Open 1 port to 1 IP = turn off the firewall



  • One day I came into work and found a pile of emails - "Server X isn't working!", "Data replication has failed!", "Log files can't auto-grow any more!", and so on.

    I log into the server, and notice immediately that one of the the HDDs is completely full.  The databases are deleted.  And the log files have grown 30+ GBs.  Now the fun of tracking down the problem begins.

    I scan the logs - hundreds of thousands of unauthorized access attempts from IPs spread all over the world.  The login attempts were trying to get into the server admin account; a brute force attack that went on for a solid month.  Each day the IP of the attacker changing to an address in another country.  Back to the present - the attempts mysteriously stop, and there are no more log entries for hours until the one noting my valid log-in.  All logs detailing what happened after a certain point in that day have been deleted, along with any trace of whatever the attacker was doing after having successfully logged in, and our replicated ERP system databases (which contain all financial, product, and customer data - basically the entire set of information managed by our ERP system).

    It all began a month ago, according to the logs.  A month... what happened a month ago that allowed these attacks to take place?

    Oh.

    I needed to have one port opened to one IP address on our firewall,
    allowing an outside SAAS vendor to replicate data to an internal server.

    Simple, right?

    I
    submitted my request to the IT services firm my employer outsources
    their IT department too. What they heard, apparently, was "Please turn off the
    firewall for internal server X, and expose it to the Internet".

    After spending the day figuring out what happened, I wrote a report, sent it off to the higher-ups with the three letter acronyms, and expected swift death the next morning when they look for someone to blame and see that I'm the one who sent the request for the port to be opened (not expecting them to appreciate the different between the person who submitted a sane request, and the people who bungled the execution of the request in an insane manner).

    I get in the next day.  Nothing.  No emails.  No voice mails.  No response from the acronyms at all. Everything is status quo. I got the outsourced IT people to fix the firewall, got the replication going again, and that's that.

    Weeks later - still nothing.  The acronyms, it seems, just don't care about an intrusion on the server hosting our ERP data.

    And life goes on.

    For now.



  • TRWTF is that you don't have some kind of monitoring software that alerted you to the shrinking disk space.

    @KrakenLover said:

    I get in the next day.  Nothing.  No emails.  No voice mails.  No response from the acronyms at all.

    Maybe your email server and Asterisk server ran out of disk space?



  • @morbiuswilters said:

    TRWTF is that you don't have some kind of monitoring software that alerted you to the shrinking disk space.
    Monitoring software is for wimps.  The way we like it here is to be totally surprised when things go wrong and systems crash.

    And we also don't like that so-called "preventative maintenance", "failure analysis", or "network monitoring".



  • I sense a front-page post about this soon.  And of course I mean front page of the New York Times.



  •  Relax, I've gone over the data and there's nothing useful in here.

    A whole damned month wasted...



  •  If it's any consolation, I keep a regularly updated backup copy of the data on this external drive here on my desk. So no worries.



  • 1) I would be going after the schmuck that turned your firewall off to find out what in the world they though they were thinking.  They should have confirmed with you first if they thought you were requesting that.

    2) The fact that you didn't notice for 30 days what was going on is really bad.    You should be checking your logs for issues each morning.  If your using SQL Server you can also set up an alert to email you when a login fails repeatedly.   



  • @KrakenLover said:

    I log into the server, and notice immediately that one of the the HDDs is completely full.  The databases are deleted.
     

    Given your IT department, I think they say the HDD was full, and helpfully deleted what was taking up the most space. It Makes Sense.



  • @galgorah said:

    2) The fact that you didn't notice for 30 days what was going on is really bad.    You should be checking your logs for issues each morning.  If your using SQL Server you can also set up an alert to email you when a login fails repeatedly.
    We outsource our IT department.  It isn't my job to check the logs, or make sure the servers are running, or fix server-related issues except in cases of emergency.

    That said, we don't have anyone whose job it is to do things like that.  Supposedly the outsourced IT services vendor is meant to do such things, but since we outsource our entire IT department, we don't have anyone internally in charge of making sure IT issues are handled correctly and preemptively.  That means we kind of have an understanding of what they are supposed to do, but no one really follows up on that or holds them to it.

