304 North Cardinal St.
Dorchester Center, MA 02124
On Saturday, people in Hawaii were awakened by a terrifying false alert about an inbound missile. Hawaii’s Emergency Management Agency has said a worker clicked the wrong item in a drop-down menu and sent it, and that its system was not hacked.
"It was a mistake made during a standard procedure at the changeover of a shift, and an employee pushed the wrong button," Gov. David Ige said.
But a photo from July that recently resurfaced on Twitter has raised questions about the agency’s cybersecurity practices.
In it, the agency’s operations officer poses in front of a battery of screens. Attached to one is a password written on a Post-it note.
The agency didn’t immediately respond to a request for more information.
While these computers are most likely different from the system that sent the false missile alert, the photo raises questions about whether the approach to security at the agency may have led to the scary situation on Saturday. (On the other screen, another note reminds the user to "SIGN OUT.")
Writing down passwords isn’t a strict security no-no. Some experts say that keeping a hard copy of a password in your wallet is defensible — if you can keep the piece of paper secure. But a note on a monitor is not secure, especially if it’s for computer systems dedicated to keeping people safe.
Here’s what the system that sent the false alert on Saturday looks like:
This is the screen that set off the ballistic missile alert on Saturday. The operator clicked the PACOM (CDW) State Only link. The drill link is the one that was supposed to be clicked. #Hawaii http://pic.twitter.com/lDVnqUmyHa
— Honolulu Civil Beat (@CivilBeat) January 16, 2018
from SAI http://read.bi/2mGqsAh