Monday, August 29, 2011

An Apple, Today, Gave Your Data Away

I'm not usually one to write about events in the news, but this one seems significant, and I think some people might not see its implications.



Basically, Apple's new OS X 10.7 (Lion), when bound to an LDAP directory, will log a user in as any account in that directory, accepting whatever password is typed. If you're an administrator and someone on your domain is running 10.7, that means they have access to the administrator account, the nice HR lady's account, and Joe the CEO's account (or Keith the Chief, as it may be).
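The post does not say why Lion accepts a bad password, so the following is an added illustration rather than Apple's code or a reconstruction of the actual bug: a constructed in-memory directory, a hypothetical client login routine that looks the account up but never acts on the directory's verdict, and a hardened version beside it. It also covers a related LDAP caveat a domain admin should test for on their own server: a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many servers accept without proving anything. The directory, account names and password handling are all assumptions made for the example.

```python
"""Added example, not code from the original post or from Apple.

FakeDirectory stands in for an LDAP server; login_vulnerable shows a
constructed authentication-bypass bug of the same class the post describes
(any password works for an existing account), and login_hardened shows the
fail-closed version.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 10_000  # kept low so the example runs quickly


@dataclass
class Account:
    dn: str
    salt: bytes
    digest: bytes


class FakeDirectory:
    """Stand-in for an LDAP server (constructed; no network involved)."""

    def __init__(self):
        self._by_uid = {}

    def add_user(self, uid, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._by_uid[uid] = Account(f"uid={uid},ou=people,dc=example,dc=com", salt, digest)

    def search_dn(self, uid):
        """Mimics the search step that maps a login name to a DN."""
        acct = self._by_uid.get(uid)
        return acct.dn if acct else None

    def bind(self, dn, password):
        """Simple bind.  An empty password with a non-empty DN is treated as an
        unauthenticated bind and succeeds, as RFC 4513 permits servers to do."""
        if password == "":
            return True
        for acct in self._by_uid.values():
            if acct.dn == dn:
                test = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, ITERATIONS)
                return hmac.compare_digest(test, acct.digest)
        return False


def login_vulnerable(directory, uid, password):
    """Hypothetical bug (assumption, not the real Lion root cause): finding the
    account is treated as authenticating it.  The bind is performed but its
    result is discarded, so any password works for any existing user."""
    dn = directory.search_dn(uid)
    if dn is None:
        return False
    directory.bind(dn, password)  # verdict thrown away
    return True


def login_hardened(directory, uid, password):
    """Fail closed: refuse empty passwords before they reach the server, and
    return exactly what the bind says."""
    if not password:
        return False
    dn = directory.search_dn(uid)
    if dn is None:
        return False
    return directory.bind(dn, password)


if __name__ == "__main__":
    d = FakeDirectory()
    d.add_user("ceo", "correct horse battery staple")
    print("vulnerable, wrong password:", login_vulnerable(d, "ceo", "anything"))  # True
    print("hardened,   wrong password:", login_hardened(d, "ceo", "anything"))    # False
    print("hardened,   empty password:", login_hardened(d, "ceo", ""))            # False
```

Against a real server the same check is simply an `ldapsearch` or bind attempt with a deliberately wrong password and one with an empty password; both must be refused by every client and every service that authenticates against the directory.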

I'm not saying OS X 10.7 machines bound to a domain are common, or that would-be attackers need OS X Lion to subvert LDAP authentication. It's like the lock on a glass door: it isn't really a security mechanism, it's just there to keep honest people honest.

Think about it: if an ambitious employee has open access to every piece of data on the domain, what kind of trouble could they get into? They probably don't want to actively damage the company, but they might leak company secrets ahead of the press release to stroke their ego. Potentially worse is if they find something that upsets them. When things like payroll or personnel records reach the general workforce, morale and trust can take a huge hit.

Now imagine all of that with a disgruntled employee, or an attacker with something to prove. How much easier would the three Arizona Department of Public Safety attacks have been if all the attackers had to do was snag one administrator password? How much more damaging would they have been? I imagine LulzSec/AntiSec wouldn't have bothered with any other attack, since they could have connected to the domain and freely exfiltrated anything they wished. Moreover, strong passwords would not have been a limiting factor. In the real attacks they surely didn't get into EVERY domain account; with a bug like this, what information would have been left to pilfer?

Long story short, attack vectors like these are discovered all the time. We have moved out of the Information Age and into the Security Age, and it's time to take these threats seriously. I'm sure AZDPS believed it couldn't be the target of a cyber attack, and so did Bay Area Rapid Transit. But the reality is that as soon as a law enforcement agency or private company makes the front page, it's a target.
