Default Passwords and the Anatomy of a Cyber Attack

When I was writing about critical infrastructure being accessible with default passwords in the previous chapter of this series, I had no idea I would come across this phenomenon in my own experience.

Along with specialized data and data-transfer security orders, I also accept “disobedient box taming” orders, otherwise known as custom embedded device development and analysis, particularly from clients with whom I have been working for some time.

In my case, it was an atypical use of off-the-shelf active network elements. As the very first step, after the physical delivery of the analysis sample and after being prompted for a username and password once I started it up, I asked the customer what the username and password were. I was met with an astonished reaction: “But it’s written in the manual!” When I apologized that it had not occurred to me the default username and password would work on a sample taken from an actual workplace, another shock followed: “Whatever you do, do not change them, we are using them in all active devices to prevent problems with educating our service technicians and remembering new passwords.”

So even though I argued against forcing overly restrictive password rules in the previous chapter, today I want to stress that paying no attention to access rights and the passwords in use would be a dangerous mistake as well. According to global statistics, an ordinary home computer of no particular interest to an attacker sees an attempt at unwanted program installation or unauthorized data access on average once every twenty minutes. Naturally, the frequency and sophistication of the attacks increase with the importance of the computers or active elements in question. Anyone responsible for the security of a network or of the data on an individual computer should therefore be continuously aware of the intense external pressure on that network.

Can you imagine how such an attack might look in real life? Most operating systems provide various network services allowing remote access to their functions, in the case of the public internet virtually from anywhere. In many cases, as a result of historical development, it is permissible by default to sign in (activate these services) with the username and password of any user registered on the computer in question, even though some of these services (e.g. ssh) allow the user to do virtually anything remotely that he could do if he were physically sitting at the computer. Users, on the other hand, often select a word or a word combination to make the password easy to remember. (Again, any formal restriction, such as requiring lowercase and capital letters or at least three numerals, will solve nothing in this case, because the password will most likely be a name with the first letter capitalized and the four numerals a year of birth.) To indicate which service we require from the computer, we enter the number of the so-called port to which we are connecting; you may picture it as an office building where we know the door number behind which a certain matter is handled. Publicly available service standards also define default port numbers for the respective services (22 for ssh, for instance), so an attacker does not even need to search for them.

One type of attack therefore usually happens the following way: the attacker selects a random computer anywhere in the world and tries to open a known port number of some service which would allow him to control the computer independently of its owner. If the connection is successfully established and he is prompted for a username and password, he tries a random name from the calendar of name days (first names), from a list of common surnames (there are global lists, but it is more efficient to use the IP address to determine the country where the computer is operating and try the list of surnames typical for that country), or possibly combinations such as namesurname, name_surname, name.surname, etc. A password can be obtained in a similar way by trying one word or a word combination from the respective country’s dictionary.

Naturally, the chance of succeeding at the first attempt is very small; however, (usually) nothing prevents me from trying the next word in line “a little bit” later (depending on the circumstances, anywhere from a millisecond to several minutes) and so on until I succeed. The computer can do this guessing work for me and is armed with inexhaustible patience. Moreover, if the attack is directed at a specific target, I can narrow the attempted names and words down with respect to, for instance, the employee list published on the internet or words related to the line of business. And I can first try the default passwords published in the various device manuals (which can, of course, be quickly found on the internet).
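The attack described in the last two paragraphs leaves a very characteristic trace on the target: one source address, a steady cadence, a parade of non-existent usernames built from first names and name/surname combinations, and, if it works, a successful login from the same source. The following script is an added example (not code from the original chapter) that reads sshd lines in the format found in auth.log and reports exactly that. The log lines are constructed for the example, and the threshold of five failures within one minute is an assumed tuning value.

```python
"""Spot the username/dictionary guessing described above in sshd log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to auth.log (not from a
# real system). 203.0.113.5 walks through first names and name/surname
# combinations at a steady cadence and finally lands on a real account;
# 198.51.100.7 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user jan from 203.0.113.5 port 50112 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for invalid user petr from 203.0.113.5 port 50113 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for invalid user jan.novak from 203.0.113.5 port 50114 ssh2
Mar  3 10:00:07 host sshd[1204]: Failed password for invalid user jan_novak from 203.0.113.5 port 50115 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for invalid user jannovak from 203.0.113.5 port 50116 ssh2
Mar  3 10:00:11 host sshd[1206]: Failed password for admin from 203.0.113.5 port 50117 ssh2
Mar  3 10:00:13 host sshd[1207]: Accepted password for admin from 203.0.113.5 port 50118 ssh2
Mar  3 10:02:00 host sshd[1301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:30 host sshd[1302]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(text):
    """Turn matching sshd lines into event dicts; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog carries no year, so timestamps are only compared relatively
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "invalid": m["invalid"] is not None,   # the username does not exist
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Report sources with at least `threshold` failed logins inside any `window`.

    Returns {ip: summary}. The summary keeps what an analyst needs next: which
    names were tried, how many did not exist, the cadence between attempts, and
    whether the same source eventually logged in successfully.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        # sliding window over the failure timestamps: largest count within `window`
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fails, fails[1:])]
        first_fail = fails[0]["ts"]
        findings[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "usernames": sorted({e["user"] for e in fails}),
            "invalid_users": sum(e["invalid"] for e in fails),
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
            # a success from a source that was just guessing is the real alarm
            "success_after_failures": any(e["ok"] and e["ts"] > first_fail for e in evs),
        }
    return findings


if __name__ == "__main__":
    for ip, summary in find_brute_force(parse_sshd(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed sample the script flags only 203.0.113.5: six failures in a window, five of them against non-existent accounts, a two-second cadence, and then an accepted login for admin. That last field is the one to alert on; a source that was guessing names a moment ago and then got in has, in all likelihood, found a password of the kind discussed above.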

What conclusions do we then draw from our observations? It is vital to follow the “golden mean”. Do not needlessly restrict the users’ creativity when they set up a password (it is, after all, primarily in their interest and their responsibility to prevent their password from being misused), but at the same time do not downplay the need to use some password wherever an active element (including the computers themselves) is reachable by a wider audience, and definitely avoid passwords published in publicly available documents. In short, almost always demand an access password, but in most cases let the user select it.
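The two points made above, that a formally compliant “Name1985” is no better than a dictionary word and that a password published in a manual is worthless, can be turned into a concrete check: instead of counting character classes, measure how far down the attacker’s list the candidate sits. The script below is an added example, not code from the chapter, and the name, surname, word and default-credential lists in it are constructed placeholders; a real deployment would load the national name-day calendar, a surname list, the local dictionary and the default credentials from the manuals of the devices in use. The guess interval of two seconds is likewise an assumption taken from the range the chapter quotes.

```python
"""Estimate how cheaply the guessing strategy above recovers a password."""
import re

# Constructed lists for illustration only (see the lead-in for what a real
# check would load instead).
FIRST_NAMES = ["jan", "petr", "pavel", "eva", "jana", "marie"]
SURNAMES = ["novak", "svoboda", "dvorak", "cerny"]
DICTIONARY_WORDS = ["heslo", "fotbal", "praha", "slunce"]
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
BIRTH_YEARS = range(1930, 2011)          # 81 plausible years of birth
NAME_YEAR_RE = re.compile(r"^([A-Za-z]+)(\d{4})$")


def candidate_usernames(first, last):
    """The username forms the chapter lists: name, surname and their joins."""
    return [first, last, first + last, f"{first}_{last}", f"{first}.{last}"]


def meets_formal_rule(password):
    """The kind of technocratic rule criticised above: mixed case plus three digits."""
    return bool(re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
                and len(re.findall(r"\d", password)) >= 3)


def classify(username, password, names=None, words=None, defaults=None):
    """Return (category, guesses): `guesses` is the size of the candidate list an
    attacker has to walk through at most, or None when the password falls
    outside every list modelled here."""
    names = names if names is not None else FIRST_NAMES + SURNAMES
    words = words if words is not None else DICTIONARY_WORDS
    defaults = defaults if defaults is not None else DEFAULT_CREDENTIALS

    if (username, password) in defaults:
        return "default_credential", len(defaults)
    m = NAME_YEAR_RE.match(password)
    if m and m.group(1).lower() in names and int(m.group(2)) in BIRTH_YEARS:
        # 'Jan1985' passes the formal rule yet is one of names x years guesses
        return "name_plus_year", len(names) * len(BIRTH_YEARS)
    if password.lower() in words:
        return "dictionary_word", len(words)
    return "outside_modelled_lists", None


def time_to_exhaust(guesses, interval_s):
    """Worst-case seconds to walk the whole list at one guess per interval_s."""
    return guesses * interval_s


if __name__ == "__main__":
    for user, pw in [("jan.novak", "Jan1985"), ("admin", "admin"),
                     ("petr", "Fotbal"), ("eva", "koralky-na-zahrade-v-lednu")]:
        cat, guesses = classify(user, pw)
        rule = "passes" if meets_formal_rule(pw) else "fails"
        budget = ""
        if guesses is not None:
            minutes = time_to_exhaust(guesses, 2.0) / 60
            budget = f", at most {guesses} guesses ({minutes:.0f} min at one guess per 2 s)"
        print(f"{user} / {pw}: {rule} the formal rule, {cat}{budget}")
```

With the constructed lists, “Jan1985” passes the mixed-case-plus-digits rule and still falls within 810 guesses, under half an hour at the slow pace of one attempt every two seconds; “admin/admin” falls within three. The point of the check is the number, not the category label: a password change hook that rejects anything with a small worst-case budget enforces what the chapter asks for without dictating how the user composes the rest.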

The most important part is education: communicate with users, demonstrate the principle of the simplest attacks described above, and warn them about the possible consequences. Technocratically enforced rules with no explanation, on the other hand, combined with the wish for something easy to remember, lead to dangerously simple passwords as well as a false sense of security.

Wherever possible, it is also advisable (practically all server software allows it these days) to change the access port number from the default to “any other” number. Imagine how much you complicate a visitor’s orientation in the office building from the initial model by changing the service layout on the individual doors compared to the established practice. Bear in mind, though, that this only filters out the opportunistic attacker who knocks on the well-known door; a port scan of the whole building still reveals where the service was moved, so the non-default port complements a good password and never replaces it.

Any problems related to maintenance and device interchangeability can then be easily solved, for instance, by a uniform but non-default password published in manuals issued solely for the specific company’s needs.

The approach of an unnamed Czech bank president serves as an anecdote illustrating an exception to the rule when it comes to users’ responsibility during password creation. Following a massive breach of the “live money” (account balance) database, the investigation revealed that the access had been made through the president’s (obviously authorized) personal computer, and later it was also revealed that the user password for that computer was “1234”.

The president was naturally fired on the spot (and probably barred from the entire banking sector and adjacent fields); however, the term “password 1234” instantly became a popular technical term in the Czech data security community.