
Bastard Security Troubleshooter

Taking the pIIS


Episode 21

So the PFY and I rock on into work after lunch one day, pausing only to drop the pint glasses off with Security, noticing as we pass The Boss hobnobbing with the Head Security bloke.

I don't like it.

In fact it's high on the list of things that I don't like, nestled between slave traders and the Austin Princess as a mode of transport. (But still waaaay down the list from OS/2 fans...)

The only time The Boss ever hobnobs is when he wants something, and the only thing he could possibly want from the Head of Security, (apart from pointers on how to sleep with his eyes open), is information generally related to security i.e. who's been sneaking into the cloakroom and writing "Kick me" on the back of his anorak before he jumps on the tube home.

It seems obvious now that I'm going to have to ditch the visitor swipe card and Impact Marker that have served me so well...

Ah well.

We glide back to Mission Control in time to find the Head of IT wandering about the place with a distracted look on his face.

"Ah!" he blurts as we enter. "Just the persons!"

In between "Beancounters" and "Personnel Disorganisers" on the list is also "IT Managers - pleased to see you". It doesn't bode well.

"Listen, I've got this proposal here which I'd like you two to have a quick shufty at, and tell me if it's accurate, and if the major conclusion is justified?"

He hands over a piece of paper which is obviously the handiwork of the boss. Of course, the coffee ring on the bottom is his de facto Seal of Office and a dead giveaway, but the grammar and lack of punctuation nail the lid firmly down.

I glance over the document, (which would still only be a C+ paper in an "English as a Second Language" course) and it all falls into place.

The Boss has, because of the spate of IIS vulnerabilities in the recent past, raised the issue of contracting a "Security Officer" to make sure our site is up-to-scratch on the anti-intrusion front.

I read on as he puts the slipper into The PFY and me when we're down by saying we can't possibly keep pace with the vulnerabilities in the software we support with our other workload.

ACTUALLY, I'm hurt! After all the effort I put into exploiting the problem noted in the latest CERT document to slap a photoshopped-up image of him in flagrante with a sack of potatoes!!

No-one appreciates an artist.

"I think we're perfectly capable of keeping the systems secure!" I blurt.

"So secure that an animated picture of me in a tutu managed to replace the corporate logo three weeks ago?" our Manager snaps.

I'd forgotten about that. Now THAT was craftsmanship.

"It slipped in before a patch for the server software was available," I cry, "I..."

"I don't want to HEAR it!" he interrupts. "It wasn't reported for a week, and then it wasn't removed for another three days!! What sort of system is that?"

I figure that the answer "A system that waits for the PFY to come back from holiday so he can have a laugh" isn't the answer he's fishing for, and decide to keep mum...

Ah well...

Two days later the Security Troubleshooter arrives, complete with Khaki Safari Suit. Very Old School Cloak and Dagger.

"Hello chaps," he says, at the end of The Boss's whirlwind tour of the office and Mission Control. "I take it you're the people I should be talking to about the config of the Firewall and Web servers in the first instance. Can you make a meeting... tomorrow, at say... 9am to go over that?"

"9am," I murmur out loud, not really wanting to break the habit of a lifetime and come in early... "What about 10:30?"

"No, no - bright and early - on a limited time budget and all that. 10 till 11 tomorrow I'm meeting the in-house security to go over other points. 9am sounds good."

"You can get stuffed," I respond, never being an exacerbater, despite what The PFY calls me when he thinks he's out of earshot...

"I beg your pardon??!"

"I said I'd be chuffed!" I respond.

"Excellent, and where should I put this?"

...ONE MINUTE LATER...

"I said he should stick it in his OFFICE!" I say to The Boss in response to his summons, "Why, what did he think he heard?"...

TWO DAYS LATER.

"..and Nessus had detected several glaring vulnerabilities in some of the lesser known web services, an anonymous ftp site with write access to the world which appears to be stuffed with porn, and finally a mail service which responds to any email message with a virus.."

"That would be the one we use when we have to supply an email address to any service which claims it doesn't add your contact details to any list" the PFY adds.

"Yes," he responds dryly. "Anyway, as a result, I have secured the servers concerned, applied all the latest server and OS patch levels. I've also cleaned up the immoral and illegal content."

"My porn archive!" The PFY gasps sadly.

"All on backup tapes," I console him. Speaking of consoling, I also console the consultant, using a real console.

"Sorry about that," I murmur, picking the 19-inch monster off his foot. "Dreadfully clumsy of me. Meant to return it to its owner earlier in the day after the Police returned it."

"Police?" he responds, true to form. "Why?"

"Oh stocktaking. You know, staff theft. We get a lot of it around here - almost every day if we're honest. Someone backs their car up to the disused Service Bay by the freight elevator and slips off with one piece of equipment or the other."

"And what happened with the prosecution?"

"Well, to have an airtight case, someone has to actually WITNESS them stealing it, and I'm not hanging around in an abandoned service pit all bloody night."

"What about CCTV?"

"No point, the service bay is supposedly never used."

"Right then, I'll do it! I've got infrared kit I brought back from Nigeria. I'll have your proof in no time!!"

Two days later...

"..and he never came back?" The Boss asks.

"No, he mentioned something about Nigeria and Malaria, and that was that."

...

"I feel a bit sorry for him," The PFY blurts.

"Nonsense!" I respond, pointing at the IR CCTV monitor. "Look, he's found those old pot noodles. That should keep him going another day! And he's still got half a cup of urine left. LUXURY!"

"I still..."

"OK, well we are a bit strapped for things to do. Tell you what, you can choose what you want to do: let him out before he goes insane, OR restore your porn archive?"

"I'll get the backup tapes..."

Ah well. ®

BOFH is copyright © 1995-2001, Simon Travaglia. Don't mess with his rights.