     



  • Depending on the country you work in, you may be legally required to provide notice to anyone whose personal information has been compromised.  That would probably include all the employees in the ERP system. You should contact your legal department, as the company may be liable for fines if the right procedures are not followed.  Plus, it's the right thing to do for the other employees.  You may know that you're now a heightened spear-phishing target, but nobody else will.



  • @UpNDown said:

    Depending on the country you work in, you may be legally required to provide notice to anyone whose personal information has been compromised.  That would probably include all the employees in the ERP system. You should contact your legal department, as the company may be liable for fines if the right procedures are not followed.  Plus, it's the right thing to do for the other employees.  You may know that you're now a heightened spear-phishing target, but nobody else will.

    I'm thinking that might be why upper management hasn't said anything.  They probably just want this to go away and pretend it never happened, and don't want anyone to ever find out.

     



  • @KrakenLover said:

    @UpNDown said:

    Depending on the country you work in, you may be legally required to provide notice to anyone whose personal information has been compromised.  That would probably include all the employees in the ERP system. You should contact your legal department, as the company may be liable for fines if the right procedures are not followed.  Plus, it's the right thing to do for the other employees.  You may know that you're now a heightened spear-phishing target, but nobody else will.

    I'm thinking that might be why upper management hasn't said anything.  They probably just want this to go away and pretend it never happened, and don't want anyone to ever find out.
    Wow.... Just, wow...  If that isn't reckless, then I don't know what is.



  • @C-Octothorpe said:

    @KrakenLover said:

    @UpNDown said:

    Depending on the country you work in, you may be legally required to provide notice to anyone whose personal information has been compromised.  That would probably include all the employees in the ERP system. You should contact your legal department, as the company may be liable for fines if the right procedures are not followed.  Plus, it's the right thing to do for the other employees.  You may know that you're now a heightened spear-phishing target, but nobody else will.

    I'm thinking that might be why upper management hasn't said anything.  They probably just want this to go away and pretend it never happened, and don't want anyone to ever find out.
    Wow.... Just, wow...  If that isn't reckless, then I don't know what is.

    Yeah, the vast majority of companies do this. I'm not saying it's right, but it is common to cover up incidents like this, rather than acknowledge them.



  • @morbiuswilters said:

    @C-Octothorpe said:

    @KrakenLover said:

    @UpNDown said:

    Depending on the country you work in, you may be legally required to provide notice to anyone whose personal information has been compromised.  That would probably include all the employees in the ERP system. You should contact your legal department, as the company may be liable for fines if the right procedures are not followed.  Plus, it's the right thing to do for the other employees.  *You* may know that you're now a heightened spear-phishing target, but nobody else will.

    I'm thinking that might be why upper management hasn't said anything.  They probably just want this to go away and pretend it never happened, and don't want anyone to ever find out.
    Wow.... Just, wow...  If that isn't reckless, then I don't know what is.
    Yeah, the vast majority of companies do this. I'm not saying it's right, but it is common to cover up incidents like this, rather than acknowledge them.
    I can see that, but can you imagine the implications if it leaks (by said hacker or whistleblower/insider) that a breach this large happened, over that long of a period of time, and there was nothing done about it, including not contacting the affected people. Christ, that would probably result in criminal charges...


  • @KrakenLover said:

    @UpNDown said:

    Depending on the country you work in, you may be legally required to provide notice to anyone whose personal information has been compromised.  That would probably include all the employees in the ERP system. You should contact your legal department, as the company may be liable for fines if the right procedures are not followed.  Plus, it's the right thing to do for the other employees.  You may know that you're now a heightened spear-phishing target, but nobody else will.

    I'm thinking that might be why upper management hasn't said anything.  They probably just want this to go away and pretend it never happened, and don't want anyone to ever find out.

     

     

    I guess you're in a classic CYA situation.  Make sure that a manager has received and replied to your email detailing the situation.  If he hasn't replied to it, you may still find yourself explaining your lack of action.

     



  • @C-Octothorpe said:

    @morbiuswilters said:

    @C-Octothorpe said:

    @KrakenLover said:

    @UpNDown said:

    Depending on the country you work in, you may be legally required to provide notice to anyone whose personal information has been compromised.  That would probably include all the employees in the ERP system. You should contact your legal department, as the company may be liable for fines if the right procedures are not followed.  Plus, it's the right thing to do for the other employees.  *You* may know that you're now a heightened spear-phishing target, but nobody else will.

