Penetration Testing mailing list archives

RE: Default Admin Account


From: "Prodigi Child" <prodigi.child () gmail com>
Date: Fri, 6 Feb 2009 01:03:04 -0600

You're right - accountability does come into the picture, that's why I used
the word negligent. Sure I would be negligent if I left my front door open,
but the burglar is still the one that broke the law. I'd be the idiot that
left my door open and maybe in a sense I 'deserved' it and everyone would
laugh at me, but I didn't break the law by being an idiot. We can't reduce
the amount of blame that should be levied against the burglar just because
it was more tempting as an easy target.

We don't know all of the details about the Fannie Mae incident (especially
since the press doesn't understand high technology or know how to
communicate its intricacies) so the jury is out on exactly what happened and
how. It might have been as simple as an HR rep forgetting to send the e-mail
or service ticket to IT or InfoSec to terminate the account, which allowed
the guy to log on remotely before his access was cut off. You can't really
blame a CSO for that, can you?

I'm actually surprised that they caught it, because there are so many ways
for an administrator to hide a script or scheduled task that either he is
pretty dumb or the person who found the 'logic bomb' (if it was truly that)
is really sharp.


I read a story about a teenager (14 or 15 years old) reporting for duty at a
Chicago Police Station, and actually being assigned a partner and riding
around doing Police stuff for most of the day. This teenager potentially put
the life of his 'partner' in danger (what if a serious incident occurred
like a gun fight? Apparently he went to a couple of domestic dispute calls).
Are the cops who didn't realize this was a teenager boneheads? You bet.
Should they be reprimanded for being negligent? Probably. But regardless of
the lack of vigilance of the cops and regardless of the lack of detective
and preventive controls around roll call, the teenager is still the one who
committed the crime of impersonating a police officer and should still be
punished.




-----Original Message-----
From: J. Oquendo [mailto:sil () infiltrated net] 
Sent: Thursday, February 05, 2009 12:31 PM
To: Prodigi Child
Cc: pen-test () securityfocus com; starnetmaster () gmail com
Subject: Re: Default Admin Account

On Wed, 04 Feb 2009, Prodigi Child wrote:

On the default admin accounts on US Military machines, I think that poor
(or even negligent) security is no excuse for compromising a system. To
borrow from the port scanning debates, leaving my front door wide open
doesn't give someone permission to invade my home.

Thinking about this argument would open a can of worms if
I posted on this and we all got into a discussion about
this. With this said, I'll shift this to the recent Fannie
Mae incident. Personally, I'd have fired the whole lot of
security admins and CSOs etc. who were involved in drafting
the "security structure" for Fannie Mae.

So new question - you don't believe in accountability? For
instance, if someone sent me news telling me that the
particular lock I was using was prone to a "higher instance"
of "burglaries" because "many a robbers KNOW how to" go
about circumventing that lock, whose fault would it be
if I shrugged it off and robbers broke in because that
same lock I was warned about - was never changed. I'd be
the idiot here, not the lock vendor, not the insurance
company.

If you leave your front door open, you'd be the idiot
in the sense of being so trusting that anyone driving
down your street isn't going to enter your home, whether
it's a curious neighbor checking inside to see if all is
alright with you, the curious and mischievous teens
walking by on their way home, the opportunistic
thief looking to run in and out, or the professional
burglar coming by with a moving van.

Leave your door open and continue to believe that everyone
else will follow your logic and not rob you blind. When
your home is wiped out, tell it to law enforcement and see
their response: "I left my door open, so what! That's not
an invitation for someone to do something to my home!"
See how far you get. Then tell that to your insurer when
you file a claim and they won't fork over a dime because
of your arrogant negligence.


I have been following the Gary McKinnon case for years now.
My interest is in the legal area of penetration testing and the
evolution of cyber law.
What do IT Security experts and pen-testers think about the default
administration account on the US Military machines? You can read about
the case here http://freegary.org.uk/


In the matter of "default accounts/passwords" you have to
look at the overall picture. One, the time frame this was
happening in was a lot different then from what it is now.
Secondly, you have to understand the politics of working
in government, where even if you were responsible for that
machine, you'd likely have had to go through so much red tape
to make a change that it would have made your head spin.

Security at that level should have been architected
appropriately from the top down. Procedures should have
been in place to ensure that would never have occurred.
Poop happens. Look at the time frame.


/ sil

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
