Penetration Testing mailing list archives

Re: Default Admin Account


From: "J. Oquendo" <sil () infiltrated net>
Date: Thu, 5 Feb 2009 12:30:50 -0600

On Wed, 04 Feb 2009, Prodigi Child wrote:

> On the default admin accounts on US Military machines, I think that poor (or
> even negligent) security is no excuse for compromising a system. To borrow
> from the port scanning debates, leaving my front door wide open doesn't give
> someone permission to invade my home.

Thinking about this argument would open a can of worms if
I posted on this and we all got into a discussion about
this. With this said, I'll shift this to the recent Fannie
Mae incident. Personally, I'd have fired the whole lot of
security admins and CSOs etc. who were involved in drafting
the "security structure" for Fannie Mae.

So new question - you don't believe in accountability? For
instance, if someone sent me news telling me that the
particular lock I was using was prone to a "higher instance"
of "burglaries" because "many a robber KNOWS how to" go
about circumventing that lock, whose fault would it be
if I shrugged it off and robbers broke in because that
same lock I was warned about was never changed? I'd be
the idiot here, not the lock vendor, not the insurance
company.

If you leave your front door open, you'd be the idiot
in the sense of being so trusting that anyone driving
down your street isn't going to enter your home. Whether
it's a curious neighbor checking inside to see if all is
alright with you, to the curious and mischievous teens
walking by on their way home, to the opportunistic
thief looking to run in and out, to the professional
burglar coming by with a moving van.

Leave your door open and continue to believe that everyone
else will follow your logic and not rob you blind. When
your home is wiped out, tell it to law enforcement to see
their response: "I left my door open, so what! That's not
an invitation for someone to do something to my home!"
See how far you get. Then tell that to your insurer when
you file a claim and they won't fork over a dime because
of your arrogant negligence.


> I have been following the Gary McKinnon case for years now.
> My interest is in the legal area of penetration testing and the
> evolution of cyber law.
> What do IT Security experts and pen-testers think about the default
> administration account on the US Military machines? You can read about
> the case here http://freegary.org.uk/


In the matters of "default account/passwords" you have to
look at the overall picture. One, the time frame this was
happening was a lot different then from what it is now.
Secondly, you have to understand the politics of working
in government where even if you were responsible for that
machine, you'd have likely had to go through so much red tape
to make a change it would have made your head spin.

Security from that level should have been architected
appropriately from the top down. Procedures should have
been in place to ensure that would have never occurred.
Poop happens. Look at the time frame.


/ sil

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