    I'm thinking that might be why upper management hasn't said anything.  They probably just want this to go away and pretend it never happened, and don't want anyone to ever find out.
    Wow.... Just, wow...  If that isn't reckless, then I don't know what is.
    Yeah, the vast majority of companies do this. I'm not saying it's right, but it is common to cover up incidents like this, rather than acknowledge them.
    I can see that, but can you imagine the implications if it leaks (by said hacker or whistleblower/insider) that a breach this large happened, over that long of a period of time, and there was nothing done about it, including not contacting the affected people. Christ, that would probably result in criminal charges...
    Talking of whistleblowers, check if you can't get a significant reward for turning them in. In any case, in most jurisdictions whistleblowers are effectively unsackable forevermore.


  • Oh, and print out the email, take a copy home.



  • @fterfi secure said:

    @C-Octothorpe said:

    @morbiuswilters said:

    @C-Octothorpe said:

    @KrakenLover said:

    @UpNDown said:

    Depending on the country you work in, you may be legally required to provide notice to anyone whose personal information has been compromised.  That would probably include all the employees in the ERP system. You should contact your legal department, as the company may be liable for fines if the right procedures are not followed.  Plus, it's the right thing to do for the other employees.  *You* may know that you're now a heightened spear-phishing target, but nobody else will.

    I'm thinking that might be why upper management hasn't said anything.  They probably just want this to go away and pretend it never happened, and don't want anyone to ever find out.
    Wow.... Just, wow...  If that isn't reckless, then I don't know what is.
    Yeah, the vast majority of companies do this. I'm not saying it's right, but it is common to cover up incidents like this, rather than acknowledge them.
    I can see that, but can you imagine the implications if it leaks (by said hacker or whistleblower/insider) that a breach this large happened, over that long of a period of time, and there was nothing done about it, including not contacting the affected people. Christ, that would probably result in criminal charges...
    Talking of whistleblowers, check if you can't get a significant reward for turning them in. In any case, in most jurisdictions whistleblowers are effectively unsackable forevermore.
    This.

    Have you tried nudging them by resending the original email?  Fuck I would...  "I have yet to receive a response as to what action should be taken regarding the massive security breach last week.  Please advise."



  • Now that I think of it, there's also a liability issue for the outsourcing company.  They may be off the hook if not promptly advised of the extent of the problem.  Personally, I wouldn't get much sleep at night until I had informed legal.  Once you've made that step, the ball's in their court.  Just save your evidence in case you end up with a wrongful dismissal case on your hands.



  • @C-Octothorpe said:

    Have you tried nudging them by resending the original email?  Fuck I would...  "I have yet to receive a response as to what action should be taken regarding the massive security breach last week.  Please advise."
    Not until after having an off-the-record conversation with them to check what their intention was. They may simply not have appreciated the seriousness, they may have forgotten to tell you what was happening, or they may have tried to cover it up. Your subsequent actions will be dictated by which of those it is. Keeping it off the record gives you more options.



  • @fterfi secure said:

    @C-Octothorpe said:
    Have you tried nudging them by resending the original email?  Fuck I would...  "I have yet to receive a response as to what action should be taken regarding the massive security breach last week.  Please advise."
    Not until after having an off-the-record conversation with them to check what their intention was. They may simply not have appreciated the seriousness, they may have forgotten to tell you what was happening, or they may have tried to cover it up. Your subsequent actions will be dictated by which of those it is. Keeping it off the record gives you more options.

    Such as hush money 😉



  • @fterfi secure said:

    @C-Octothorpe said:
    Have you tried nudging them by resending the original email?  Fuck I would...  "I have yet to receive a response as to what action should be taken regarding the massive security breach last week.  Please advise."
    Not until after having an off-the-record conversation with them to check what their intention was. They may simply not have appreciated the seriousness, they may have forgotten to tell you what was happening, or they may have tried to cover it up. Your subsequent actions will be dictated by which of those it is. Keeping it off the record gives you more options.

