Steven JW Kennedy

My Blog

Posts Tagged ‘IT Security’

Change your default passwords

Posted by Steven Kennedy on June 1, 2010


Seems obvious, doesn’t it, but I guess some people don’t get it: change default passwords.

There’s a ‘good’ article in this past week’s Computerworld by Frank Hayes on the topic. I say ‘good’ because I like his writing style and, in this case, the story as well. What made this week’s article more appealing, well, amusing, was the repeated refrain of ‘change your default passwords’ in its many variations sprinkled throughout the article. You really need to read the whole article to get the context of the refrain, but I’m going to excerpt that refrain below, just in case you don’t want to go and read the whole article:

Moral of the story: Change your default passwords.

Moral of the story: No kidding, change those default passwords.

Moral of the story: Really, change those default passwords. And pray you get an attacker this hapless.

Moral of the story: Honest, you should change your default passwords. And apply your vendors’ security patches. And when in doubt, call the FBI.

And never, ever get your security advice from YouTube.

So, how many of you haven’t changed the password on your home cable modem, DSL modem, firewall, or wireless access points?

Got a networked printer? Have you changed its default password? For a good reason to not only change its default password but also to erase its local disk before disposal, see the YouTube video at:

http://www.youtube.com/watch?v=iC38D5am7go


Principles of Quantum Security

Posted by Steven Kennedy on April 24, 2008


There is an article in this month’s TechNet magazine called ‘Principles of Quantum Security‘, written by Jesper Johansson.

I found this quite an interesting read. It’s targeted at IT Security pros, but it does contain some scientific analogies that are probably more meaningful for readers with a science/engineering background.

You need to read the whole article to get the full impact; however, the key argument/discussion point of the article is that when we implement some sort of IT Security mitigation, we change the system that we’ve implemented the mitigation against. This means that the mitigation becomes part of the system, and we should be re-evaluating the security posture of the system to see what effect, if any, the mitigation has had. That is, what’s the ripple effect? An example Jesper uses is that of IDSes. If you implement IDSes to mitigate a risk, in all likelihood you’re going to have the logs go to a central system. Doing so probably means that some sort of privileged account is used. Therefore you now have additional systems/services that, if they’re compromised, could give access to a privileged account, etc. Hence the law of unintended consequences.
