A password for the Hawaii emergency agency was hiding in a public photo,written on a post-it note.
A false alarm was broadcast to Hawaii on Saturday warning of an inbound missile.
In the days following the alert, people discovered that a photo taken in Hawaii's Emergency Management Agency for a newspaper article in July includes a sticky note with a password on it.
Hawaii says the false alarm was because an employee "pushed the wrong button," not because it was hacked, but the photo sparked criticsm from the security industry about the general level of security at the agency.
Over the weekend, people who lived in Hawaii were awakened by a terrifying false missile alert. It turned out that it was a "mistake," according to Hawaii's Emergency Management Agency, which said that the emergency system had not been hacked. Instead, the agency said a worker had clicked the wrong item in a drop-down menu.
"It was a mistake made during a standard procedure at the change over of a shift, and an employee pushed the wrong button," Hawaii Gov. David Ige said.
But a photo from July recently resurfaced on Twitter raises questions about the agency's cybersecurity practices. In it, Hawaii EMA's current operations officer poses in front of a battery of screens.
Attached to one of the screens is a password written on a post-it note.
Hawaii's EMA didn't immediately respond to a request for more information.
While these computers are likely different from the system that sent the false missile alert, the photo does raise questions about the general approach to security at the agency that may have led to the scary situation on Saturday. (On the other screen, a post-it note reminds the user to "SIGN OUT.")
Writing down passwords isn't a strict security no-no, with some security experts suggesting that keeping a hard copy of a password in your wallet is a defensible move if you can keep the piece of paper secure. Obviously, a post-it note on a monitor is not secure, especially if it's protecting computer systems dedicated to keeping people safe.
The discovery of the photo has already drawn some criticism from the operational-security industry.
Here's what the Hawaii EMA system that sent the false alert on Saturday looks like:
This is the screen that set off the ballistic missile alert on Saturday. The operator clicked the PACOM (CDW) State Only link. The drill link is the one that was supposed to be clicked. #Hawaii pic.twitter.com/lDVnqUmyHa
— Honolulu Civil Beat (@CivilBeat) January 16, 2018