We Make Hacking Too Easy: The Scourge of Default Passwords
How was convicted hacker Micheal Moore able to break into so many corporate computers and networks? He told InformationWeek, "It's so easy. It's so easy a caveman can do it." It's true that you don't have to be the inventor of polymorphic viruses to hack in, but I have to admit to being a bit surprised at the percentages Moore gave for insecure systems:
Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords. "I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. ...
Keith Rhodes, chief technologist at the U.S. Government Accountability Office says in the same article:
"Default passwords are a silly problem," said Rhodes, who is widely considered to be the federal government's top hacker. "But they were able to take a silly flaw and turn it into a business. ... It disappoints me, but I'm not surprised."
He doesn't lay the blame on security professionals though:
"I have nothing but empathy for all the security personnel I've ever worked with," he said. "I've never met one yet who had enough people, enough time, enough support. ... It would take nothing to change a default password, but you need to actually have people who have the job to do that."
Avoiding the "silly problem," as Rhodes describes it, is like eating vegetables and getting enough exercise: we all know what to do, but carving out the time to do it is the problem. Moore does seem to say that he wouldn't spend much time trying to break into any one site, and that basic measures were enough to keep him out:
"We came across only two or three boxes that actually had access lists in place," he added. "The telecoms we couldn't get into had access lists or boxes we couldn't get into because of strong passwords."
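The two things Moore says stopped him, access lists on the management lines and non-default passwords, are both visible in a device's running-config, so they can be checked before anyone scans you. The script below is an added example, not code from the article or from the case: a small Python audit over constructed Cisco IOS-style running-config text that flags an `enable password` or user/line password that is a known default (including one hidden behind reversible type 7 encoding), and vty lines that have no `access-class` or still accept telnet. The hostnames, addresses, the hash placeholder and the list of default passwords are made up for illustration; the type 7 translation key is the widely published one.

```python
import re

# The Cisco type 7 translation key (widely published). Type 7 is reversible
# obfuscation, not encryption, so a "7"-encoded default is still a default.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Credentials commonly left on unmanaged gear (illustrative list, not exhaustive).
DEFAULT_PASSWORDS = {"cisco", "cisco0", "admin", "password", "default", "router", ""}

# Constructed sample configs: hostnames, addresses and the hash are placeholders.
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password 7 0822455D0A16
username admin privilege 15 password 0 admin
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname edge-rtr-2
service password-encryption
enable secret 5 $1$salt$placeholderhashvalue000000
username ops privilege 15 secret 5 $1$salt$placeholderhashvalue000000
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
"""


def decode_type7(enc):
    """Reverse a Cisco type 7 string: two-digit seed, then XOR'd hex byte pairs."""
    idx = int(enc[:2])
    out = []
    for i in range(2, len(enc), 2):
        out.append(chr(int(enc[i:i + 2], 16) ^ ord(XLAT[idx % len(XLAT)])))
        idx += 1
    return "".join(out)


def plaintext_of(kind, value):
    """'' or '0' is cleartext, '7' is reversible; 5/8/9 are one-way hashes we cannot invert."""
    if kind in ("", "0"):
        return value
    if kind == "7":
        return decode_type7(value)
    return None


def is_default(kind, value):
    pw = plaintext_of(kind or "", value)
    return pw is not None and pw.lower() in DEFAULT_PASSWORDS


def parse_sections(text):
    """Group a running-config into (header, [indented sub-lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(text):
    """Return a list of findings: default/reversible credentials and open vty lines."""
    findings = []
    for header, body in parse_sections(text):
        m = re.match(r"enable (password|secret) (?:(\d) )?(\S+)$", header)
        if m:
            kw, kind, value = m.groups()
            if kw == "password":
                findings.append("enable password in use (cleartext or reversible); use 'enable secret'")
            if is_default(kind, value):
                findings.append("enable credential is a known default")
            continue
        m = re.match(r"username (\S+)(?: privilege \d+)? (?:password|secret) (?:(\d) )?(\S+)$", header)
        if m:
            user, kind, value = m.groups()
            if is_default(kind, value):
                findings.append(f"user {user!r} has a known default password")
            continue
        if header.startswith("line vty"):
            if not any(l.startswith("access-class ") for l in body):
                findings.append(f"{header}: no access-class limiting management sources")
            transports = [l for l in body if l.startswith("transport input")]
            if not transports or any("telnet" in l or l.endswith(" all") for l in transports):
                findings.append(f"{header}: telnet reachable; set 'transport input ssh'")
            for l in body:
                m = re.match(r"password (?:(\d) )?(\S+)$", l)
                if m and is_default(m.group(1), m.group(2)):
                    findings.append(f"{header}: line password is a known default")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Run against the weak sample it reports six findings (the type 7 enable password decodes to "cisco"); the hardened sample, with `enable secret`, `login local`, an `access-class` and SSH-only transport, reports none. The audit is deliberately offline: feed it `show running-config` output collected by whatever you already use for backups, and it finds the "silly" flaws before a Moore does.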
Somehow we have to find the time. Moore's hacking and theft of resources drove one company out of business:
[Assistant U.S. Attorney Erez] Liebermann noted that one small telecom went out of business because of expenses the company incurred during the break-in. The company legitimately routed its own VoIP traffic through a larger telecom and was forced to pay the other company for the calls that Pena and Moore fraudulently sent through their network. "They had to eat the bill and were unable to remain in business," added Liebermann.