In article <[log in to unmask]>, James F. Knight wrote:
>
> Actually, it's important for systems managers to know how people can
> attack your system. I managed to snag a document on hacking the hp3000
> that was floating around on the Internet.

Undoubtedly. Do you really want hackers to know more about breaking
your system than you do? I recently saw the following information in
the alt.2600 FAQ, which is posted regularly to that newsgroup and is
freely available via anonymous FTP from rtfm.mit.edu and other sites:

>>20. What is this system?
>>
>>[...]
>>
>>Hewlett Packard MPE-XL
>>~~~~~~~~~~~~~~~~~~~~~~
>>MPE XL:
>>EXPECTED A :HELLO COMMAND. (CIERR 6057)
>>MPE XL:
>>EXPECTED [SESSION NAME,] USER.ACCT [,GROUP] (CIERR 1424)
>>MPE XL:
>>
>>[...]
>>
>>21. What are the default accounts for XXX?
>>
>>[...]
>>
>>Hewlett Packard MPE-XL
>>~~~~~~~~~~~~~~~~~~~~~~
>>HELLO MANAGER.SYS
>>HELLO MGR.SYS
>>HELLO FIELD.SUPPORT HPUNSUP or SUPPORT or HP
>>HELLO OP.OPERATOR
>>MGR CAROLIAN
>>MGR CCC
>>MGR CNAS
>>MGR CONV
>>MGR COGNOS
>>OPERATOR COGNOS
>>MANAGER COGNOS
>>OPERATOR DISC
>>MGR HPDESK
>>MGR HPWORD
>>FIELD HPWORD
>>MGR HPOFFICE
>>SPOOLMAN HPOFFICE
>>ADVMAIL HPOFFICE
>>MAIL HPOFFICE
>>WP HPOFFICE
>>MANAGER HPOFFICE
>>MGR HPONLY
>>FIELD HPP187
>>MGR HPP187
>>MGR HPP189
>>MGR HPP196
>>MGR INTX3
>>MGR ITF3000
>>MANAGER ITF3000
>>MAIL MAIL
>>MGR NETBASE
>>MGR REGO
>>MGR RJE
>>MGR ROBELLE
>>MANAGER SECURITY
>>MGR SECURITY
>>FIELD SERVICE
>>MANAGER SYS
>>MGR SYS
>>PCUSER SYS
>>RSBCMON SYS
>>OPERATOR SYS
>>OPERATOR SYSTEM
>>FIELD SUPPORT
>>OPERATOR SUPPORT
>>MANAGER TCH
>>MAIL TELESUP
>>MANAGER TELESUP
>>MGR TELESUP
>>SYS TELESUP
>>MGE VESOFT
>>MGE VESOFT
>>MGR WORD
>>MGR XLSERVER
>>
>>Common jobs are Pub, Sys, Data
>>Common passwords are HPOnly, TeleSup, HP, MPE, Manager, MGR, Remote

Scary, isn't it? But ignoring it isn't going to make it go away, and
it's not going to make the thousands of people who see it every month
forget that it's there, or keep them from trying to sign on to YOUR
system using one of these accounts. Hopefully this information will
help some of the administrators out there secure their systems, and it
should definitely be included in the FAQ.

> Security through obscurity is certainly nonsense.

This is true in many cases, but not always. Publicizing security problems
for which solutions exist is a good thing--the information above is a prime
example. On the other hand, publicizing security problems for which no
workaround has been found is irresponsible, because it allows (and even
encourages) people who otherwise may not get the information to attack
systems which -cannot- be protected. The ongoing controversy over the
8lgm announcements is a good example of the issues involved in full
disclosure of security problems.
---------------------------------------------------------------------
John Caruso [log in to unmask]
Unix/VMS System Administrator caruso@UMUC (Bitnet)
University of Maryland University College (301) 985-7447
---------------------------------------------------------------------