Bob's Blogs
Sentimental journey
I'm an evangelist for what I consider to be the "right" or "thorough" way to do things, and I want to spread my "professional religion" as far as I can. But humor is part of our lives, too, and it helps to know that you're not the only one who gets idiotic behavior thrown in your path. Every one of us has a collection of personal war stories, as well as those we've collected from colleagues, trade shows and Web sites. So I'd like to share some of mine that are network- and/or network-security-related. I'll try to keep them short and to the point.
--------------------------------------------------------------------------------
The Director of Network Operations is very picky about who may and who may not have domain administrator status. Until his 14-year-old son comes to visit for the summer, and he makes him a domain admin.
As mentioned in a previous blog, I was working in the server room when several excited people came in demanding to know what I'd done. Nothing, in this case, but the entire set of racks behind me had their power strips daisy-chained, and the one more server that had been added two days before was finally too much for the circuit breaker to take.
The Customer Service department complains that someone has run up over $1,000 worth of overseas phone calls, and they don't want to pay the bill; they want to find the culprit. Investigation determines that someone in Engineering learned about an outbound modem pool during a cooperative support case and had been using the modem pool to dial up to a BBS (yes, they still exist) in England.
The main Data Processing group complains that communication with the England-based data center slows down every day between 8:00 a.m. and 9:00 a.m. Investigation finds that an engineer visiting from the U.K. had been connecting back to his Unix workstation in London and using X11 to forward the display across the trans-Atlantic link, so that he could surf the Web from his office in California.
A server for one department has been trashed. The department is pretty sure that it's a disgruntled worker who has just been let go. Investigation showed (to my personal satisfaction) that it was indeed the person suspected. But none of the systems in the chain were using NTP/SNTP (Network Time Protocol/Simple NTP), and their time stamps disagreed over a range of about two weeks, so no defensible sequence of events could be reconstructed from the logs, making prosecution impossible.
During a routine "war-dialing" sweep of all company phone numbers, a modem is found that allows direct pcAnywhere control (with no password) of a desktop computer in Toronto. When I connected to the system using pcAnywhere, it took several minutes to get the user of the machine to stop trying to kill the Notepad window I was opening to identify myself. I typed in my name, position and phone number (through the company switchboard, always remember your identification script) with extension. It turned out that the modem had been set up by a sales engineer in British Columbia to provide her with desktop support. But he had neglected to tell her that.
Shortly after joining a new outfit, I got a call from the on-duty operator reporting that our ISP had called to notify us that we were being used as a Smurf amplifier. A Smurf attack is performed by spoofing (forging) the source IP address of your victim and sending a ping (ICMP echo request) to a network's directed broadcast address (e.g. 1.2.3.255), so that as many systems as possible on that network send their echo replies directly to the victim. A network is usable as an amplifier when its border router forwards directed broadcasts inward and its hosts answer them. So why were we vulnerable to this? Investigation showed that the VP of Engineering didn't like the response time from IT for firewall requests. So he demanded and was granted wide-open access inbound and outbound for his entire department subnet.
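What the ISP saw can be pulled out of a firewall's or router's own ICMP records. The script below is an added example, not part of the original post: it looks for the two halves of the amplifier pattern, an inbound echo request addressed to the subnet's directed broadcast address, and a burst of echo replies from many internal hosts to one outside address. The subnet (10.20.30.0/24), the thresholds and the packet records are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical internal subnet (not from the original post). A Smurf amplifier is a
# network whose border router forwards ICMP echo requests addressed to this
# subnet's directed broadcast address and whose hosts all answer them.
INTERNAL = ip_network("10.20.30.0/24")

# Constructed ICMP records: (seconds, src, dst, icmp_type); 8 = echo request, 0 = echo reply.
SAMPLE = [
    (0.00, "203.0.113.9",  "10.20.30.255", 8),   # spoofed "victim" source -> our broadcast address
    (0.01, "10.20.30.11",  "203.0.113.9",  0),   # six internal hosts answer the victim...
    (0.01, "10.20.30.12",  "203.0.113.9",  0),
    (0.02, "10.20.30.13",  "203.0.113.9",  0),
    (0.02, "10.20.30.14",  "203.0.113.9",  0),
    (0.03, "10.20.30.15",  "203.0.113.9",  0),
    (0.03, "10.20.30.16",  "203.0.113.9",  0),
    (2.50, "10.20.30.40",  "198.51.100.7", 8),   # ...while this is an ordinary outbound ping
    (2.51, "198.51.100.7", "10.20.30.40",  0),   # and its reply
    (5.00, "10.20.30.41",  "198.51.100.8", 0),   # a lone reply, well under the burst threshold
]


def directed_broadcast_requests(records, net=INTERNAL):
    """Inbound echo requests aimed at the subnet's broadcast address: the amplifier trigger."""
    bcast = net.broadcast_address
    return [r for r in records if r[3] == 8 and ip_address(r[2]) == bcast]


def amplification_bursts(records, net=INTERNAL, window=1.0, min_hosts=5):
    """Map external target -> number of distinct internal hosts that sent it echo
    replies inside any `window`-second span. Many hosts answering one outside
    address at once is the amplifier side of a Smurf attack."""
    replies = sorted(
        r for r in records
        if r[3] == 0 and ip_address(r[1]) in net and ip_address(r[2]) not in net
    )
    by_target = defaultdict(list)
    for t, src, dst, _ in replies:
        by_target[dst].append((t, src))
    findings = {}
    for dst, events in by_target.items():
        for i, (t0, _) in enumerate(events):
            hosts = {src for t, src in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[dst] = max(findings.get(dst, 0), len(hosts))
    return findings


def report(records, net=INTERNAL):
    """Human-readable alert lines for both indicators."""
    triggers = directed_broadcast_requests(records, net)
    bursts = amplification_bursts(records, net)
    lines = [f"echo request to broadcast {r[2]} from {r[1]} (likely spoofed victim)" for r in triggers]
    lines += [f"{n} internal hosts replied to {dst} within 1s" for dst, n in bursts.items()]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print("ALERT:", line)
```

Detection is the easy part; the fix is to stop being an amplifier at all. On Cisco IOS that is `no ip directed-broadcast` on the inside interfaces (the default in current releases, per RFC 2644), plus a firewall rule that drops inbound ICMP to your broadcast addresses regardless of what any department has negotiated for itself.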
While examining firewall logs at a Midwestern company, I noticed a lot of P2P probes from a network a few thousand miles (and several divisions) away. Investigation took several people in several different divisions because I didn't work with the remote division at all. But I could probe the remote machine, which showed that the only listening port on that system was for P2P file sharing. The system did not even respond to a ping. Investigation showed that the machine belonged to a director-level manager in a publishing company (who should have known better), who was running a massive music piracy operation from her office. I'm not sure, but I don't think she works there any more.
One of my painful lessons at one company was my attempt to suggest (not mandate, just suggest), by companywide e-mail, that everyone change their passwords from the default (first initial plus the first five characters of the last name) to something a little better. The director of desktop support told me that this was not going to happen "because it will just tick off our users." (Lesson: if upper management doesn't care, you're wasting your time.)
During an audit of an ISP, I found spam being sent to people that used their "internal" name as opposed to their "external" name. Tracking the e-mail headers back to their origin, I found that they led to a software development company. When I brought this to the attention of my customer (the ISP), they identified the last name of the sender as belonging to one of their customers. It finally turned out that the customer's son had broken into one of the ISP's systems from his father's computer, harvested the internal e-mail names and was sending his spam to advertise his new sideline of selling real estate.
One of my current investigations is beginning to look like some sort of back-channel that uses the DNS ports. The IDS has caught these packets and flagged them as DNS violations. The problem is that, looking at the packet data, it looks nothing like DNS, so I'm suspicious of it. But so far I've found nothing relevant on Google. The other problem is that the source system is behind a proxied wireless gateway, so that's going to take more digging to find. But it should be interesting, whatever it turns out to be.
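"Looks nothing like DNS" is a judgment you can make mechanically before going hunting for the source host. The validator below is an added example, not code from the original post or its IDS: it checks that a port-53 payload carries a sane 12-byte DNS header and that every entry in the question section parses as RFC 1035 labels (including compression pointers), and reports the first thing that fails. The sample payloads are constructed for illustration; it does not walk the answer sections, which is enough to separate real DNS from arbitrary data riding on the port.

```python
import struct

VALID_OPCODES = {0, 1, 2, 4, 5, 6}          # QUERY, IQUERY, STATUS, NOTIFY, UPDATE, DSO
VALID_QCLASSES = {1, 3, 4, 254, 255}        # IN, CH, HS, NONE, ANY


def parse_name(data, offset):
    """Walk the DNS labels starting at `offset` (RFC 1035 4.1.2/4.1.4).
    Returns (labels, offset just past the name). Raises ValueError on malformed input."""
    labels, hops, end, jumped = [], 0, None, False
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                    # 2-byte compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            if not jumped:
                end, jumped = offset + 2, True
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > 63:
            raise ValueError(f"label length {length} exceeds 63")
        label = data[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))         # UnicodeDecodeError is a ValueError
        offset += 1 + length
    return labels, (end if jumped else offset)


def check_dns_payload(payload):
    """Return (ok, reason). ok is True only if the bytes carry a sane 12-byte DNS
    header and every question parses; the answer sections are not inspected."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    _ident, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    is_response = bool(flags & 0x8000)
    if opcode not in VALID_OPCODES:
        return False, f"reserved opcode {opcode}"
    if qd == 0 and not is_response:
        return False, "query with no question"
    if qd > 16:
        return False, f"implausible QDCOUNT {qd}"
    offset, names = 12, []
    try:
        for _ in range(qd):
            labels, offset = parse_name(payload, offset)
            if offset + 4 > len(payload):
                return False, "question truncated before QTYPE/QCLASS"
            _qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
            offset += 4
            if qclass not in VALID_QCLASSES:
                return False, f"unknown QCLASS {qclass}"
            names.append(".".join(labels))
    except ValueError as exc:
        return False, str(exc)
    return True, f"well-formed {'response' if is_response else 'query'} for {names}"


# Constructed packets (not captures from the original post).
SAMPLES = {
    # ID 0x1234, RD set, one question: example.com A IN
    "real query": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x07example\x03com\x00\x00\x01\x00\x01",
    # HTTP text shoved down port 53
    "http on 53": b"GET /index.html HTTP/1.0\r\nHost: example.org\r\n\r\n",
    # Plausible header, then a 128-byte "label" that no resolver would produce
    "bad label": b"\x00\x2a\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x80" + b"A" * 20,
    "runt": b"\x01\x02",
}


def triage(packets):
    """packets: iterable of (src, payload). Returns [(src, reason)] for non-DNS payloads."""
    return [(src, check_dns_payload(p)[1]) for src, p in packets if not check_dns_payload(p)[0]]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:>12}: {check_dns_payload(payload)}")
```

Run over the IDS's captured port-53 payloads, `triage` separates the real resolver traffic from whatever the back-channel is carrying, and the reason string tells you at which byte the pretence of being DNS gives up. Payloads that do pass this check but carry very long or high-entropy labels are the other case worth a look, since that is what DNS tunnels that bother to be well-formed look like.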
Happy securing and networking, Folks...Bob