    That seems like very bad advice. First of all, your subsequent action should be the same no matter what their intent: push them to comply with the law and keep thorough records of this. Second, no conversation is truly off-the-record: anything you say can come up later during criminal or civil proceedings. The reason to have a record is that you have proof of what you said. Imagine you have this OTR conversation and then are later subpoenaed to testify as to the nature of it, do you think your recollection will be pristine? Do you think the prosecutors and lawyers involved aren't going to do everything in their power to trip you up? Who do you think legal will pin the blame on, you or the executives?



  • @morbiuswilters said:

    That seems like very bad advice. First of all, your subsequent action should be the same no matter what their intent: push them to comply with the law and keep thorough records of this. Second, no conversation is truly off-the-record: anything you say can come up later during criminal or civil proceedings. The reason to have a record is that you have proof of what you said. Imagine you have this OTR conversation and then are later subpoenaed to testify as to the nature of it, do you think your recollection will be pristine? Do you think the prosecutors and lawyers involved aren't going to do everything in their power to trip you up? Who do you think legal will pin the blame on, you or the executives?
    Morbs is right.  Most companies willl try to pin it on a lower level employee.  Usually whoever noticed it.  it may be that they are too focused on figuring out a proper course of action, however you do need to protect yourself and document everything regardless.  



  • @morbiuswilters said:

    @fterfi secure said:
    @C-Octothorpe said:
    Have you tried nudging them by resending the original email?  Fuck I would...  "I have yet to receive a response as to what action should be taken regarding the massive security breach last week.  Please advise."
    Not until after having an off-the-record conversation with them to check what their intention was. They may simply not have appreciated the seriousness, they may have forgotten to tell you what was happening, or they may have tried to cover it up. Your subsequent actions will be dictated by which of those it is. Keeping it off the record gives you more options.

    That seems like very bad advice. First of all, your subsequent action should be the same no matter what their intent: push them to comply with the law and keep thorough records of this. Second, no conversation is truly off-the-record: anything you say can come up later during criminal or civil proceedings. The reason to have a record is that you have proof of what you said. Imagine you have this OTR conversation and then are later subpoenaed to testify as to the nature of it, do you think your recollection will be pristine? Do you think the prosecutors and lawyers involved aren't going to do everything in their power to trip you up? Who do you think legal will pin the blame on, you or the executives?

    If you get subpoenaed, it never happened. That's what 'off the record' means. It's your word against theirs, and if they want to lie, your bosses can lie whether you had a conversation or not - it won't affect the plausibility either way if they tell a good story. The fact is that sometimes you don't want to make waves. It may be that there's nothing so terrible going on, but someone forgot to jump through some regulatory hoop or other. Make sure they jump pronto, of course, but there's no need to leave records of the fact that they forgot.

    If someone's refusing to do something you're telling them is necessary, of course you cover your arse first. If someone merely makes a mistake, there's not necessarily a reason to land them in the shit just to make a point. You'll have more leverage to make sure it doesn't happen again that way.

    In this specific case, it may be that the top level execs didn't appreciate the seriousness of the problem. If so, the first thing to do is try to make them understand just how much shit they're in. If you succeed in getting through to them, there's simply no need to make a big deal out of the fact that they were a bit slow off the mark (just as long as they've learnt their lesson).

    Sometimes it's appropriate to make something 'official' by putting it in writing, but before you can know if it is appropriate to do so you have to gather information. That's what phone-calls are for.


  • :belt_onion:

    @fterfi secure said:

    If someone's refusing to do something you're telling them is necessary, of course you cover your arse first. If someone merely makes a mistake, there's not necessarily a reason to land them in the shit just to make a point. You'll have more leverage to make sure it doesn't happen again that way.
     

    If I'm reading the OP correctly, someone didn't just make a "mistake"; there's evidence the server was compromised due entirely to what they did. That's legally actionable negligence and the OP shouldn't say a single word to those responsible that's not written down. Hell, I'd have a lawyer as a party to any conversation too, but that may just be me.

     



  • @heterodox said:

    @fterfi secure said:

    If someone's refusing to do something you're telling them is necessary, of course you cover your arse first. If someone merely makes a mistake, there's not necessarily a reason to land them in the shit just to make a point. You'll have more leverage to make sure it doesn't happen again that way.
     

    If I'm reading the OP correctly, someone didn't just make a "mistake"; there's evidence the server was compromised due entirely to what they did. That's legally actionable negligence and the OP shouldn't say a single word to those responsible that's not written down. Hell, I'd have a lawyer as a party to any conversation too, but that may just be me.

