Re: [Braillenote] Warning: BrailleNote Apex Offers Read/Write FTP And Telnet Access To All Comers

[crazy-shawty aka everything you're muther wanted you to be but you aint quite turned out like me? <crazy-shawty () ukfreeisp co uk>]

I dont no y u r so stressed out. my home network has never been secure 
and i have never!!! had a problem.
Louise.

On 01/10/2010 22:31, Sabahattin Gucukoglu wrote:
> BrailleNote Apex offers telnet and FTP access on the standard ports, with read/write privilege on the entire file 
> system, to all comers.  No authentication is required.  BrailleNote is unsafe on any network whose devices you are 
> not in full charge of, and which (by NAT or firewall) does not protect BrailleNote from the Internet.
>
> I am happy and sad.  In a chance port scan of my entire network looking for interesting services and protocols that 
> were not accounted for by visible configuration options in all my devices, I found this disaster staring me in the 
> face on the least likely candidate of them all.  On the one hand, now I don't need ActiveStink in order to access my 
> files, over the network, from my Mac.  I want these services running, for sure (maybe just FTP) but dammit, 
> authentication first!  On the other hand, there is no doubt my trust in HumanWare is badly dented, as I was clearly 
> optimistic that they would, and did, do the right thing and secure the device firmware before shipping it.  Anonymous 
> FTP and telnet are obvious, easily found and effectively exploited.  If it isn't configurable, it shouldn't be 
> enabled.  I am quite sure this was the case before now.  The most likely explanation is a build with a test 
> configuration and services for development still in use on the newest model; t
he USB vendor string is further evidence of this.  Note to self: that popular expression about assumptions turns out to 
be true.
> KeySoft version 9.0.2 build 756, Windows CE 6.0, with telnet and FTP services.
>
> While we await an update that either disables the services or allows the user to specify the authentication 
> credentials, do not use your BrailleNote Apex on any untrusted network, or if you are network administrator, 
> temporarily prohibit these devices from connecting to your networks.  If "Bad guys" are on your network, the 
> BrailleNote Apex is, alas, easy meat.
>
> Cheers,
> Sabahattin
>
> ___
> Replies to this message will go directly to the sender.
> If your reply would be useful to the list, please send a
> copy to the list as well.
>
> To leave the BrailleNote list, send a blank message to
> braillenote-unsubscribe () list humanware com
> To view the list archives or change your preferences, visit
> http://list.humanware.com/mailman/listinfo/braillenote

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/