Re: [Full-disclosure] [Braillenote] Warning: BrailleNote Apex Offers Read/Write FTP And Telnet Access To All Comers
- To: Sabahattin Gucukoglu <mail-dated-1288560723.1b3802@xxxxxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [Braillenote] Warning: BrailleNote Apex Offers Read/Write FTP And Telnet Access To All Comers
- From: "crazy-shawty aka everything you're muther wanted you to be but you aint quite turned out like me?" <crazy-shawty@xxxxxxxxxxxxxxx>
- Date: Sat, 02 Oct 2010 11:56:28 +0100
I don't know why you are so stressed out. My home network has never been secure
and I have never!!! had a problem.
Louise.
On 01/10/2010 22:31, Sabahattin Gucukoglu wrote:
> BrailleNote Apex offers telnet and FTP access on the standard ports, with
> read/write privilege on the entire file system, to all comers. No
> authentication is required. BrailleNote is unsafe on any network whose
> devices you are not in full charge of, and which (by NAT or firewall) does
> not protect BrailleNote from the Internet.
>
> I am happy and sad. In a chance port scan of my entire network looking for
> interesting services and protocols that were not accounted for by visible
> configuration options in all my devices, I found this disaster staring me in
> the face on the least likely candidate of them all. On the one hand, now I
> don't need ActiveStink in order to access my files, over the network, from my
> Mac. I want these services running, for sure (maybe just FTP) but dammit,
> authentication first! On the other hand, there is no doubt my trust in
> HumanWare is badly dented, as I was clearly optimistic that they would, and
> did, do the right thing and secure the device firmware before shipping it.
> Anonymous FTP and telnet are obvious, easily found and effectively exploited.
> If it isn't configurable, it shouldn't be enabled. I am quite sure this was
> the case before now. The most likely explanation is a build with a test
> configuration and services for development still in use on the newest model; the
> USB vendor string is further evidence of this. Note to self: that popular
> expression about assumptions turns out to be true.
>
> KeySoft version 9.0.2 build 756, Windows CE 6.0, with telnet and FTP services.
>
> While we await an update that either disables the services or allows the user
> to specify the authentication credentials, do not use your BrailleNote Apex
> on any untrusted network, or if you are network administrator, temporarily
> prohibit these devices from connecting to your networks. If "Bad guys" are
> on your network, the BrailleNote Apex is, alas, easy meat.
>
> Cheers,
> Sabahattin
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
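The advisory above says the Apex answers on the standard FTP and telnet ports without asking for credentials. Before isolating such a device as it recommends, an administrator will want to confirm which of their own hosts actually behave this way. The following is an added example written for this thread, not code from HumanWare or from either poster: it tries an anonymous FTP login and a plain TCP connect to the telnet port on a host you name, and ships with a constructed loopback stand-in that imitates the accept-anything FTP behaviour so the check can be exercised offline. Host names, ports and the stand-in's banner are assumptions for illustration.

```python
"""Check whether a host you administer exposes unauthenticated FTP / open telnet.

Added example for this advisory; not HumanWare code. Telnet is judged only by
whether the port accepts a TCP connection (the report says no login is asked),
FTP by whether an anonymous login is accepted.
"""
import ftplib
import socket
import threading

FTP_PORT, TELNET_PORT = 21, 23  # the standard ports named in the advisory


def port_accepts_connection(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake with host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def anonymous_ftp_allowed(host: str, port: int = FTP_PORT, timeout: float = 3.0) -> bool:
    """True if the FTP service lets 'anonymous' log in (ftplib's default login)."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout)
            ftp.login()  # USER anonymous / PASS anonymous@
            return True
    except ftplib.all_errors:  # refused, timed out, or login rejected
        return False


def audit_device(host: str, ftp_port: int = FTP_PORT, telnet_port: int = TELNET_PORT,
                 timeout: float = 3.0) -> dict:
    """One finding per service for the given host (assumed helper name)."""
    return {"telnet_open": port_accepts_connection(host, telnet_port, timeout),
            "anonymous_ftp": anonymous_ftp_allowed(host, ftp_port, timeout)}


def start_fake_open_ftp() -> int:
    """Constructed loopback stand-in that, like the reported device, accepts any
    USER/PASS pair. Serves a single connection; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 constructed stand-in ready\r\n")
        while True:
            line = rfile.readline()
            if not line:
                break
            if line.startswith(b"QUIT"):
                conn.sendall(b"221 Bye\r\n")
                break
            # 331 asks for a password, 230 accepts whatever arrives
            conn.sendall(b"331 Password please\r\n" if line.startswith(b"USER")
                         else b"230 Logged in\r\n" if line.startswith(b"PASS")
                         else b"200 OK\r\n")
        rfile.close()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `audit_device("<apex-address>")` against a device on your own network; a result with `anonymous_ftp` true is the condition the advisory describes.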