BreachExchange mailing list archives

Testers penetrated DOT-wide network


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Sep 2013 00:22:48 -0600

http://www.fiercegovernmentit.com/story/testers-penetrated-dot-wide-network/2013-09-18

Weak user authentication permitted testers to penetrate the Transportation
Department-wide network undetected, says a new departmental office of
inspector general report.

In the report, which is redacted, auditors say they used common hacking
techniques to capture a network administrator's user ID and password, and
their use of that credential went unobserved for a week. Once testers
gained access--letting them freely sift through departmental servers and
sensitive data and reroute network traffic--they set up a new
administrative-level account that Transportation office of the chief
information officer personnel never found, the report adds.
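Both findings in that paragraph (an administrator credential used for a week without anyone noticing, and a new administrative account that was never found) are baseline-drift problems: the defender had no record of which privileged accounts should exist and where they should log on from. The script below is an added example, not code from the report, DOT or the article; it runs two such checks over a constructed event stream. The event kinds, account names, hosts and timestamps are all made up for the example, and the baseline sets stand in for whatever approved-administrator list and management-workstation list an operator would maintain.

```python
"""Baseline-drift checks for privileged accounts (added example, not from the report).

Two constructed detections over a small, synthetic event stream:
  1. an account gains administrative group membership without being in the
     approved baseline (the "new administrative-level account" finding), and
  2. a privileged account logs on from a host that is not one of the known
     management workstations (the "credential use went unobserved" finding).
All names and hosts below are made up for the example.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "admin_group_add" or "logon" (constructed event kinds)
    account: str
    host: str


# Approved privileged accounts and the workstations they are expected to use.
# Constructed baseline values; a real deployment would load these from the
# organisation's own account and asset inventory.
BASELINE_ADMINS = frozenset({"netadmin01", "netadmin02"})
KNOWN_ADMIN_HOSTS = frozenset({"mgmt-ws-01", "mgmt-ws-02"})

# Constructed sample events; the timestamps are deliberately out of order.
SAMPLE_EVENTS = [
    Event(datetime(2013, 9, 2, 9, 5), "logon", "netadmin01", "mgmt-ws-01"),
    Event(datetime(2013, 9, 2, 23, 41), "logon", "netadmin01", "lab-pc-17"),
    Event(datetime(2013, 9, 3, 1, 12), "admin_group_add", "svc-backup2", "dc01"),
    Event(datetime(2013, 9, 3, 1, 15), "logon", "svc-backup2", "lab-pc-17"),
    Event(datetime(2013, 9, 2, 8, 0), "logon", "netadmin02", "mgmt-ws-02"),
    Event(datetime(2013, 9, 4, 10, 0), "admin_group_add", "netadmin02", "dc01"),
]


def detect_privilege_drift(events, baseline_admins, known_hosts):
    """Return alerts as (timestamp, rule, account, host) tuples, oldest first.

    Privileged membership is tracked as it grows, so a later logon by an
    account that was added outside the baseline is flagged as well.
    """
    admins = set(baseline_admins)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "admin_group_add":
            if ev.account not in baseline_admins:
                alerts.append((ev.ts, "UNAPPROVED_ADMIN_ADDED", ev.account, ev.host))
            admins.add(ev.account)
        elif ev.kind == "logon" and ev.account in admins and ev.host not in known_hosts:
            alerts.append((ev.ts, "ADMIN_LOGON_FROM_UNKNOWN_HOST", ev.account, ev.host))
    return alerts


def summarize(alerts):
    """Count alerts per rule; the shape a daily review would look at first."""
    counts = {}
    for _, rule, _, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_privilege_drift(SAMPLE_EVENTS, BASELINE_ADMINS, KNOWN_ADMIN_HOSTS)
    for ts, rule, account, host in found:
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:30}  {account:12}  {host}")
    print(summarize(found))
```

On the constructed stream this raises three alerts: the approved administrator logging on from an unfamiliar host, the unapproved account being added to the administrative group, and that new account's first logon. The point of sorting by timestamp and growing the admin set as events arrive is that the check stays correct even when the group-membership event and the logon arrive from different sources in different order, which is the usual case when logs are collected centrally.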

The network in question, the Common Operating Environment, is managed by
the DOT OCIO and is used by all departmental operating administrations
except the Federal Aviation Administration. Through the COE, the OCIO also
manages administrations' desktops and backend services.

Auditors say that unless the OCIO implements multifactor authentication for
all network users, it can't be sure that unauthorized users aren't in the
COE. Office policy currently requires system owners and administrators to
use a personal identity verification card only to access accounts with
network modification privileges, the report says. Auditors also say the
OCIO doesn't have a tool that inventories devices connected to the network,
including those using wireless access. When asked for an inventory, OCIO
officials provided documentation generated through Microsoft SharePoint and
BMC Remedy.

In addition, testers examined 205 public DOT websites and found that 30
contained vulnerabilities such as those that could allow hackers to
redirect visitors to malicious sites, take control of the server, access
proprietary data or gain access to DOT video conferencing.

Scans of a random sample of 99 network servers found that 34.3 percent had
critical issues. At least 13 of the 493 DOT users selected for a social
engineering phishing bait test also clicked on the link in the email, the
report says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 