RE: Comcast Cable Setup Security Issue

["Herman F. Ebeling Jr." <hfebelingjr () lycos com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas,

     That's what I did when I "set-up" my laptop for Road Runner. 
The only differance being that I wasn't given the option of doing a
self-install of the hardware.  And I just read somewhere that Road
Runner is still handing out copies of a vulerable version of IE, so I
guess it's a good thing that most of us know that we don't need
either "instalation CDs" to get on-line with a cable modem.  As I
have an RCA broadband modem and I didn't run that CD either.

Herman
- ----- Original Message -----
From: tbishop () micron com
Date: Tue, 20 Jul 2004 09:00:43 -0400
To: <security-basics () securityfocus com>
Subject: RE: Comcast Cable Setup Security Issue

> I am not sure why you had to go through such hoops to get a Comcast
> installation working.  I have performed a dozen or so Comcast
> installations for friends and family without a hitch.  The CD that
> you used is completely unnecessary.  All you have to do is hookup
> your equipment, call Comcast to register your modem's MAC, and
> poof, you're done.  I am not writing this to insult you (or your
> intelligence), but instead to hopefully save you time should you
> need to perform a Comcast installation in the future. 
>
> -Thomas
>
> -----Original Message-----
> From: Gandalf The White [mailto:gandalf () digital net] 
> Sent: Sunday, July 18, 2004 10:14 PM
> To: security-basics () securityfocus com
> Subject: Comcast Cable Setup Security Issue
>
> Greetings and Salutations:
>
> I am beginning to get a feel for why Comcast is at the top of the
> list for
> zombie spam boxes.
>
> I just set up an account for a friend who had a connection on the
> Comcast
> cable network.
>
> The instructions on the included CD-ROM (as soon as the CD started
> up) was
> to turn off all Anti-Virus and Firewall software on the computer. 
> I called
> up Comcast tech support and told them that I was I was nervous
> about doing
> this, but I was assured that my computer would *only* be talking to
> the Comcast activation server.  Lets just ignore that the computer
> would be talking to all the other machines on my local cable
> segment also.
>
> I had a router with firewall in between the computer and the
> Comcast network
> so I went ahead and deactivated the anti-virus and firewall
> software on the
> computer.
>
> I got half way through the activation and all of the sudden the
> process dies.  Claimed I could not reach the HTTPS server or that I
> had not activated within the time allowed.  I tried everything to
> start up the process again with no success.
>
> Called Comcast tech support.  The tech (he was very efficient and
> nice) told
> me to DISCONNECT THE COMPUTER FROM THE ROUTER AND PLUG THE COMPUTER
> DIRECTLY
> INTO THE CABLE MODEM.  This made me EXTREMELY nervous.  I now have
> a computer (that was patched and up to date of course) ... BUT ...
> The antivirus and personal firewall software was PURPOSEFULLY
> turned off. By
> Comcast instructions.  He walked me through connecting to the
> Comcast website and finishing up the activation steps.  I tried (in
> the middle of
> his instructions) to ask if I could hook back into my router for a
> modicum
> of protection and was told no, I had to finish the setup.
>
> When I finished the setup (again, he was very nice and pleasant) I
> rebooted,
> hooked the computer back to the router/firewall, verified my
> antivirus and
> firewall were working and indeed everything worked fine.
>
> Being a computer / security professional I was (of course) thinking
> about
> all the very bad things that could happen to this computer while
> following
> Comcast's instructions.
>
> I know (and I think it is almost criminal) that many cable
> companied hook
> PC's up to a cable modem *all the time* without antivirus /
> firewall / updates / any kind of protection.  But you would think
> that an
> installation
> would not require you to take away any kind of protection that a
> computer
> has.  I can see some overzealous PC owner deleting the anti-virus
> and firewall software just to get their cable modem working.
>
> Ken
>
> ---------------------------------------------------------------
> Do not meddle in the affairs of wizards for they are subtle and
> quick to anger.
> Ken Hollis - Gandalf The White - gandalf () digital net - O- TINLC
> WWW Page - http://digital.net/~gandalf/
> Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
> Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
>
>
> --------------------------------------------------------------------
> ---- ---
> Ethical Hacking at the InfoSec Institute. Mention this ad and get
> $545 off 
> any course! All of our class sizes are guaranteed to be 10 students
> or less 
> to facilitate one-on-one interaction with one of our expert
> instructors.  
>
> Attend a course taught by an expert instructor with years of
> in-the-field 
> pen testing experience in our state of the art hacking lab. Master
> the skills 
> of an Ethical Hacker to better assess the security of your
> organization.  
>
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
> l
> --------------------------------------------------------------------
> ---- ----
>
>
>
> --------------------------------------------------------------------
> ------- Ethical Hacking at the InfoSec Institute. Mention this ad
> and get $545 off any course! All of our class sizes are guaranteed
> to be 10 students or less to facilitate one-on-one interaction with
> one of our expert instructors. Attend a course taught by an expert
> instructor with years of in-the-field pen testing experience in our
> state of the art hacking lab. Master the skills of an Ethical
> Hacker to better assess the security of your organization. Visit us
> at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
> l
> --------------------------------------------------------------------
> --------  

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3 - not licensed for commercial use: www.pgp.com

iQA/AwUBQP3E+R/i52nbE9vTEQIc1QCfWKgPxaE/vjgkA7zknBK1BHEUBKQAoMZc
olPc60bFprcuCSTN+jLmtFjO
=/rBf
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------