Penetration Testing mailing list archives
Re: Default Admin Account
From: "J. Oquendo" <sil () infiltrated net>
Date: Thu, 5 Feb 2009 12:30:50 -0600
On Wed, 04 Feb 2009, Prodigi Child wrote:
> On the default admin accounts on US Military machines, I think that poor (or even negligent) security is no excuse for compromising a system. To borrow from the port scanning debates, leaving my front door wide open doesn't give someone permission to invade my home.
Thinking about this argument would open a can of worms if I posted on this and we all got into a discussion about it. With this said, I'll shift this to the recent Fannie Mae incident. Personally, I'd have fired the whole lot of security admins and CSOs etc. who were involved in drafting the "security structure" for Fannie Mae. So, new question: you don't believe in accountability? For instance, if someone sent me news telling me that the particular lock I was using was prone to a "higher instance" of "burglaries" because "many a robber KNOWS how to" go about circumventing that lock, whose fault would it be if I shrugged it off and robbers broke in because that same lock I was warned about was never changed? I'd be the idiot here, not the lock vendor, not the insurance company.

If you leave your front door open, you'd be the idiot in the sense of being so trusting that anyone driving down your street isn't going to enter your home, whether it's a curious neighbor checking inside to see if all is alright with you, the curious and mischievous teens walking by on their way home, the opportunistic thief looking to run in and out, or the professional burglar coming by with a moving van. Leave your door open and continue to believe that everyone else will follow your logic and not rob you blind. When your home is wiped out, tell it to law enforcement and see their response: "I left my door open, so what! That's not an invitation for someone to do something to my home!" See how far you get. Then tell that to your insurer when you file a claim and they won't fork over a dime because of your arrogant negligence.
> I have been following the Gary McKinnon case for years now. My interest is in the legal area of penetration testing and the evolution of cyber law. What do IT Security experts and pen-testers think about the default administration account on the US Military machines? You can read about the case here http://freegary.org.uk/
In the matter of "default accounts/passwords" you have to look at the overall picture. One, the time frame this was happening in was a lot different then from what it is now. Secondly, you have to understand the politics of working in government, where even if you were responsible for that machine, you'd likely have had to go through so much red tape to make a change that it would have made your head spin. Security at that level should have been architected appropriately from the top down. Procedures should have been in place to ensure that would never have occurred. Poop happens. Look at the time frame.

sil

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E