     

    I agree in regards to the outside IT vendor.  However when it comes to dealing with his own management its another story.  And while the OP needs to cover himself, he also needs to figure out what managements plan is.  So dealing with them is another story all together.

     



  • @galgorah said:

    I agree in regards to the outside IT vendor.  However when it comes to dealing with his own management its another story.  And while the OP needs to cover himself, he also needs to figure out what managements plan is.  So dealing with them is another story all together.

     

    This. Obviously something needs to be done, and the outsourcers need to be hung out to dry, but there's no harm in a quick phone-call to your manager to check why nothing's being done. If they fob you off, you immediately put your concerns in writing. If they say something like 'ohshitohshitohshit, I had [distraction] that day and I completely forgot to do anything about that, I'll get right on it now' then you may not want to land them in it.



  • Its become suprisingly quiet from the side of KrakenLover. At first I thought that all the legal advice was perhaps a bit premature, but you start to wonder.



  • I had a meeting with the CTO, and handed the issue off to him.

    He was not pleased by the lack of action from other people in management, it seems.  And, thus far, I haven't been on the receiving end of any blame.  It looks like the outsourced IT services vendor will be on the receiving end on this one.



  • Sorry if you find this written in a strange style and a little out of context, your confusion about no-one taking any notice bought to mind this piece I wrote ages ago, so I've just copied and pasted a block of it. It was a similar experience, the reason they seemed not to care was because A. They'd have to admit it happened and B. They'd have to acknowledge that you bought the problem to light., here goes...

     

    After a year off I got a new job at a University, I was thrilled. The
    money was better, the work was less and I got use of all their
    facilities whilst I was there. I was working in the electrical and
    electronic engineering department and it was geek heaven. You want to
    mess with computers on a slow afternoon? What do you want to mess with?
    The sixteen core workstation, the old Sun or the SGI boxes? Got a
    project you want to build, no problem use the electronics lab.


    We even had facilities to etch our own PCB's and a free store of
    basic components to dip into, if you needed something special nine times
    out of ten Maxim/Microchip/TI were keen to give you a free sample, this
    was the university after all.


    Combine this with lunches that were quite often liquid, or erm... herbal and well, paradise.

    I
    was happy at WTF U, this was where I was going to stay forever, I could
    not imagine any set of circumstances that would ever make me leave,
    eventually though I found just such a set of circumstances but I will
    come to that later.


    Whilst I was working at WTF U I did end up doing a few jobs well
    outside of the job I had been hired for, I did them thinking I might get
    a promotion and actually get paid for them one day but really I wasn't
    actually that bothered even if I didn't. The pay I was getting was more
    than I was used to and the workload was so light than in a bang per buck
    sense I was spoilt, in fact often I had so much free time I NEEDED to
    work on extra projects just to cut through the boredom.


    Some of the things I got up to were practical like the environmental
    and power monitor for the server room with GSM modem so the server room
    could text message me when the network was down and no other
    notifications could get through.


    Some of them were just fun, like the sensors on the office door that
    caused the 'star trek doors' sound effect to sound every time someone
    entered or left the room, the hovercraft and turning the twenty thousand
    pound environmental testing chamber into an overpriced beer cooler.


    Some of them however were just out of boredom and curiosity like the
    machine to crush empty cans for recycling, based on an old vacuum pump
    which when attached to the top of an empty beer can would evacuate it
    and allow the atmosphere outside to crush the can.


    Just one of those projects inspired by curiosity is why I actually
    started writing this piece because I was thinking about it when I got up
    this morning, however it is three or four SERIOUS WTFs rolled into one.
    The first one is kind of funny, so we will start there before we get
    into the more serious matters.



    University WTF #1, the internet and the DHCP office.

    My first day at WTF U was something of a jaw dropper, especially after being used to running IT in a business environment.
    Pretty
    much everyone had admin/root access to their own desktop and every
    machine had its own real, live external internet IP. No NAT, no proxy,
    machines live on the internet with ordinary users sitting at them with
    admin rights.


