[ISN] DSL vulnerability: Alcatel re{d}acts

From: InfoSec News (isnat_private)
Date: Mon Apr 16 2001 - 03:51:26 PDT


    Forwarded by: Gary Stock <gstockat_private>
    
    Here's a slightly stilted representation of the hidden Word revision
    history, using {CUT} and {ADD}, along with [NEW // OLD].  (It turns out
    that HTML is better than ASCII, too :-)   I encourage you to see the
    original here:
    
    http://morons.org/articles/1/188
    
    GS
    
    
    -----
    
    
    Alcatel Fu - [filter kilter] - cks Up Bigtime
    posted by spatula on Apr. 14, 2001
    
    Hidden in the bowels of their media update on the security vulnerability
    in their DSL modems, Alcatel makes some very revealing statements...
    
    Alcatel recently came under fire over a security vulnerability in one of
    their DSL modem products that could potentially allow a hacker to gain
    full control over a user's Internet experience.
    
    Many were shocked by Alcatel's subsequent remarks, especially that the
    company had no plan to release a patch for the flaw, suggesting only
    that users run firewall software.
    
    We have been informed that Alcatel's media update on the situation is a
    Microsoft Word document with its revision history still intact, although
    hidden. To see the full revision history, download the document, select
    "Track Changes" from the "Tools" menu in Word, choose "Accept or Reject
    Changes" and then click "Changes with Highlighting". The most
    interesting comments are in parenthesis in blue text. Alcatel is likely
    to remove this document as soon as word gets out about its contents, so
    we've saved a copy of it.
    
    Here are some interesting quotes from the document's hidden history:
    
    -----
    
    {CUT}
    
    As a result, Alcatel has started an initiative to qualify firewall
    software that will provide users with the highest possible degree of security.
    
    (When and where will the firewall software be available? CERT has said
    that they don’t believe that installing a firewall is the answer. What
    are you doing to provide a legitimate fix?)
    
    {/cut}
    
    ...
    
    To increase the security of its products, 
    
    {CUT}
    
    , in particular for the more information sensitive Small Office / Home
    Office market,
    
    {/cut}
    
    
    Alcatel [had previously//already] implemented additional security
    measures to avoid direct interference with its modems by remote users.
    This Firmware Protection is available in Alcatel Speed Touch [Home and
    PRO // modems]. 
    
    
    {ADD}
    
    Alcatel ships the modems from its [F//f]actories with the [FP //
    Firmware Protection enabled]
    
    {/add}
    
    
    {CUT}
    
    , {PRO with Firewall….. It is switched on by default when the modems
    leave the Alcatel factories. . (This paragraph worries me a bit. It
    could be taken as us favoring a segment of customers (SOHO). There’s an
    argument to be had that everyone’s information is sensitive. Why don’t
    we provide this level of security to all of our customers? Why don’t we
    switch on firewalls by default for all of our customers?)
    
    {/cut}
    
    -----
    
    Why indeed? Why don't you provide this level of security to all your
    customers? Why don't you switch on firewalls by default for all your customers?
    
    It sounds an awful lot like Alcatel knows that it has a lot more trouble
    than it is willing to let the public know about.
    
    [and this is yet another reason not to post MS Word documents on the
    web. Use HTML! Honestly!]---Nick
    
     
    ----------------------------------------------------------------------
    Gary Stock                                       gstockat_private
    UnBlinking                                      http://unblinking.com/
    
      "The first thing you'll notice is, when the camera's plugged in..."
      Bill Gates, launching Windows XP Earthquake, Seattle, 28 Feb 2001
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
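The post above shows the leak only from the reader's side (opening the file in Word and turning on change highlighting). The check a publisher would want to run before putting a document on a web server is the reverse: scan it for any tracked insertions, deletions or reviewer comments and refuse to ship while they remain. The script below is an added example, not code from the original post, from Alcatel or from morons.org. It assumes the modern OOXML container (.docx, a ZIP of XML parts); the 2001 Alcatel file was a binary .doc and would need a different parser. The sample document it scans is constructed inline, with text that only paraphrases the quotes in the post, so the script runs offline.

```python
"""Scan a .docx for tracked changes and comments before publishing it.

Added example for the ISN post on the Alcatel revision-history leak; it is
not Alcatel's or morons.org's code.  Assumption: the file is OOXML (.docx).
Tracked insertions are <w:ins> wrapping <w:t>, tracked deletions keep the
removed words in <w:delText> under <w:del>, and reviewer comments live in a
separate word/comments.xml part.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML main namespace (fixed by the OOXML standard)
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _text(elem, tag):
    """Concatenate the text of every <w:tag> descendant of elem."""
    return "".join(t.text or "" for t in elem.iter(f"{{{W}}}{tag}"))


def find_hidden_revisions(docx_bytes):
    """Return the inserted text, deleted text and comments still in a .docx."""
    result = {"inserted": [], "deleted": [], "comments": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        # Tracked insertions: the new words are ordinary <w:t> runs under <w:ins>
        for ins in doc.iter(f"{{{W}}}ins"):
            result["inserted"].append(_text(ins, "t"))
        # Tracked deletions: Word keeps the cut words in <w:delText>, so they
        # are invisible on screen but still in the file (the Alcatel problem)
        for dele in doc.iter(f"{{{W}}}del"):
            result["deleted"].append(_text(dele, "delText"))
        # Comments (the "blue text in parentheses") are a separate part
        if "word/comments.xml" in z.namelist():
            comments = ET.fromstring(z.read("word/comments.xml"))
            for c in comments.iter(f"{{{W}}}comment"):
                author = c.get(f"{{{W}}}author", "")
                result["comments"].append((author, _text(c, "t")))
    return result


def is_safe_to_publish(docx_bytes):
    """True only when no tracked change or comment survives in the file."""
    r = find_hidden_revisions(docx_bytes)
    return not (r["inserted"] or r["deleted"] or r["comments"])


def build_sample_docx(with_revisions=True):
    """Constructed sample (not the real Alcatel file) with a tracked insertion,
    a tracked deletion and a reviewer comment, or a clean copy of the same text."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    body = '<w:r><w:t>Alcatel ships the modems from its factories </w:t></w:r>'
    if with_revisions:
        body += (
            '<w:ins w:id="1" w:author="pr"><w:r><w:t>with Firmware Protection enabled'
            "</w:t></w:r></w:ins>"
            '<w:del w:id="2" w:author="pr"><w:r><w:delText>in particular for the '
            "SOHO market</w:delText></w:r></w:del>"
            '<w:commentRangeStart w:id="0"/><w:r><w:t>.</w:t></w:r>'
            '<w:commentRangeEnd w:id="0"/>'
        )
    document = f'<w:document xmlns:w="{W}"><w:body><w:p>{body}</w:p></w:body></w:document>'
    comments = (
        f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="reviewer">'
        "<w:p><w:r><w:t>Why not switch on firewalls by default for all customers?"
        "</w:t></w:r></w:p></w:comment></w:comments>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        if with_revisions:
            z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("draft", build_sample_docx()),
                        ("clean", build_sample_docx(with_revisions=False))):
        print(label, "safe" if is_safe_to_publish(data) else find_hidden_revisions(data))
```

Run it against a real file with `is_safe_to_publish(open("update.docx", "rb").read())`; a publishing pipeline would block on a False result. Note that "Accept All Changes" in Word is what actually strips the `w:ins`/`w:del` markup; saving with Track Changes merely switched off does not.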
    



    This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 02:31:29 PDT