Finding Fault with Default Passwords
One of the most overlooked IT security threats was thrust into the spotlight recently by the U.S. government’s leading cybersecurity agency, The United States Computer Readiness Team (US-CERT). On June 24, US-CERT, which works in conjunction with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), issued an alert regarding the dangers of leaving default passwords in place for any Internet-connected system, appliance, or device.
The threat stems from the fact that software configurations for many systems, devices, and appliances often are shipped by the manufacturer with simple, publicly documented passwords. Cybercriminals can easily identify Internet-connected devices and systems that rely on these default passwords and break into them, quickly gaining access to a network, often with root or administrative privileges.
To help hit home the fact that this is a very real threat, US-CERT cited several recent incidents that were initiated by taking advantage of unchanged default passwords, including the Carna Botnet Internet Census of 2012 and the fake Emergency Alert System warning about zombies that was issued by a Montana television station back in February.
US-CERT offers several suggestions for addressing this threat. Obviously, organizations need to change these default passwords before deploying new systems, appliances and devices. They are only meant to be used in a testing and configuration capacity. Making this a best practice prior to any deployment will go a long way toward alleviating this threat. Before connecting to the Internet, default passwords need to be changed.
Another suggestion is for vendors to start using unique default passwords for their products. Such unique passwords would be based on some inherent characteristic of the system, such as a MAC address. US-CERT also suggests organizations make use of alternative authentication mechanisms, such as Kerberos, x.509 certificates, public keys or multifactor authentication.
To help organizations easily identify software and systems that likely use default passwords, US-CERT provided the following list:
- Routers, access points, switches, firewalls, and other network equipment
- Web applications
- Industrial Control Systems (ICS) systems
- Other embedded systems and devices
- Remote terminal interfaces such as Telnet and SSH
- Administrative web interfaces