RE: Default Admin Account

["Levenglick, Jeff" <JLevenglick () fhlbatl com>]

Who is at fault.... With all of the audit and policy's that have been
created the past few years, I have seen a huge increase in 'legal'
who-is-to blame paper work. It is very common in medium to large
companies to have a sign-off paper trail.

Example -
Loading doc guy signs the equipment in. <-- he is 100% responsible at
this point

IT dept signs equipment to them. <they take 100%

IT engineer installs OS/software. He would follow and check off company
standards policy form. < he is 100% responsible at this point.

Forms include fields such as:
Root/admin account password changed.
Current patches applied.
Host locked down per company standards .......ect

IT dept manager or dept head would verify and sign off <--- he is now
100%

Security Dept verify <--- they are now 100%

User assigned access <-- they sign company standards doc. 100% them
Or
User assigned equipment <--- they sign company standards doc. 100% them


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Paul Slade
Sent: Thursday, February 05, 2009 5:15 PM
To: J.Hart, Elec.Eng.Tech.
Cc: pen-test () securityfocus com
Subject: Re: Default Admin Account

I don't much like the Insurance Industry analogy, since I consider them 
to be unethical at best.

But to use the analogy you have suggested, Gary broke the law and should

be penalised but I bet he's glad Obama is closing Guantanamo. As for the

insurance company not paying out due to negligence of the owner, the 
staff responsible should (have been) sacked and banned from ever gaining

any Government clearance.

Paul


J.Hart, Elec.Eng.Tech. wrote:
> That's exactly what I am trying to figure out - who is at fault and
> who should take ownership.  If it were a car and I left the keys in it
> and it was stolen, if the perpetrator was caught her would be charged,
> but my insurance company would not cover me cause I left the car in an
> unsecure state. So both take ownership - is it the same as in this
> situation?
>
> On 2/4/09, Scott C. Kennedy <sck () nogas org> wrote:
>   
> > Why does it matter if there were "default administration account on
the US
> > Military machines", it doesn't change the alleged fact that he
accessed
> > computers & networks without permission.
> >
> > One's reason for breaking the law doesn't matter whether he was
"motivated
> > by curiosity about evidence of UFOs" or not.
> >
> > If you broke into people's luggage at the airport, using the default
> > luggage combination set from the factory because you were motivated
by
> > curiosity about evidence of Bigfoot. Would that make it any less of a
> > crime?
> >
> > Scott
> >
> > On Mon, February 2, 2009 8:48 am, J.Hart, Elec.Eng.Tech. wrote:
> >     
> > > Hey all,
> > >
> > > I have been following the Gary McKinnon case for years now.
> > > My interest is in the legal area of penetration testing and the
> > > evolution of cyber law.
> > > What do IT Security experts and pen-testers think about the default
> > > administration account on the US Military machines? You can read
about
> > > the case here http://freegary.org.uk/
> > >
> > > --
> > > "For the best in web site design - StarNET
> > > http://www.s-t-a-r.net
> > >
> > >
> > >
> > >       
> >     
>
>
>   






-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.