Security breach: employee convicted after uncovering a critical flaw
A former Engie employee was arrested and criminally sentenced for taking control of two sets of terminals via Active Directory.
The events took place in August 2020. The computer system of the Engie energy group was compromised: in all likelihood, one person was able to briefly take control of one of its Active Directory forests. That forest brings together 188,000 machines and 232,000 Active Directory user accounts across several domains. The culprit: an employee of the electricity supplier, still on duty at the time. He managed to grant himself very high rights and privileges on Active Directory, the directory service that centrally manages machines, resources, permissions and of course accounts.
This situation highlighted something that everyone already knew: the vulnerability of Active Directory is very real and almost commonplace. Unfortunately, many organizations are exposed to this kind of weakness. On the attacker's side, control of Active Directory is considered something of a "Holy Grail".
This point has been made repeatedly by CESIN, the association that brings together IT security professionals. The reality is that these directories are very poorly secured: "… access to the information system's data." For its part, the National Information Systems Security Agency (ANSSI) has complained of a "critical and recurrent lack of maturity on security".
Returning to the intrusion suffered by the electricity company, the former employee was sentenced last Monday, March 8, to a 4-month suspended prison sentence and a fine of 15,000 euros, two-thirds of which was also suspended. The sanction was handed down by the Paris Court of Justice for "fraudulent access to an automated data processing system". His former employer, the electricity company, asked for 1 euro in damages: a symbolic demand, given that the incident cost the company nearly 238,000 euros.
In a way, the former employee got off fairly lightly: the prosecutor's office had requested a one-year suspended prison sentence, whereas the defence had asked for a simple fine. The prosecutor's position is explained by the fact that the former employee's exploit took place only a few days before he left the company, which raises doubts about his true intentions.
The security flaw discovered by the former employee concerned certain telecom infrastructures of the energy company, infrastructure protected by a very weak password: "Password". It sounds like a bad joke, but that is exactly what it was.
"You could laugh about it, but at the time of the incident I was absolutely concerned: you can't leave a service account with such a password," said the former employee at his trial on Monday, March 8. His reaction is understandable when one knows that "password" sits in the category of the worst passwords, alongside the famous "123456".
"With this service account, I realized that I could go to another server. I repeated the same approach, querying the directory, until I saw an administrator account lying around," explains the former Engie employee. Following this feat, he wrote a report with a number of recommendations and sent it to the company's information system security manager. The result was a complaint filed against him. Unfortunately for this computer security specialist, in the eyes of the law his act qualifies as an offence; it cannot simply be viewed as an audit carried out without malicious intent. "It was my duty to alert, it was necessary to alert Engie so that there was a minimum of computer security," explains the convicted man.
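A defender-side illustration of the pattern described above (a service account with a weak password used to hop from server to server until an administrator account turns up), as an added example that is not part of the original article: it scans logon events for service accounts that authenticate to several distinct hosts within a short window and notes whether they were then granted special privileges. The `svc_` naming prefix, the event records, the logon-type filter and the thresholds are constructed assumptions, not details from the case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not from the article).
# 4624 = successful logon, 4672 = special privileges assigned to a new logon.
SAMPLE_EVENTS = [
    {"ts": "2020-08-03T09:00:00", "id": 4624, "user": "svc_telecom", "host": "TEL-APP01", "logon_type": 3},
    {"ts": "2020-08-03T09:02:00", "id": 4624, "user": "svc_telecom", "host": "TEL-DB02", "logon_type": 3},
    {"ts": "2020-08-03T09:05:00", "id": 4624, "user": "svc_telecom", "host": "FILE-SRV07", "logon_type": 10},
    {"ts": "2020-08-03T09:09:00", "id": 4624, "user": "svc_telecom", "host": "DC01", "logon_type": 3},
    {"ts": "2020-08-03T09:09:01", "id": 4672, "user": "svc_telecom", "host": "DC01", "logon_type": None},
    {"ts": "2020-08-03T10:00:00", "id": 4624, "user": "svc_backup", "host": "BACKUP01", "logon_type": 5},
    {"ts": "2020-08-03T10:30:00", "id": 4624, "user": "alice", "host": "WS-1042", "logon_type": 2},
]

# A service account normally starts services (logon type 5). Interactive (2),
# network (3) and RDP (10) logons from one are the hopping pattern we look for.
SUSPECT_LOGON_TYPES = {2, 3, 10}


def pivoting_service_accounts(events, prefix="svc_", min_hosts=3, window_minutes=60):
    """Return {account: {"hosts": [...], "privileged": bool}} for service accounts
    (assumed to carry `prefix`) that logged on to at least `min_hosts` distinct
    hosts within any `window_minutes` window, flagging those that also got 4672."""
    window = timedelta(minutes=window_minutes)
    by_user, privileged = defaultdict(list), set()
    for e in events:
        if not e["user"].startswith(prefix):
            continue
        if e["id"] == 4672:
            privileged.add(e["user"])
        elif e["id"] == 4624 and e["logon_type"] in SUSPECT_LOGON_TYPES:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    findings = {}
    for user, logons in by_user.items():
        logons.sort()
        best, j = set(), 0
        for i, (t0, _) in enumerate(logons):
            # Advance j so that logons[i:j] all fall within the window opened at t0.
            while j < len(logons) and logons[j][0] - t0 <= window:
                j += 1
            hosts = {h for _, h in logons[i:j]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings[user] = {"hosts": sorted(best), "privileged": user in privileged}
    return findings


if __name__ == "__main__":
    print(pivoting_service_accounts(SAMPLE_EVENTS))
```

Only `svc_telecom` is reported: `svc_backup` performs a normal service logon and `alice` is not a service account, so neither matches the hopping pattern.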
Unfortunately for him, his initiative was not seen the same way by everyone.
"When we do an audit, we sign a service agreement with our client that defines its objectives and its limits, along with an audit authorization sheet, and we have our auditors sign ethical charters," says Nicolas Langeard, in charge of this activity at the consulting firm Amossys, which has been qualified for this work by the National Information Systems Security Agency (ANSSI) since 2013.