Industry News

Hawaii’s missile alert agency keeps its password on a Post-it note

Last Saturday the people of Hawaii received a terrifying alert about a ballistic missile heading its way.

Fortunately the alert was a false alarm, caused by a worker who was supposed to send an internal test, and accidentally chose the wrong menu item.

It took a full 38 minutes for the Hawaii Emergency Management Agency (HEMA) to allay fears, and send out a correction.

Serious questions have been asked about how the bogus missile alert could have been sent out, and what can be done to ensure that members of the public are more rapidly informed if more mistakes occur in the future.

My feeling is that although there was no foul play behind the false missile warning, HEMA might be wise to also look at its general approach to IT security.

As Business Insider describes, evidence has come to light that some of the organisation’s staff might be in the habit of sticking Post-it notes containing passwords onto their computer monitors.

That in itself is far from ideal, but what’s even worse is that these Post-it note passwords have been caught on camera by the media, and available for anybody to view on the internet.

A photograph, taken by Associated Press back in July 2017, shows HEMA’s operations officer in front of a bank of computer screens at its headquarters in Honolulu. But if you look past Jeffrey Wong’s colourful Hawaiian shirt, and zoom in on the computers used to monitor potential hazards, you’ll see a solitary Post-it note.

My eyesight isn’t perfect, but it looks to me like it reads:

Password: Warningpoint2

Now, there’s no suggestion that that is a password that could be used to remotely access computers at the agency, or indeed that it’s a password connected with the sending of alerts, but… it surely does say something about the state of security practices at what should be a considered a potential target for a state-sponsored attack.

Organisations who have previously accidentally revealed their passwords in front of the media’s unblinking gaze include BBC News, France’s TV5Monde (ironically in a news report about how it had been recently hacked), and the Super Bowl’s top secret security hub, amongst others.

If the media is visiting your office, it’s probably sensible to remove any passwords which could appear in the background. In fact, maybe it makes sense to remove any such visible passwords regardless of whether someone is likely to be pointing a camera around.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

4 Comments

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • That's great eyesight then. I couldn't have put that together without that help. And even then it's still a bit blurry to me. But I can see and I was born legally blind (which doesn't equate to 'blind' of course) and vision is much better after three eye surgeries years ago (and improvements to lenses of course).

    I remember some of those examples you cite before I sort of 'disappeared'. Of course it'd indeed be better if they didn't have this but I'd say that even if they were 100% detached from the Internet (this means indirectly too) the problem is that someone there might have a lot of fun with it since it's right there. It's as if it's inviting the would-be-abuser to do exactly that. And while not legal or ethical what is the purpose of it there and what do people expect? Not everyone has ethics in this regard (or at all) and so whether it's wrong or not isn't the point; the point is people will do it and it's what people will do that matters much more than whether someone should or shouldn't do something (should often isn't reality).