Does that security vulnerability come standard, or did you pay extra?

Cliff Stoll, the author of The Cuckoo’s Egg, points out that the most common vulnerabilities are the ones that come by default on a machine. DEC’s VAX computers came with three system accounts, all with a default password. The system never forced the administrator to change them. For the most part “Hunter,” the hacker he chased for over a year, didn’t use sophisticated tools or brute force. He tried the front door, which was usually wide open.

The modern-day front door is a wireless router. Cracking wireless security has become almost trivial. There are utilities that do it automatically. But as easy as it is, it’s even easier to find an unsecured network. If you want free internet, look for a network called “linksys,” “default,” “Wireless,” “NETGEAR,” “belkin54g,” or “Apple Network 0273df.” Those are the default network names for the most popular routers. The owner will most likely have left it wide open, with no encryption or password.

The other day a friend decided to help out his neighbor. He had noticed that the internet connection he was “sharing” still had the default administrator password, so he changed it to something a little harder to guess. Had he been malicious, he could have done far more. He could have enabled MAC address filtering on the router, so that it would reject any computer except his own, and the owner wouldn’t have known what happened. He could have secured the router and given the passkey only to his friends. He considered locking the owner out of his own network to teach him a lesson, but decided that was a bit extreme.

Nearly every new cellphone sports Bluetooth technology. But many users don’t understand that their phone could pair with most other Bluetooth devices without so much as a password. They leave their phones in “discoverable” mode, not realizing that this leaves them wide open to attack. The amount of damage that can be done is relatively small. Crackers can siphon data being transferred to the phone, or can use the handset for their own data connection. This has spawned the term “war nibbling,” a take-off on war driving. Instead of cruising for open WiFi networks, nibblers find unsecured or unpatched Bluetooth connections.

How do you protect a user from their own stupidity? Ubuntu Linux disables the root account by default. Instead, the first user account created is given sudo access. A cracker trying to brute-force their way into an Ubuntu box might try the root account, but they won’t know the name of the account with real power.

Windows Vista takes an interesting approach: Hit the end user with a deluge of popups. “You appear to be trying to do something. This could be dangerous. Are you sure you want to continue?” This can only protect a user from certain types of stupidity, however. Windows users already have all sorts of popups that warn about the harmfulness of certain actions — a simple download requires two to three clicks before you can run it — but this hasn’t stopped many users from merrily clicking OK to offers for free iPods, or (ironically) popup blockers and computer security scans.

This sort of security is dangerous, however. I regularly use a Linux box that requires confirmation for each file in a recursive delete. This can be tedious, so, rather than encouraging more thoughtful use of the function, it encourages me to use rm -rf by default. Excessive security features or warnings can cause complacency or even circumvention.

Ultimately, who is to blame for an insecure system? Should the vendor force users to run a secure system? Many websites run algorithms on passwords to ensure that they are sufficiently hard to guess, and that they change on a regular basis. Perhaps an operating system or network should enforce similar standards.