intmon
July 14th, 2005, 08:18 PM
Alleged hacker: U.S. defense sites poorly secured

A British man facing possible extradition to the United States says poor security was a major factor in his ability to have wandered through the IT systems of some key defense establishments.

Gary McKinnon, who is accused of hacking and causing damage to federal defense systems, also said that his actions, far from intending to cause harm, all started as an innocent attempt to prove that the U.S. Defense Department knows of the existence of extraterrestrials. Later he was driven by suspicions about federal policies and actions in the wake of the Sept. 11, 2001, terror attacks.

In an interview with ZDNet UK, McKinnon, who is out on bail pending an extradition hearing later in July, said that he was "frightened" to find U.S. defense systems were open to "people from all over the world."

He claims that in one system he found that the local administrator's password was blank. Those in charge of the system, McKinnon said, had used "image-based installation techniques where most of the machines have the same BIOS, the same hard drive, the same hardware specification" just applied across different systems.

"So you don't even need to become domain administrator," he said. "That's 5,000 machines all with a blank system-level administrator password."


read the rest at:
http://news.com.com/Alleged+hacker+U.S.+defense+sites+poorly+secured/2100-7350_3-5786440.html?tag=nefd.top

qwertyman66
July 14th, 2005, 09:09 PM
If what he is claiming is true about the admin passwords, then they really need to look at their password policies. He should still face trial, but it does beggar belief that they have no admin passwords!

sb_
July 14th, 2005, 09:11 PM
I doubt you'll ever see anything he said being verified (or denied even) by the government. They can never admit they're wrong, but there are probably more than a few guys in their IT department saying "I told you so." I bet the NSA is laughing at them too.

XTC46
July 15th, 2005, 12:21 AM
This is not the first time weak passwords have been a problem for the DOD. When Firefox was first starting to become mainstream, many DOD webpages, not the hard core ones but mainly affiliate pages like recruiting or special pages set up for special projects, had issues with their username/password authentication. If you went to the pages with Firefox, one of two things was happening: 1) you could type in any information and just click cancel and it would let you in as if you had logged in, or 2) it would take the username and password of the last person who really did log in using Firefox and have their UN/PW saved. I believe it was negative who first pointed out this flaw on other webpages, but with some exploration I had found a handful more pages with the same flaw and of course reported it back to their admins. All were very nice and have since fixed the problems.

EDIT** hey cool, my 1000th post.

crashburn181
July 15th, 2005, 08:15 AM
You kind of wonder, if they do not use passwords, is it still wrong? If I had a network and used no passwords I must not care if anybody uses my network. Just kidding.
Sounds like they will have some openings in that gov. IT dept. Anybody looking for a job? :)