    Obviously this was a nightmare scenario of people running bit
    torrent at Super JANET speeds and desktops infested with worms, viruses
    and spyware. However this was apparently how they liked it, the
    academics set policy it was merely my job to support it and try as I
    might to suggest changes and improvements my ideas were always
    completely ignored because I wasn't one of the academics and obviously, a
    doctor in sonar and acoustics knows more about running real world IT
    than any pleb such as myself, even with years of experience.


    The university was an ape enclosure full of power games and internal
    struggles, only the top ape was decided by the number of letters after
    his name rather than his size and strength.

    As I said before, for
    the most part I was happy to let all of that go over my head because of
    the good pay, conditions, environment and facilities. I was however
    continually frustrated by the power struggle between Elec. Engineering
    and Central IT.


    At Elec Eng. we ran our own mail, file, apps and web servers. We
    took care of our own clusters and lab computers but they all had to
    connect via the network provided by central IT, whatever suggestions I
    made to improve that were always ignored simply on the basis that they
    had come from those evil outsiders over in Elec Eng.


    The network was a nightmare and not least because every machine was
    on the internet, network points in publicly accessible labs were often
    used by students to gain internet access for their laptops. Central IT's
    solution to this was to only give out DHCP allocations to registered
    kit, every machine we had was allocated a DHCP reservation. Of course
    this didn't stop students hard coding IP's. I tried to suggest that we
    simply lock the ports on the switches down to a single MAC address, this
    wouldn't stop them all but it would at least have curbed the problem a
    little.


    In the end the best I could do was fire fighting, I would monitor
    networks for unregistered MAC addresses and try to track down and punish
    the students involved. Even when MAC addresses matched I would try to
    log into windows machines with a dummy active directory account I had
    set up, this would confirm whether the machine behind that MAC was
    actually one of our windows boxes or some foreign machine, not part of
    our AD structure.


    Even when the computers did belong to us most of the academics had
    admin access to their own machines and would use the network to download
    movies and cracked software via P2P, so I started monitoring for that
    too.


    In the end though the most they ever got was a telling off and a
    "Please don't do that again on the work's network, KTHXBAI.". The
    unwritten rule was that academics could do no wrong even when they
    blatantly violated the terms of use for computing facilities, the JANET
    terms of use and their contracts of employment with the university.


    So I would do my best to keep a lid on the can of worms and
    dutifully register new kit on the DHCP server, I should I say, with the
    DHCP office.

    You see allocating a piece of kit an IP was not as
    simple as editing a CONF file or opening an MMC snap in, due to the
    internal power struggles, the ill thought out IT infrastructure and I
    suspect the desire to keep some old friends in a job the process for
    getting a DHCP reservation went like this:


    I would have to fill in the details of the new machine in an excel
    spreadsheet, save a copy, attach it to an email and send it to someone
    in central IT, to protect the identity lets call her Barbera.

    Barbera
    would then open the spreadsheet, read the details and re-type them
    manually into a web based inventory. A script somewhere in central IT
    would daily update the reservations to reflect the inventory.


    As a WTF this is unfortunately far from unique, I seem to recall
    reading one along the lines of a 'human pipe' once where someone would
    take a screenshot of a folder listing in the GUI and someone else would
    have to read it and re-type the file listing, keeping two people in a
    job where both could have been replaced by a dir /b >listing.txt


    It could have been worst, I learnt that until recently the excel and
    email system had been a paper form which would have to be posted
    through the internal mail!

    University WTF #2, security by obscurity.



    As part of my system to track down rouges, I would have to compare the
    results of my network monitoring and scanning against the 'official'
    inventory of equipment supposedly on the network, this meant I had to
    get information back from Barbera.


    Fortunately getting information out was not as convoluted as putting
    it in, I had access to the web based inventory and although I couldn't
    register kit I could download dumps of the official DHCP reservations.


    This involved logging in using a username, password and supplying my
    date of birth to be checked against personnel records. The server would
    issue me a cookie with a session id which allowed me to use the system,
    I could then request a dump of a particular subnet and I would be
    redirected to an XML file.


    Interestingly I noted that the XML file was just that, a flat file,
    not a script that generated an XML output. These files would be
    re-generated at 7am every day.

    It soon became obvious that armed
    with the URL of this flat file I could simply GET it, without having to
    log in or have a valid session ID. This was a security WTF but it was
    useful to me as I could script the downloading of up to date information
    on a daily basis without having to log in myself.


