Pacnet reveals cyber breach after Telstra acquisition

In April this year Telstra finished its acquisition of Pacnet, giving it access to Asia’s largest privately owned submarine cable network as part of strategy to expand into Asia.

According to news reports it appears that Telstra received a surprise signing bonus when the purchase was completed – notification that the Pacnet corporate IT network had been breached.

The itnews article claims that this wasn’t discovered during due diligence as Telstra and the Pacnet were competitors at the time and it only had limited access to information.

Access to the Pacnet internal network was gained through a SQL injection attack. SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.

Attacks of this nature fall under strategy #24 Server Application Hardening ‘e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.’ in the Australian Signals Directorate (ASD) Top 35 Mitigation Strategies.

Telstra is now left with the task of advising Pacnet customer about the breach.

Although there are no mandatory breach reporting in Australia although there is strong support for it. In October 2013, the Office of the Australian Information Commissioner (OAIC) released survey findings of community of attitudes towards privacy, which showed that 96 percent of respondents want government agencies and businesses to notify them if their personal information is lost or compromised.

Earlier this year the parliamentary joint committee on intelligence and security (PJCIS) recommended that the Government introduce a mandatory data breach notification scheme before the end of 2015. Australia’s privacy commissioner, Timothy Pilgrim, has highlighted telcos bad track record in Australia highlighting Telstra’s 2011 leak of 734,000 customer details and a further leak of the details of 15,775 customers in 2013.

 

emt Distribution represents Acunetix in Australia and New Zealand. Acunetix was founded to combat the alarming rise in web attacks including SQL Injection and Cross-Site Scripting among others.

Microsoft releases tool to manage local Admin passwords

Microsoft have attempted to address the challenge of managing local administrator credentials by releasing the Local Administration Password Solution (LAPS).

There are commercial solutions in this space, however many organisations are using either same password across machines, or try to use other methods, such as shared spreadsheets to manage individual passwords.

admin_password

Admin passwords, often seen on sticky notes or labels attached to the PC.

Using shared credentials on a network is bad security practice and can lead to a number of problems such as-

  • More people have access to, or discover the password. Word will get around and you will find the password attached to computers on sticky notes, label maker labels, or written on the computer itself in plain sight.
  • Shared passwords are rarely changed. Ex-employees and contractors will continue to have ability to access systems.
  • Networks with computers running shared passwords are more vulnerable to credential replay attacks, such as pass-the-hash (PTH). As a result hackers/malware will more easily traverse the network.
  • Users having access to these accounts will be able to install non-standard software, such as games, or remove protective controls such as antivirus protection.
  • Accountability issues. When random users are able to user the Administrator account they become anonymised. It is difficult to determine the actual individual who has made system changes from the log files.

How it works:

Install LAPS to automatically manage local administrator account passwords on domain-joined computers so that passwords are unique on each managed computer, randomly generated, and centrally stored in Active Directory infrastructure.

LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.

The tool will also allow you randomise the local passwords on an ongoing basis going forward. More information on the Microsoft Local Administrator Password Solution (LAPS) can be found here.

The LAPS tool can assist organisations to comply with the Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions. Specifically regarding control #9: Disable local administrator accounts and the Information Security Manual (ISM) Control:0383 (rev 4).

Control 0383 states: “Agencies must ensure that default operating system accounts are disabled, renamed or have their passphrase changed.”

Even though the overall objective of the ISM is to make organisations disable local administrative accounts, the LAPS tool can help in circumstances where this is not an option.

Controls above extracted from the 2015 Information Security Manual 2105 Controls.