Feeds

BOFH: The enemy at the gate

Semper vigilo

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Episode 13

BOFH 2004: Episode 13

So we’ve got someone on the network who considers themselves a bit of a ‘leet dood’ hacker.

I notice when IDS starts throwing up portscans stepping through our IP address range one at a time.

“He’s not even bothering to disguise it...” the PFY remarks drily, pointing at an IP address allocated to one of the lesser machines in beancounter central.

“Yeah, AND he’s using a desktop machine, not a service kiosk, which would have obscured the trail a little bit.”

“Really? I prefer turning off Mac-Address change warnings on the router then use a networked printer’s address.”

“Sneaky,” I comment.

“Yeah. So what’s he doing now the scan has finished?”

>Clickety<

“Hmmm. Looks like he’s testing rootpaks against our main web server.”

“We're still running Apache on it aren't we?” the PFY asks worriedly.

“No no, 'secure' IIS.”

We laugh a bit at that one, and continue watching. As if..

"Ah! Now he's switching to ftp vulnerabilities.. ... and now back to the portscanning again."

"So not much of a threat?"

"Not as yet. But bear in mind, once he gets into the Beancounters' area with their requirement to administer their own 'servers' it's going to be intrusion city Arizona!"

"Should we warn them?"

"Yeah, I suppose so."

"Give their geek a ring?"

"I was thinking more of pings-of-death on their older unpatched machines.."

... Several crashes later...

"There's something wrong with the network," the Boss blurts, bumbling into Mission Control. "The phones are going mad!"

"Yes, it seems we have a hacker..." I say, pointing at the IDS console.

"It looks like he's using a prepackaged kit to attack our servers in a pseudo random manner to avoid detection," the PFY adds.

"Aren't you going to stop him?"

"Ordinarily yes, but we'd like him to get in somewhere so that we can eavesdrop and see what he's looking for."

"How?"

"We'll activate the remote snoop client on his machine."

"Remote snoop client?"

"Yeah, we fudged their install media to always install the snoop client. Just to... uh.. help them diagnose problems... if they ask us."

"So they don't know that it's installed on their machines?"

"No."

"Do you install this remote stuff on everyone's machines?" the Boss asks.

"What would be the point of that?" I respond, dodging the question so as to avoid putting a quid in the 'lie jar' that the PFY and I recently installed.

"Shouldn't we be calling the police?!" the Boss asks.

"What for?" the PFY asks. "It'll just be some wingnut down in Finance who's watched that movie Wargames one too many times in his childhood and believes he can use the system to trigger a nuclear incident if he tries really hard."

"Which of course he can't," the Boss finishes.

"Well..... probably not. Well 95 per cent certain," the PFY responds.

"You don't sound too sure."

"It's difficult - I mean he might be quite intelligent, he might have outside help, or he might just have beginner's luck."

"So do you know where it's coming from?"

"Yeah, down in accounts. From the IP number I'd guess it's over in the far corner, near where that new guy is."

"New guy?" the Boss asks, forming a theory.

"Yeah, what's his name...... Almed, Amal" the PFY replies, dropping a quid in the lie jar with a >clink<

"Amal," I say. "Remember, he came up to introduce himself. Arab guy, new to London," I say, adding a quid with another quid.

"I... uh..." the Boss says, not wanting to say it.

Honesty, it's just too bloody easy sometimes, and at this rate the jar will be full by lunchtime.

"What.. uh.. does he do?" the Boss asks.

"Something in accounts I think he said," the PFY says >clink<

"Yeah," >clink< I add. "But he needed to borrow a laptop for the time being because they didn't have a machine for him - hey, maybe that's the machine he's using!"

"And you checked his ID."

"WhatID?" the PFY asks.

"His company ID."

"You have to be here for a couple of weeks before your ID's made!" I say.

"Well did he have a swipe card?"

"Uuuuuhhhhm, no, I think I let him through the door." >clink<

"Right. OK," the Boss chirps irrationally, trying to gather his thoughts while pacing excitedly "Right! This Amal chap, what did he look like?"

"Hard to tell. Normal I spose, Tall, strong?"

"Strong."

"Yeah, he was carrying his bag like it was nothing. Huge bag, canvas thing. Green." >clink<

"Khaki, not green," >clink< I correct. "One of those army surplus things that flooded the market after the Gulf W..."

>slam<

. . . two hours later . . .

"Well it was all a bit of mistake," I say, to the Head of IT as the Boss is taken away for a bit of questioning. "It seems that someone down in Beancounter Central was running a Nessus scan across our hosts - without telling us, mind - which looked to all intents and purposes like an attack from inside the company. Meanwhile my assistant and I were talking about a movie that we'd seen sometime, and he must have mixed the two together in his head." >clink< "Unless of course, he had some other reason for calling the Antiterrorism people. "

"He's often said that he doesn't like the way Microsoft always chooses the American way of spelling," the PFY adds with another >clink<

"So the whole thing was a big mistake."

"Yeah. Well, 95 per cent certain..." ®

Internet Security Threat Report 2014

More from The Register

next story
Docker's app containers are coming to Windows Server, says Microsoft
MS chases app deployment speeds already enjoyed by Linux devs
IBM storage revenues sink: 'We are disappointed,' says CEO
Time to put the storage biz up for sale?
'Hmm, why CAN'T I run a water pipe through that rack of media servers?'
Leaving Las Vegas for Armenia kludging and Dubai dune bashing
'Urika': Cray unveils new 1,500-core big data crunching monster
6TB of DRAM, 38TB of SSD flash and 120TB of disk storage
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
SDI wars: WTF is software defined infrastructure?
This time we play for ALL the marbles
Windows 10: Forget Cloudobile, put Security and Privacy First
But - dammit - It would be insane to say 'don't collect, because NSA'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.