[EAS] ALERT: EAS Device passwords

Dave Turnmire eassbelist at cableone.net
Wed Feb 13 15:51:02 CST 2013


On 2/13/2013 1:42 PM, ray at electronicstheory.com wrote:
> ...
> The two big concerns to me are:
> 1) How did they find the IP addresses of all these DASDECS? ...
I have other things to occupy myself than being an expert on this topic, 
but it seems to me that this would likely be pretty easy. The internet 
is full of free "port scanning" utilities.  So... it is simple to scan 
for devices that have web servers associated with them.  Especially if 
you are using the default "port 80" normally used for web servers.  
Beyond that, there are multiple products readily available for not only 
automated scanning, but looking for clues as to the brand and version of 
software involved.  My university campus routinely uses such software to 
identify security vulnerabilities from outdated software on their 
networks (which, by the way, includes a substantial portion of the 
broadcast "hardware" out there).

I'm told that in addition to above, there are products that take it one 
step further and have an internal database that knows that "Apache web 
server version x.y has this known vulnerability..." and then probes for 
it.  All very automated.  So we have the term "script kiddie" to refer to 
people who have limited hacking skills, but have such a tool in their 
possession.   It would seem like a short step from that point to someone 
identifying the relative handful of EAS boxes out there and which 
operating systems and web server software they are using and restricting 
their search for those devices.  And of course, for stations that host 
their own on-site web server or email server or other such publicly 
known device, their IP address (or block of addresses) is essentially 
public knowledge.

A zillion years ago I read a book about hacking whose intended audience 
was IT guys wanting to know their vulnerabilities and how to defend 
against them.  One of the basic concepts was for your server NOT to 
identify itself in regard to software.  As I understood it, that was a 
basic concept for computer security.  So, if you telnet into an email 
server, instead of saying "Hi.  Welcome to Microsoft's Exchange xxx, the 
most wonderful email server in the world"... you get something like 
"hello".

Now... think about how your broadcast equipment behaves.  Go to the web 
interface, and BEFORE you login, the web site identifies the product 
involved... and quite possibly provides a helpful link to the vendor's 
support website.  Essentially, in the interest of promoting their 
product as well as perhaps thinking they are making their product more 
friendly or aesthetically pleasing... they have made it awfully easy for 
the bad guys to identify the product and thus any known vulnerabilities.

Dave
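
The three things Dave describes (scanning for web servers, grabbing the
greeting an email server sends before you log in, and reading what a
device's pre-login web page gives away) can be checked against your own
gear with a short script. The following is an added example, not code from
the original post or from any EAS vendor: the SMTP banner and the HTTP
response below are constructed samples, and "ExampleEAS",
"example-vendor.invalid" and "ExampleMail" are made-up names standing in
for whatever your box really says. The parsers run offline on the samples;
grab_banner() only touches the network when you give it a host and port.

```python
import re
import socket
import sys

# Constructed sample of an SMTP greeting (not captured from any real product).
# The "220 ..." line is what you see right after "telnet mailhost 25".
SAMPLE_SMTP_BANNER = b"220 mail.example.net ESMTP ExampleMail Server 4.2.1 ready\r\n"
SAMPLE_SMTP_QUIET = b"220 hello\r\n"   # the "just say hello" style Dave describes

# Constructed sample of an appliance's pre-login web page, with the kinds of
# disclosures the post talks about: Server header, scripting engine, product
# name and version in the title, and a link to the vendor's support site.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3 (Unix)\r\n"
    b"X-Powered-By: PHP/5.2.4\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>ExampleEAS Encoder/Decoder v3.1 - Login</title></head>"
    b"<body><a href=\"http://support.example-vendor.invalid/exampleeas\">Support</a>"
    b"<form method=post action=/login>...</form></body></html>"
)

# Response headers that usually carry product and version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Anything that looks like a dotted version number, e.g. 2.2.3 or v3.1.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+\b")
# Words in an SMTP greeting that are protocol noise rather than a product name.
SMTP_NOISE = {"ESMTP", "SMTP", "READY", "SERVICE"}


def fingerprint_http(raw: bytes) -> dict:
    """Report what an unauthenticated GET leaks: disclosing headers, the page
    title, off-site links, and every version-looking string in those fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    text = body.decode("latin-1", "replace")
    title_m = re.search(r"<title>(.*?)</title>", text, re.I | re.S)
    title = title_m.group(1).strip() if title_m else ""
    links = re.findall(r'href=["\'](https?://[^"\']+)', text, re.I)
    disclosed = {h: headers[h] for h in DISCLOSING_HEADERS if h in headers}
    versions = VERSION_RE.findall(" ".join(disclosed.values()) + " " + title)
    return {"headers": disclosed, "title": title,
            "external_links": links, "versions": versions}


def fingerprint_smtp(banner: bytes) -> dict:
    """Split a 220 greeting into hostname and the rest; anything beyond the
    hostname and protocol keywords is software the server chose to announce."""
    line = banner.decode("latin-1").strip()
    code, _, rest = line.partition(" ")
    tokens = rest.split()
    extra = [t for t in tokens[1:] if t.upper() not in SMTP_NOISE]
    versions = VERSION_RE.findall(rest)
    return {"code": code, "greeting": rest, "versions": versions,
            "leaks_software": bool(versions) or bool(extra)}


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> bytes:
    """Connect, optionally send a probe (an HTTP GET, say), and read what comes
    back. Plain TCP only; an HTTPS interface would need a TLS wrapper."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks, total = [], 0
        try:
            while total < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
        except socket.timeout:
            pass
        return b"".join(chunks)


if __name__ == "__main__":
    if len(sys.argv) == 3:               # python3 fingerprint.py host port
        host, port = sys.argv[1], int(sys.argv[2])
        if port == 25:
            print(fingerprint_smtp(grab_banner(host, port)))
        else:
            get = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
            print(fingerprint_http(grab_banner(host, port, get)))
    else:                                # no arguments: run on the samples
        print(fingerprint_http(SAMPLE_HTTP_RESPONSE))
        print(fingerprint_smtp(SAMPLE_SMTP_BANNER))
        print(fingerprint_smtp(SAMPLE_SMTP_QUIET))
```

Run it against a device's web port and mail port and you have, in one
screen, the same list an attacker's scanner builds. The cure is on the
device side: an Apache httpd, for instance, reduces its Server header to
just "Apache" with `ServerTokens Prod` and `ServerSignature Off`, and a
vendor's login page need not name the product, its version, or its support
site before a password has been entered.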