Windows flaw allows access to data after accounts are revoked
Posted on 06 May 2014.
Disabling an account in a Windows network does not take effect immediately, according to Aorato. In fact, due to design considerations, disabled accounts - and the same goes for deleted, expired and locked-out accounts - effectively remain valid for up to 10 hours after they have supposedly been revoked.


As a consequence, so-called disabled accounts expose the corporation to advanced attackers seeking to gain access to the corporate network. Departing employees whose user accounts have been disabled can also potentially continue to access corporate data.

With 95% of Fortune 1000 companies running a Windows-based network, this flaw affects enterprises across industries. Organizations seeking to comply with the PCI Data Security Standard will find that this authentication flaw turns the requirement of immediate revocation of any terminated user into a requirement that in reality cannot be met.

The problem lies in the Kerberos authentication protocol, which is based on an organizational "ticket". The ticket eliminates the need for employees to re-supply their username and password each time they access a system. However, because authentication and authorization rely solely on the ticket, and not on the user's credentials, disabling the user's account has no effect on the employee's ability to access data and services for as long as the ticket remains valid.

"Unfortunately, Windows fails to solve this authentication flaw. Worse yet, Windows' Kerberos implementation does not externalize the ticket information through logs and events, and so exploitation of the flaw cannot be mitigated through traditional log and SIEM measures. A required solution needs to both enforce the termination of disabled user accounts as well as have visibility into the relevant information," said Tal Be'ery, VP Research at Aorato.

To mitigate, organizations should monitor network traffic to Windows authentication servers in order to:
  • Recouple the ticket with the user's account, eliminating the root cause of the problem
  • Monitor changes in the user's account state and activities, in particular the revocation of the user's account
  • Terminate requests from a disabled user who is requesting access to a resource using a still-valid ticket.
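The gap described above, and the "recouple the ticket with the account" check from the list, as an added example in Python (not Aorato's code): a service that only checks ticket lifetime keeps serving a revoked account, while a decision that also consults a revocation feed terminates the request. The 10-hour lifetime, the revocation feed and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ticket lifetime quoted in the article: a ticket stays usable for up to 10 hours.
TICKET_LIFETIME = timedelta(hours=10)

@dataclass(frozen=True)
class Ticket:
    user: str
    issued: datetime

    def is_valid_at(self, when):
        # What a service checks on its own: only the ticket's lifetime, not account state.
        return self.issued <= when < self.issued + TICKET_LIFETIME

@dataclass(frozen=True)
class AccessRequest:
    ticket: Ticket
    resource: str
    when: datetime

def recoupled_decision(req, revocations):
    # Re-couple the ticket with the account: revocations maps user -> time the
    # account was disabled, deleted, expired or locked out (hypothetical feed).
    if not req.ticket.is_valid_at(req.when):
        return "expired"
    revoked_at = revocations.get(req.ticket.user)
    if revoked_at is not None and revoked_at <= req.when:
        return "terminate"  # valid ticket, revoked account: the gap the article describes
    return "allow"

def exposure_window(ticket, revoked_at):
    # How long a revoked account can keep using this ticket: until the ticket expires.
    return max(ticket.issued + TICKET_LIFETIME - revoked_at, timedelta(0))

# Constructed sample: alice's ticket issued 08:00, her account disabled at 09:30.
T0 = datetime(2014, 5, 6, 8, 0)
REVOCATIONS = {"alice": T0 + timedelta(hours=1, minutes=30)}
ALICE, BOB = Ticket("alice", T0), Ticket("bob", T0)
REQUESTS = [
    AccessRequest(ALICE, r"\\fs\finance", T0 + timedelta(hours=1)),   # before revocation
    AccessRequest(ALICE, r"\\fs\finance", T0 + timedelta(hours=5)),   # revoked, ticket still valid
    AccessRequest(ALICE, r"\\fs\finance", T0 + timedelta(hours=11)),  # ticket lifetime over
    AccessRequest(BOB, r"\\fs\hr", T0 + timedelta(hours=5)),          # untouched account
]

def audit(requests=REQUESTS, revocations=REVOCATIONS):
    return [(r.ticket.user, r.when.strftime("%H:%M"), recoupled_decision(r, revocations))
            for r in requests]
```

Calling `audit()` shows alice's 13:00 request being terminated even though her ticket alone would still pass, and `exposure_window(ALICE, REVOCATIONS["alice"])` gives the 8.5 hours during which that ticket outlives the revocation.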
