Dustin and the Secret Plans (Part 1)
by the LiveSecurity Content Team

"So come on, dish the dirt. You said you owe me."

Dustin Barnes, network administrator for Kunstler & Sons Musical Instruments, didn't smoke cigarettes. This was not a moral stand for him -- in fact, he enjoyed a Partagas after a big meal on occasion -- but he just hadn't happened to pick up the cigarette habit. Nonetheless, most afternoons found him shivering in a cold parking lot with the smokers, because he had learned that this was the best pipeline for interdepartmental scuttlebutt. Tongues flapped loose in the smokers' circle, and Dustin made a point of listening. He rationalized this as "the outermost circle of my intrusion detection system against possible insider attacks," but secretly, like most men, he dug gossip.

"Spill, Randy," he continued with the factory foreman. "What's really going on?"

Randy, the lanky cowboy type, exhaled smoke, then blinked as the wind tossed it into his flinty eyes. "Times are good at ol' K & S," he allowed. "We got a 200-trombone order from a Chicago school district."

The cluster of people groaned.

"Not that!" Dustin urged. "This sales conference. Junior has never called in the whole force at a moment's notice before." Junior was the smoking group's nickname for Karl Kunstler III, the third-generation CEO of Kunstler & Sons.

"And," added a slender, dark-complected young man on Dustin's right, "something is being very hush-hush about it."

"Exactly, Nandi," agreed one of the smokers, a Puerto Rican artist who designed the elegant swirls engraved on K & S horns.

Randy let a suitable moment of tension build, then said, "You didn't hear it from me..."

"So far, that's true," Dustin observed.

"...but word is, Junior got an exclusive on some high-tech new alloy. The horns'll toot higher than they did before, and shine brighter, but they'll be cheaper to make and lighter to ship."

"Excellent!" Nandi beamed. "Cutting-edge trombone technology!"

"So...Sales is here to get briefed on the new FABs?" Dustin asked, referring to Features, Advantages, and Benefits.

"Bingo." Randy dropped his cigarette to the asphalt and stepped on it. "The meeting's tomorrow, but some of the reps have already arrived. Junior wants to take Fender and Selmer by surprise, so keep this on the down-low, okay?"

"Of course," Dustin said, as the cluster of co-workers began drifting back to the building. "Thanks."

Hands jammed in his coat pockets for warmth, Dustin shuffled along several steps before he noticed Nandi hadn't followed. He looked back, and saw Nandi, in his navy peacoat, staring at the business immediately across the parking aisle from the Kunstler & Sons factory. Dustin turned and rejoined him. He followed Nandi's gaze. The neighboring building looked boring as ever: beige tilt-up walls, just like every other building in this business park; glass doors, with AMI in large letters above them, and "Arlington Military Instruments" in smaller letters.

"What?" Dustin asked.

Too cold to pull a hand out of his pockets, Nandi pointed with his chin. "Over there. I have read about war chalking, but I have never seen it myself."

Dustin looked, and now noticed a symbol drawn on the concrete, like graffiti, to the right of AMI's front door:

"Wireless," Dustin grumped, in the tone people usually say, "tax audit." "Not in my house. I just don't feel like we can secure it."

Nandi seemed upbeat. "Leet hax0rz have been roaming my neighborhood!" he grinned.

"Why so happy?"

"It means job security!"

Dustin laughed as they hustled into the warmth of Kunstler & Sons' lobby. "Not if they take us down--"

As they crossed the lobby, he spotted two members of the sales force rushing to intercept him. Dustin groaned inwardly.

This Monday had already been the craziest one in memory. He and his assistant, Nandi Paradivash, had attended a SANS conference all last week. On top of the usual stacks of work and hundreds of e-mails that piled up whenever Dustin was away, he returned to find that CEO Karl Kunstler had called in the eleven members of Kunstler & Sons' national sales force for a one-day emergency meeting. Dustin had perceived a rare opportunity to standardize every one of the company's remote users on updated personal firewalls and anti-virus, and he seized it -- especially since he knew first-hand what could happen if he didn't (recounted in "Dustin and the Pirate Treasure"). But oh, the cries of protest and the endless special requests once Dustin began commandeering the sales reps' computers!

And now here they came again. He had already set up his back-up print server in a conference room; just a quick-and-dirty network segment, without any domain name, so they could print out tomorrow's PowerPoint hand-outs without bothering the rest of the office. Now what did they want? He pretended not to see them, and walked faster.

"Big D!" Troy Blount, former all-Indiana college linebacker, hollered in an "Outdoor Voice." "Hold up a sec! You gotta help us." Troy caught up with Dustin from behind, slapped his big hands on Dustin's shoulders, and pounded them in artificial affection. "We can't print!"

Turning, Dustin asked, "What's wrong with the printer I set up for you?"

He glimpsed Nandi fading away with a "you stepped in the cow pie and I didn't" grin.

"Oh, it's printin' all right," said Sharon Hooter, the company's Southeast rep, with her mouth full of food. "That's the problem. Goo-Goo Cluster?" She thrust out a candy box containing a couple of left-over, half-melted chocolates.

"Uh, no thanks. Just show me what's wrong."

Troy gave Dustin a good-natured shove -- at least, Dustin hoped it was good-natured -- into a nearby conference room. Langston, the company's Central rep, and Kai, the company's West Coast rep, stood over an HP LaserJet 4050 TN, which was adding to a stack of at least 200 pages in its output tray.

Dustin picked up the top page and glanced at it. Dense text surrounded a CAD-style illustration of an aircraft carrier. "Seems to be printing fine. But what is this?"

Langston shrugged. "None of us know. It has nothing to do with our business, but it's tied the printer up since you left. Can't you stop it?"

"Sure." Duh. Dustin pressed the Cancel Job button on the top of the printer. The flow of pages halted. The printer's two-line menu flickered through a few different status notes, then seconds later, the first page of Langston's presentation began to slide out of the machine.

Delight and embarrassment mingled on the sales reps' faces. "Hell, if we'd known it was that easy, we wouldn'ta bothered ya," Sharon said.

"This has been printing for over half an hour?" Dustin asked. He took the thick pile of papers off the printer and paged through them. Footers and headers labeled each page "Top Secret," "Confidential," or "Eyes Only." A quick tour through the stack confirmed his impression: it looked like secret United States military weapon specifications. "Who printed this?" he asked the room.

The account managers stared back with innocent expressions. "None of us," Troy said.

Sharon added, "It started on its own."

Through a supreme effort of will, Dustin did not react to the notion of sentient print jobs initiating themselves. But he realized Kai might have a point -- not that the job started itself, but since his impromptu print server was hanging off the company network, theoretically someone outside of this room could have found the printer.

Whoever had printed would have left their IP address behind. Just last week, Dustin's boss, Grant Crawford, had told him that the company wanted to more closely track who was printing, and when. Dustin had downloaded and installed a trial of Advanced Printers Activity Logger on his regular print server, and on this back-up.

"Excuse me a sec, Langston," he said. Leaning across Langston to reach the mouse, he right-clicked on the system tray and chose "Minimize All Windows" so he could see the desktop, then double-clicked on the icon to open the Logger. It popped open a window, and he clicked on the Jobs Journal tab, revealing this window.

What was "HawkEyes1.5"? And he had expected to recognize the user name. "Who in heck is Alexa T?" he mumbled. Kunstler & Sons had fairly low employee turn-over, and he believed he knew all his users' names. K & S had no Alexa.

"234," he muttered, making a mental note of Alexa's IP address. And the

He exited from Advanced Printers Activity Logger. Then, to the sales reps: "Looks like you're good for now. Kai, Troy, I'll need your laptops for a few minutes, like we discussed."

Kai shrugged and shoved his Sony VAIO across the table. "By the way," he commented, "while you're adjusting things, could you open the company firewall to allow KaZaA through? I'm having problems downloading some stuff, and I figure that's why."

"Oh, good reminder, Kaiser Roll," Troy broke in. He handed his laptop to Dustin, saying, "Can you change the time-out on this thing? The screen's always locking up when my son plays Sims Online."

Dustin ground his teeth, trying to wait out the red mist swimming before his eyes.

Just then Kunstler entered, all macho fun all the time, greeting his sales force. "Hey! What stinks in here? Oh, must be Sharon's Goo Goo Clusters!" That triggered a cacophony of greetings, catcalls, and vile puns.

Dustin's highly tuned Spider Sense told him this was not the best time to explain corporate Acceptable Use Policy. He had the laptops he wanted. Counting this a moral victory, he retreated.

He strode down the corridor, shifting the laptops to his other arm so he could check his watch. Almost 5:00 o'clock. A chaotic day, but it would be over soon.

He arrived at the bullpen where his IT team worked. Nandi sat surrounded by the glorious mess of too much gear: shiny geometric shapes, enough twinkling LEDs to land a jet by night, and multi-colored wires snaking as if a paint store had blown up next to a spaghetti factory.

"Two more, Nandi," Dustin announced, looking for an open flat surface, giving up, and placing the laptops on the floor near Nandi's feet.

"Not a problem," Nandi said. While his hands picked up Troy's laptop and opened the CD-ROM tray, he nodded his head at three Toshiba 8100s stacked on his desk. "We have finished those, if the owners want them."

"Way to go. Have Jennifer take 'em to the conference room, and let the reps sort 'em out." Dustin headed into his office.

At his desk, he used his KVM switch to call up his Firebox Management Station. "Okay, Ms. 234," he muttered, "let's find out who you are." He opened the Control Center, found the little Firebox Monitors icon, and clicked on it. A large grid displaying the level of traffic running through the Firebox popped up. Dustin ignored it. Beneath the large grid, he found the tab labeled Status Report, and clicked it.

The Status Report popped up instantly. Ignoring the top part of it, Dustin scrolled down. Since he used DHCP, a single IP address didn't tell him much about the identity of someone on his network -- the IPs issued from, and returned to, a pool of IP addresses, as needed.

He wanted to see who had 192.168.0.234 during the print job. The ARP table would show him the MAC address currently bound to 192.168.0.234. He had a list showing which Kunstler & Sons employees owned which MAC addresses. Finally his scrolling brought him to this portion of the report:

    ARP Table:
    Flags Address HWtype HWaddress Mask Iface
    205.122.52.2    ether   00:90:7F:04:2D:87   C     eth2
    205.122.52.1    ether   00:01:63:4C:38:00   C     eth0
    205.122.52.2    ether   00:90:7F:04:2D:85   C     eth0
    205.122.52.2    ether   00:90:7F:04:2D:86   C     eth1
    192.168.0.1     ether   00:90:7F:04:2D:86   C     eth1:1
    192.168.0.34    ether   00:60:8C:05:2A:1B   CMP   eth1
    192.168.0.174   ether   00:60:8C:05:25:45   CMP   eth1
    192.168.0.57    ether   00:60:8C:03:27:97   CMP   eth1
    192.168.0.79    ether   00:60:8C:03:AD:9B   CMP   eth1
    192.168.0.234   ether   00:60:1D:02:D2:3A   CMP   eth1
    192.168.0.231   ether   00:60:1D:02:35:15   CMP   eth1
    192.168.0.2     ether   00:60:8C:05:23:73   CMP   eth1
    192.168.0.7     ether   00:60:8C:03:B3:A3   CMP   eth1
    192.168.0.15    ether   00:60:8C:05:85:C2   CMP   eth1
    192.168.0.27    ether   00:60:8C:04:7F:2C   CMP   eth1
    192.168.0.225   ether   00:60:1D:02:11:28   CMP   eth1
    192.168.0.33    ether   00:60:8C:04:B4:19   CMP   eth1
    192.168.0.55    ether   00:60:8C:05:03:A0   CMP   eth1
    192.168.0.69    ether   00:60:8C:05:D3:AB   CMP   eth1
    192.168.0.229   ether   00:60:1D:02:B5:41   CMP   eth1
    192.168.0.238   ether   00:60:1D:02:A4:33   CMP   eth1

The Address field gave him a list of all the IP addresses currently in use on his network, and the HWaddress ("hardware address") field gave him the MAC addresses. Except --

Dustin straightened from his slouch. Huh? The ARP table seemed to string on forever, showing twice as many users as Dustin usually saw on his network. How could that be?

And -- Dustin's whole network used 3Com brand NICs, so he was used to seeing every MAC address begin with the same few digits, 00:60:8C. Okay, 00:90:7F was his Firebox. But now his listing showed cards bearing an additional manufacturer ID, 00:60:1D. Who the heck was inserting extra devices into his network?

As far as he knew, he and his staff were the only ones technically capable of it. He and Nandi had been gone all last week. His lower-ranking staffers, Jennifer and Rod, knew better than to try such a thing without telling him.

Maybe if he knew what devices had been installed in his network, he'd know what was going on. Dustin kept a "References" folder in his Internet Explorer Favorites. Whenever he ran into a Web site he thought would be useful for looking something up later, he bookmarked it into that folder. He called up IE and, from his References favorites, chose IEEE. Seconds later he had a searchable database of all the manufacturers and their unique MAC identification numbers, referred to as Organizationally Unique Identifiers (OUI).

The top box on the page bore the label, "Search the public OUI listing." Dustin typed 00-60-1D, and hit Enter. The site responded rapidly with the manufacturer's name. But it made no sense to him.

Dustin blinked a few times, trying to comprehend. His mighty left brain hemisphere and his much less mighty (but still rather impressive) right brain hemisphere circled each other warily, until finally they agreed to a handshake, and suddenly he realized what must've happened.

"Holy crap!" He jumped to his feet and headed for the bullpen, shouting, "Nandi! Intruder alert!"

But Nandi was gone. Dustin scanned the twinkling lights and throbbing screen savers of Nandi's area. Nope, no skinny Indian. He glanced at his watch: 5:20p. Nandi must've gone home.

Dustin sighed heavily. An intrusion on this scale couldn't wait. He had to handle it now. And whether his guess about what had happened was right or not, he would have to handle it on his own.

[To be concluded.]
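The check Dustin makes by eye on the ARP table can be scripted. The following is an added example, not part of the original story: it parses a subset of the rows from the Status Report above and groups trusted-side (eth1) addresses under any vendor prefix (OUI) that is not on an allow-list. The allow-list contents and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumed allow-list: the two vendor prefixes the story says belong here.
EXPECTED_OUIS = {"00:60:8C": "3Com NIC", "00:90:7F": "Firebox"}

# Subset of the rows from the Status Report's ARP table quoted in the story.
ARP_TABLE = """\
205.122.52.1   ether 00:01:63:4C:38:00 C   eth0
192.168.0.1    ether 00:90:7F:04:2D:86 C   eth1:1
192.168.0.34   ether 00:60:8C:05:2A:1B CMP eth1
192.168.0.174  ether 00:60:8C:05:25:45 CMP eth1
192.168.0.234  ether 00:60:1D:02:D2:3A CMP eth1
192.168.0.231  ether 00:60:1D:02:35:15 CMP eth1
192.168.0.2    ether 00:60:8C:05:23:73 CMP eth1
192.168.0.225  ether 00:60:1D:02:11:28 CMP eth1
192.168.0.229  ether 00:60:1D:02:B5:41 CMP eth1
192.168.0.238  ether 00:60:1D:02:A4:33 CMP eth1
"""

ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+"
    r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\S+)\s+(\S+)$"
)

def parse_arp(text):
    """Return one dict per well-formed row; header or garbled lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, mac, flags, iface = m.groups()
            rows.append({"ip": ip, "mac": mac.upper(), "flags": flags, "iface": iface})
    return rows

def unexpected_by_oui(rows, expected=EXPECTED_OUIS, iface="eth1"):
    """Group IPs on iface (and aliases such as eth1:1) under OUIs not on the allow-list."""
    found = defaultdict(list)
    for row in rows:
        if row["iface"].split(":")[0] != iface:
            continue
        oui = row["mac"][:8]  # first three octets identify the manufacturer
        if oui not in expected:
            found[oui].append(row["ip"])
    return dict(found)

if __name__ == "__main__":
    for oui, ips in unexpected_by_oui(parse_arp(ARP_TABLE)).items():
        print(f"unexpected OUI {oui}: {len(ips)} hosts -> {', '.join(ips)}")
```

Because the addresses come from a DHCP pool, the output identifies which hardware holds each IP at the moment the table was read, not who held it earlier.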