Last week, Hewlett Packard issued a bulletin on a potential security issue impacting the older version of its StoreOnce de-duplication appliance.
The security issue, brought to light by a blogger, is an existing default password in the appliance that would allow anyone with an Internet connection to potentially access the appliance through a previously unknown administrative account. This is the latest example of one of the most pervasive security vulnerabilities facing businesses – hardcoded and default passwords that are supposed to ‘secure’ administrative and privileged accounts.
John Worrall, CMO at Cyber-Ark, the leader in privileged account security and compliance, has made the following comments on the news:
“Vendors build backdoor privileged and administrative accounts into their appliances so they can easily administer updates and troubleshoot any issues that arise with the product itself. The problem is that they often ‘secure’ these accounts with hardcoded or default passwords that are easily discovered in manuals, on the vendor websites, or through a simple internet search. Cyber-attackers know this – which is why they target these backdoors. The problem for businesses is that they often don’t know these accounts even exist because they’re not always disclosed by the vendors. As a result, businesses are sitting on a vulnerability known only to attackers. As these backdoors are improperly protected with default and hardcoded passwords, they provide soft targets for attackers to gain control of privileged and administrative accounts.
“Last week, it was the ICS-CERT warning about hardcoded passwords in medical devices. Prior to that, we’ve seen hardcoded and default password breaches lead to attacks as big as the Stuxnet attack. This is an all too common issue that has plagued the industry for years. These backdoors have been found to exist in all types of devices, including PCs, databases, networked devices like copiers, operating systems, operational technology (ICS, SCADA) and more. These backdoors need to be considered and managed as privileged accounts because of the wide-ranging access they provide to an organisation’s most sensitive data.
“Businesses should assume that hardcoded or default passwords exist in any device with a microprocessor – working with their vendors to identify and secure these access points before they’re leveraged in an attack.”