|TA13-175A: Risks of Default Passwords on the Internet|
25/06/13, TA13-175A: Risks of Default Passwords on the Internet|
From: "US-CERT" <US-CERT@public.govdelivery.com>
Generated by MHonArc
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Subject: TA13-175A: Risks of Default Passwords on the Internet
From: "US-CERT" <US-CERT@public.govdelivery.com>
Date: Mon, 24 Jun 2013 15:32:27 -0500
Authentication-results: mail.cs.ait.ac.th (amavisd-new); dkim=pass (2048-bit key) header.d=public.govdelivery.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=public.govdelivery.com; s=13q2; email@example.com; h=Content-Transfer-Encoding: Content-Type:x-subscriber:X-AccountCode:Errors-To:Reply-To: MIME-Version:Message-ID:Subject:Date:To:From; bh=Nd0nF3ljCnLspVl 01zGSTe7po8s=; b=YxSwPag3YUYqFOHptiNjNo4Dn1wQrCLiJNqGTd72B4mcl7V Xe+31sDfCl2Z+xS2TLq1yQz7mabl6WnQeGPu31+oConULrKxzs7TKjLvKHndFwDq JQWLVddmFhErKwVCsq2VFgvMljPOpMc2k0WT/eoeVPP2AdcJ/j+AVw6hP/oMHKQc n+g/7V//WQkFc4yatbwhwVXfva/UYTT47/A/spN1xy0rjjs0HCbuSESGpF6S+Lg2 gs9Gs+TcZcstlLYefnGZdpcZCVzuuMzbJ9dfZmcfp/Vq8bRt3fYM8nOjNTGn3zsJ 5NSLZGaEV5rwtqsCneqb7L9AIxDIciOPxX/qMHQ==
National Cyber Awareness System:
06/24/2013 03:11 PM EDT
Original release date: June 24, 2013
Any system using password authentication accessible from the internet may be affected. Critical infrastructure and other important embedded systems, appliances, and devices are of particular concern.
Attackers can easily identify and access internet-connected systems that use shared default passwords. It is imperative to change default manufacturer passwords and restrict network access to critical and important systems.
What Are Default Passwords?
Factory default software configurations for embedded systems, devices, and appliances often include simple, publicly documented passwords. These systems usually do not provide a full operating system interface for user management, and the default passwords are typically identical (shared) among all systems from a vendor or within product lines. Default passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend changing the default password before deploying the system in a production environment.
What Is the Risk?
Attackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be found in product documentation and compiled lists available on the internet. It is possible to identify exposed systems using search engines like Shodan, and it is feasible to scan the entire IPv4 internet, as demonstrated by such research as
Attempting to log in with blank, default, and common passwords is a widely used attack technique.
An attacker with knowledge of the password and network access to a system can log in, usually with root or administrative privileges. Further consequences depend on the type and use of the compromised system. Examples of incident activity involving unchanged default passwords include
Change Default Passwords
Change default passwords as soon as possible and absolutely before deploying the system on an untrusted network such as the internet. Use a sufficiently strong and unique password. See US-CERT Security Tip ST04-002 and Password Security, Protection, and Management for more information on password security.
Use Unique Default Passwords
Vendors can design systems that use unique default passwords. Such passwords may be based on some inherent characteristic of the system, like a MAC address, and the password may be physically printed on the system.
Use Alternative Authentication Mechanisms
When possible, use alternative authentication mechanisms like Kerberos, x.509 certificates, public keys, or multi-factor authentication. Embedded systems may not support these authentication mechanisms and the associated infrastructure.
Force Default Password Changes
Vendors can design systems to require password changes the first time a default password is used. Recent versions of DD-WRT wireless router firmware operate this way.
Restrict Network Access
Restrict network access to trusted hosts and networks. Only allow internet access to required network services, and unless absolutely necessary, do not deploy systems that can be directly accessed from the internet. If remote access is required, consider using VPN, SSH, or other secure access methods and be sure to change default passwords.
Vendors can design systems to only allow default or recovery password use on local interfaces, such as a serial console, or when the system is in maintenance mode and only accessible from a local network.
Identify Affected Products
It is important to identify software and systems that are likely to use default passwords. The following list includes software, systems, and services that commonly use default passwords:
Running a vulnerability scanner on your network can identify systems and services using default passwords. Freely available scanners include Metasploit and OpenVAS.
Previous message sorted by date:
TA13-168A: Microsoft Updates for Multiple Vulnerabilities
Next message sorted by date: TA13-088A: DNS Amplification Attacks
Previous message sorted by thread: TA13-168A: Microsoft Updates for Multiple Vulnerabilities
Next message by thread: TA13-088A: DNS Amplification Attacks
|Contact us: Olivier Nicole||Last update: Jul 2013|