[EAS] Password cracking basics

David Turnmire eassbelist at cableone.net
Tue Feb 26 10:14:20 CST 2013


On 2/25/2013 11:20 PM, Richard_Rudman wrote:
> Tim/All:
>
> The more I talk to security experts about this the more I am convinced that EAS messages must carry secure end-to-end digital signatures.
>
I agree.  It is hard to imagine that it would be that difficult or 
expensive to implement by vendors of the associated equipment.  It would 
be one more thing to configure at the time of installation (for the 
non-IPAWS sources), but that is a one-time scenario and shouldn't be 
that hard to deal with.

Of course... that doesn't help with the scenario that brought all of 
this topic up in the first place... which apparently didn't involve a 
CAP message at all, but rather access through the "management 
interface".  The CAP boxes I have seen have more than one NIC so you can 
conceivably have one on the internal LAN and one exposed to the public.  
IF you trust your internal LAN (which may be a mistake!), you could 
leave it more-or-less as is. And then add built-in VPN support to 
the public internet side that required an associated app on the remote 
end, all secured with digital signatures.

That starts adding some more complexity for the vendor to do, but maybe 
not too much as I imagine the software pieces are available as 
open-source products.  The engineer then continues to have remote access 
without needing to spend money on fancier routers.  And it 
wouldn't require much IT skill for him to install whatever app on the 
devices he will be using for that remote access.  You could make that 
VPN access a configurable option on the internal LAN so you can add the 
extra security with the click of a button if deemed prudent in your 
circumstances.

If you combine something along the lines of the above, plus the box 
design requiring the factory default password to be changed, you 
start making it rather difficult to hack without an inordinate amount 
of added expense or IT skills required by broadcasters.

Dave