    What did start to worry me though, was that the files were
    accessible off site, from any anonymous dialup IP anywhere on the
    internet. If you knew the URL you could download not just a list of
    MAC's and IP's but other inventory information such as the names and
    staff ID numbers of the registered owner and user, the physical location
    of the machine and DNS records associated with it.


    I mentioned it but like anything else that came out of Elec Eng it was ignored.

    I
    let it go, I'd done my bit to flag up the problem and it was out of my
    control to fix it so I just carried on capping that can of worms
    until...


    University WTF #3, the one factor authentication.

    Coming back to those projects I would undertake just out of curiosity.

    One
    day on a slow Friday afternoon I was sorting out some old IT junk and
    found a bunch of old photocopier-card machines. Before the university
    had a printing credit system for students, copies and print outs would
    be limited using cards. Students could purchase cards from the library
    which contained a simple magnetic stripe, this would be read by kit
    attached to the printer and would only allow a certain number of pages
    to be printed before it interrupted the paper sensor and convinced the
    printer it had no paper left. The card would then be updated and
    ejected.


    Armed with a load of these old magnetic stripe readers, I decided to
    take one apart and wire it up to the soundcard on my computer.

    I fed my university supplied ID card through and recorded the output.

    I like everyone in the university had such an ID card and we were
    required to swipe it through readers on a daily basis to unlock doors to
    restricted areas, "Wouldn't it be funny." I thought "If you could clone
    one?"


    You see the cards where not just used for opening doors, they opened
    the barriers to the car park in the morning and this logged how often
    you had parked on campus, charges for car parking would then be
    automatically deducted from your pay. There was also a system taking
    shape where a small amount of credit could be loaded onto a database
    somewhere in central IT and you could then use your ID card to pay for
    small purchases at the canteens and coffee shops around campus.


    Cloning a card seemed like a good idea, the last time we hired a van
    from university transport they included a visitors card which would get
    us through all the parking barriers without having to pay.. the idea
    was simple, clone one, free car parking!


    Cloning a card was easy when in possession of the original but being
    curious I didn't stop there, I wrote a small app to decode the
    information my soundcard was collecting.

    The stripe was biphase
    encoded and used a standard ISO character set, after decoding my own
    card I got my own staff ID number back.


    I tried it with a few others and it seemed that this was all that the stripe contained.

    An
    intriguing possibility presented itself, the staff ID number was no
    secret, it was printed on the front of the card, on payslips and of
    course it was listed in that inventory I mentioned early. It became
    clear that armed with someone's staff ID number I could create an ID
    card out of an old credit card, mobile phone top up card, train ticket
    or just a piece of card with some VHS tape stuck to the back.


    I proceeded to test the idea with the ID number of the building manager.

    Swipe - click.. heeelllooooooo. 🙂

    I
    like most sneaky IT technicians would have liked to keep this to myself
    and take advantage of the ability to move anywhere, any time without
    leaving an audit trail behind me. However it was obvious that because
    these staff ID numbers where accessible by anyone, anywhere on the
    internet I had to bring it to light.


    Armed with the correct URL, you could get staff ID's tied with their
    building and office number. Thus armed with that URL and an old train
    ticket you could get yourself into just about anywhere in the
    university, including the biochem lab where they kept the smallpox.


    Given that the network was so easily penetrated and that so many
    spyware infested machines existed around campus, it was a possibility
    that someone could easily get hold of this URL..

    Something had to
    be done even if it meant going over everyone's heads, it just wasn't
    right to let political infighting bury the news because it embarrassed
    someone, somewhere.


    I reported it over an above my superiors to anyone who would listen,
    I never did get any acknowledgement that they recognised my problem let
    alone fixed it, it wouldn't be right to acknowledge that a mere IT guy
    had uncovered such a gaping security hole.


    However six months later all the card readers where upgraded and
    everyone was issued with new ID cards, this time with a second random
    track. Now you did at least have to be in possession of an original card
    to clone it. I also noticed changes to the inventory system, they are
    still flat XML files and there is still no security on them but the
    filenames are now a little bit more obscure.


    Obviously someone somewhere took credit for uncovering and fixing this but it wasn't never going to be me.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.