A security researcher has revealed that Oman's stock exchange, the Muscat Securities Market, was left wide open to cyber attacks for months - because IT staff had failed to change the default passwords on the organisation's networking equipment.
Oman operates one of the biggest stock exchanges in the Middle East, but cyber criminals could have been able to take over its network because of the glaring security issue.
The IT staff at the exchange were using "admin" as the username and password on their Huawei routers.
Because these details were never changed, crooks could very easily have used the credentials to penetrate the exchange's IT infrastructure.
Victor Gevers is the security researcher who first discovered the flaw. He attempted to get in touch with the Omani authorities in order to warn them of the flaw, but was unsuccessful.
He claims that if a hacker had got into the network, they could have monitored its traffic. Muscat Securities Market has since fixed the issue, but the organisation didn't confirm when.
Gevers first came across the issue in 2017, when he found the router's IP address in a list of leaked Telnet credentials. "We saw a potential of 1.9 million vulnerabilities online," he told ZDNet.
He continued: "This means that we will likely have to brace for even more cyber attacks and data breaches in the coming months."
Ilia Kolochenko, CEO of web security company High-Tech Bridge, slammed the incident. He said that such examples of negligence are still all too common.
"People don't really care about cyber security, while IT security teams have too many other priorities and emergencies to take care of. I wouldn't be surprised if well-known Western stock exchanges have similar problems and omissions," suggested Kolochenko.
"In case of a breach, their financial liability to the victims may surge if facts of overt and continuous ignorance of cybersecurity essentials are proven. While enforcement of GDPR in May 2018 may severely punish such carelessness even if victims don't file a civil lawsuit."