Sunday, July 15, 2007

A backdoor in a VPN? What were they thinking...

Our company uses the Nortel Contivity VPN (no link on this, because I think it's one of the buggiest, crappiest VPNs in the world). I just came across this security advisory from Secunia, which shows you just how screwed up it is. Apparently:

Two default user accounts ("FIPSecryptedtest1219" and "FIPSunecryptedtest1219") are configured on the VPN Router, which are not readily visible to the system manager. These can be exploited to gain unauthorized access to the private network.

And there's more. The developers probably left the accounts behind after testing; that's my guess. It's the stupidest backdoor I've ever seen in ANY software, and this is a security product.
As the Romans used to say, "Sed quis custodiet ipsos custodes?" (Who watches the watchmen?)

