Data Security: Don't Change Passwords! Advises Siemens

The following is not a drive encryption software issue per se, but I just had to mention it because it deals with information security: apparently, there is malware making the rounds that exploits a hard-coded password, and the makers of the software are advising against changing it.

Siemens Simatic WinCC SCADA Being Targeted

The malware, dubbed Stuxnet, is a worm/Trojan hybrid programmed to take advantage of the passwords used in Siemens SCADA (Supervisory Control and Data Acquisition) systems.  SCADA is used to manage critical operations, such as those at utility companies and manufacturing facilities.

The hard-coded password, according to wired.com, is used to protect the database used by the SCADA software.  Except, of course, when it isn't.

The password has been online since 2008, when it was leaked "at a Siemens technical forum, where a Siemens moderator appears to have deleted it shortly thereafter. The same anonymous user, 'Cyber,' also posted the password to a Russian-language Siemens forum at the same time, where it has remained online for two years." [wired.com]

(It appears to be something of an open-secret, because Wired just went ahead and published it, too.)

Can't Blame Siemens?

Wired also notes,

"Well over 50 percent of the control system suppliers" hard-code passwords into their software or firmware, says Joe Weiss, author of the book Protecting Industrial Control Systems from Electronic Threats. "These systems were designed so they could be used efficiently and safely. Security was simply not one of the design issues."

In fact, there are reports that changing the password could stop the system from working, which is why we've got this situation:

"We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," Siemens spokesman Michael Krampe told journalists.

Changing Passwords Important

The ability to change passwords is an important aspect of data security.  The reason is pretty well covered above.

But its importance doesn't come only from the fact that you'll need to change a password once it has been compromised.  Changing passwords is also seen as a preventive measure: if someone is working on guessing your password, he'll have to start all over again when you change it.

This is why, for example, users of encrypted systems are encouraged to change their passwords every 3 months or so (there are pros and cons to this, actually).

Also, the keys to encryption software have an "expiration date" for the same reason.  While it's virtually impossible that anyone will guess the encryption key successfully, if someone decides to work on it for 50 years, there is an increased (but still very low) chance that the protected content will be revealed.
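The "start all over again" argument in the two paragraphs above can be made quantitative. The following is an added example, not code from the original post or from Siemens; it assumes a password drawn uniformly from a space of N candidates, a systematic guesser who never repeats a guess, and a fresh random password at every rotation.

```python
from random import Random


def p_success_fixed(space: int, guesses: int) -> float:
    """Systematic search against a password that never changes: every guess
    eliminates one candidate, so the chance of success grows linearly with
    effort until the whole space has been tried."""
    return min(guesses / space, 1.0)


def p_success_rotating(space: int, guesses: int, rotate_every: int) -> float:
    """The password is re-drawn uniformly every `rotate_every` guesses.
    Each period is an independent trial, and guesses made in earlier periods
    no longer narrow the search; that is the 'start all over again' effect.
    A final partial period contributes its own (smaller) share."""
    if rotate_every <= 0:
        raise ValueError("rotate_every must be positive")
    full_periods, leftover = divmod(guesses, rotate_every)
    p_fail = (1.0 - p_success_fixed(space, rotate_every)) ** full_periods
    p_fail *= 1.0 - p_success_fixed(space, leftover)
    return 1.0 - p_fail


def simulate_rotating(space: int, guesses: int, rotate_every: int,
                      trials: int = 20_000, seed: int = 1) -> float:
    """Monte Carlo check of p_success_rotating (constructed scenario).
    Inside each period the attacker tries candidates 0, 1, 2, ... in order,
    so a period succeeds exactly when the freshly drawn password's index is
    below the number of guesses that period has left."""
    rng = Random(seed)
    wins = 0
    for _ in range(trials):
        remaining = guesses
        while remaining > 0:
            budget = min(rotate_every, remaining)
            if rng.randrange(space) < budget:
                wins += 1
                break
            remaining -= budget
    return wins / trials


if __name__ == "__main__":
    # Constructed numbers: a 1,000-candidate space and a 1,000-guess budget.
    N, T = 1000, 1000
    print(f"fixed password: {p_success_fixed(N, T):.3f}")
    for R in (100, 250, 500):
        print(f"rotate every {R:>3}: model {p_success_rotating(N, T, R):.3f}, "
              f"simulated {simulate_rotating(N, T, R):.3f}")
```

Against a fixed password the attacker's chance after T guesses is min(T/N, 1), while with a rotation every R guesses it is 1 - (1 - R/N)^(T/R), which is never larger; when N is far bigger than the attacker's whole budget, both are essentially T/N, so rotation buys little there, which is one of the "cons" alluded to above.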

Hard coding a password?  Why even have one?

Related Articles and Sites:
http://www.sophos.com/blogs/gc/g/2010/07/20/malware-scada-password-siemens/
http://www.zdnet.co.uk/news/security-threats/2010/07/20/siemens-warns-stuxnet-targets-of-scada-password-risk-40089591/?s_cid=938
http://www.wired.com/threatlevel/2010/07/siemens-scada/

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.