Your Fly Is Open

Netmenaces and other Internet Stupidity

If You Leave a Hacker a Default Password

In the interest of making security approachable, I’ve decided to attempt to bring proper security methodology down to a level that everyone can understand. Because my four-year-old niece lives with us, we’ve got a ton of children’s books lying around for inspiration. I decided to try passing along a little security knowledge by mimicking the style of the beloved children’s classic, If You Give a Mouse a Cookie.

If you leave a hacker a default password,

He'll use it to log into your telnet server.

Once he's logged into your telnet server,

host login: root
Password: vizxv

he'll want to install some new software.

He'll try to download something via TFTP,

# busybox tftp -c get
tftp: applet not found

but that won't work, so he'll try WGET.

# busybox wget -c get
wget: applet not found

That won't work either, so he'll resort to creating
a file all by himself.

# echo -en '\x7f\x45\x4c...\x01\x00\x00\x00\xa4\x00' >> retrieve && echo -en '\x52\x43\x56'
# echo -en '\x01\x00\x34...\x28\x00\x06\x00\x05\x00' >> retrieve && echo -en '\x52\x43\x56'
# echo -en '\x00\x00\x00...\x01\x00\x00\x00\x00\x00' >> retrieve && echo -en '\x52\x43\x56'

Once he's created that file, he'll want to run it.

Once it's running, it'll download another one of the hacker's files.

He'll want to run that one too.

Once it's running, it will start attacking other
systems on the Internet.

While it's attacking other systems on the Internet,
it might come across Tom's Telnet Mirror™.

If the code attacks Tom's Telnet Mirror™, it'll redirect
the attack right back to your system.

And, chances are, if the attack is reflected right back to your system,
it'll probably try logging in using a default password.

host login: root
Password: vizxv

With apologies to Laura Numeroff
If you have young'uns, seriously consider buying the original... they'll love it.
And for Pete's sake... change those frickin' passwords, mmmmkay?

Tom Liston
Consultant - Cyber Network Defense
DarkMatter, LLC
Twitter: @tliston
June 6, 2016
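
As an added example (not part of the original post), this Python script flags the sequence the story walks through when it appears in a captured telnet session: a default-credential login, failed busybox applet probes, and a file assembled from echo -en hex chunks that begins with the ELF magic. The sample session, its byte values, and the names analyze and unhex are constructed for illustration.

```python
import re

# Constructed sample session modelled on the transcript in the post (not a real capture).
SESSION = r"""host login: root
Password: vizxv
# busybox tftp -c get
tftp: applet not found
# busybox wget -c get
wget: applet not found
# echo -en '\x7f\x45\x4c\x46\x01\x01\x01\x00' >> retrieve && echo -en '\x52\x43\x56'
# echo -en '\x00\x00\x00\x00\x02\x00\x28\x00' >> retrieve && echo -en '\x52\x43\x56'
"""

DEFAULT_CREDS = {("root", "vizxv")}   # the pair shown in the post; extend as needed
LOGIN = re.compile(r"login:\s*(\S+)")
PASSWORD = re.compile(r"Password:\s*(\S+)")
PROBE = re.compile(r"busybox\s+(\w+)")
DROP = re.compile(r"echo -en '((?:\\x[0-9a-fA-F]{2})+)'\s*>>\s*(\S+)")
ELF_MAGIC = b"\x7fELF"

def unhex(escaped):
    """Decode a run of \\xNN escapes into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", escaped))

def analyze(session):
    """Return the stages of the login, probe, drop sequence seen in one session."""
    lines = session.splitlines()
    user, default_login, failed_probes, files = None, False, [], {}
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if m := LOGIN.search(line):
            user = m.group(1)
        elif m := PASSWORD.search(line):
            default_login |= (user, m.group(1)) in DEFAULT_CREDS
        elif (m := PROBE.search(line)) and "applet not found" in nxt:
            failed_probes.append(m.group(1))      # applet was tried and is absent
        elif m := DROP.search(line):
            # Reassemble what the appended chunks wrote to each target file.
            files[m.group(2)] = files.get(m.group(2), b"") + unhex(m.group(1))
    elf_drops = sorted(n for n, data in files.items() if data.startswith(ELF_MAGIC))
    return {"default_login": default_login, "failed_probes": failed_probes,
            "elf_drops": elf_drops,
            "bytes_written": {n: len(d) for n, d in files.items()}}

if __name__ == "__main__":
    print(analyze(SESSION))
```

The `\x52\x43\x56` marker echoed after each chunk decodes to the ASCII string RCV, which `unhex` confirms.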