Netgear's Non-Fix: Another Black Eye for Off-the-Shelf WAPs

By Michael Hall | Jun 8, 2004 | Print this Page
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3365461/Netgears-NonFix-Another-Black-Eye-for-OfftheShelf-WAPs.htm

Main     Elsewhere     The Week in CrossNodes     The Week in Network News

Just last week we noted the relative difficulty with which a consumer-grade wireless access point can be configured for secure operation, then the next day we pointed out another problem with a common bit of Linksys gear , then on Friday ran a tip that recommend how to start thinking about hunting down and eliminating a rogue WAP on your network.

So perhaps we shouldn't have gotten too verklempt when we woke up this morning and discovered one of the more boneheaded security moves a vendor's pulled in, oh, several days: Netgear, one of the more popular off-the-shelf vendors, recently "patched" a backdoor vulnerability in one of its wireless access point products not by removing the back door, but by changing the password used from "super" to "superman" and calling it a day. (That link's in German, by the way. We used Babelfish to straighten it out.)

If it seems like we've been harping on this topic recently, well, it's because we are. If you're not taking active steps to keep an eye out for this sort of gear on your net, or worse are depending on it as part of a makeshift convenience, you're endangering your network. As the Netgear issue demonstrates, there are potential problems beyond simple "users don't bother to configure WEP/WPA because it won't work across vendors."

Elsewhere:

» Cisco and Trend Micro announced a partnership wherein Trend Micro will supply anti-virus tech to an array of Cisco gear. In a press release, Richard Palmer, vice president and general manager of Cisco's VPN and security business unit said "The first step in our new collaboration will be to integrate Trend Micro's network virus and worm signatures into the software we use for intrusion detection. This code is used in Cisco routers, Catalyst switches, and security appliances."

» Domain registrar Verisign says domain registrations hit an all-time high during Q1 2004. More than 4.7 million domains were registered. According to VeriSign's press release:

"The profile reveals that more than 63 million domain names have now been registered, approximately one for every 100 people living in the world today. This number is greater than at any time in the Internet's history, surpassing even the heights that were seen during the Internet "bubble." Moreover, data reveal that the current base of domain names is being utilized more actively than ever before, as measured by renewal rates, look-up rates, and the percentage of domain names tied to live sites."

» Apple's 802.11G-based AirPort Express looks like both a lot of fun and a real potential headache for net admins. It allows users to plug a small, unobtrusive unit into a wall jack where it acts as a wireless repeater, iTunes music streaming service, wireless print server, and 'net connection multiplier.

» CIO Update reports on the establishment of a Compliance Consortium. As we reported a few weeks ago, if archiving regulation compliance isn't on your radar, it soon will be.

» Gartner, never ones to get the vapors over new things, says spam-fighting authentication tech sounds like a good idea but isn't offering much relief in the short-term.

The Week in Network News

» Monday: Microsoft to Make XP SP2 Free for All

Microsoft says it's going to release XP ServicePack 2 for everybody... even the pirates. Also: Wi-Max standards in more depth, software to help with messaging archive compliance, a wardriver is faced with prison time, and why server authentication isn't the be-all, end-all of anti-spam measures.

The Week in CrossNodes

» Simple Configuration Tips Put Squid on the Menu

If you need to get a handle on your bandwidth with Web caching, but several thousand lines of configuration files make you queasy, here's a step-by-step guide to making Squid more appetizing.

» Three LDAP Browsers for the Asking

Getting your information in a directory is just half the battle: The other half is finding it. Here are three LDAP browsers, free of charge and up to the task of digging through your data.

» FaceTime Makes IM as Safe as Talking Face-to-Face

With IM use at critical mass and growing, security and privacy challenges abound. FaceTime's enterprise-grade server suite monitors, archives, and analyzes IM traffic for thousands of users without requiring thousands of admin hours.

» Scripting Clinic: Dissecting a Live Python... Script

By examining a working script line by line, this edition of the Scripting Clinic shows you how to put your own scripts together and exposes a few Python quirks along the way.

Network News Break is CrossNodes' daily summary of networking news and opinion, served up fresh daily. Please send your comments and suggestions to the editor.