Feeds

BOFH: The enemy at the gate

Semper vigilo

  • alert
  • submit to reddit

3 Big data security analytics techniques

Episode 13

BOFH 2004: Episode 13

So we’ve got someone on the network who considers themselves a bit of a ‘leet dood’ hacker.

I notice when IDS starts throwing up portscans stepping through our IP address range one at a time.

“He’s not even bothering to disguise it...” the PFY remarks drily, pointing at an IP address allocated to one of the lesser machines in beancounter central.

“Yeah, AND he’s using a desktop machine, not a service kiosk, which would have obscured the trail a little bit.”

“Really? I prefer turning off Mac-Address change warnings on the router then use a networked printer’s address.”

“Sneaky,” I comment.

“Yeah. So what’s he doing now the scan has finished?”

>Clickety<

“Hmmm. Looks like he’s testing rootpaks against our main web server.”

“We're still running Apache on it aren't we?” the PFY asks worriedly.

“No no, 'secure' IIS.”

We laugh a bit at that one, and continue watching. As if..

"Ah! Now he's switching to ftp vulnerabilities.. ... and now back to the portscanning again."

"So not much of a threat?"

"Not as yet. But bear in mind, once he gets into the Beancounters' area with their requirement to administer their own 'servers' it's going to be intrusion city Arizona!"

"Should we warn them?"

"Yeah, I suppose so."

"Give their geek a ring?"

"I was thinking more of pings-of-death on their older unpatched machines.."

... Several crashes later...

"There's something wrong with the network," the Boss blurts, bumbling into Mission Control. "The phones are going mad!"

"Yes, it seems we have a hacker..." I say, pointing at the IDS console.

"It looks like he's using a prepackaged kit to attack our servers in a pseudo random manner to avoid detection," the PFY adds.

"Aren't you going to stop him?"

"Ordinarily yes, but we'd like him to get in somewhere so that we can eavesdrop and see what he's looking for."

"How?"

"We'll activate the remote snoop client on his machine."

"Remote snoop client?"

"Yeah, we fudged their install media to always install the snoop client. Just to... uh.. help them diagnose problems... if they ask us."

"So they don't know that it's installed on their machines?"

"No."

"Do you install this remote stuff on everyone's machines?" the Boss asks.

"What would be the point of that?" I respond, dodging the question so as to avoid putting a quid in the 'lie jar' that the PFY and I recently installed.

"Shouldn't we be calling the police?!" the Boss asks.

"What for?" the PFY asks. "It'll just be some wingnut down in Finance who's watched that movie Wargames one too many times in his childhood and believes he can use the system to trigger a nuclear incident if he tries really hard."

"Which of course he can't," the Boss finishes.

"Well..... probably not. Well 95 per cent certain," the PFY responds.

"You don't sound too sure."

"It's difficult - I mean he might be quite intelligent, he might have outside help, or he might just have beginner's luck."

"So do you know where it's coming from?"

"Yeah, down in accounts. From the IP number I'd guess it's over in the far corner, near where that new guy is."

"New guy?" the Boss asks, forming a theory.

"Yeah, what's his name...... Almed, Amal" the PFY replies, dropping a quid in the lie jar with a >clink<

"Amal," I say. "Remember, he came up to introduce himself. Arab guy, new to London," I say, adding a quid with another quid.

"I... uh..." the Boss says, not wanting to say it.

Honesty, it's just too bloody easy sometimes, and at this rate the jar will be full by lunchtime.

"What.. uh.. does he do?" the Boss asks.

"Something in accounts I think he said," the PFY says >clink<

"Yeah," >clink< I add. "But he needed to borrow a laptop for the time being because they didn't have a machine for him - hey, maybe that's the machine he's using!"

"And you checked his ID."

"WhatID?" the PFY asks.

"His company ID."

"You have to be here for a couple of weeks before your ID's made!" I say.

"Well did he have a swipe card?"

"Uuuuuhhhhm, no, I think I let him through the door." >clink<

"Right. OK," the Boss chirps irrationally, trying to gather his thoughts while pacing excitedly "Right! This Amal chap, what did he look like?"

"Hard to tell. Normal I spose, Tall, strong?"

"Strong."

"Yeah, he was carrying his bag like it was nothing. Huge bag, canvas thing. Green." >clink<

"Khaki, not green," >clink< I correct. "One of those army surplus things that flooded the market after the Gulf W..."

>slam<

. . . two hours later . . .

"Well it was all a bit of mistake," I say, to the Head of IT as the Boss is taken away for a bit of questioning. "It seems that someone down in Beancounter Central was running a Nessus scan across our hosts - without telling us, mind - which looked to all intents and purposes like an attack from inside the company. Meanwhile my assistant and I were talking about a movie that we'd seen sometime, and he must have mixed the two together in his head." >clink< "Unless of course, he had some other reason for calling the Antiterrorism people. "

"He's often said that he doesn't like the way Microsoft always chooses the American way of spelling," the PFY adds with another >clink<

"So the whole thing was a big mistake."

"Yeah. Well, 95 per cent certain..." ®

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.