posted on Oct, 17 2012 @ 02:50 PM
Originally posted by CALGARIAN
Originally posted by zeeon
I work for the US Government in the IT field, specifically the Information Assurance (Cybersecurity) field.
You can be black and white (and that's proper, I'm not debating that). However, as someone who works directly in this field and has done so off and
on for the last 15 years, I have some insight into this case.
Then please tell me why these PENTAGON COMPUTERS had local logons consisting of "Admin" for username and nothing for a password. Remember, he
didn't "hack" these PCs. He just accessed enough via VPN + RDP, then remoted into many machines until he found ones with simple local logons.
We call this "Low Hanging Fruit". Typically DOD Information Systems are pretty large, consisting of smaller groups of computers which are then
networked together in a subnet that ultimately forms a larger, interconnected network.
Workstations are typically the lowest of the "Low Hanging Fruit". Before Content Management Systems, version control software, and other types of
tracking systems became available, everything was done by hand, using a log. When systems required upgrades, they had to be done by hand (and by hand I
mean manually, physically at the terminal in question), hardened by hand and then documented and logged.
Like I said in my post above, this was circa 2002. Software and Operating Systems were designed to be fully functional and easy to use (so as to support
the widespread usage and adoption of that software) out of the box. Security wasn't even a forethought. If you've ever used MS-DOS, do you remember
ever having to log in?
Older versions of Windows always came with the Administrator password unlocked as well as the guest (so the Installer could install the OS and set it
up properly upon first installation). What usually happened (and no doubt applied in the Pentagon as well) is that workload was high to get these
newfangled computers up and running as fast as possible. System Administrators and technicians installed these PCs (which was dictated by workload and
NOT security) as fast as humanly possible, probably only securing those that they knew MUST be secured.
Hence the term "Low Hanging Fruit". Some of the non-essential systems or workstations that weren't critical to national security, nor critical to
any other Information System process sometimes get overlooked when management lets workload dictate the schedule instead of Security.
Thus ole' Gary comes along, tries some default passwords and BLAM - access granted.
This used to be the paradigm in the Information Technology world. Today, since computers have been recognized as essential in the workplace, Security
has taken center stage. Information is the new gold, friend, and everyone protects their gold.