Penetration Testing mailing list archives
RE: Default Admin Account
From: "Prodigi Child" <prodigi.child () gmail com>
Date: Fri, 6 Feb 2009 01:03:04 -0600
You're right - accountability does come into the picture, that's why I used the word negligent. Sure I would be negligent if I left my front door open, but the burglar is still the one that broke the law. I'd be the idiot that left my door open and maybe in a sense I 'deserved' it and everyone would laugh at me, but I didn't break the law by being an idiot. We can't reduce the amount of blame that should be levied against the burglar just because it was more tempting as an easy target.

We don't know all of the details about the Fannie Mae incident (especially since the press doesn't understand high technology or know how to communicate its intricacies), so the jury is out on exactly what happened and how. It might have been as simple as an HR rep forgetting to send the e-mail or service ticket to IT or InfoSec to terminate the account, which allowed the guy to log on remotely before his access was cut off. You can't really blame a CSO for that, can you? I'm actually surprised that they caught it, because there are so many ways for an administrator to hide a script or scheduled task; either he is pretty dumb or the person who found the 'logic bomb' (if it was truly that) is really sharp.

I read a story about a teenager (14 or 15 years old) reporting for duty at a Chicago Police Station, and actually being assigned a partner and riding around doing Police stuff for most of the day. This teenager potentially put the life of his 'partner' in danger (what if a serious incident occurred like a gun fight? Apparently he went to a couple of domestic dispute calls). Are the cops who didn't realize this is a teenager boneheads? You bet. Should they be reprimanded for being negligent? Probably. But regardless of the lack of vigilance of the cops and regardless of the lack of detective and preventive controls around roll call, the teenager is still the one who committed the crime of impersonating a police officer and should still be punished.

-----Original Message-----
From: J. Oquendo [mailto:sil () infiltrated net]
Sent: Thursday, February 05, 2009 12:31 PM
To: Prodigi Child
Cc: pen-test () securityfocus com; starnetmaster () gmail com
Subject: Re: Default Admin Account

On Wed, 04 Feb 2009, Prodigi Child wrote:
> On the default admin accounts on US Military machines, I think that poor (or even negligent) security is no excuse for compromising a system. To borrow from the port scanning debates, leaving my front door wide open doesn't give someone permission to invade my home.
Thinking about this argument would open a can of worms if I posted on this and we all got into a discussion about this. With this said, I'll shift this to the recent Fannie Mae incident. Personally, I'd have fired the whole lot of security admins and CSOs etc. who were involved in drafting the "security structure" for Fannie Mae.

So new question - you don't believe in accountability? For instance, if someone sent me news telling me that the particular lock I was using was prone to a "higher instance" of "burglaries" because "many a robber KNOWS how to" go about circumventing that lock, whose fault would it be if I shrugged it off and robbers broke in because that same lock I was warned about was never changed? I'd be the idiot here, not the lock vendor, not the insurance company.

If you leave your front door open, you'd be the idiot in the sense of being so trusting that anyone driving down your street isn't going to enter your home. Whether it's a curious neighbor checking inside to see if all is alright with you, the curious and mischievous teens walking by on their way home, the opportunistic thief looking to run in and out, or the professional burglar coming by with a moving van. Leave your door open and continue to believe that everyone else will follow your logic and not rob you blind. When your home is wiped out, tell it to law enforcement and see their response: "I left my door open, so what! That's not an invitation for someone to do something to my home!" See how far you get. Then tell that to your insurer when you file a claim and they won't fork over a dime because of your arrogant negligence.
I have been following the Gary McKinnon case for years now. My interest is in the legal area of penetration testing and the evolution of cyber law. What do IT Security experts and pen-testers think about the default administration account on the US Military machines? You can read about the case here http://freegary.org.uk/
In the matter of "default accounts/passwords" you have to look at the overall picture. One, the time frame this was happening in was a lot different from what it is now. Secondly, you have to understand the politics of working in government, where even if you were responsible for that machine, you'd likely have had to go through so much red tape to make a change it would have made your head spin. Security at that level should have been architected appropriately from the top down. Procedures should have been in place to ensure that would never have occurred. Poop happens. Look at the time frame.

/ sil

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Current thread:
- Default Admin Account J.Hart, Elec.Eng.Tech. (Feb 03)
- RE: Default Admin Account Prodigi Child (Feb 05)
- Re: Default Admin Account J. Oquendo (Feb 09)
- RE: Default Admin Account Prodigi Child (Feb 10)
- Re: Default Admin Account David Howe (Feb 11)
- Re: Default Admin Account J. Oquendo (Feb 09)
- Message not available
- Re: Default Admin Account J.Hart, Elec.Eng.Tech. (Feb 05)
- Re: Default Admin Account Paul Slade (Feb 10)
- RE: Default Admin Account Levenglick, Jeff (Feb 10)
- Re: Default Admin Account R. DuFresne (Feb 10)
- Re: Default Admin Account M.D.Mufambisi (Feb 10)
- Re: Default Admin Account J. Oquendo (Feb 11)
- Re: Default Admin Account J.Hart, Elec.Eng.Tech. (Feb 11)
- Re: Default Admin Account J.Hart, Elec.Eng.Tech. (Feb 05)
- Re: Default Admin Account pand0ra (Feb 11)
- RE: Default Admin Account Prodigi Child (Feb 05)