Monday, February 25, 2008

Default Security

So, I was browsing the SANS Top 20 security risks of 2007 here and noticed that they mention weak default passwords, or the complete lack of them, and devices that never prompt for a new password. I also ran into this discussion on the backtrack.org forums.

The essential problem is that manufacturers ship setup wizards that either skip the subject of passwords and security entirely, or only touch on the default password. Everyone in networking knows, for example, that a Linksys router ships with the username and password admin.

So why can't manufacturers:

A) Enable high-security features by default (i.e. WPA on wireless)?
B) Randomly generate a 16-character password (upper- and lower-case letters and numbers) for each unit?
C) Ask users whether they want to enable low-security features, such as wireless communication or auto-form completion?

Don't manufacturers have that responsibility? It is understandable that companies like Cisco add no such wizards to their high-end equipment, since only certified professionals are expected to purchase and deploy it anyway. But an employee with a poorly configured PDA can pose a huge security risk to the company.

And that's not to mention Bluetooth devices that still use the default PIN of 0000.
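To put numbers on points B and C above and on the 0000 PIN, here is an added example (my own code, not from SANS, the forum thread, or any vendor) of what a per-device default generator looks like and how much guessing work it buys compared with a fixed 4-digit PIN. The password comes from the operating system CSPRNG via `secrets`, never from `random`, and the list of vendor defaults is a constructed sample for illustration, not a real credential database.

```python
import math
import secrets
import string

# Alphabet from the proposal above: upper- and lower-case letters plus digits (62 symbols).
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def generate_default_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a fresh per-unit password from the OS CSPRNG.

    Candidates missing one of the three character classes are rejected so the
    result always satisfies the policy; the rejection rate is tiny at 16 chars,
    so the entropy loss is negligible.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character per class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def is_policy_compliant(password: str, min_length: int = 16) -> bool:
    """Check the upper/lower/digit and minimum-length policy from the post."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
    )


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given guess rate (worst case)."""
    return (2 ** bits) / guesses_per_second


# Constructed sample of well-known factory credentials (illustrative only).
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}


def is_known_default(username: str, password: str) -> bool:
    """True if the pair appears in the sample default-credential list."""
    return (username.lower(), password) in KNOWN_DEFAULTS


if __name__ == "__main__":
    pw = generate_default_password()
    print("generated:", pw, "compliant:", is_policy_compliant(pw))
    # A fixed default like 0000 has zero entropy; even a *random* 4-digit PIN
    # is only 10**4 possibilities, about 13.3 bits.
    pin_bits = entropy_bits(4, 10)
    pw_bits = entropy_bits(16)
    print(f"random 4-digit PIN: {pin_bits:.1f} bits, "
          f"exhausted in {brute_force_seconds(pin_bits, 1000):.0f} s at 1000 guesses/s")
    print(f"16-char [A-Za-z0-9]: {pw_bits:.1f} bits, "
          f"{brute_force_seconds(pw_bits, 1e9):.3g} s at 1e9 guesses/s")
    print("admin/admin is a known default:", is_known_default("admin", "admin"))
```

The point of the comparison: a random 16-character password in this alphabet is roughly 95 bits, which no online attack against a router login will ever exhaust, while a 4-digit PIN keyspace falls in seconds at a modest rate even when the PIN is random, and a fixed 0000 needs no search at all.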

While it's true that the ultimate responsibility lies with the end user, manufacturers should not be promoting products as "easy to use" and "easy to install" if they are not equally easy to secure.
