyxel are shipping them from the factory with remote admin enabled).

True.
I noticed it when my router was initially setup.
And I decided to see how widespread it was.

MrPinK

Flawed. He didn't *notice* that these ports were open in the course of normal activity.

My actual point was that all such analogies are flawed.

Make the stranger a good samaritan who walks the streets looking out for open windows so he can warn the owners. He didn't *notice* the open window, he was looking out for it. Does this make the analogy make more sense with regard to portscanning? Of course not.

eth0_

Originally posted by Ripwave
Don't be stupid - they're sending this thing out to people who barely know how to turn on their computers! They damn well should be configuring them first (And I'd be really surprised if Zyxel are shipping them from the factory with remote admin enabled).

Read my other posts, skip! I retracted that statement when someone proved that IOL do, in fact, configure these routers...

Iago

IOL don't configure the routers, they're sent out directly from the supplier.

I was reading through this thread and took out my manual, it does clearly state that you should

1. change your password straight away
2. change your remote management settings to Lan Only

and it clearly explains how to do it and why you should do it in the configuration/Router Security configuration section

blah blah blah....can be restricted to being accesssed from the LAN only (i.e. from your PC), from the WAN only (from the internet - NOT a good idea!), from both of these ("All") or from neither ("Disable")

"We STRONGLY RECOMMEND that you set all three forms of management to "LAN Only". This permits you to configure the unit if required, but blocks anyone outside on the internet from doing so."

Xcellor

Well if you are dealing with inexperienced people who do not know much about computers. Which would account for 90% of the people out there. How many of that 90% is going to sit down... take the time to read each page of the User Guide and then make changes to the router.. Remember these are not technical people and will have the opinion "If I change it I will break it...".

So common sense for an ISP would be: Let's make it as secure as possible. If more advanced users wish to adjust settings they can. But the average user is protected....


They did not do this. That is incompetant. The router was preconfigured... whether on behalf of IOL or not. They catered the router for IOL subscribers. It was not off the shelf....

Xcellor

MrPinK

I'd have to disagree with that. If they were changing the default settings and thereby making it less secure then that's a big problem, but I don't think it's IOL's job to secure your system for you. They are only required to supply you with the equipment and the service. If you don't know what you are doing, as I'm sure many of their customers don't, then you should RTFM. IOL shouldn't be held responsible for customer negligence.

Xcellor

I believe a product should be customized for its market. For the average end user. If the majority are technically inept then I believe as a supplier of hardware I am obliged to offer a level of protection to these ones with the option of turning it off for the more advanced users.

Now there is a careful balance that has to be met. One of not annoying advanced users with "Are you sure" all the time. However I feel with something as fundamental as this which is potentially a major security problem for the average user, the choice is clear cut. Disable it.

No questions. Sorry for repeating myself but it is just another instance of Esats complete displacement from what the customer needs. We have seen it in so many other aspects of the way they conduct business why should we expect anything less in their provision of hardware?

Xcellor

secret_squirrel

Of course they should be held responsible - just as most people hold microsoft responsible for the XP firewall being disabled by default - the situations are virtually identical imo. They have a good idea about the techinical competence of their users, they should make sure they have taken all reasonable steps to make their routers secure -which they patently have not done.

My (non-IOL) router shipped with remote admin switched off - why shouldnt theirs?

Its negligent of them to assume a non-computer literate is even gonna rtfm. Its partially due to the fact of companies like IOL and MS that there are so many compromised pc's spewing viruses and spam out there.

Xcellor

Isn't this fun? Im having immense fun debating the issues contained within here. Fueled with the desire to kick Esat any chance I get.

I do wish some of the IOL technicians would take an active role on this discussion board. I see UTV has representatives here. I guess IOL are too spineless and really on what basis could they debate? Their superior service? Excellent support? Reliability? Can we put IOL beside either of the above words?

Xcellor