Know Your Tools

In 1998, I was in a role where I was leading teams on-site to conduct vulnerability assessments for organizations. For the technical part of the assessments, we were using ISS’s Internet Scanner product, which was a commercial scanner. Several years prior, while I was in graduate school, the SATAN scanner had been released, but it was open source, and you could look at the code and see what it was doing. This wasn’t the case with Internet Scanner.

What we started to see, when we began looking closely, was that the commercial product was returning results that weren’t…well…correct. One really huge example was the AutoAdminLogon setting; you could set this value to “1”, and the Administrator account name you chose would be included in another value, and the password would be included in a third value, in plain text. When the system was restarted, those credentials would be used to automatically log in to the system.

Yep. Plain text.

Anyway, we ran a scan across an office within a larger organization, and the product returned 21 instances where the AutoAdminLogon capability was enabled. However, the organization knew that only one had that functionality actually set; the other 20 had had it set at one point, but the capability had been disabled. On those 20 systems, the AutoAdminLogon value was set to “0”. We determined that the commercial product was checking for the existence of the AutoAdminLogon value only, and not going beyond that…not checking to see if the value was set to “1”, and not checking to see if the value that contained the plain text password actually existed. 

We found a wide range of other checks th

[…]

This article has been indexed from Windows Incident Response
