IG: Treasury Dept was wide open to our ethical hackers

Nothing could possibly go wrong if the US Treasury's IT systems were penetrated and disrupted, right? Un-possible. The Treasury is a veritable fortress of security and stability, right?

TOP MEN baby, top men.

We found that default factory-preset administrative usernames and passwords were present in OCC’s systems. In one test we conducted, we discovered a default username and password of an internal service account on an OCC server which had local administrator privileges. We used those privileges and deployed our penetration test tool’s agents to the host server. That server contained password hashes for local and domain administrator accounts. Using these hashes, we obtained a domain administrator’s password, which we then used to log on to the network domain controller. With full access given to a typical domain administrative account, we created a domain administrator account and thereby had full control of OCC’s
network.

In accordance with our Rules of Engagement, we did not attempt to perform actions that would disrupt OCC’s operations, such as deleting data, powering off servers or other resources, locking out accounts, and similar activities, any of which could have resulted in interruption or shutdown of devices or services. However, malicious attackers would have no such restrictions against performing these actions

Because systems and devices connected to OCC’s internal
network could freely communicate between one another, with very little internal partitioning, we successfully attacked multiple OCC systems in a very short amount of time from a single workstation.

posted by Purp at 03:22 PM

| Access Comments