The Story of Jeff: Part VII, VIII & IX

By Kurt Seifried, [email protected]


The Story of Jeff: Part VII


Somewhere in a tacky but well-lit office deep in the bowels of Acme Corp., a printer comes to life, spitting out several sheets of paper. It shudders to a halt and silence returns. Andy picks up the printouts and starts flipping through them. A small twitch at the corner of his mouth slowly develops into a smile.

"Jeff, I think we've found it."

"Huh, found what?"

"The hacker, from Russia, we've got his phone number," replies Andy, drumming his fingers nervously on the desk.

"How sure are you?"

"Pretty sure. It fits the access pattern — same time, he tried several times, login failed, the user is not in Russia, in fact, he was working late last night in building X."

"Sounds good to me. Let me call Cindy and we'll meet for lunch."

"OK Jeff." Hanging up the phone, Andy glances up at the clock. 11:15. He decides to reread a few pages on Windows security policies.

Every phone call has an equal and opposite phone call. Jeff's reaction to Andy's call results in a call to Cindy to arrange lunch. In turn, Cindy makes a phone call to her niece Samantha.

"Hey Sam, I'm sorry but I won't be able to make it for lunch today like I promised."

"But you promised! We had this planned weeks ago!"

"I'm sorry, but something came up. We can do it tomorrow, I promise."

"You promised last time!" Slamming the phone down, Samantha lets out a primal scream. Then she wrenches the phone off again and throws it into the wall with a resounding crack.

Shaking her head violently, Samantha heads for her desk. She takes several deep breaths and, grinning ferally, starts to compose an email:

To: [email protected]
From: [email protected]
Subject: Acme corp trade secrets
Please find attached some blueprints for an old Acme 
Corp. favorite, the mark 4 anvil with optional drop hooks.
This is just a taste of what is available. I can send you
blueprints to all their current stuff and their research
and development labs for a measly $1 million US.
Have a nice day. 

Meanwhile, in the cheerful employee cafeteria at Acme Corp., we see three people at a table in the corner. Cindy is waving her fork animatedly. "I think we should report him to the police and provide them with evidence of the break-in. Prosecute him!"

"Is that such a great idea?" Andy asks. "The negative publicity, we already got hacked once. We've kicked them out and secured our network. I say we let things be and get on with work."

"I think you both have valid points," Jeff replies in a calm tone. "I spoke with the CEO this morning and he said we're not going to prosecute. The chances of a conviction are far too slim, and the publicity isn't what we want"

"That spineless gimp! If we go after this guy, it'll make any other hacker think twice about messing with us. We need to set an example. We have an office in Europe; they can coordinate with the police."

"No, Cindy, we are not going to prosecute. However, the CEO did authorize me to hire a Russian investigator to find the identity of our hacker. After that we'll decide how to proceed, as well—"

Andy interrupts. "We should call him up and tell him we know where he lives!"

"No, that might even be considered a threat and be illegal. We're definitely not going to do anything illegal. Both of you got that? Cindy?"

"OK Jeff, but I still say we prosecute him."

Andy and Cindy look at their plates rather unhappily. Jeff slowly pushes a French fry around with his spoon. "Look, I think we should nail him to the wall, too, but until the CEO makes up his mind we have to sit on it."

Lesson #15
Response can take many forms. If you want to prosecute, that means court and probably publicity and possible negative attention. On the other hand, if every company actually opted to charge people with crimes, instead of quietly covering them up, we'd probably have a much lower computer crime rate.

To: [email protected]
From: [email protected]
Subject: Acme corp trade secrets
We are very interested, but 1 million seems a bit steep.
We will pay you $5,000 to the bank account of your choice 
for each existing product you send us the complete blueprints for
and $10,000 for each R&D project. 
Having a nice day.

Samantha smiles. Typing her reply in, she thinks of all the wonderful things she'll be able to afford.

To: [email protected]
From: [email protected]
Subject: Acme corp trade secrets
Sounds fair. I'll send them in batches of 5 at a time, and once
payment is confirmed, I will send another batch.

Lesson #16
Your competitors may not be as honest as you, stooping to corporate espionage to steal R&D work. Producing knockoffs is another common way of making a quick profit at the expense of consumers.

The Story of Jeff: Part VIII


The sun rises, the sun sets. Men and women go to work and then they go home. People go about their daily lives, oblivious to the growing storm that is about to explode around them like a Ford Pinto getting rear-ended in a low-speed collision.

High over the Atlantic zooms a large corporate jet with "EMCA" painted on its fuselage. A man sits in a large padded chair with a large pink longhair Tibetan mountain cat purring softly on his lap.

"Ms. Pinkleweather, have we got an update on our new research effort?"

"Yes, Herr Doctor. The first five files were uploaded several hours ago. As soon as our lab finishes verifying them, we will send the money."

"Purrrfect. Soon we can begin production of their best products in our secret Antarctic factory. That was a brilliant move, if I say so myself . . . the tax breaks are amazing."

"Yes, Herr Doctor, and using penguins to assemble the products was a stroke of genius, especially with the worldwide drop in herring prices."

A server in a brightly lit room. Hard drives chatter, lights flash; data is moved, magnetic patterns reassembled.

"Hello, this is the help desk."

"Yeah, hi, I tried to open up the project folder for project X-53 but it says folder not found, so I did a search for it, but I couldn't find it."

"Hmm. . . . I can't find it either. Someone must have accidentally deleted or moved it. I'll restore a backup — just give me a few minutes."

"OK, thanks!"

A ticket is logged, and the tech returns to work.

Lesson #17
Files that go missing might warrant some investigation. Data doesn't normally just disappear.

Profiles and System Policies

"OK Andy, it looks like we're ready to roll. Have you made a backup of all the user accounts and settings?"

"You bet, Jeff. We can roll this back if it blows up."

"All right, let's go over the checklist one last time then. Administrator profile with everything enabled?"


Lesson #18
In Windows, system policies basically work by modifying registry settings. So if you log in with a very restrictive profile, you may end up stuck if you do not have a way to re-enable all the settings. If you do not make a profile for the administrator with everything enabled, you could end up in very deep trouble.

"Admin group with everything enabled?"


"General sales and marketing profile with network neighborhood disabled, network sharing disabled, control panel disabled, file sharing disabled, run command disabled?"


"OK, let's do it."

A few short clicks later, the config.pol files have been copied to the PDC and all the BDCs on the network. Jeff logs in at a workstation under a test account and smiles at the missing icons and commands. "Good work, Andy. Now the question is, what do we do about any existing network shares?"

"Uhmmm . . . we could scan the network for machines with ports 137 and 139 open, and then see if they have any shares."

"Good answer. It so happens I downloaded just such a scanner that also lists open shares. Let's get it running and go have a coffee."

"Sounds good to me!"

Lesson #19
If you're going to disable a feature such as allowing users to share out folders, you should also check for any existing shared folders and stop sharing them as appropriate. In any event, all data should be stored on servers where access can be better controlled and logged, and backups are much easier to make.

Samantha is grinning wickedly, watching the progress meter on a download steadily approach 100%.

"This'll show them! I can fly to Bermuda and laugh at all of them!"

Humming to herself, she encrypts the downloaded files and sends them on their merry way.

"Jeff, when did you guys emplace system policies?"

"Ermm, last night, Cindy. Why do you ask?"

"Thanks for the warning. . . . You know how many help desk calls we had this morning?"

"Oh, my bad! Didn't you get my email?"

"No — in fact, I haven't gotten any email from you in a few days."

"That's strange. I'll take a look into it."

Sitting down at his desk, Jeff logs into the network and accesses the mail server.

"What the—? That can't be right!"

Turning around, he picks up the phone and dials Cindy.

"Hey, why have you been sending 10 megabyte files out? You exceeded your quota, which is why you aren't getting any email."

"I haven't been sending out any 10 megabyte files via email!"

"According to the logs, you have."

"That doesn't make any sense!"

Is Cindy a mole? Will Jeff manage to trace the attacker down? Why does the author keep mentioning a cat?

The Story of Jeff: Part IX

"Oy vey, oy vey, third session circuit court of Acme Corp Inc. is now in session, the honorable Judge William E. Coyote presiding. All stand."

A quiet shuffling as people stand and stare at the judge.

"You may be seated. Bailiff, read the charges please."

"The defendant, Cindy Plunkett, stands accused of high treason against the company. The sentence is 40 years of forced labor."

"Thank you. The prosecutor may begin."

"Thank you, your honor. As we all know, the defendant is guilty. We have incontrovertible evidence and witness testimony to offer."

The prosecutor smirks at Cindy's lawyer and sits down.

"Your honor, my client is simply a victim of circumstance. She did not copy secret research data and send it to an outside source via her email account, as the prosecution claims. We will be offering an alternative theory that will explain what happened."

"The prosecution may call its first witness."

"We call Jeff Chang to the stand. Please state your name and position with the company."

"My name is Jeff Chang. I am currently in charge of the network."

"When did you first suspect the defendant to be a disloyal, backstabbing traitor?"

"Ehhh? I never said that! I said I think she might be sending out research data, and next thing I know some corporate security goons are hitting me in the head with a sack of doorknobs, and then here I am in the courtroom."

"Can you describe to us the evidence you found?"

"Uhh, sure. Well, I noticed that Cindy's mail account was wedged; she'd been sending out a lot of large emails. She said she didn't send them, so I decided to check further. I found she'd sent out five 10-megabyte files, which means she hit the quota of 50 megs per week of email. I managed to find a copy of the sixth email that was supposed to be sent and found it was a single file, either compressed or encrypted. I haven't been able to decode it yet.

"So I was curious as to what it might be, and I remembered several helpdesk trouble tickets regarding research data going missing, so I decided to check the access logs on them. They showed that Cindy's account had accessed the files. But the access time on these files was 4 a.m., and I checked with security and Cindy wasn't in the building then. But she could have accessed it remotely, or written a script that waited till 4 a.m. to do it."

Lesson #20
Accessing files can be automated, so if someone claims they weren't at their workstation when something happened, they may be telling the truth. They may have simply automated that task.
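The check Jeff describes (file-access log entries compared against who was actually in the building) is the kind of thing that can be scripted, and Lessons #17 and #20 both point at it. The following is an added example, not code from the original story; the audit-log and badge-log formats, the server name `fileserver`, and the sample records are all constructed for illustration.

```python
"""Flag accesses to sensitive paths made while the account owner was not badged in.

Added example with constructed data. A hit means the account was active while
its owner was absent: either a scheduled task (Lesson #20) or someone else
using the credentials. Either way it warrants investigation, not a verdict.
"""
from datetime import datetime

# Constructed file-access audit log: date time account action path
ACCESS_LOG = r"""
2002-03-05 09:12:44 cindy READ \\fileserver\research\X-53\design.doc
2002-03-06 04:00:02 cindy READ \\fileserver\research\X-53\design.doc
2002-03-06 04:00:05 cindy READ \\fileserver\research\X-53\specs.pdf
2002-03-06 04:01:10 cindy DELETE \\fileserver\research\X-53
2002-03-06 10:30:00 andy READ \\fileserver\it\policies.txt
""".strip()

# Constructed badge log: account badge-in-date badge-in-time badge-out-date badge-out-time
BADGE_LOG = """
cindy 2002-03-05 08:45:00 2002-03-05 18:02:00
cindy 2002-03-06 08:50:00 2002-03-06 17:40:00
andy 2002-03-06 07:30:00 2002-03-06 16:15:00
""".strip()


def parse_access(text):
    """Yield (timestamp, account, action, path); path may contain spaces."""
    for line in text.splitlines():
        date, time, user, action, path = line.split(maxsplit=4)
        yield datetime.fromisoformat(f"{date} {time}"), user, action, path


def parse_badge(text):
    """Return {account: [(badge_in, badge_out), ...]}."""
    presence = {}
    for line in text.splitlines():
        user, d1, t1, d2, t2 = line.split()
        presence.setdefault(user, []).append(
            (datetime.fromisoformat(f"{d1} {t1}"), datetime.fromisoformat(f"{d2} {t2}")))
    return presence


def suspicious_accesses(access_text, badge_text, sensitive_prefix):
    """Accesses under sensitive_prefix whose account owner was not in the building."""
    presence = parse_badge(badge_text)
    prefix = sensitive_prefix.lower()
    return [
        (when, user, action, path)
        for when, user, action, path in parse_access(access_text)
        if path.lower().startswith(prefix)
        and not any(start <= when <= end for start, end in presence.get(user, []))
    ]


if __name__ == "__main__":
    for hit in suspicious_accesses(ACCESS_LOG, BADGE_LOG, r"\\fileserver\research"):
        print("INVESTIGATE:", *hit)
```

On the constructed data the three 4 a.m. events (two reads and the deletion of the X-53 folder) are flagged under cindy's account, while the daytime accesses by both users are not.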

Taking a deep breath, Jeff glances nervously at Cindy. He wonders if the homicidal look in her face is real or not.

"So anywise, I checked Cindy's machine and found she had PGP installed, along with an unknown public key. When I checked to see if the file was PGP-encrypted, it was, so it looks like research data was copied, encrypted and then sent out via email. I checked Cindy's workstation some more and found a script set to run in Windows Scheduler that did all this at 4 a.m."

Lesson #21
Windows Task Scheduler is a really nifty tool and should probably be disabled and removed if at all possible.

"And this was all done from Cindy's workstation. There is no sign of anyone else involved?"

"Er . . . no . . . I don't think so."

"Your honor, the prosecution rests."

Cindy leans over to her lawyer and whispers, "Don't forget to ask about the KeyGhost. I'm not doing 40 years of forced labor in the marketing department." Cindy's lawyer pales slightly and nods.

"Jeff, you say you found all this evidence on Cindy's computer, correct?"

"That's right. . . ."

"Is it possible that someone could have accessed Cindy's computer remotely, or locally, and done all this?"

"Well, yes. . . ."

"Someone like the attacker that broke in several times from Russia?"

"I suppose so."

"Or someone with physical access to her computer, in a normally unlocked office?"


"Your honor, I have here defense exhibit A, a list of all personnel with physical access to Cindy's office. As you can see, the list is over 100 names long."

"So noted. Label exhibit A and put it in the shoebox."

"Thank you. Now Jeff, if this had been set up remotely, or locally, would there be any way to tell?"

"Well, not really, if they did it locally . . . but they would have had to get Cindy's password, and we've recently had everyone reset their passwords."

"Indeed they would have. Your honor, I have here defense exhibit B. Jeff, can you identify this item?"

Jeff takes the piece of PS/2 cable with a big lump in the middle and looks at it for a moment. "I'm sorry, no I can't."

"Your honor, this is called a KeyGhost. It's a piece of hardware you simply plug in between the keyboard and the computer and it logs all the keystrokes. You can later retrieve these keystrokes, meaning any passwords and so on would be easily discovered. It was found attached to Cindy's machine, and five other machines in the building, mostly executives. We dusted them for fingerprints and found some. Unfortunately, they did not match anything in the employee database, meaning they were put in by an external intruder."

Lesson #22
Getting DNA samples from all your employees may not be possible, but getting a photograph is probably a good idea. And if you can, you may want to collect fingerprints. Of course, convincing employees that the company will safely store these details and not use them for nefarious purposes is another matter.

"Pending further evidence, I am dismissing the case against Cindy Plunkett. In light of the fact that we have an external intruder, I suggest we find out who it is as fast as possible."

"Oy vey, oy vey, third session circuit court of Acme Corp Inc. is now closed, the honorable Judge William E. Coyote presiding. All stand."

Is Samantha's retirement fund blown? Is the slight wobble in the tape storage rack actually a problem? Is Jeff allergic to cats?

Last updated on 3/10/2002

Copyright Kurt Seifried 2002