I teach and penetration test for a living. I find it disturbing how many system administrators think their networks and systems are secure just because they aren’t often attacked.
What launched me on my latest rant was an AS/400 penetration test that was included as part of a much larger PC engagement. The AS/400 system administrator bragged about how secure AS/400s were as compared with those silly Windows PCs. I then broke into his system in less than one minute on my first attempt.
Even though he had the system for 20 years, and through multiple upgrades, he had not changed many of the initial installation passwords. In this case, his Qsysopr (the system operator or admin) and Qsecofr (system security officer) accounts still had their default install passwords from decades ago. This isn’t unusual on AS/400 systems -- incidentally, their default passwords are the same as their log-on names listed above. To up the ante, his AS/400 is reachable over the Internet.
I doubt I’m the first person to find his misconfiguration. Just because you’re not hacked, doesn’t mean you can’t be hacked.
I’m not the only one who laments about security administrators who don’t get this. Last month, Kaspersky attendees of the LinuxTag 2006 conference in Germany complained about similar worries with Linux in their May 9 "Illusion of Invulnerability" blog posting. It’s a good, short read. To summarize, the writers feel that people’s illogical belief (in stark contrast to the facts) that their operating systems are secure will lead them to complacency.
I think the more you know about Linux, the more you realize how easily it can be hacked. Although it isn’t targeted nearly as much as Windows PCs, it has the same problems as any other computer platform.
No platform is truly immune. Hackers break in using a variety of methods, including:
-- buffer overflows
-- OS or application vulnerabilities
-- password guessing/cracking
-- data malformation
-- social engineering
Although the code used to do the buffer overflow as well as what is vulnerable may change, the techniques are the same whether you're running Windows, Linux, or AS/400s.
Many people would have you believe that Mac OS X is supposed to be security’s holy grail. As reported in InfoWorld two weeks ago, Apple just released a patch closing 31 holes, and even that patch didn’t plug all the leaks. According to the article, security researcher Tom Ferris is so frustrated that Apple didn’t close all his previously reported holes with this action that he is contemplating releasing the yet-unpatched holes to full disclosure lists as zero days. Let’s hope he doesn’t.