
Security, Compliance & Awareness

Hacking Horror of the Month - Hacking ATMs

A recent news story from Virginia, USA highlights the pitfalls of failing to change default passwords.

A man walked up to an ATM at a service station and, using the standard console accessible to all users, reprogrammed the machine to dispense $20 notes instead of $5 notes. The net result was that if a customer requested $80, the machine would dispense $320, but the customer’s account would only be debited $80!

It transpired that the password protecting the machine’s diagnostic mode had been left at its default setting, which in turn was published in an online service manual. (The manual also gave any reader additional helpful information, such as default combinations for the safe and instructions on how to enter diagnostic mode.)

It was nine days before an unusually honest user flagged the situation with staff at the service station.  We do not know how many punters “hit the jackpot” in the meantime!

Whilst the story sounds like one of those popular urban myths, it is apparently true (read it in full at http://www.securityfocus.com/brief/310) and, from a security perspective, highlights the importance of changing default password settings at network entry points. As part of penetration testing projects, Safecoms naturally checks to see whether any of the client’s Internet-facing hosts have weak remote access authentication settings. On more than one occasion we have found Internet-facing servers accessible through well-known default passwords, the hacker’s equivalent of the overly generous ATM.


InfoAware

InfoAware is our training solution for User Awareness, IT Staff Awareness and Information Governance.  Covering all the relevant topics required by international standards such as ISO 17799, it comprises a multimedia Video/DVD and Learning Management System. 

InfoAware is easy to deploy over the Intranet and can be used for induction and refresher training courses.  InfoAware takes users through a multi-choice question and answer session on each topic and allows organisations to deploy additional training material and policy documents to all staff.

More details can be found at www.infoaware.com

Contact

Safecoms has operations in the UK and Australia, with representatives in the USA, Asia and the West of Scotland.

If you would like someone from Safecoms to contact you please email us at info@safecoms.co.uk