EAS Security

From the FCC, February 12, 2013.

Urgent Advisory: Immediate actions to be taken regarding CAP EAS device security.

All EAS Participants are required to take immediate action to secure their CAP EAS equipment, including resetting passwords, and ensuring CAP EAS equipment is secured behind properly configured firewalls and other defensive measures. All CAP EAS equipment manufacturer models are included in this advisory.

All Broadcast and Cable EAS Participants are urged to take the following actions immediately:

1. EAS Participants must change all passwords on their CAP EAS equipment from default factory settings, including administrator and user accounts.

2. EAS Participants are also urged to ensure that their firewalls and other solutions are properly configured and up-to-date.

3. EAS Participants are further advised to examine their CAP EAS equipment to ensure that no unauthorized alerts or messages have been set (queued) for future transmission.

4. If you are unable to reset the default passwords on your equipment, you may consider disconnecting your device’s Ethernet connection until those settings have been updated.

5. EAS Participants that have questions about securing their equipment should consult their equipment manufacturer.
 
Mom & Pop find out they have to buy a new EAS box.
They might spend just enough time on it programming it to relay the mandated alerts then plug it into the DSL/Cable modem & forget about it.

Then again, as the FCC NAL list shows, maybe not.

How about having the default password that comes with each EAS box be a random & strong one you have to copy from the unit's front panel, just like the XDS receivers. 20/20
 
Agreed... The first time I had to grab that XDS password, I thought (being an IT guy)... 'This was a good idea from a security standpoint.'

Subsequently, I heard many peers complaining of how 'hard' it was to grab that password each time they needed to do something to the unit. Of course, I responded by asking why they had not set a friendly password or read the manual for that matter.

Security is taken far too lightly in the broadcast environment. I know a group of folks on an infected network right now. They had me look at something today and I said 'Have you plugged in any drives or done anything?' I got that 'pause' and then the 'No' I was expecting.

Of course, we all know it was 'Yes'. Even my little dwarf of a network gets hit every other day by some enterprising Chinese hacker trying to whack my router or FTP server. You need to be on your toes or your automation will be playing uncut Iron Maiden tracks with Chinese propaganda popping up for your metadata.
 
I'm grateful I don't have to deal with EAS anymore. What a PITA...

R
 
Here is what I received from TFT on this subject:

This was an FCC advisory that was hastily disseminated to thwart an imminent threat to EAS. The details were not thoroughly vetted.
The 3320 does not give you the ability to change usernames or passwords, and I am not sure that the ability to change them will offer any additional security. If a username and password exist, they can be hacked. If we give you the ability to change the username and password, then we will have to have some sort of "backdoor" when you forget them. Now the "backdoor" is vulnerable to hacking. We do not want to give users a false sense of security by just having the ability and confusion of changing usernames and passwords.
 
ncfradio said:
Here is what I received from TFT on this subject:

This was an FCC advisory that was hastily disseminated to thwart an imminent threat to EAS. The details were not thoroughly vetted.
The 3320 does not give you the ability to change usernames or passwords, and I am not sure that the ability to change them will offer any additional security. If a username and password exist, they can be hacked. If we give you the ability to change the username and password, then we will have to have some sort of "backdoor" when you forget them. Now the "backdoor" is vulnerable to hacking. We do not want to give users a false sense of security by just having the ability and confusion of changing usernames and passwords.

The 1980s called. They want their IT advice back. Geez.

Here's the solution to TFT's problem:
(a) allow users to change the username and/or password from the web interface
(b) put one of those paper-clip reset buttons in the back of the unit.

Forget the password? Unbend a paper clip, push the button, wait ten seconds. Voila, you've just prevented a bunch of support requests from stations with no IT expertise, should someone decide to explicitly try sending zombie alerts en masse.
 
All of my former TFT EAS stuff is in a landfill somewhere. That should tell you all you need to know.
 