Cybersecurity debate won't amount to a hill of default passwords

Summary: The black hats are getting more sophisticated, but unfortunately the white hats are making the same old rookie mistakes

TOPICS: Security, Networking

Maybe even easier to understand than the iconic computing phrase "Hello World" has to be these clear instructions from computer hardware manufacturers - change the default password.

Yet, as Capitol Hill twists itself around new cybersecurity pronouncements from President Obama to protect critical infrastructure, the FCC is busy ordering all U.S. TV stations to change the passwords on their Emergency Alert System (EAS) equipment, which is used to broadcast warnings to the general public via the most watched communications medium on the planet.

Not because the stations didn't do a good job the first time around, but because they didn't set them at all.

By now you likely have heard the snickers about the handful of television stations in Montana, Michigan, California and New Mexico that broadcast bogus warnings of a zombie attack on the United States after their EAS's were hacked.

Now Karole White, president of the Michigan Association of Broadcasters, and Greg MacDonald, who heads the chapter in Montana, have told Reuters they believe the hackers succeeded because TV stations had not changed the default passwords that were installed when the EAS hardware was shipped by the manufacturer.

And it wasn't just a single password: in an official communiqué the FCC told TV stations to immediately change "the default factory settings, including administrator and user accounts."

We are talking about default passwords that are available to any hacker who can work a search engine and read English. Passwords are frail enough. Maybe some IT administrators have just thrown in the towel.

While EAS, a national system first installed in 1997, is mostly used for weather warnings and Amber Alerts, a bogus message more serious than Zombies, say a terrorist drone attack on major cities, could have touched off widespread panic.

We hear the preaching about cybersecurity, we read about the million-dollar losses of a Sony or Citigroup, but it boggles the mind to think even steps as simple as changing factory passwords continue to slip through the cracks, a bone-headed maneuver as old as computing itself.

Today, hackers are toying with major websites and perfecting corporate espionage, and for the most part the victims are defenseless unless you count the post-hack marketing spin.

It's not that we don't have elite computer security pros, it's that details (re: default passwords) get skipped.

Hackers need but one avenue of entry while companies need to find, understand and check every hole they need to plug. The modern network is a long chain of command. It's not a fair fight, but it gets even harder when systems are not protected in the most basic ways.

But the EAS story gets even deeper. The systems, some say, shouldn't even be on the network in the first place.

Mike Davis, a hardware security expert at IOActive Labs, told Reuters he warned the Department of Homeland Security's U.S. Computer Emergency Readiness Team that there are still "multiple undisclosed authentication bypasses" in the EAS boxes. "I would recommend disconnecting them from the network until a fix is available."

That recommendation was not in the FCC communiqué.

So we are about to hear cybersecurity debates for months on end. We're going to get more CISPA churn, more acronyms, more political rhetoric, we're going to try to protect our civil liberties and our privacy, we're going to try to share sensitive data between governments and law enforcement organizations.

We're going to lock it all down and lock it all up.

And then someone who can't be bothered is going to leave the key in the lock, turn off the lights and go home.

Seems we could do better, regardless of legislation.

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Talkback

  • Default PizzWorms

    If manufacturers and suppliers had default passwords such as "Im An |diot" or "Fo0L u5es this piszpHra5e" or even "|?þ+
    Agnostic_OS
    • Defaults

      And other phrases designed to nudge (annoy) the customer into changing the default. If the customer finds the default password unacceptable they will change it, so stop making them nice and/or simple.
      Agnostic_OS
  • Lazy designers?

    How hard is it to add a little code that requires you to enter a strong password before the software will operate?
    Sqrly
    • Re: enter a strong password before the software will operate?

      Then your support centre will get deluged with calls from users complaining that the software will not operate.
      ldo17
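Sqrly's suggestion (a device that refuses to operate until its factory credentials are replaced) and ldo17's objection (a refusal that does not say why just generates support calls) sketched as an added Python model; this is not code from the article or from any EAS vendor, and the account names, factory passwords and policy thresholds are constructed for illustration.

```python
"""Toy network appliance that stays non-operational while any factory account
still carries its shipped credential, and says exactly which ones remain."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed factory defaults (hypothetical; not any real vendor's values).
FACTORY_ACCOUNTS: Dict[str, str] = {"admin": "admin", "operator": "operator123"}
MIN_LENGTH = 12  # constructed policy threshold


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Appliance:
    def __init__(self) -> None:
        # Every shipped account starts out flagged as still-default.
        self.accounts = {}
        for user, pw in FACTORY_ACCOUNTS.items():
            salt = secrets.token_bytes(16)
            self.accounts[user] = {"salt": salt, "hash": _hash(pw, salt), "default": True}

    def pending_defaults(self) -> List[str]:
        return sorted(u for u, a in self.accounts.items() if a["default"])

    def operational(self) -> bool:
        return not self.pending_defaults()

    def check_policy(self, user: str, new_pw: str) -> Optional[str]:
        if len(new_pw) < MIN_LENGTH:
            return f"password must be at least {MIN_LENGTH} characters"
        known = {p.lower() for p in FACTORY_ACCOUNTS.values()} | {user.lower()}
        if new_pw.lower() in known:
            return "password matches a factory default or the username"
        return None

    def set_password(self, user: str, old_pw: str, new_pw: str) -> Optional[str]:
        acct = self.accounts[user]
        if not hmac.compare_digest(acct["hash"], _hash(old_pw, acct["salt"])):
            return "current password incorrect"
        err = self.check_policy(user, new_pw)
        if err:
            return err
        acct["salt"] = secrets.token_bytes(16)
        acct["hash"] = _hash(new_pw, acct["salt"])
        acct["default"] = False  # this account no longer blocks operation
        return None

    def broadcast(self, message: str) -> str:
        # ldo17's point: a refusal must name the remaining step, not just fail.
        pending = self.pending_defaults()
        if pending:
            return "REFUSED: change factory password for " + ", ".join(pending)
        return "SENT: " + message
```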