Broadband security?

Please excuse the redundancy regarding this topic, but I can’t help publicizing this.
A few weeks ago I came across a rather odd opening regarding a certain ISP and its Cayman’s DSL routers. Oddly enough I found 19 open routers actually telling/publicizing that there was no password set for the admin account using little more than a web browser (of course one of them being mine). A bit concerned I contacted the ISP in question, their NOC to be exact, and told them of this. During the conversation it was pretty clear that the NOC person didn’t really care, and that “The customer is responsible for that security” or better said (not my job) applied within this situation. A bit concerned I contacted a sales rep from that same ISP and got this “wow, really, can you send me those IP addys and we’ll look into it right away!”. With some strange sense of helpfulness I sent those items to him and heard not a word. That was about 2 weeks ago, and I again checked on the nodes I had seen them open and found the same openings. I thought perhaps it was just a honey pot, but after changing two of the routers then restarting them and seeing the changes I knew nothing had been done. On a whim, and sort of a bet, I did a scan of the ISP’s net and found over 100 Cayman routers open, as well some odd 20 SpeedStream routers (simple password/login just give it admin and you have the keys to the kingdom so to speak). To me, and perhaps I am missing something here, this seems a bit odd, in that a major ISP deploying these items would in fact leave routers, ok junior routers, this wide open. I really don’t want to name the ISP in question openly for the obvious reasons, but has it really gotten to the point that Broadband for businesses is slapped in with no security and no education to the persons getting it?

Sorry for the rant
-Joe

* Joe Blanchard <jblanchard@wyse.com> [20010516 03:29]:

> and seeing the changes I knew nothing had been done. On a whim, and sort of
> a bet, I did a scan of the ISP's net and found over 100 Cayman routers open,
> as well some odd 20 SpeedStream routers (simple password/login just give it
> admin and you have the keys to the kingdom so to speak). To me, and perhaps
> I am missing something here, this seems a bit odd, in that a major ISP
> deploying these items would in fact leave routers, ok junior routers, this
> wide open. I really don't want to name the ISP in question openly for the
> obvious reasons, but has it really gotten to the point that Broadband for
> businesses is slapped in with no security and no education to the persons
> getting it?

Yep. Although this is nothing new. The heavier deployment of xDSL and Cable
to unsuspecting end-users has only made it more obvious. What do you expect
when a new CPE (router or bridge) is handed to Joe Blow by their ISP with
minimal security measures in place? He's certainly not going to know how to
lock it down! The next several years are going to be interesting. Some
ISPs are going to get bitten in the ass as their customers' networks are
compromised. This has already happened in some cases but the ISPs are not
yet feeling the costs from fixing the situations afterwards. Perhaps when
they begin to they'll start working on being more pro-active. Or perhaps
they are already feeling it..

> Sorry for the rant

I'd rant at your ISP. It is their customers and, ultimately, them that will
feel the pain.

This industry isn't going away but we've still got a LOT of work to do. :)

-jr

What you're going to see, barring intervention from Big Brother in the
US, is this:

Over the next few years, business customers will begin demanding that
their provider have insurance that covers hacker damage, both of the ISP's
equipment and of customer equipment that's compromised due to compromised
ISP equipment.

The insurance companies that offer this will do security surveys (mostly
perfunctory) to set premiums.

Those ISPs that don't ensure customers are protected will pay huge premiums,
which will raise their costs enough that competitors who do the right
thing will be able to undercut them.

Market forces will take over, and the balance will begin to shift over to
ISPs filtering inbound by default, and only opening it up upon request.

This will not cause increasing headaches for those of us with clue, however,
because we'll know to tell the salesdroid upfront that we're firewalling,
and salesdroid will know who to pass that information along to so somebody
with clue on his end can give us a couple of quick questions to make sure
we're running a config that the insurance company will grok.