twitter facebook rss

The Sticky Problem Of Public Passwords

Posted by on May 2, 2015.

Close your eyes. Let me take you back in time for a moment. It’s 1985. I’m into hacking and you’re an IT manager. You ask me how I manage to break into all those computers. Is it, you wonder, because I’m a really clever hacker who knows how to defeat the technology?  Actually, no. It’s nothing of the sort. It’s because IT people, programmers and end users make mistakes, and hackers like myself merely come along at the right time to exploit them.

Those exploitable mistakes tend to fall into two categories. First, on the technical side, programmers failing to check their inputs and memory allocation correctly. Which allows for buffer overrun attacks, to execute code or crash a system by feeding it more data than it can handle.

Second, on the end user side, it’s about people not taking sensible care of their passwords. It’s a standing joke that hackers find passwords by looking for post-it notes on the side of monitors. Most travel agencies are heavy users of Prestel, so if you want a Prestel password just pop down to your nearest high street and peer through the window. It works every time.

OK, open your eyes. You’re back in the room and it’s 2015 again. Has the situation improved in the last 3 decades? Are Post-It passwords and buffer overruns a thing of the past? Surely the security product vendors and the compiler writers have managed to eliminate them. Not a chance.

Last week, TV news reports showed a monitor in the control room at Waterloo station in which the passwords appeared to have been written on white tape and stuck to the top of the screen. TV5Monde, a French TV station, also inadvertently included whiteboards in the background of a report last month on which many usernames and passwords had been written. The same thing happened last year when Prince William’s official website published some pictures of him at an RAF base – the flight planning system login details were stuck to the wall and clearly visible in the shots.

But my favourite “they really should have learned by now” security story of recent years concerns last week’s discovery that the Boeing 787 uses a 32-bit counter to record the number of hundredths of a second that the plane’s generators have been powered up. It turns out that such a counter runs out of bits after 248 days, after which the power systems shut down and go into fail safe mode. Even if the plane happens to be in the sky at the time. Which is about as intriguing a definition of “fail safe” as you could possibly imagine.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Robert Schifreen |