Bob's Blogs

Sentimental journey

I'm an evangelist for what I consider to be the "right" or "thorough" way to do things, and I want to spread my "professional religion" as far as I can. But humor is part of our lives, too, and it helps to know that you're not the only one who gets idiotic behavior thrown in your path.

Every one of us has a collection of personal war stories, as well as those we've collected from colleagues, trade shows and Web sites. So I'd like to share some of mine which are network- and/or network security-related. I'll try to keep them short and to the point. --------------------------------------------------------------------------------

Director of Network Operations is very picky about who may and who may not have domain administrator status. Until his 14-year-old son comes to visit for the summer, and he makes him a domain admin.

As mentioned in a previous blog, I was working in the server room when several excited people came in demanding to know what I'd done. Nothing, in this case, but the entire set of racks behind me had their power strips daisy-chained, and the one more server added two days before it was finally too much for the circuit breaker to take any more.

Customer Service department complains that someone has run up over a $1000 worth of overseas phone calls, and they don't want to pay the bill, they want to find the culprit. Investigation determines that someone in Engineering learned about an outbound modem pool during a cooperative support case and had been using the modem pool to dial up to a BBS (yes, they still exist) in England.

Main Data Processing group complains that communication with the England-based data center slows down every day between 8:00 a.m. and 9:00 a.m. Investigation finds that an engineer visiting from the U.K. had been connecting back to his Unix workstation in London and using X-Windows to forward the display across the trans-Atlantic link, so that he could surf the Web from his office in California.

Server for one department has been trashed. The department is pretty sure that it's a disgruntled worker who has just been let go. Investigation showed (to my personal satisfaction) that it was indeed the person suspected. But none of the systems in the chain are using NTP/SNTP (Network Time Protocol/Simple NTP), and all of the time stamps disagree over a range of about two weeks, making prosecution impossible.

During a routine "war-dialing" sweep of all company phone numbers, a modem is found that allows direct pcAnywhere control (with no password) of a desktop computer in Toronto. When I connected to the system using pcAnywhere, it took several minutes to get the user of the machine to stop trying to kill the Notepad window I was opening to identify myself. I typed in my name, position and phone number (through the company switchboard - always remember your identification script) with extension. Turned out that it had been set up by a sales engineer in British Columbia to provide her with desktop support. But he had neglected to tell her that.

Shortly after joining a new outfit, I got a call from the on-duty operator reporting that our ISP had called to notify us that we were being used as a Smurf amplifier. A Smurf attack is performed by spoofing (forging) the source IP address of your victim and sending a ping (echo request) to a broadcast address ( to get as many systems on that network to respond to the victim directly. So why were we vulnerable to this? Investigation showed that the VP of Engineering didn't like the response time from IT for firewall requests. So he demanded and was granted wide-open access inbound and outbound for his entire department subnet.

While examining firewall logs at a Midwestern company, I noticed a lot of P2P probes from a network a few thousand miles (and divisions) away. Investigation took several people in several different divisions because I didn't work with the remote division at all. But I could probe the remote machine, which showed that the only listening port on that system was for P2P file sharing. The system did not even respond to a ping. Investigation showed that the machine belonged to a director-level manager in a publishing company (who should have known better), who was running a massive music piracy operation from her office. I'm not sure, but I don't think she works there any more.

One of my painful lessons at one company was my attempt to suggest (not mandate, just suggest) by companywide e-mail, that everyone change their passwords from the default (first initial, first five characters of last name) to something a little better. The director of desktop support told me that this was not going to happen "because it will just tick off our users." (Lesson: If upper management doesn't care, you're wasting your time).

During an audit of an ISP, I found spam being sent to people that used their "internal" name as opposed to their "external" name. Tracking the e-mail headers back to their origin, I found that they led to a software development company. Bringing this to the attention of my customer (the ISP), they identified the last name of the sender as belonging to one of their customers. It finally turned out that the customer's son had broken into one of the ISPs systems from his father's computer, harvested the internal e-mail names and was sending his spam to advertise his new sideline of selling real estate.

One of my current investigations is beginning to look like some sort of back-channel that uses DNS ports. The IDS has caught these and flagged them as DNS violations. Problem is, looking at the packet data, it looks nothing like DNS, so I'm suspicious of it. But so far I've found nothing relevant on Google. Problem is, the source system is behind a proxied wireless gateway, so that's going to take more digging to find -- but it should be interesting, whatever it turns out to be.

Happy securing and networking, Folks...Bob

Meeting Network Security & Control Requirements: (408) 395-3921