Enoela

Password

E’ di questi giorni una levata di scudi contro un emendamento alla normativa sulla privacy che, sollevando le aziende dall’obbligo di applicare una serie di accorgimenti “minimi” per la sicurezza dei sistemi, avrebbe, a parere di molti, privato di efficacia la normativa stessa.
Da qui emergono alcuni spunti di riflessione che mi riprometto di approfondire in altri post. Adesso, invece, vorrei citare un’intervista riportata su InformationWeek, ad un “hacker”, Robert Moore, nei guai per aver violato alcuni sistemi VoIP.

Default Passwords: A Hacker’s Dream

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.

“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0′ as passwords on them. We could get full access to aCisco (NSDQ: CSCO) box with enabled access so you can do whatever you want to the box. … We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I’d write a scanner for Mera boxes and we’d run the password against it to try to log in, and basically we could get in almost every time. Then we’d have all sorts of information, basically the whole database, right at our fingertips.”

Anche un cavernicolo ci sarebbe riuscito, dice Moore, visto che moltissimi sistemi avevano la password di amministrazione ancora impostata sul default: “admin” o “Cisco0″. Altro che documenti programmatici sulla sicurezza.