Dark Reading today has an article worth reading, "The Password Is... Vulnerability". It outlines how one of the most common things penetration testers find enterprises getting wrong is the use of default passwords.
As the article says "Many people feel that networks are secure from this issue because the only people who could exploit this are people from within the company. But due to session riding and malicious JavaScript, that's no longer the case. All a user has to do is get someone at the company that has a physical route to the device with the default configuration to visit a page that is under their control."
The article further states:
"Wireless networks are also highly subject to this sort of issue. Not only do they have default passwords, but they have default SSIDs that can help identify which default username and password to start with. War driving and using default usernames and passwords is a clear and present danger to corporations, and it's often overlooked by adding additional layers of encryption, or by disabling the broadcasting of SSIDs. While that can slow down an attacker, it doesn't do much to prevent the attack itself.
"Lastly, Web applications are also vulnerable. Not only do people tend to use the same passwords for out-of-the-box applications, but oftentimes there are other components that can be subverted. One such issue is default credit card numbers. There is a list of default credit card numbers that can be used to buy items from Websites without paying. This sort of issue is exacerbated by the fact that security systems often ignore default credit cards as they are supposed to be only used for testing."
All of which is excellent advice. Enterprise security is only as good as the weakest link in the chain, and a device still running its factory login is about as weak as a link gets. Change those default passwords, or your enterprise is at high risk of a successful security breach.
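The practical follow-up to that advice is to go and look for factory logins before an attacker does. Below is an added example, not code from the Dark Reading article or from this post, of a small audit that tries a list of default username/password pairs against an HTTP Basic-auth management page and reports the first one the device accepts. The credential list is a constructed sample (a real audit would load the vendor-specific list that the SSID or HTTP realm banner points you to), and the "device" is a constructed local HTTP server standing in for an appliance, so the whole thing runs offline. Only point it at real inventory you are authorised to test.

```python
"""Default-credential audit for HTTP Basic-auth management interfaces.

Added example, not from the Dark Reading article or the original post.
The credential list and the target device below are constructed for the
demo: a local HTTP server stands in for an appliance whose factory login
was never changed.  Run `audit_host` against real hosts only with
authorisation.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of factory logins often seen on appliances.  A real
# audit would load the list for the specific vendor/model, which is what
# a default SSID or the HTTP realm banner tells you.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
]


def _basic_header(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def try_login(url, user, password, timeout=3.0):
    """Return True if the device accepts the Basic-auth pair (HTTP 2xx)."""
    req = urllib.request.Request(
        url, headers={"Authorization": _basic_header(user, password)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False  # 401/403 etc.: pair rejected
    except urllib.error.URLError:
        return False  # host unreachable: treat as not confirmed


def audit_host(url, candidates=DEFAULT_CREDENTIALS):
    """Return the first default pair the device accepts, or None.

    Stops at the first hit so a lockout policy on the device is tripped
    as little as possible; a device with a changed password returns None.
    """
    for user, password in candidates:
        if try_login(url, user, password):
            return (user, password)
    return None


class _FakeDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for a device admin page behind Basic auth."""

    def do_GET(self):
        if self.headers.get("Authorization") == self.server.accepted:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>device admin</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_device(user="admin", password="admin"):
    """Start the stand-in device on an ephemeral port; return (url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeDevice)
    server.accepted = _basic_header(user, password)  # the login it honours
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/", server


if __name__ == "__main__":
    url, srv = start_fake_device()                 # factory login still set
    print("factory device:", audit_host(url))       # -> ('admin', 'admin')
    srv.shutdown(); srv.server_close()
    url, srv = start_fake_device("admin", "Xk9!correct-horse")  # changed
    print("hardened device:", audit_host(url))      # -> None
    srv.shutdown(); srv.server_close()
```

Two design points: the audit stops at the first accepted pair rather than exhausting the list, because some devices lock the account after a few failures and you want a finding, not an outage; and an unreachable host is reported as "not confirmed" rather than "clean", since a timeout tells you nothing about the password.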
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
