Tag Archives: administrative privileges

Anthem hacked – 80 Million data sets lost

11 February 2015

This was a really long winter break. The Sony hack is all water under the bridge now. The hackers have gone back to work, with a bang: 80 million customer records lost. Anthem was hit particularly hard, and Anthem's customers are now being hit by a wave of phishing emails.

The main question is always: How could it happen? And, what can be done to prevent such thefts in the future?

I found an interesting statement in a report published 2/4/2015 by Steve Ragan at CSO-Online:

“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

This makes it clear: the attackers had obtained at least the database login credentials of some database administrators. In addition, they must have stolen at least standard user credentials for some company computers, because a workstation login is needed before a database query can be launched at all. The rest is easy!

Remember: attackers can read a company network like an open book.

Once they have access to a few computers, social engineering can be used to find out where the business-critical databases live. With an Oracle client, for example, and Microsoft Access as the front end they can read all the data, even if the database is fully encrypted: transparent encryption protects the data files on disk, not an authenticated session that carries a DBA's credentials. In the case of a SQL Server backend you do not even need database client software, because the SQL Server ODBC driver ships with Windows itself.

The big problem is that any company workstation can be used to launch such a query. Even if no Oracle client is installed, the Oracle Instant Client, which a user can unpack and use without admin rights, is quite sufficient for access to the business-critical data.

The attack surface is enormous, but it is easy to shrink. Most database vendors offer whitelisting to restrict which computers may open a connection to the database server. In the best case only a few application servers, backup systems and admin workstations need access to the database. Put exactly these systems on the whitelist and let everything else be rejected. That's it. Two caveats: the whitelist is keyed on the client's IP address, so it stops the any-workstation scenario but does not help once an application server or an admin workstation itself is compromised, and it should be doubled with a host firewall on the database server, because a second, independent layer catches a typo in the first.

For Oracle, the whitelist lives in the sqlnet.ora configuration file: set TCP.VALIDNODE_CHECKING = yes (without it both lists are ignored), list the permitted clients in TCP.INVITED_NODES and, if you would rather name the outcasts, the blocked ones in TCP.EXCLUDED_NODES. If both are present, TCP.INVITED_NODES takes precedence, and once it is set every host not on it is refused, so the exclusion list is not needed on top. Restart the listener afterwards so it picks up the change.
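A worked example of the whitelist for the SQL Server case, as an added PowerShell script that is not part of the original post: it scopes inbound TCP 1433 on the database server to a fixed list of client addresses with the Windows Firewall cmdlets (Windows Server 2012 or later), makes sure the firewall profiles block everything else by default, and reports any other enabled rule that still opens the port. The addresses and the rule name are placeholders (assumptions); for Oracle the same idea is expressed with the sqlnet.ora parameters named above.

```powershell
# Restrict-SqlServerAccess.ps1 (added example, not from the original post)
# Whitelists inbound access to SQL Server (TCP 1433) with the Windows Firewall:
# only the listed application servers, backup host and admin workstation may
# connect; every other workstation is dropped by the profile's default action.
# The addresses below are placeholders (assumptions), not real systems.
param(
    [string[]]$AllowedHosts = @('10.0.10.21', '10.0.10.22', '10.0.20.5', '10.0.99.10'),
    [int]$Port = 1433,
    [string]$RuleName = 'SQL Server - whitelisted clients only'
)

# 1. Create (or recreate) the scoped allow rule. RemoteAddress accepts single
#    addresses, ranges (10.0.10.1-10.0.10.50) and CIDR blocks (10.0.20.0/24).
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue   # idempotent
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $AllowedHosts -Action Allow `
    -Profile Domain, Private | Out-Null

# 2. A whitelist only works if nothing else lets traffic in: every profile must
#    block inbound connections that no allow rule matches.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 3. Report every other enabled inbound allow rule that also covers the port.
#    One rule opened to "Any" (setup wizards like to create those) silently
#    defeats the whitelist, because the firewall allows if any allow rule matches.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq "$Port" -or $pf.LocalPort -eq 'Any')) {
            $af = $_ | Get-NetFirewallAddressFilter
            Write-Warning ("Rule '{0}' also allows TCP {1} from {2}; review or remove it" -f
                $_.DisplayName, ($pf.LocalPort -join ','), ($af.RemoteAddress -join ','))
        }
    }
```

Run it elevated on the database server. Two things to keep in mind: a named instance listens on a dynamic port unless you pin one in SQL Server Configuration Manager, and the SQL Browser service (UDP 1434) tells every client where that port is, so pin the port, scope it with the same rule and leave UDP 1434 closed. Afterwards `Test-NetConnection -ComputerName <server> -Port 1433` should fail from a workstation that is not on the list and succeed from a listed application server.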

The only question remaining is: How could the attackers get access to the login credentials of the database admins and the standard users? Unfortunately I haven’t found any hints so far…

That’s it for today.

Fun with 24h Admin Rights

19 January 2015

Once you grant a user admin rights for 24 hours, he can make them permanent with just a few clicks. Startup scripts give an easy means to do this.

About startup scripts.

With startup scripts Windows offers administrators a powerful tool to run commands at system boot. Scripts are stored in the directory %windir%\System32\GroupPolicy\Machine\Scripts\Startup and run as LocalSystem, before any user logs on.

But just dropping a script into the startup directory is not sufficient to have it executed. Because startup scripts could so easily be used to compromise a system, they have to be registered through the Local Group Policy Editor gpedit.msc, and registering a startup script with gpedit.msc requires local admin privileges: gpedit.msc writes the entry into the local GPO, which a standard user cannot modify.

Three steps for a 24h admin to get admin privileges back for good.

  1. Create a PowerShell script that adds your user account to the local Administrators group.
# addMalUser.ps1
# Adds the given domain account to the local Administrators group through the
# ADSI WinNT provider. Run "set" in a command prompt and copy the values of
# USERDOMAIN, COMPUTERNAME and USERNAME into the three variables below.
$Domain   = "YourDomain"
$Computer = "YourComputer"
$Username = "YourUsername"

$Group = [ADSI]"WinNT://$Computer/Administrators,group"
$User  = [ADSI]"WinNT://$Domain/$Username,user"
$Group.Add($User.Path)

Save this script to the file addMalUser.ps1. To get the exact values for $Domain, $Computer and $Username please run set in a command prompt.

  2. Copy the script addMalUser.ps1 to %windir%\System32\GroupPolicy\Machine\Scripts\Startup.

  3. Start gpedit.msc and add the script addMalUser.ps1 to the startup scripts (Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup, tab PowerShell Scripts).

Gpedit: Add Startup Script dialog

Tips for would-be malicious users.

  1. Please note that this operation is recorded in the Security Event Log of your computer: event ID 4732, "A member was added to a security-enabled local group", provided the audit subcategory Security Group Management is enabled.
     Never mind! Only very few organizations are scanning security events on user workstations. Those which tolerate 24h admin rights are certainly not amongst them.

  2. Please feel free to add switches to this script so that it runs on demand only. This will help to hide your malicious activities, because you can remove yourself from the admin group or clear the Security Event Log after the job is done. (Clearing the log writes event ID 1102, "The audit log was cleared", as the first new entry, so a log that begins with a 1102 is itself a red flag.)

Purple Loosestrife in my Garden. Feels like Summer.
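As an added example (not from the original post) for the other side of the three steps above and of the event-log remark in the tips: a PowerShell script that shows what this persistence looks like to whoever owns the machine. It lists the startup scripts registered in the local GPO, pulls the Security events that record additions to a local group and log clears, and compares the current Administrators membership against an expected baseline. The baseline names and the seven-day window are assumptions for the example.

```powershell
# Audit-LocalAdminChanges.ps1 (added example, not from the original post)
# Three checks to run after a 24h admin grant has expired:
#   1. which startup scripts the local GPO registers (the persistence described above),
#   2. who was added to a local group and whether the Security log was cleared,
#   3. whether the current Administrators membership matches an expected baseline.
# Run from an elevated PowerShell; standard users cannot read the Security log.

$gpoScriptDir = Join-Path $env:windir 'System32\GroupPolicy\Machine\Scripts'

function Get-LocalGpoStartupScripts {
    # gpedit.msc records startup scripts in the hidden files scripts.ini (cmd/bat) and
    # psscripts.ini (PowerShell) under a [Startup] section as <n>CmdLine=<script>.
    $found = foreach ($ini in 'scripts.ini', 'psscripts.ini') {
        $path = Join-Path $gpoScriptDir $ini
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $section = ''
        foreach ($line in [System.IO.File]::ReadAllLines($path)) {   # reads hidden files too
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -ieq 'Startup' -and $line -match '^\d+CmdLine=(.+)$') {
                [pscustomobject]@{ Source = $ini; Script = $Matches[1].Trim() }
            }
        }
    }
    @($found)
}

function Get-AdminGroupEvents {
    param([int]$Days = 7)
    # 4732 = "A member was added to a security-enabled local group" (needs the audit
    # subcategory Security Group Management); 1102 = "The audit log was cleared".
    $filter = @{ LogName = 'Security'; Id = 4732, 1102; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Id -eq 1102) {
            [pscustomobject]@{ Time = $e.TimeCreated; What = 'Security log cleared'; Member = ''; Group = '' }
            continue
        }
        # 4732 EventData order: MemberName, MemberSid, TargetUserName (the group), ...
        $member = [string]$e.Properties[0].Value
        if ($member -eq '-') {              # name not resolved at audit time: resolve the SID now
            $sid = $e.Properties[1].Value
            try { $member = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $member = $sid.Value }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; What = 'Added to local group'; Member = $member; Group = [string]$e.Properties[2].Value }
    }
}

function Compare-LocalAdministrators {
    param([string[]]$Expected)
    # ADSI WinNT works on every Windows version around in 2015; Get-LocalGroupMember
    # only appeared with Windows 10 / Server 2016.
    $group = [ADSI]'WinNT://./Administrators,group'
    $current = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '' -replace '/', '\'
    })
    @($current | Where-Object { $Expected -notcontains $_ })   # members outside the baseline
}

# The baseline is an assumption for this example; adapt it to your own standard.
$expectedAdmins = @("$env:COMPUTERNAME\Administrator", 'YourDomain\Domain Admins')

'--- startup scripts registered in the local GPO ---'
Get-LocalGpoStartupScripts | Format-Table -AutoSize
'--- additions to local groups and log clears, last 7 days ---'
Get-AdminGroupEvents | Sort-Object Time | Format-Table -AutoSize
'--- members of Administrators that are not in the baseline ---'
Compare-LocalAdministrators -Expected $expectedAdmins
```

The three checks complement each other: the script file can be deleted once it has run, the 4732 event survives until the log is cleared, and the membership diff catches the result even when both traces are gone.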

Have Fun with 24h Admin Rights!

Still looking for a good New Year’s Resolution?

8 January 2015

In the past weeks I read a lot about Pass-the-Hash (PtH) attacks, the Zeus botnet and other frightening attack vectors.

PtH attacks, for example, need access to specially protected objects: the NT hashes live in the memory of the LSASS process and in the SAM and SECURITY registry hives, and standard users have no access to any of them. If an attacker hijacks your computer he takes over all your privileges: in the best case administrative privileges for your computer only, in the worst case administrative privileges for the whole network.

I think a good New Year's resolution would be to do everyday work with a standard user account, and to use an account with administrative privileges only when it is really required.

If you are managing a company network, please avoid logging in to member servers and workstations with a domain administrator account. Windows keeps the hash of your password on that machine: in the memory of the LSASS process while you are logged on, and afterwards as a cached logon verifier in the SECURITY hive if cached domain logons are enabled. Thus it can be harvested by a malicious user with local admin rights on that machine…

You will not gain 100% safety, but you will be a lot safer than if you don't take basic security precautions.

That’s it for today. The only thing left for me to say is …

Happy New Year!

Sony-pocalypse is still stuck in my mind

13 December 2014

The more technical details about the Sony attack come to light, the more restless I become. Although the attackers delivered a highly sophisticated piece of code, the impact of this attack would not have been so serious without the unintended help of the Sony users and IT groups.

Samuel Gibbs writes in theguardian ‘While security analysts have said that preventing sophisticated and well-funded cyber criminals from breaking into a company is very hard indeed, researchers have criticised Sony Pictures for its poor data security, which allegedly saw login details stored in unencrypted spreadsheets.’

That’s really bad! And particularly critical in the case of functional accounts or global admin accounts.

Another large weak spot, users who work with administrative privileges or accounts, was exploited for the initial attack.

The big question is: how could we make an attacker's life more difficult?

Just a few suggestions:

  • Never use an account with administrative rights for daily work. This also applies to members of the IT groups. Administrators should work with standard user accounts and switch to privileged accounts only when required.
  • Never use the same accounts and passwords for administering services like email or database servers and for workstations. Then, even if a workstation account is compromised, the servers stay out of reach.
  • Never use the same functional accounts and passwords for workstations and servers. Functional accounts are often used for managing services of third-party vendors, e.g. the anti-malware system. Unfortunately these accounts often must have administrative privileges. Different accounts and passwords for workstations and servers prevent malware from spreading to the servers when the workstation account is compromised.
  • Never use the same functional account for multiple services. Mind the isolation principle!
  • Service-specific functional accounts should be defined locally, and only on the systems where the services are hosted.
  • Use only strong passwords with a length of more than 20 characters. For functional accounts in particular this is no problem, because their passwords are rarely typed.
  • Decide about implementing two-factor authentication.
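A check for the functional-account points in the list above, as an added PowerShell example that is not from the original post: it inventories the services on a machine, sorts their logon accounts into built-in, local and domain accounts, and reports which services run under a domain account and which functional accounts drive more than one service. The classification rules are my own reading of the account-name forms Windows uses (LocalSystem, NT AUTHORITY\..., NT SERVICE\..., .\name, DOMAIN\name, user@domain); the service list is read live with Get-CimInstance, so the script runs on any Windows host with PowerShell 3 or later.

```powershell
# Find-ServiceAccounts.ps1 (added example, not from the original post)
# Lists every Windows service that does not run under a built-in account and flags
# the ones running under a domain account: a domain account shared by workstations
# and servers is exactly what carries a compromised workstation credential to the
# servers. Shared functional accounts (one account, several services) are listed too.

function Get-ServiceAccountClass {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$StartName)
    $name = $StartName.Trim()
    if ($name -eq '' -or $name -ieq 'LocalSystem') { return 'BuiltIn' }
    # Virtual accounts: NT AUTHORITY\LocalService, NT AUTHORITY\NetworkService,
    # NT AUTHORITY\SYSTEM and the per-service NT SERVICE\<name> accounts.
    if ($name -imatch '^(NT AUTHORITY|NT SERVICE)\\') { return 'BuiltIn' }
    if ($name -match '^(.+)\\(.+)$') {
        $authority = $Matches[1]
        if ($authority -eq '.' -or $authority -ieq $env:COMPUTERNAME) { return 'Local' }
        return 'Domain'                      # DOMAIN\name
    }
    if ($name -match '@') { return 'Domain' } # UPN form user@domain.tld
    return 'Local'                           # bare name = local account
}

function Get-ServiceAccountReport {
    # $ServiceList defaults to the live inventory; pass your own objects with
    # Name/StartName/State properties to run the classification offline.
    param([object[]]$ServiceList = (Get-CimInstance -ClassName Win32_Service))
    $rows = foreach ($svc in $ServiceList) {
        [pscustomobject]@{
            Service = $svc.Name
            Account = $svc.StartName
            Class   = Get-ServiceAccountClass -StartName ([string]$svc.StartName)
            State   = $svc.State
        }
    }
    $named = @($rows | Where-Object { $_.Class -ne 'BuiltIn' })
    # One functional account driving several services violates the isolation principle.
    $shared = $named | Group-Object -Property Account | Where-Object { $_.Count -gt 1 }
    [pscustomobject]@{
        DomainAccounts = @($named | Where-Object { $_.Class -eq 'Domain' })
        LocalAccounts  = @($named | Where-Object { $_.Class -eq 'Local' })
        SharedAccounts = @($shared | ForEach-Object {
            [pscustomobject]@{ Account = $_.Name; Services = ($_.Group.Service -join ', ') }
        })
    }
}

$report = Get-ServiceAccountReport
'Services running under a domain account (ask: is the same account used on workstations?):'
$report.DomainAccounts | Format-Table Service, Account, State -AutoSize
'Functional accounts used by more than one service:'
$report.SharedAccounts | Format-Table -AutoSize
```

Run it on a few workstations and a few servers and compare the Account columns: the same DOMAIN\name appearing on both sides is the cross-tier credential the second and third bullets warn about.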

That’s it for today, and for this year. I will take a Christmas break.

Christmas Trees

A merry Christmas to you all
and the best wishes for health, happiness
and prosperity in the New Year.

Sony-pocalypse - Sony hack exposes poor security practice

6 December 2014

In ‘Sony hack exposes poor security practices’ Warwick Ashford talks about the lessons learned from the latest Sony cyber attack.

‘According to the FBI, the malware comes wrapped in an executable “dropper” that installs itself as a Windows service.’

The big question is: how does a dropper get onto my computer? And why could a dropper install itself as a service? Under normal conditions, administrative privileges are required to install a service.

‘It also uses the command line of the Windows Management Interface (WMI) to spread to other computers on the network.’

This is definitely the most important piece of information. If you are somewhat familiar with Windows networks you know that you can install a service on another computer in your network only if you have administrative privileges on that computer, and WMI authenticates the remote call, so the credentials used must be valid there.

In other words, this means that the attackers got hold of a domain administrator account, or of a service account with local admin rights on all computers in the network, including the servers.

All this sounds like phishing and weak passwords, flavored with a missing concept for privileged account management. It’s always the same old story…

If you like to read more about the impressive technical details of the malware see this report on ars technica.

Lütetsburg Park, 53°35'55.0"N 7°15'39.5"E

Have a good Weekend!