Vulnerability Development mailing list archives
Re: Phone Switches + telephone banking etc
From: Dave Booth <dbooth () carlson com>
Date: Fri, 07 Jun 2002 14:09:41 -0500
Vachon, Scott wrote:
In a past occupation, I worked with phone switches. Most have a bare minimum OS that runs on them but, for full functionality they are used with a separate host (or hosts).
Indeed, and that has been the source of a major burr in my hide. In various jobs I've more than once encountered the scenario where the separate host is an out-of-the-box install of the OS, unpatched, every service in the book running and with the telephony app thrown in there with a default install just before its shipped to the customer site along with a support and maintenance contract. This app, of course, usually remains something of a black box even when glared at with extreme prejudice by an experienced sysadmin. When that same sysadmin starts tallking about locking down some unnecessary services or even (horrors!) reimposing the default setup of most *nix variants that prevent root logins anywhere but the physical console the immediate response is usually "Change our default config and you void your maintenance contract - install any other software and we will no longer support the app. No, our remote support techs must be able to make a root login over the dialup line or we wont support the system at all..."
Needless to say, most businesses balk at the thought of having their phone system unsupported if it goes down and so the system remains wide open. One vendor who I wont trouble to name even went so far as to forbid the installation of backup client software but at the same time handed the root password to anyone who asked for it "so that they could run the commands that control the switch connection" Thankfully the disaster waiting to happen there didnt occur on my watch and I wasnt put in the position of having to find a diplomatic way to tell my employer that I'd told them so...
-- Dave Booth, CWT-IT dbooth () carlson com +---------------------------------------------------+ | Catapultam habeo. Nisi pecuniam omnem mihi dabis, | | ad caput tuum saxum immane mittam. | +---------------------------------------------------+
Current thread:
- Phone Switches + telephone banking etc quentyn (Jun 06)
- RE: Phone Switches + telephone banking etc Kit (Jun 06)
- <Possible follow-ups>
- RE: Phone Switches + telephone banking etc Kayne Ian (Softlab) (Jun 07)
- Re: Phone Switches + telephone banking etc quentyn (Jun 07)
- Re: Phone Switches + telephone banking etc hellNbak (Jun 07)
- Re: Phone Switches + telephone banking etc KF (Jun 10)
- Re: Phone Switches + telephone banking etc digitalFX (Jun 07)
- Re: Phone Switches + telephone banking etc quentyn (Jun 07)
- RE: Phone Switches + telephone banking etc ash (Jun 08)
- RE: Phone Switches + telephone banking etc Jacek Lipkowski (Jun 10)
- RE: Phone Switches + telephone banking etc Vachon, Scott (Jun 07)
- Re: Phone Switches + telephone banking etc Dave Booth (Jun 07)
- RE: Phone Switches + telephone banking etc Tony Camp (Jun 07)
- RE: Phone Switches + telephone banking etc Mike Theriault (Jun 09)
- RE: Phone Switches + telephone banking etc ash (Jun 09)
- RE: Phone Switches + telephone banking etc Kayne Ian (Softlab) (Jun 10)
- RE: Phone Switches + telephone banking etc Stuart Adamson (Jun 12)