Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [PEN-TEST] PBX Security

From: Ben Grubin <Ben.Grubin () GUARDENT COM>
Date: Wed, 4 Oct 2000 14:08:19 -0400
More importantly, I believe this can be considered a vendor security bug.
Any resetting of top-level administrative passwords in software, hardcoded
or not, is just plain wrong.  Physical access to the hardware should be
required to reset a top-level administrative password.  Software backdoors
are *never* known by only the right people.  This has been proven time and
time again.

Cheers,
Ben



-----Original Message-----
From: Loschiavo, Dave [mailto:DLoschiavo () FRCC CC CA US]
Sent: Wednesday, October 04, 2000 12:19 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: PBX Security


<quote> It's unfair to use a known back-door when pen-testing.  The
back-door on Norstar is pretty hard to stumble across, but it
is nice to
know the default passcodes, and test for things like that.  Good luck!
</quote>

If it is known (heck, or even if you are the only one who
knows it), why is
it unfair? If you were able to find it, via social
engineering, why can't a
hacker. The way I look at, if a back-door has a hard coded
(or unchanged
default) method for allowing access, then it is a security
hole. Isn't that
what a Pen-Test is supposed to uncover?

Thoughts? Comments?
Previous By Date Next
Previous By Thread Next

Current thread: