WatchGuard Technologies, Inc.
Dustin and the Pirate Treasure (Part 2)

by the LiveSecurity Content Team

Dustin badged into the LAN room and strode purposefully to his Exchange server, the shapeless roar of the servers echoing his state of mind. In several years of working with networks, he had never been hacked from outside. Indignation fired his thoughts of the freakin' wacko who had waltzed into his network and tromped on valuable resources. Normally about as emotional as a bag of hammers, Dustin was surprised at how many feelings the intrusion triggered in him: embarrassment, a sense of violation, excitement at being challenged, exasperation that senior management had turned down his security recommendations in the name of the great god Bottom Line … But most of all, he wanted to catch the rat. That required focus. He forced himself to take a few deep, slow breaths.

His next move seemed obvious. Even with Larry Trank on vacation, Dustin could check the accountant's e-mail. Every bit of it, coming or going, had to pass through FreddieMercury, the Exchange server whose name saluted both the lead singer of Queen, and the mail man of the Roman gods. Dustin logged on as Exchange administrator with his password, "I am totally L33t!" -- after a scary afternoon experimenting with John the Ripper, he was enforcing a minimum password length of 12 characters -- and opened Outlook. He then directed Outlook to Larry Trank's mailbox and went straight to Larry's Inbox folder. This was more invasive than Dustin preferred, but what else could he do? Sacrifice the company's whole network over one individual's privacy? Not on his watch.

Starting from the present and working backwards, he began reading Subject lines, looking for the Scr3w-U worm's header, "Funny joke! LOL!" Larry turned out to be a business-focused guy; compared to some accounts Dustin had seen, Larry had very little hobby-oriented e-mail or letters to relatives. Most recently, he had several e-mail exchanges with Expedia.com as he prepared to leave on vacation. "Huh," Dustin noted. "So ol' Larry's in Aruba about now!" But over 90 percent of his e-mail had business subjects.

The bandwidth usage had shot up on November 28, so Dustin expected to find the Scr3w-U e-mail slightly before that. As he worked his way back through November 25, November 24, November 23, Dustin nearly doubted his own diagnosis. Scrolling, scrolling, scrolling … Then at last, datestamped in the wee morning hours of November 21, there it was: "Funny joke! LOL!" "Great Gates," Dustin mumbled, "This thug's had more than a week to enumerate the network." His mind reeled at the possibilities. The hacker could have watched where SMB broadcasts were going, established which IP was the domain controller, used any of various local elevation of privileges attacks to gain domain administrator status...

He clicked on the little paper-clip icon. Sure enough, the e-mail carried an attachment, heheheh.pif. Dustin remembered that Nandi had described Scr3w-U as a "typical mass e-mailer" -- in other words, he hadn't mentioned a thing about Scr3w-U doing any spoofing. Dustin's eyes alit on the "From" field. Then, despite himself, he broke into a Cheshire grin. "Well, well," he said to the server room. "I wonder if I've just solved our security budget problem."

From behind him, Dustin heard the click of the LAN room's door latch. He turned to see Nandi backing in, shoving the door open with his rump while dragging in a cart containing Larry Trank's PC and a monitor. Dustin called, "Check this out. I know who sent the Screw-U virus to Larry."

Once the cart was through the door, Nandi smacked dust off the knees of his Dockers, then joined Dustin at the console. Nandi's eyes lit up, and his face blossomed into a twin of Dustin's big grin. "He can run, but he cannot hide," he observed.

"Yep. What do you give the CEO who has everything? Well, everything except time to get defenses on his laptop?"

"A 'mastered' degree from Screw-U," Nandi answered. "I presume the pleasurable task of informing him falls to you?"

"Aw yeah," Dustin said. He did a little "I da man!" victory bounce, grooving in place for a second, while improvising a few measures of something like the bass line from Shaft. "You presume correctly."

"So the Trojan e-mailed itself from Mr. Kunstler's machine to Mr. Trank's machine," Nandi thought aloud. "Mr. Trank, seeing an e-mail from his boss, opened the attachment before he left on Friday, activating the virus executable...." He trailed off, puzzled. "Dustin, I can see how Mr. Kunstler picked up the virus, with his tendency to gad about the country with his naked laptop. But that still does not explain how the .pif file got through the firewall."

Dustin had already turned to his second Management Station and logged in to SimplyRed, his perimeter Firebox. "Way ahead of ya," he said. "I wonder if you, Jennifer, or Rod had some reason to change the Firebox configuration. Let's make sure it really is set to block .pifs." He double-clicked on the Control Center icon and brought up Policy Manager. He opened the SMTP Proxy icon, and seconds later, was looking at the Incoming SMTP Proxy Content Types. He went to the box labeled, "Deny attachments based on these file name patterns," and scrolled down the list. The list included the usual suspects: *.scr, *.bat, *.exe, *.vb?, and more. Nestled among them was *.pif (as on this screen capture).

"It is there!" Nandi said. "Do you suppose the Firebox's SMTP Proxy is malfunctioning?"

Dustin's mind raced. "Nnnno," he said tentatively. "Actually, if Kunstler got the virus while on the road, then carried his laptop into his office and connected, that would do it. He'd carry the virus right around our firewall, then connect on the Trusted network. But he hasn't been in the building for weeks, until today." Dustin executed his nervous "I'm thinking" habit of alternately twiddling the = key and the Backspace key, making the cursor jiggle frenetically in place. "Hey. When Kunstler's e-mail arrived, what IP did it come from?" He turned back to FreddieMercury, right-clicked on the contaminated e-mail message, and examined the headers. "Aha!"

Nandi read over his shoulder. "192.168.0.241. What does that tell you?"

"Remember? Last month we began reserving all our IPs from 240 and higher for our mobile users." Dustin saw Nandi's brow furrow in puzzlement. "This shows why the virus got through the firewall," he explained, "The SMTP proxy never got to see it."

Nandi began to ask why, but stopped as the answer dawned on him. "Ah! His mobile user connection is VPN --"

"Yep," Dustin finished, "and the Firebox treats VPN connections as though they came from the Trusted network. VPN traffic comes in through the Any service, so it never passes through any of the proxies. But that means a VPN tunnel is only as trustworthy as the machine on the other end."
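As an added illustration (not part of the original story or of any WatchGuard product), here is a small triage script that does what Dustin did by hand: it pulls the originating IP from the message's Received header, checks whether it falls in the reserved mobile-user range (assumed here to be 192.168.0.240 through .254), and tests attachment names against the proxy's deny patterns, flagging mail that the SMTP proxy never saw because it entered over the VPN. The sample message is constructed; hostnames and addresses in it are placeholders.

```python
import fnmatch
import ipaddress
import re
from email import message_from_string

# Patterns from the Firebox "Deny attachments based on these file name patterns" list.
DENY_PATTERNS = ["*.scr", "*.bat", "*.exe", "*.vb?", "*.pif"]
# Assumption: mobile/VPN users get 192.168.0.240 and higher, as in the story.
MOBILE_FIRST, MOBILE_LAST = ipaddress.ip_address("192.168.0.240"), ipaddress.ip_address("192.168.0.254")
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_mobile_ip(ip_text):
    # True if the address is in the reserved mobile-user (VPN) range
    ip = ipaddress.ip_address(ip_text)
    return MOBILE_FIRST <= ip <= MOBILE_LAST

def is_denied_name(filename):
    # True if the attachment name matches any proxy deny pattern (case-insensitive)
    return any(fnmatch.fnmatch(filename.lower(), p) for p in DENY_PATTERNS)

def triage(raw_message):
    # Flag mail that the SMTP proxy would have blocked but that arrived from the VPN range
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # The last Received header is the earliest hop: the host that handed the mail to Exchange
    m = IP_IN_BRACKETS.search(received[-1]) if received else None
    origin = m.group(1) if m else None
    denied = [p.get_filename() for p in msg.walk()
              if p.get_filename() and is_denied_name(p.get_filename())]
    via_vpn = origin is not None and is_mobile_ip(origin)
    return {"origin_ip": origin, "via_mobile_vpn": via_vpn,
            "denied_attachments": denied, "proxy_bypass": via_vpn and bool(denied)}

# Constructed sample mirroring the story: mobile-range sender, worm subject, .pif attachment
SAMPLE = """\
Received: from laptop ([192.168.0.241]) by FreddieMercury with SMTP; Fri, 21 Nov 2003 02:14:00 -0800
From: ceo@example.test
Subject: Funny joke! LOL!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="heheheh.pif"
Content-Disposition: attachment; filename="heheheh.pif"

(payload omitted)
--b1--
"""
```

Running `triage(SAMPLE)` reports the 192.168.0.241 origin, the denied `heheheh.pif` name and `proxy_bypass` set, which is the condition Dustin reconstructed from the headers.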

They paused for a second, thinking through Dustin's theory, and decided it held up. Dustin declared, "I'm sure that's how it happened. And that is why I'm going to get a personal firewall and anti-virus on Kunstler's laptop the next time it comes in here, even if I have to sit on him to do it." The more he thought about it, the more it bothered him. He'd let internal politics declare the security policy, instead of best practices.

"The intrusion is not your fault," Nandi said. "You tried to do the right thing. But sometimes one cannot cross the strange politics of a family-owned business. Trust me on this."

"Some things will have to change around here, or I refuse to be held accountable for this network." Dustin noticed his shoulders had tensed and his jaw clenched. He forced himself to lighten up. "Leave it to our users to turn a VPN tunnel into an attack vector, huh, Nandi?"

"Do I get to see what is on that pirate FTP server now?" Nandi asked. "I am hoping for my own free copy of Lord of the Rings!"

Dustin sighed. "First I'm going to have a little chat with Kunstler about providing server-side anti-virus. Then we have all the rest of the clean-up to do. I'll e-mail you and the rest of the IT team a memo." He headed for the server room door, suddenly longing for the quiet of his office. Just before he opened the door, he glanced back at Nandi. "Lord of the Rings. Ha. Make me a copy, too, and we'll consider it our severance package, huh?"

Nandi held his hands up, wide-eyed, in a "Who, me?" gesture of pure innocence. Dustin shook his head, then left.

*****

An hour later, Dustin sat back in his Aeron chair and indulged in an enormous stretch-and-yawn. His boss, Grant Crawford, had nearly burst a vein upon finding out what had happened to the network, and why; Dustin had enjoyed watching that. For once, someone was taking network security as seriously as he was. After a cursory examination of the compromised FTP server, Nandi had provided vital details on the quantity and quality of pr0n the company's server had distributed, and how many copyright laws Kunstler & Sons had helped break over the weekend. The prospect of the little 200-employee music company being kicked back and forth through the courts by copyright-holding titans like Sony and Bertelsmann definitely motivated the CIO.

By speakerphone, Crawford and Dustin had managed to reach CEO Kunstler on his cell phone at the airport. Kunstler freely admitted he had been using the company laptop at home to get personal e-mail both from his ISP and a Hotmail account, apparently clueless that these were Bad Things. A born opportunist, Crawford neatly spun the already-serious intrusion into a massive nightmare of liability by dwelling at length upon worst-case scenarios. What if the attacker had stepped from Kunstler's FTP server to one of the company's Just-In-Time vendors' networks? Then Kunstler could be liable for any damage committed on the vendor's computers. What if the attacker had found his way into the customer database and taken music store credit terms or bank account numbers? Then Kunstler could be liable for any monetary loss. What if the attacker had targeted some of the computer-controlled stations on the assembly line, and made them produce trombone tubing inspired by Dr. Seuss? What if...

Confronted with the costs of a successful intrusion, Kunstler quickly agreed that an ounce of prevention cost less than a pound of cure. Crawford and Dustin won permission to purchase and install server-based, centrally-administered anti-virus, and all they needed to offer the chagrined executive in exchange was a promise to keep discreetly vague around the office about exactly how their network got hacked. Dustin also elicited permission (assuming the demo proved satisfactory) to purchase ServerLock, a WatchGuard product that would have stopped Rude Rex Rocks from creating directories on the FTP server or writing to the drive. And, most heartwarming to Dustin, the CEO admitted that he should model adherence to the company's e-mail policy, instead of being the biggest exception. The conversation ended with Kunstler commending their diligence, and specifying where he'd wait at the airport until Nandi could show up with all the appropriate tools to get the executive's laptop in proper shape.

Dustin snapped out of his reverie. He proof-read the e-mail memo he had just composed. He skipped the introductory paragraph and checked the To Do assignments he thought should remedy the unauthorized intrusion on the company network:

  1. Get Scr3w-U cleaning download from McAfee -- Nandi

  2. Standardize all legacy machines on current anti-virus solution -- Nandi, Jennifer, Rod

  3. Push Scr3w-U cleaner to all networked machines -- Dustin

  4. Set all client machines to auto-update anti-virus -- Jennifer and Rod

  5. Get a/v and personal firewall on all mobile user machines -- Nandi

  6. Tighten egress filtering on all servers -- Dustin

  7. Find last known good FTP server image in backup archives, and restore -- Nandi

  8. Search machines in Accounting network segment for any further anomalies -- Dustin and Nandi

  9. Audit Accounting ledgers for any corruption from hacker -- Accounting

  10. Send LiveSecurity article, "What's Risky about E-Mail Attachments," to all employees -- Jennifer

  11. Write an Intrusion Response policy -- Dustin, Crawford, and committee (to form).

Satisfied for now, Dustin clicked Send. He stood and stretched again. Okay, he hadn't caught the hacker, and probably never would, but the good guys had come out ahead -- not bad work, considering that it was still an hour before lunch. He felt he'd already made a solid contribution to Kunstler & Sons today.

Of course, he wouldn't say that to anyone. Most of his co-workers had no clue how many times a month his team saved their butts. But he didn't really mind. Unlike Kunstler & Sons' customers, Dustin Barnes wasn't the type to toot his own horn.

Credits

Technical concepts: Steve Fallin and Corey Nachreiner

Simulated logs and charts: Corey Nachreiner

Original concept and writer: Scott Pinzon
