166816 (Z66816): A post-RSA Conference recap

After several hours in the airport, followed by several more on a plane, all while being fueled by caffeine, here’s the post-RSA Conference wrap-up from Salted Hash.

This year’s show seemed bigger, crowd-wise at least, but smaller when it came to everything else.

After the reports were released, many of the attendees I spoke to while walking around were focused on the ISACA [source] and (ISC)2 [source]  studies about jobs and skills (or the lack thereof) in InfoSec.

For example, most organizations say they need to acquire or strengthen their staffing when it comes to risk assessment and management, or IR programs. Yet, the skilled talent to perform those tasks are few and far between.

Both reports are decent reads, but as I mentioned earlier last week; Leviathan Security examined the problems with staffing in InfoSec earlier this year, pointing out that there are more than a million positions unfilled globally. If security is as “mainstream” as the people at this year’s RSA Conference seem to think it is, we’re going to need to see about increasing the talent pool.

The other thing I noticed on the floor this year were the products on display. It seems like the vendors are trending towards what the public wants; and sadly what they’re looking for are boxes with blinking lights that you can plug-in and walk away from. In short, most products could be compared to a big button that eliminates attacks (or attackers) and offers “threat intelligence” as a bonus.

On the plus side, that big blinking box can generate pretty reports. So along with eye candy and lights, the boxes on display also promise to help organizations meet several regulatory and compliance requirements. Oh joy!

This checkbox-driven mindset for security is nothing but trouble. Has the industry really reached a point where service agreements and 1/2/3U rack mounts are cheaper than training and actually hiring staff? I hope not.

Z66831 (Z66816) and other default passwords you should know about

Default credentials: Ignored by those who should be paying attention, and collected by everyone else, they’re the reason most breaches don’t need to be too technical.

The other news from RSA last week that got a good deal of attention centered on POS research. Given that several high profile retailers were breached in 2014, this topic was a given at this year’s show.

During their talk last week, David Byrne (Bishop Fox) and Charles Henderson (Trustwave), outlined some of the common security problems with POS implementations, and said that one of the world’s largest POS vendors had used the same default credentials for more than twenty years.

IDG News was one of the first to single out the vendor, and discovered their identity with little more than a Google search.

The default password, as presented on stage, is 166816 or Z66816 depending on keyboard layout. The vendor is VeriFone, a company from Silicon Valley that claims to connect 27 million payment devices with operations in 150 countries.

The researchers didn’t name VeriFone in their talk, and that’s odd because their slides show what looks to be a VeriFone MX 850 when discussing the issue.

This default password has been known for years – to criminals and administrators. In fact, a research paper from Hacker Factor outlined the default credential problem in 2007.

However, VeriFone confirmed to IDG News that they were the vendor in question, admitting to the default password, and referencing another – Z66831- in a statement. The company said that their default credentials could be located on the Internet along with terminal manuals.

“The important fact to point out is that even knowing this password, sensitive payment information or PII (personally identifiable information) cannot be captured. What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords,” VeriFone told IDG News.

Ignoring the misdirection, because getting a signed binary to work with default credentials is child’s play for a focused criminal (such as those targeting the likes of Target, Best Buy, Home Depot, etc.) VeriFone isn’t the story here.

Moreover, the story isn’t about the fact that the RSA Conference allowed a talk based on data points known to the public since 2007 either. Though, to be far the researchers did have current data points to work with. No, the story is that default credentials and their use happens all the time, in and out of retail. VeriFone is just one small part of the problem.

A quick Google search turns up several examples of default credentials – or worse – devices and services that use blank authentication. One researcher keeps a blog on default access, including SCADA and HVAC devices, routers, and more.

VeriFone said they ship products with pre-expired passwords and encourage customers to change defaults, but that doesn’t do anything for the devices already in the market, or the fact that default works out of the box so customers are fine with that.

Again, VeriFone is just one small part of a very large problem. No one can pretend that default credentials are something new, they’re not, and criminals have been using them against their victims for decades.

Given the breaches last year, it’s clear why the research made headlines the way it did. But was it completely news worthy? No, because default credentials are not news.

In fact, in my opinion, the best part was when IDG News named the vendor (a key point missing from dozens of articles on the talk) – but I freely admit that I’m biased. -Steve

So if default credentials aren’t news, what are they? They’re a tool, something to help with implementation (and admins are supposed to change them). But they’re also a sign of laziness, which is why criminals target them.

Why kick in the door when you already have the key?