hack attack 'down to poor end-user security settings'


The hack of a US military dating Web site whose database was leaked after it reportedly "blindly trusted" user-submitted files took place because an admin-level user's Windows settings were compromised, according to Avecto.

The hack against - which was carried out by 'LulzSec Reborn' hacktivists revealed sensitive information on over 170,000 military professionals looking for relationships.

According to Paul Kenyon, chief operating officer with the Windows privilege management specialist, the hack is technically interesting as the hackers were found to have uploaded a PHP file with a file suffix of a text document, which the system's IT security system took at face value, and allowed the upload to complete.

"We would agree with Imperva's view that if the Web portal's server had filtered user-supplied content, the rogue file would never have been allowed on to the system and would simply have been discarded or blocked totally," he added.

"This all comes down to the simple premise of the lower the privilege settings of the various accounts on the system, the less security risk there will be. Even if the file was successfully uploaded to the MilitarySingles' server, if the account responsible for user uploads had only limited access to the server's resources, the hack would not have taken place."

As Avecto's recent survey of 1,000 IT security professionals found, the admin rights issue is causing havoc in many organisations, with 19 per cent of respondents having missed a critical deadline as a result of being denied full access to an application - and a further 14 per cent claiming to have lost a job as a result.

The survey, which was carried out during April 2012, found that 16 per cent of those surveyed said they would be tempted to use their admin rights to access sensitive data if they still had them after leaving the company.

"Morals aside, we always knew that there would be a significant impact on businesses if they mismanage user admin rights, but not to the degree that the survey highlighted," Kenyon explained.

The survey also asked respondents how many times a year they call IT as a result of not being able to get an application to work because of admin rights issues.

The average was 1.77 times per year, but almost a quarter of respondents said they call on the resources of their IT team more than three times a year, with each and every call costing real money - both from the IT team and also the loss in productivity of the user while they are failing to do what they need to get done.

"As this military dating site hack shows, the key to giving people access to the applications they need without compromising security lies in adopting a least privilege approach to security," he said.

"The principle of least privilege means giving a user account only those privileges which are essential to that user's work - leaving employees free to do their jobs and companies safe in the knowledge that their networks stay safe and their helpdesk bills are reduced," he added.
