
Backdoor passwords generate security flaw

CyberArk Software : 01 July, 2013  (Technical Article)
Hardcoded passwords on hardware represent a built-in vulnerability on microprocessor-controlled equipment, warns Cyber-Ark

Last week, Hewlett Packard issued a bulletin on a potential security issue impacting the older version of its StoreOnce de-duplication appliance.
The security issue, brought to light by a blogger, is an existing default password in the appliance that would allow anyone with an Internet connection to potentially access the appliance through a previously unknown administrative account.  This is the latest example of one of the most pervasive security vulnerabilities facing businesses – hardcoded and default passwords that are supposed to ‘secure’ administrative and privileged accounts.   

John Worrall, CMO at Cyber-Ark, the leader in privileged account security and compliance, has made the following comments on the news:
 
“Vendors build backdoor privileged and administrative accounts into their appliances so they can easily administer updates and troubleshoot any issues that arise with the product itself. The problem is that they often ‘secure’ these accounts with hardcoded or default passwords that are easily discovered in manuals, on the vendor websites, or through simple internet searches. Cyber-attackers know this – which is why they target these backdoors. The problem for businesses is that they often don’t know these accounts even exist because they’re not always disclosed by the vendors. As a result, businesses are sitting on a vulnerability known only to attackers. As these backdoors are improperly protected with default and hardcoded passwords, they provide soft targets for attackers to gain control of privileged and administrative accounts.
 
“Last week, it was the ICS-CERT warning about hardcoded passwords in medical devices.  Prior to that, we’ve seen hardcoded and default password breaches lead to attacks as big as the Stuxnet attack.  This is an all too common issue that has plagued the industry for years.  These backdoors have been found to exist in all types of devices, including PCs, databases, networked devices like copiers, operating systems, operational technology (ICS, SCADA) and more.  These backdoors need to be considered and managed as privileged accounts because of the wide ranging access they provide to an organisation’s most sensitive data.

“Businesses should assume that hardcoded or default passwords exist in any device with a microprocessor – working with their vendors to identify and secure these access points before they’re leveraged in an attack.”

   © 2012 ProSecurityZone.com