The Password Is... Vulnerability

9:00 AM -- After dozens of high profile network penetration tests, what do you think is the one thing that almost every company gets wrong?

If you guessed default passwords, you're right. It's one of the simplest things in a hacker arsenal, but it's also one of the most dangerous things to get wrong, because of it's simplicity. There are even sites devoted to this very concept to aid hackers in their exploitation.

At the network level, there are several good Websites out there that help administrators and hackers alike. CIRT.net, phenoelit.de, and cyxla.com all offer lists that can aid in both finding and exploiting this commonly overlooked vulnerability.

Many people feel that networks are secure from this issue because the only people who could exploit this are people from within the company. But due to session riding and malicious JavaScript, that's no longer the case. All a user has to do is get someone at the company that has a physical route to the device with the default configuration to visit a page that is under their control.

Wireless networks are also highly subject to this sort of issue. Not only do they have default passwords, but they have default SSIDs that can help identify which default username and password to start with. War driving and using default usernames and passwords is a clear and present danger to corporations, and it's often overlooked by adding additional layers of encryption, or by disabling the broadcasting of SSIDs. While that can slow down an attacker, it doesn't do much to prevent the attack itself.

Lastly, Web applications are also vulnerable. Not only do people tend to use the same passwords for out-of-the-box applications, but often times there are other components that can be subverted. One such issue is default credit card numbers. There is a list of default credit card numbers that can be used to buy items from Websites without paying. This sort of issue is exacerbated by the fact that security systems often ignore default credit cards as they are supposed to be only used for testing.

Companies that don't go through the exercise of insuring that their applications, and equipment have changed their default configuration are taking a huge risk.

If you haven't had your security team do this, you haven't taken one of the most critical steps in securing your critical infrastructure.

Go do it. Right now.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading