Zombie user account let hackers control the city’s water

PWNED Welcome once again to PWNED, the column where security flubs are held up to the harsh, piercing red light of the vulture signal. This week's sad story concerns a municipality that failed to perform basic account housekeeping and paid for it dearly. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. Our tale of tech missteps comes courtesy of Nicole Beckwith, who serves as the senior director for security engineering and operations at Cribl, an AI platform for telemetry. She used to work as a consultant, and at one point was hired to investigate breaches in an American city's network. A threat actor took a leisurely tour" of the city's online resources and had started messing around with conference room projectors and other relatively harmless endpoints. Then they realized that they could change settings with the water utility where they switched many controls off, potentially endangering the water supply. When Beckwith investigated, she found that all of the mischief was performed by an account that belonged to Greg from Auditing." There was just one problem. Greg hadn't worked for the city for many years. Unfortunately, even though Greg was no longer around, his account was, and it retained extensive privileges, including domain admin rights, SCADA (Supervisory Control and Data Acquisition) operator access, and even the ability to perform help desk functions. It's unclear if someone from auditing ever needed this level of access, but a former employee definitely did not. It wasn't Greg himself who hacked the network. But he had used his work email address to sign up for various online accounts, some of which may have been exposed in previous data leaks. She speculates the hackers saw an email address with a .gov in it and decided to try their luck with the leaked password that went along with it, and that Greg likely used the same password for work that he did for these outside services. We have a few takeaways here. First, the people who ran IT security for the city should have both deleted Greg's account when he left and done periodic audits to see who had access and whether they should still have it. Second, Greg should have kept his work credentials separate from third-party services like shopping and social media sites. And he should not have used the same password in multiple places. The lesson, beyond the obvious 'please, for the love of all that is holy, audit your dormant accounts,' is that every forgotten user is an easy ticket to being on the 5 o'clock news," Beckwith told The Register. Quarterly access reviews should be mandatory because everyone seems to think when a user leaves, that is the end of it and someone surely terminated access, deprovisioned accounts, removed access to tools, mobile communications, email and other business critical systems, but sadly I've responded to way too many incidents like this one because of this simple control which is often overlooked." (R)