Changing Default Passwords (an entry in the Bright Launch collection of articles and resources)
As a consultant to many individuals and businesses, I keep wondering why people choose weak passwords. Ryan Naraine of eWEEK recently wrote about an individual who used a simple four-word Google search query to locate step-by-step instructions on how to hack into and take control of thousands of ATMs scattered around the United States.
The episode underscores how easy it is to use the power of search engines to find sensitive security information. In the past, Google queries have been used to find security flaws in Web-facing applications, default passwords in Oracle databases and even live malware samples seeded on forums and other malicious sites. Changing the default passwords on any application is just common sense, and if people don’t know how, they should hire a knowledgeable consultant.
“Following up on a CNN report out of Virginia Beach, Va., that a man reprogrammed an ATM at a gas station to dispense $20 bills instead of $5 bills, a New York-based security researcher did some old-fashioned online sleuthing and discovered that the operator manual for that specific model of ATM could be legally obtained in about 15 minutes.
Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual - which contains master passwords and other sensitive security information about the cash-dispensing machines - but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack.
Goldsmith, a respected researcher who co-founded @Stake and previously led Symantec’s Security Academy, said he traced clues from a YouTube video to identify the make and model of the ATM, a Tranax Mini-Bank 1500 Series, and started an experiment to see how easy it would be to legally obtain an operator manual. In an interview with eWEEK, Goldsmith said he first dug around on Tranax Technologies’ Web site and found a knowledge base article that mentioned that the ATM is programmed with passwords that can be found in the operator’s manual. (…)
“If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched,” Goldsmith said. (…) “This isn’t a vulnerability,” Goldsmith explained. “It’s someone exploiting a policy weakness, where ATM owners install these things and never change the default password.”
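The policy weakness Goldsmith describes (devices installed with the factory password untouched) is something an operator can check for at install time rather than discover later. The following is an added example, not code from the original post or from any vendor: a small pre-deployment audit that rejects an operator password when it is empty, too short, or matches a known factory default for the device model. The device models, the default-credential table and the sample inventory are all constructed placeholders, and the defaults are stored only as SHA-256 digests so the audit list does not itself disclose any password.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _sha256(s: str) -> str:
    """Hex SHA-256 of a string; used so the default table holds digests, not plaintext."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed, hypothetical table of factory default credentials keyed by
# device model. Both the model names and the passwords are placeholders,
# not real vendor values.
KNOWN_DEFAULTS = {
    "example-atm-model-a": {_sha256("DEFAULT-PLACEHOLDER-A")},
    "example-atm-model-b": {_sha256("000000"), _sha256("DEFAULT-PLACEHOLDER-B")},
}

MIN_LENGTH = 8  # assumed minimum length policy for this example


@dataclass
class Device:
    asset_id: str
    model: str
    operator_password: str  # hypothetical field: the password being set at install time


def audit_device(device: Device) -> list[str]:
    """Return the findings for one device; an empty list means it passed."""
    findings = []
    pw = device.operator_password

    if not pw:
        findings.append("empty password")
    elif len(pw) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")

    # Compare digests in constant time against every known default for this model.
    digest = _sha256(pw)
    for default_digest in KNOWN_DEFAULTS.get(device.model, set()):
        if hmac.compare_digest(digest, default_digest):
            findings.append("factory default password still in use")
            break

    # A model missing from the table is not a pass: nobody has recorded its defaults yet.
    if device.model not in KNOWN_DEFAULTS:
        findings.append("model not in default-credential table; verify manually")

    return findings


def audit_inventory(devices):
    """Map each asset id to its list of findings."""
    return {d.asset_id: audit_device(d) for d in devices}


# Constructed sample inventory covering the cases the audit distinguishes.
SAMPLE_INVENTORY = [
    Device("atm-001", "example-atm-model-a", "DEFAULT-PLACEHOLDER-A"),  # default left in place
    Device("atm-002", "example-atm-model-b", "000000"),                 # default and too short
    Device("atm-003", "example-atm-model-a", "Kx7#pq!92Lmv"),           # changed, passes
    Device("atm-004", "example-atm-model-c", "short1"),                 # unknown model, too short
]

if __name__ == "__main__":
    for asset, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset}: {'OK' if not findings else '; '.join(findings)}")
```

Wiring a check like this into the installation or provisioning step is what turns "change the default password" from advice into an enforced control; the digest table also means the list of defaults can be shared with field technicians without handing them the passwords.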