Friday, July 23, 2010

Hard-coded default passwords? The Ostrich to the rescue!

Some days I feel the world would be a much easier place to live in if we simply adopted the ostrich approach. If something looks slightly challenging, let’s just stick our heads in the ground for a while and the problem will simply go away.

Those of you who enjoy tracking threats, attacks, malware and the like have probably heard about the Stuxnet worm by now. For the rest of you: it is malware targeting Windows environments running Siemens software used by industrial companies. Once on a system, it uses Siemens’ default passwords to connect to the database and collect information.

Does not sound like a big deal. Nobody is using default passwords these days, and even if they foolishly did, just change the password and have a good night’s sleep, right?

Ahem… unfortunately, if that were the case I would have had to look for a different topic for my post…

Those of you who follow my blog know by now that I’m not really a security radical, but rather moderate and open-minded when it comes to the way security specialists grasp the world. But I can tell you that this incident is mind-boggling even for me.

Sin #1: using hard-coded passwords – happens from time to time, irresponsible behavior, slap on the wrist.

Sin #2: sin #1’s hard-coded passwords are the default ones and are the same for all customers – doh!

Sin #3: these passwords cannot be changed (per Siemens) or the systems will stop working – what were these guys thinking? It is even worse than creating a system with no authentication mechanism at all, zip, open to the public, web 2.0 like... You communicate a FALSE sense of security that there are controls in place to secure usage of the system (i.e. authentication), yet the passwords are known to the public and cannot be changed?!

Top it off with Siemens’ response (reportedly advising customers not to change their default passwords, arguing it “may impact plant operations”), leaving customers out in the cold, having to choose between bad and worse…

There are many articles describing this incident, an example:

I’m positive Siemens will snap out of their current state of mind and resolve it, but the unfortunate part is that this phenomenon and state of mind are not limited to Siemens. Some still use hard-coded passwords, some still use default passwords and some don’t change passwords at all.


1. Authentication between systems should be externalized and governed by processes/tools that can rotate and secure credentials.

2. Default passwords might be good for the initial bootstrap/setup procedure; however, they should be changed once setup is complete and should definitely be unique per customer.

3. There are tools designed to address the whole privileged-accounts challenge, regardless of whether the account is used by humans or by non-carbon-based entities (such as applications, services, or devices).
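To make the three points above concrete, here is an added example in Python (not code from the post, from Siemens or from any product mentioned): a configuration audit that flags password literals while accepting references into an external secrets store, a credential-resolution routine that refuses a credential that is a shared default or has not been rotated within the policy window, and a rotation step that replaces the secret and resets its age. The store layout, the `${secret:...}` reference syntax, the 90-day window and the sample configuration are all constructed for illustration.

```python
"""
Externalized service credentials with rotation and uniqueness checks,
plus an audit that flags secrets written straight into configuration.
Added example; the store format, reference syntax, policy window and
sample configuration are constructed, not taken from any real product.
"""
import re
import secrets
from datetime import datetime, timedelta, timezone

# Policy (constructed): a service credential older than this must be rotated.
MAX_CREDENTIAL_AGE = timedelta(days=90)

# A password-like key assigned a quoted literal value in source or config.
HARDCODED_PATTERN = re.compile(
    r'(?i)([a-z_]*(?:password|passwd|pwd)[a-z_]*)\s*[=:]\s*["\']([^"\']+)["\']'
)

# Reference into the external store instead of the secret itself (constructed syntax).
REFERENCE_PATTERN = re.compile(r'^\$\{secret:([^}]+)\}$')

# Constructed sample config: one hard-coded password, one externalized reference.
SAMPLE_CONFIG = """
db_host = plantdb.example.internal
db_user = reporting
db_password = "changeme-default"              # literal secret: should be flagged
api_password = "${secret:plantdb/reporting}"  # pointer into the store: acceptable
"""

# Constructed secrets store. In a real deployment this is a vault / PAM tool,
# never an in-process dictionary.
SECRETS_STORE = {
    "plantdb/reporting": {
        "secret": "example-only-not-a-real-secret",
        "rotated_at": "2010-07-01T00:00:00+00:00",
        "unique_per_install": True,
    },
    "legacy/shared": {
        "secret": "same-for-every-customer",   # sin #2: one default for everyone
        "rotated_at": "2009-01-01T00:00:00+00:00",
        "unique_per_install": False,
    },
}


def find_hardcoded_secrets(config_text):
    """Return (key, value) pairs whose value is a literal rather than a store reference."""
    findings = []
    for match in HARDCODED_PATTERN.finditer(config_text):
        key, value = match.group(1), match.group(2)
        if REFERENCE_PATTERN.match(value):
            continue  # externalized: config holds a pointer, not the secret
        findings.append((key, value))
    return findings


def audit_credential(name, store, now):
    """Return 'ok', 'shared-default' or 'stale' for a stored service credential."""
    entry = store[name]
    if not entry.get("unique_per_install", False):
        return "shared-default"  # identical across installs: known to everyone
    age = now - datetime.fromisoformat(entry["rotated_at"])
    if age > MAX_CREDENTIAL_AGE:
        return "stale"  # never rotated within policy
    return "ok"


def resolve_credential(reference, store, now):
    """Resolve a ${secret:name} reference; refuse anything the audit does not pass."""
    match = REFERENCE_PATTERN.match(reference)
    if match is None:
        raise ValueError("not a secrets-store reference: refusing literal credential")
    name = match.group(1)
    status = audit_credential(name, store, now)
    if status != "ok":
        raise PermissionError(f"{name}: credential rejected ({status})")
    return store[name]["secret"]


def rotate_credential(name, store, now):
    """Replace the stored secret with a fresh random one and reset its age."""
    new_secret = secrets.token_urlsafe(32)
    store[name] = {
        "secret": new_secret,
        "rotated_at": now.isoformat(),
        "unique_per_install": True,  # a freshly generated secret is unique by construction
    }
    return new_secret


if __name__ == "__main__":
    now = datetime(2010, 7, 23, tzinfo=timezone.utc)
    print("hard-coded:", find_hardcoded_secrets(SAMPLE_CONFIG))
    for name in SECRETS_STORE:
        print(name, "->", audit_credential(name, SECRETS_STORE, now))
    rotate_credential("legacy/shared", SECRETS_STORE, now)
    print("legacy/shared after rotation ->", audit_credential("legacy/shared", SECRETS_STORE, now))
```

The audit is deliberately conservative: a credential fails on the first policy breach (shared before stale), and the resolver refuses a literal outright rather than falling back to it, which is the behaviour that prevents sin #3 from ever becoming load-bearing.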

Contrary to the common belief that powerful internal credentials are a target for insider threats only, the reality is that privileged accounts are a gem for external attackers. More frequently than you imagine, external attacks target these powerful accounts, as hijacking them makes external hackers’ lives/jobs much easier.

Next week is Burton Group’s Catalyst week, stay tuned for my take-aways/insights from the conference and sunny San Diego!

1 comment:

  1. May I please use your ostrich sign to express the uncontrolled, rising cost of commonly prescribed pharmaceuticals and health care procedures? I would like to get those people "unconcerned" because "it does not concern them at this time" to start noticing and possibly taking action if they have such connections to get this under control.