Attempting to log in with blank, default, and common usernames and passwords is a widely used attack technique. Unlike most enterprise or corporate networks, Berkeley Lab has an open computing environment so changing default credentials is especially important. To facilitate science and collaboration, most networks are open both to other computers at Berkeley Lab and to the global, public internet as a whole. 

Background

Default passwords are standard, known userid/password pairs that are preinstalled into an operating system, database or software. This information is likely widely available in the system manual, online documentation, forums, and other sites. Default passwords are useful for installations, access management, support and programming purposes but, if left unsecured, still pose a serious security risk to all Berkeley Lab systems. An attacker can completely compromise a system that uses default passwords and then use it as a foothold to attack the rest of the laboratory. Consistent with Department of Energy and Office of Science requirements, Berkeley Lab manages risk to systems using a cost-effect approach that balances mission and risk. See RPM - Cyber Security Risk Management Approach.

All Laboratory employees and affiliates are responsible for the life cycle management of security, operations, backups, and maintenance of Laboratory information and IT that they use or manage. Review the RPM - Lifecycle Management for Information, Hardware, Software, and Services for more information. 

Impacted Systems

Recently, the IT Division’s Cyber Security group uncovered several instances of default passwords in use on the Berkeley Lab network. Through routine scanning Cyber Security found  default credentials in active use throughout the Lab RaspberryPi devices, personal network equipment, and with new software installations with services like Grafana and Nagios. 

Each occurrence could result in a security issue for the Lab network. It is important to identify software and systems that are likely to use default passwords. Provided below are other examples of systems and devices which commonly use default passwords:

  • Routers, access points, switches, firewalls, and other network equipment

  • Software packages, including vendor demonstrations or customer support portals 

  • Databases and management systems, including IDMS, Oracle, and Microsoft SQL

  • Web applications and administrative web interfaces

  • Embedded systems and devices, e.g. BIOS PC computer chips, Unix root user accounts, out-of-band management interfaces (IPMI, iDRAC, ILO, etc)

  • Industrial Control Systems (ICS) systems 

  • Remote terminal interfaces like Telnet and SSH

Recommended Actions

Default passwords are easily exploited since information is readily available and so many systems are left unmonitored. Remain vigilant about keeping the Lab environment secure by taking the following steps: 

  1. Always Change Default Passwords. Change default passwords as soon as possible and absolutely before deploying the system on a network with internet access. Use a sufficiently strong and unique password. See Choosing and Protecting Passwords - Security Tip (ST04-002).

  2. Use a Password Manager. Use a password manager to help with replacing default logins, creating strong passwords, and reminders to update or secure credentials. See IT FAQ on LastPass password manager or search software.lbl.gov

  3. Restrict Network Access. Restrict network access to trusted hosts and networks and only allow internet access to required network services. If remote access is required, use secure access methods such as VPN, or SSH. See Minimum Security Requirements.

  4. Maintain Software and Firmware Updates. Turn on automatic updates for your programs and devices to ensure the latest security patches are applied. If automatic updating is not an option, set a calendar reminder to review updates and credentials in a timely manner. Review IT Best Practices.

For assistance with configuring secure systems and networks, contact the IT division by emailing [email protected] or submit a support request at help.lbl.gov