A password for the Hawaii emergency agency was hiding in a public photo, written on a post-it note

  • A false alarm was broadcast to Hawaii on Saturday warning of an inbound missile. 
  • In the days following the alert, people discovered that a photo taken in Hawaii's Emergency Management Agency for a newspaper article in July includes a sticky note with a password on it.
  • Hawaii says the false alarm was because an employee "pushed the wrong button," not because it was hacked, but the photo sparked criticism from the security industry about the general level of security at the agency.


Over the weekend, people who lived in Hawaii were awakened by a terrifying false missile alert. It turned out that it was a "mistake," according to Hawaii's Emergency Management Agency, which said that the emergency system had not been hacked. Instead, the agency said a worker had clicked the wrong item in a drop-down menu.

"It was a mistake made during a standard procedure at the change over of a shift, and an employee pushed the wrong button," Hawaii Gov. David Ige said.

But a photo from July that recently resurfaced on Twitter raises questions about the agency's cybersecurity practices. In it, Hawaii EMA's current operations officer poses in front of a battery of screens.

Attached to one of the screens is a password written on a post-it note. 

Jeffrey Wong, the Hawaii Emergency Management Agency's current operations officer, shows computer screens monitoring hazards at the agency's headquarters in Honolulu on Friday, July 21, 2017. Hawaii is the first state to prepare the public for the possibility of a ballistic missile strike from North Korea.

Computer, enhance: 

Hawaii's EMA didn't immediately respond to a request for more information.

While these computers are likely different from the system that sent the false missile alert, the photo does raise questions about the general approach to security at the agency that may have led to the scary situation on Saturday. (On the other screen, a post-it note reminds the user to "SIGN OUT.")

Writing down passwords isn't a strict security no-no, with some security experts suggesting that keeping a hard copy of a password in your wallet is a defensible decision if you can keep the piece of paper secure. Obviously, a post-it note on a monitor is not secure, especially if it's protecting computer systems dedicated to keeping people safe.

The discovery of the photo has already drawn some ridicule from the operational-security industry.

Here's what the Hawaii EMA system that sent the false alert on Saturday looks like: