We've probably all done it. I have. You know you have too. Go on, admit it!
Done what you ask? Scrounged around for some free WiFi when travelling. With data roaming costs being so high, free wifi can be a blessing - except when it's a curse!

Here's a fun article from tripwire highlighting how easy it can be to capture credentials from unwitting travellers at an airport and how poor the information security practices in some hotels can be.

What Nabil describes in his article about default passwords and poorly segmented networks pretty much matches some of the stuff I've seen when travelling. What makes it worse is when the place is charging a small fortune for daily internet access - where is that money going? Not on security apparently!

Long story short - don't let down your guard even when connected to 'safe' networks and VPN is your friend!

Oh and Nabil's http://www.toolswatch.org/ page is pretty cool too. Go check it out!

There is simply no excuse for this appalling display of security ignorance by (I assume) Netcomm

Hardcoded passwords leave Telstra routers wide open - Networks - SC Magazine Australia - Secure Business Intelligence

It's been widely reported that an Australian man has developed the new iphone virus that 'rickrolls' owners of jailbroken iphones.

The virus spreads via ssh using the iphone's default password of 'alpine'. Normally ssh access is not available on a standard iphone, but enabling access is a requirement of jailbreaking the iphone to get around restrictions placed on the device by Apple.

This comes hot on the heels of a ransonware scam with a dutch hacker holding jailbroken iphones 'hostage' for €5 which uses the same method to gain access to jailbroken phones. (The dutch hacker has since apparently stopped asking for money and has now provided instructions on how to undo his changes).

Does this represent a big security hole for Apple? Not really, as both attacks only affect jailbroken iphones. If you are jailbreaking an iphone, or modifying any device against the manufacturer's instructions, then the onus of providing a secure device has passed from the manufacturer to the end user - something which most end users probably don't think about.

While both 'hackers' have claimed the release of their viruses was a educational 'wake up call' for users with jailbroken iphones to ensure they change their default passwords, the simplicity of the attacks could mean something more sinister is on the horizon.
The pair of them may be in hot water as even a relatively harmless change like rickrolling can have unintended legal consequences (the attempted extortion from the dutchman aside).

If you have a jailbroken iphone, change the default password asap!

*edit* I just came acoss this post from Sophos which has a screenshot of some of the virus source code:

A young queenslander has been charged with hacking* offences after 'hacking' several ATMs to withdraw $30,000 dollars in cash.

The article is short on detail about how these 'hacks' occured, but they do suggest he "found information on the internet and in an ATM manual that allowed him to change the machines' settings so he could make huge withdrawals of cash"

What sort of information in a product manual would allow you to do something like this? I'm betting it was some kind of default password.

It isn't stated what bank owned the ATMs or if they were all from the same bank - I'm guessing they may have been. After all if you have a trick to do something like this it probably only works on one model of ATM, and if it worked on one ATM from a particular bank, it probably works on another!

Default passwords and misconfigured devices are unfortunately all too common. I suspect the practice is even worse when people are with specialized, unusual devices like an ATM. This seems to be an example of security by obscurity at work, the incorrect assumption that the default password didn't need changing because only authorized personnel have access to the product manual. A quick google for ATM Manuals and default passwords shows plenty of results!

Security by obsucurity can be a controversial topic in security circles. At it's core is the idea of being secure by design, rather than secure because of secrecy. In a recent discussion I was part of with a group of security professionals from different backgrounds there were mixed opinions on the topic. Should your security design have no secrets? Should you publish it on the internet? Well to me the common sense answer there is no, as obscurity or secrecy does have a place in security design and implementation. The important thing is your security should not rely on the design being kept secret.

While I'm certainly not condoning or encouraging this type of crime and there is a degree of supposition on my behalf to assume default passwords were the cause, it would seem to fit. While the young man deserves the punishment for the crime, what about the failure of duty of care on behalf of the bank? The lax security procedures?

*I don't know if being able to google for an ATM manual makes you a 'hacker'....

In case you need any more reasons to change default passwords on your systems...

A separate IT department in the company a friend works for had, while attempting to configure a new SAN which they had just purchased, managed to accidentally access the management interface to the SAN that hosts the main file server (the management tool apparently auto discovers all matching devices on the network). Upon discovering several existing LUNS and being true intellectual giants, they assumed that said LUNS must be factory defaults and deleted them... All of them...

Thankfully the file server is part of a DFS pair so the impact was minimal, but it could have been one of those incidents that keeps sys admins at work 'til the wee small hours running restorathons.