Although not all stories in the tech press are directly related to security, they often highlight issues that can be excellent educational material. A recent story in The Register about a researcher who wanted to map the Internet caught my attention.
The researcher had a Herculean task to complete: to scan billions of IP addresses using the few computers he had at his disposal. He obviously needed help but where does one find that level of assistance? The researcher gave this some thought and decided to try and exploit insecure systems connected to the Internet. That surely would help.
He didn’t access these systems using a complex attack but simply sought to gain access by trying to authenticate two very common user accounts – Root and Admin. He didn’t use a brute force attack but just three passwords: root, admin and a blank entry.
You may think that his attempt had very little success; after all, more and more people know that they should not use insecure passwords, correct? Not only, but most systems will never allow a user to set a blank password. So, really, how effective could this scheme be?
Well it was very effective 420,000 times over!
Many people, including administrators, pay a lot of attention to secure physical machines but generally tend to neglect devices connected to the network. These are a hidden threat too often ignored. Ease-of-use and user-friendly technology have been the driving force behind this.
When you purchase a new device, router, printer and so on, you expect to plug in that device and it works. That’s all it takes. Yet, we often fail to realize that each device can be a small computer system that allows remote access and logging. Nearly all come with default usernames/passwords that users should change once they are deployed. However, this simple step is often skipped because that device is doing what it needs to do out of the box and there is no reason to play around with it.
Just because these devices are working does not mean that they are also secure. Unsecured devices or those running with default usernames and passwords are a gold mine for those with malicious intent. These devices, once connected internally, are a channel to your network and if a hacker can gain access to the device, he or she has gained access to even more systems.
The attackers can run code that can sniff traffic entering and leaving the network; that means they have access to login credentials and any other secrets sent over in plain text. In more advanced attacks, configuration settings on routers, for example, could be changed to redirect traffic through a malicious gateway allowing for man-in-the-middle attacks.
Every new device that is connected to the network should be seen as a possible security threat and the administrator will take it as a must-do task to change the default configuration immediately. This advice is not exclusive to administrators alone. Every computer enthusiast should be aware of the dangers of connecting new devices to their network, even at home. Always read the documentation that comes with the device because it will contain information about its configuration settings and how to change the defaults. Critical data is not only found in a business. Every household computer contains important files and data that would be useful to an attacker. Remember that.
Emmanuel Carabotton May 29, 2013