Friday, June 12, 2009

Change Those Default Passwords, People!

We have another shining example of how firms spend billions on security products in an attempt to harden their infrastructure, and then fritter it all away by not having two things in place:

  1. Established processes to change default passwords on hardware and applications purchased from third parties
  2. A program of regular assessments to check and remediate defaults that are discovered

The latest fraud was outlined during the unsealing of Justice Department indictments of three Filipinos accused of hacking PBX phone systems by using the default passwords and then re-routing long distance calls through those gateways using call centers in Italy.

Initial estimates put the fraud loss at $55 million. You can change a lot of passwords for $55M.

Does your firm have an established process for changing vendor defaults when you get new hardware and software? If so, is that process followed and audited to ensure compliance?

Ideally, this should occur while the system is in dev and/or UAT, long before the system ever enters production, but a simpler rule of thumb is to replace default passwords and configurations before the system is ever connected to your prod network.
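The two controls above (defaults changed before a system touches the prod network, and a recurring assessment that catches the ones that slipped through) lend themselves to a simple offline audit of your own asset inventory. The following script is an added example, not code from the original post; the asset records, vendor and model names, and the default-credential fingerprints are constructed placeholders, and the `audit_asset` / `audit_inventory` functions are hypothetical names. It compares a SHA-256 fingerprint of each device's exported admin credential against the fingerprint of the documented factory default for that vendor and model, so the audit store never needs the default in clear, and flags any asset whose last assessment is older than the review window.

```python
"""Added example (not from the original post): an offline audit of an asset
inventory for two controls, (1) factory-default admin credentials replaced
before a system is connected to prod, and (2) a recurring re-assessment.
All records, vendor/model names and fingerprints below are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


def fingerprint(credential: str) -> str:
    """SHA-256 of a 'user:password' string; only the digest is stored."""
    return hashlib.sha256(credential.encode("utf-8")).hexdigest()


# Constructed placeholders: in practice these are the digests of the defaults
# documented for your own equipment, keyed by (vendor, model).
KNOWN_DEFAULT_FINGERPRINTS = {
    ("ExampleTel", "PBX-9000"): fingerprint("admin:EXAMPLE-DEFAULT-1"),
    ("ExampleNet", "WAP-2"): fingerprint("admin:EXAMPLE-DEFAULT-2"),
}

DEFAULT_IN_USE = "factory-default admin credential still in use"
ASSESSMENT_OVERDUE = "default-credential assessment overdue"


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    model: str
    environment: str            # "dev", "uat" or "prod"
    credential_fingerprint: str  # fingerprint() of the exported admin credential
    last_assessed: date


def audit_asset(asset: Asset, today: date,
                max_age: timedelta = timedelta(days=90)) -> list:
    """Return (severity, finding) pairs for one asset; empty list if clean."""
    findings = []
    default_fp = KNOWN_DEFAULT_FINGERPRINTS.get((asset.vendor, asset.model))
    if default_fp is not None and asset.credential_fingerprint == default_fp:
        # A default on the prod network is the $55M case; anywhere else it
        # is still a finding, because the box will reach prod eventually.
        severity = "critical" if asset.environment == "prod" else "high"
        findings.append((severity, DEFAULT_IN_USE))
    if today - asset.last_assessed > max_age:
        findings.append(("medium", ASSESSMENT_OVERDUE))
    return findings


def audit_inventory(assets, today: date,
                    max_age: timedelta = timedelta(days=90)) -> dict:
    """Map asset name -> findings, keeping only assets with at least one."""
    report = {}
    for asset in assets:
        findings = audit_asset(asset, today, max_age)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory (three assets, one of them clean).
TODAY = date(2009, 6, 12)
SAMPLE_INVENTORY = [
    Asset("pbx-east", "ExampleTel", "PBX-9000", "prod",
          fingerprint("admin:EXAMPLE-DEFAULT-1"), TODAY - timedelta(days=200)),
    Asset("wap-lobby", "ExampleNet", "WAP-2", "uat",
          fingerprint("admin:EXAMPLE-DEFAULT-2"), TODAY - timedelta(days=10)),
    Asset("pbx-west", "ExampleTel", "PBX-9000", "prod",
          fingerprint("admin:rotated-at-build-time"), TODAY - timedelta(days=30)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        for severity, finding in findings:
            print(f"{name}: [{severity}] {finding}")
```

Run it against a CSV export of your real inventory by building `Asset` records from the export; the fingerprint of the current credential can be produced on the device side from the configuration backup, so the audit host never handles plaintext passwords. The review window (`max_age`) is the knob that turns the second control, the regular assessment, into something that actually gets enforced rather than assumed.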

The same is true for home users. How many stories have we seen where wireless routers and access points were compromised by simply providing the factory-default login credentials for the administrator account? Same with cell phones, handheld devices, and your new Internet-ready refrigerator that will send you a text message when you're running low on cheese.

AT&T was one of the companies named as being victimized in this case, and you know they spend millions each year on infrastructure security. I'm guessing they are doing some password assessment tests now, and it's better late than never, but they really missed an opportunity here.

Sometimes in our sophisticated technological world, we overlook the simplest of threats.

Default Passwords Led to $55 Million in Bogus Phone Charges, via Security Fix
