How hard would you judge a food service worker who leaves the restroom without washing his or her hands? Pretty hard right? The knowing look given by other bathroom patrons would likely be enough to make him or her blush and get those suds a-goin’. There’s an enormous societal pressure to wash your hands after using the restroom, especially for professionals! It’s common sense. Now, how hard would you judge your infrastructure engineers for leaving a default password on an internet-facing device? Well, you specifically may judge them sternly (considering you are reading this blog), but there doesn’t seem to be the same societal pressure on setting good, strong passwords as there is about washing your hands. Awareness is growing but we need more shame on that lazy admin with a password of admin.

Passwords are perhaps the most common-sense security feature. There isn’t a more important, effective and simple security tip than to make and use strong passwords. Even if you don’t use a strong password, changing the default to something is better than not changing it at all. I used the Shodan* search engine to find devices with the strings “default” and “password” in their banner, indicating that default passwords are potentially still in use.

It would be terrible to be the admin of a device that shows up in Shodan’s fifth most voted search, “Default Password.” It’s not the end of the world: the presence of the strings “default” and “password” in a banner doesn’t necessarily mean the default password wasn’t changed, but it’s a data point that I argue is more indicative than a device with an altered banner. Consider the following device:

https://www.shodan.io/host/41.138.52.59

It’s a Cisco router of some sort running Security Device Manager. Its banner hasn’t been changed, and why would it be? It’s likely some small business router that one would HOPE was configured properly the ONE TIME the default login was used. Let’s analyze the information available:

80 tcp http

Cisco IOS http config
HTTP/1.1 401 Unauthorized
Date: Sat, 01 Jan 2000 21:19:37 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15 or view_access"

We see that the device is responding with “401 Unauthorized,” which indicates that a login is required. Want to venture a guess what those creds would be? Alright, let’s give our network admin here a break and assume that the creds were changed (I will not attempt to enter this device…). There’s still a problem! This device was last updated 16 years ago (or at least its clock thinks so, which at the very least indicates that the admin has not configured an NTP server for this thing). It’s likely breakable.
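As an added example (not part of the original post), here is a small script that applies the same reasoning to banners you have collected for your own internet-facing devices, whether from an external scan or a Shodan export: it flags default-password wording, exposed Basic auth, a product-revealing Server header, and a Date header far from real time. Both sample banners are constructed for the example; ExampleEmbeddedHTTPd is an invented product name.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed samples: the Cisco IOS banner quoted above, plus an invented embedded web server.
CISCO_BANNER = """HTTP/1.1 401 Unauthorized
Date: Sat, 01 Jan 2000 21:19:37 GMT
Server: cisco-IOS
Connection: close
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15 or view_access"
"""
DEFAULT_BANNER = """HTTP/1.0 200 OK
Server: ExampleEmbeddedHTTPd
<title>Login - default password is admin</title>
"""

def parse_banner(banner):
    """Split a banner into its status line and a dict of lowercase headers."""
    lines = banner.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:  # lines without a colon (e.g. HTML) are not headers
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def banner_findings(banner, now=None, max_skew_days=30):
    """Return the reasons a banner deserves an admin's attention."""
    now = now or datetime.now(timezone.utc)
    _, headers = parse_banner(banner)
    findings = []
    low = banner.lower()
    if "default" in low and "password" in low:
        findings.append("banner text advertises a default password")
    auth = headers.get("www-authenticate", "")
    if auth.lower().startswith("basic"):
        findings.append("HTTP Basic auth exposed: " + auth)
    if "server" in headers:
        findings.append("Server header reveals the product: " + headers["server"])
    if "date" in headers:
        try:  # a clock far from real time usually means no NTP was configured
            ts = parsedate_to_datetime(headers["date"])
            if ts.tzinfo is None:
                ts = ts.replace(tzinfo=timezone.utc)
            skew = abs((now - ts).days)
            if skew > max_skew_days:
                findings.append(f"clock is {skew} days off real time (no NTP?)")
        except (TypeError, ValueError):
            findings.append("unparseable Date header: " + headers["date"])
    return findings
```

Run it over each banner in your inventory and treat any device with more than one finding as a candidate for a password change, banner cleanup and NTP configuration.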

This isn’t the only device either. Shodan returns 28,168 total results for banners with “default” and “password” in them. A hacker could likely narrow that down with improved search terms and pick the low-hanging fruit all day. Avoid being one of the 28,168.

The common sense tip here is to change your default password AND obfuscate your banner. There’s no reason your device’s information has to be public.

Wash your hands too.

Thanks for reading! Stay tuned for more Common Sense Security Blog. It’s just common sense.

* You can learn more about how Shodan works on its Wikipedia page.