Even IT pros make security mistakes sometimes, and a common error was behind a recent attack at several TV stations: using default passwords to protect systems.
The incident affected several stations in California, Michigan, Montana and New Mexico. Fortunately, the attack took the form of a humorous prank rather than a breach of sensitive data — a group of hackers used the stations’ Emergency Alert System to release a warning that the areas were being attacked by zombies that had risen from the grave.
However, the incident could have been a lot worse, as officials said a similar attack could have been used to conduct a more harmful hoax or prevent the Emergency Alert System from sending out a legitimate warning.
How did the incident occur? Representatives from the Michigan and Montana Associations of Broadcasters said the hackers were able to get into the system because the stations never changed default passwords that were set when the equipment was shipped from the manufacturer.
Apparently, a simple Google search will return the default passwords for the systems involved in the attack.
Lesson: Change default passwords, block unnecessary access
Those TV stations weren’t alone in making that serious security error. Both users and IT departments are often guilty of never changing default passwords, according to a study from Trustwave. Among the organizations studied, default passwords were still being used for:
- 28% of Apache Tomcat installations
- 10% of JBoss installations
- 9% of phpMyAdmin installations, and
- 2% of Cisco devices with an accessible administrative interface.
In addition to shoring up security, being strict about changing those default passwords will set a good example for users.
IT departments can also send an effective message about password security by assigning strong passwords when new systems are set up for users. Often a bad precedent is set because a user is given a new computer or account with “welcome” or “12345” as the password.
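One way to check your own Apache Tomcat installations for the problem described above is to audit the active accounts in `tomcat-users.xml`. This is an added example, not code from Trustwave or the stations involved. The deny-list, the sample file, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed deny-list: sample-style values plus the weak onboarding passwords
# this article mentions. Extend it with the defaults your vendors document.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "welcome", "12345", ""}

# Constructed sample of a tomcat-users.xml file (not from any real system).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <!-- <user username="role1" password="tomcat" roles="role1"/> -->
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="newhire" password="Welcome" roles="manager-status"/>
  <user username="ops" password="k7#Rw2!pQz9vLm4x" roles="admin-gui"/>
</tomcat-users>
"""

def local_name(tag):
    """Strip an XML namespace prefix such as '{http://...}user'."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, reason) for each active account with a weak password."""
    findings = []
    # The parser drops XML comments, so commented-out sample entries
    # (which Tomcat also ignores) are not reported.
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if local_name(elem.tag) != "user":
            continue
        # Accept both the username= and the older name= attribute.
        user = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        if password.lower() in WEAK_PASSWORDS:
            findings.append((user, "default or commonly used password"))
        elif password.lower() == user.lower():
            findings.append((user, "password equals username"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {reason}")
```

Run it against the configuration files you administer and treat any finding as a password that must be rotated before the interface is reachable by anyone else.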
In addition to the warning about default passwords, companies can learn another lesson from the zombie hack: Don’t give systems access to the Internet unless they need it.
Observers say the Emergency Alert System uses the Internet to send outgoing traffic, but is meant to be configured to block incoming access. However, the systems are often configured incorrectly or left open because engineers want to access the system remotely while they’re on call.