This paper summarizes a year’s worth of credential scanning data collected from Heisenberg (Breaking Bad fan’s anyone?), Rapid7’s public-facing network of low-interaction honeypots. Instead of focusing on the passwords that end users typically pick, this data contains what opportunistic scanners are using in order to test— and likely compromise— Internet connected point of sale (POS) systems, kiosks, and scamware-compromised desktop PCs which offer the Remote Desktop Protocol (RDP) service for remote management. Heisenberg honeypots are custom-engineered, low-interaction honeypots that are distributed geographically across several regions. There’s a lot of interesting statistics in this paper such as the frequency of scans from certain geographical areas, the most common usernames and passwords used in scans against the honeypots, and how these usernames passwords are associated with each other in the attack. The surprising detail uncovered was just how weak the passwords were (the most common username and password combination used was username: administrator – password: x). Since these passwords were deliberately chosen by the various scanners which ran up against Heisenberg, it implies that the default and common passwords to several POS and kiosk systems are chosen out of convenience, rather than security. Sobering stuff!
Reader Interactions
Comments
Leave a Reply
You must be logged in to post a comment.
Mauchel Barthelemy says
Perhaps the real question is why is it legal for regular people to access such tool without being registered. Accessibility plays a big part of the problem. Major corporations that are licensed and government officials should have access to these type of technologies. Other security professionals would need to be registered to use these tools.