A password for the Hawaii emergency agency was hiding in a public photo, written on a post-it note
AP/Composite/Rob Price
- A false alarm was broadcast to Hawaii on Saturday warning of an inbound missile.
- In the days following the alert, people discovered that a photo taken in Hawaii's Emergency Management Agency for a newspaper article in July includes a sticky note with a password on it.
- Hawaii says the false alarm was because an employee "pushed the wrong button," not because it was hacked, but the photo sparked criticsm from the security industry about the general level of security at the agency.
Over the weekend, people who lived in Hawaii were awakened by a terrifying false missile alert. It turned out that it was a "mistake," according to Hawaii's Emergency Management Agency, which said that the emergency system had not been hacked. Instead, the agency said a worker had clicked the wrong item in a drop-down menu.
"It was a mistake made during a standard procedure at the change over of a shift, and an employee pushed the wrong button," Hawaii Gov. David Ige said.
But a photo from July recently resurfaced on Twitter raises questions about the agency's cybersecurity practices. In it, Hawaii EMA's current operations officer poses in front of a battery of screens.
Attached to one of the screens is a password written on a post-it note.
AP
Jeffrey Wong, the Hawaii Emergency Management Agency's current operations officer, shows computer screens monitoring hazards at the agency's headquarters in Honolulu on Friday, July 21, 2017. Hawaii is the first state to prepare the public for the possibility of a ballistic missile strike from North Korea.
Computer, enhance:
AP
Hawaii's EMA didn't immediately respond to a request for more information.
While these computers are likely different from the system that sent the false missile alert, the photo does raise questions about the general approach to security at the agency that may have led to the scary situation on Saturday. (On the other screen, a post-it note reminds the user to "SIGN OUT.")
Writing down passwords isn't a strict security no-no, with some security experts suggesting that keeping a hard copy of a password in your wallet is a defensible decision if you can keep the piece of paper secure. Obviously, a post-it note on a monitor is not secure, especially if it's protecting computer systems dedicated to keeping people safe.
The discovery of the photo has already drawn some ridicule from the operational-security industry.
Here's what the Hawaii EMA system that sent the false alert on Saturday looks like:
This is the screen that set off the ballistic missile alert on Saturday. The operator clicked the PACOM (CDW) State Only link. The drill link is the one that was supposed to be clicked. #Hawaii pic.twitter.com/lDVnqUmyHa
- Honolulu Civil Beat (@CivilBeat) January 16, 2018
Next Story
I quit McKinsey after 1.5 years. I was making over $200k but my mental health was shattered.
Some Tesla factory workers realized they were laid off when security scanned their badges and sent them back on shuttles, sources say
I tutor the children of some of Dubai's richest people. One of them paid me $3,000 to do his homework.
Why are so many elite coaches moving to Western countries?
Global GDP to face a 19% decline by 2050 due to climate change, study projects
5 things to keep in mind before taking a personal loan
Markets face heavy fluctuations; settle lower taking downtrend to 4th day
Move over Bollywood, audio shows are starting to enter the coveted ‘100 Crores Club’
