Agency for Hawaii’s missile alert system caught with passwords on Post-it notes


TechViews News   …..

Last weekend the residents of the US state of Hawaii received a terrifying message on their mobile phones:

“BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL. If you are indoors, stay indoors. If you are outdoors, seek immediate shelter in a building. Remain indoors well away from windows. If you are driving, pull safely to the side of the road and seek shelter in a building or lay on the floor.”

A similar message was broadcast on television and radio stations.

Thankfully, the alert was a false alarm. An employee of the Hawaii Emergency Management Agency (HEMA) had pressed the wrong button, as a spokesperson explained:

Shortly after 8 a.m. local time Saturday morning, an employee at the Hawaii Emergency Management Agency settled in at the start of his shift. Among his duties that day was to initiate an internal test of the emergency missile warning system: essentially, to practice sending an emergency alert to the public without actually sending it to the public.

Around 8:05 a.m., the Hawaii emergency employee initiated the internal test, according to a timeline released by the state. From a drop-down menu on a computer program, he saw two options: “Test missile alert” and “Missile alert.”

As it turns out, it was a bad user interface design. Even though the menu option still required confirmation that the user really wanted to send an alert, that wasn’t enough on this occasion, to prevent the worker from mindlessly clicking onwards.

There was an “are you sure?” message, but the user clicked it anyway. Clearly the “are you sure?” last-chance option wasn’t worded carefully enough, or didn’t stand out sufficiently from the regular working of the interface, to make the worker think twice.

It took a full 38 minutes for the Hawaii Emergency Management Agency to allay fears, and send out a correction.

Serious questions have been asked about how the bogus missile alert could have been sent out, and what can be done to ensure that members of the public are more rapidly informed if more mistakes occur in the future.

However, an equally alarming practice by HEMA is their technician’s habit of sticking Post-it notes containing passwords onto their computer monitors.

That in itself is far from ideal, but what’s even worse is that these Post-it note passwords have been caught on camera by the media, and available for anybody to view on the internet.

A photograph, taken by Associated Press back in July 2017, shows HEMA’s chief operations officer in front of a bank of computer screens at its headquarters in Honolulu. But if you look past Jeffrey Wong’s colorful Hawaiian shirt, and zoom in on the computers used to monitor potential hazards, you’ll see a solitary Post-it note.

hawaii password

My eyesight isn’t perfect, but it looks to me like it reads:

Password: Warningpoint2

Now, there’s no confirmation at this point if that is a password that can be used only at the control panels, or even if it could be used to remotely access computers at the agency, or indeed that it’s a password connected with the sending of missile attack alerts. But it surely does say something about the state of security practices at what should be a considered a potential target for a state-sponsored attack.

If the media, or any outside guests for that matter, are visiting your office — it’s probably sensible to remove any passwords which could appear in the background. In fact, maybe it makes sense to remove any such visible passwords regardless of whether someone is likely to be pointing a camera around.

Be Safe – Backup Your Data Regularly!


And don’t forget to take advantage of our FREE subscription to the TechViews News Updates. You will receive all of our updates and posts the moment they are published.