WatchGuard Technologies, Inc.
Dustin and the Golden Tubas (Part 2)

by the LiveSecurity Content Team

[Editor's Note: This story began in Part 1, when Dustin Barnes, network administrator for Kunstler & Sons Musical Instruments, obeyed ConGlomCo's request that he terminate the VPN tunnel connecting to their JIT server at a name instead of an IP address. Later, Kunstler & Sons' manufacturing line stops when a "Just In Time" order "Just Isn't There." Instead, ConGlomCo shipped an unexpected half ton of gold. What's going on? The mystery concludes, below. Then check our "Afterword," which reveals who answered last week's "Extra Credit" question rapidly and accurately enough to win the pretentiously-named WatchGuard ergonomic mobile Universal Character Set output device. Enjoy! --Scott Pinzon]

"I think I know what happened," Dustin told his assistant, Nandi, as they rushed into the office. "But I want to know how it happened." He searched through some piles of papers on his desk.

"You said 'our problem.' What is 'our problem'?" Nandi asked.

"Aha!" Dustin exclaimed, finding the Order Acknowledgement receipt he'd printed. He held it so Nandi could read it. "Right here," he pointed. "The JIT server we connect to at ConGlomCo has a new IP address. Chew told me they might move some servers around. Obviously, something has gone wrong."

"And Mr. Crawford is freaking out because of why?"

"We have a trumpet part that didn't get restocked, even though ConGlomCo's system acknowledged the order. That shut the whole line down."

"And the gold in the parking lot is related how?"

"Heck if I know." He shook his head, plopped into his chair, and hit speed dial. After several rings, the speakerphone said, "ConsolidatedConsortiumofGlob--"

"Chew, it's Dustin!" he interrupted. "I might have information related to your problem."

"Let's hear it," Chew said, flustered. "God knows we need help. Can or not?"

"Is your order fulfillment database server now 10.10.10.56?" While Dustin spoke, he pinged jit15.dbserver.internal.conglomco.com, the server name Chew had told him to use two weeks earlier. Sure enough, the result returned 10.10.10.56.

"Hah? I authorized no such change."

"Well, that's the address that comes back on your Order Acknowledgement receipts."

"But dot 56 is one of our development servers!"

"You sure? It's not for processing orders?"

"I know it well," Chew said. "Until two weeks ago, I was working on that server every day. Nothing on it should connect with outside sources."

Nandi signaled Dustin. Dustin said, "Chew, my assistant Nandi wants to tell you something."

"Nandi?" Chew said. "He yandao? Is he tall, dark and handsome?"

Dustin grinned at Nandi. "Well, he's dark!"

Nandi made a face at his boss, and said, "I am pleased to make your acquaintance, Chew. It appears a server has been switched without your authorization. Is that correct?"

"I can't verify that. We checked the Ops Center change logs, and everything looks normal."

As Dustin opened his mouth, Nandi beat him to it: "Have you checked your DNS server logs?"

Chew said, "I can right now. Can you hold on a minute?"

"Sure," Dustin agreed.

Suddenly his speakerphone played the kind of upbeat jazz used on motivational tapes and TV news. An announcer was saying, "--omCo's commitment to service is unparalleled. Others may settle for 'good enough.' At ConGlomCo, excellence is just the beginning --"

Imitating the announcer's tone, Dustin inserted, "-- and free gold is the ending!"

"I like her voice," Nandi said, meaning Chew. "She sounds cute."

Dustin chuckled, then waited for it. The music had cut off right between "I like her voice" and "she sounds cute." Sure enough --

"I'm back," Chew said. "Thank you, Nandi. You sound cute, too!"

Dustin had never seen an Indian blush before. Trying to save his friend some embarrassment, he changed the subject. "What do the logs say, Chew?"

The speakerphone emitted the rustling of paper. "Still looking," Chew said. "I'm paging backwards, I've made it to yesterday -- hm."

Silence.

"Well?" Dustin asked. "What do they say?"

"Too cheem for me," Chew said. "They say nothing."

"They've gotta say something," Dustin prodded.

"No, nothing!" Chew insisted. "On 3 November, the IP address was 10.10.10.174. On 5 November, the IP address is suddenly 10.10.10.56. On 4 November, the log has no entries at all. So, they say nothing."

Dustin frowned. "You use BIND, right?"

"I believe you have been hacked," Nandi said. "And the attacker tried to delete the log evidence. There have been numerous BIND exploits detailed on the security lists."

"Kah nah sai! I will check the logs more and call you back, what?"

"Wait," Dustin said. "I called to let you know our ConGlomCo parts orders are not being fulfilled, even after your server acknowledges the order. And today we received a shipment from you that we never ordered. A half ton of gold bars."

Dustin and Nandi heard a barrage of Singlish explode from the phone, indistinctly, as if Chew had turned to someone in the room and told them the news. Then, directly into the phone: "Gold?!"

"I saw it myself," Dustin said.

Nandi added, "The log entries that are missing might be where the attacker switched your production server with your development server."

"The development team is testing order fulfillment software," Chew thought aloud. "Alamak! We made up all kinds of crazy transactions to smoke test the software. Some of the testers cut and pasted real customer addresses to avoid typing. Others invented silly shipments. In fact, one --" Suddenly Chew gasped. "Piang! That means the fake transactions we made up are being filled for real! Gotta go!"

The line went dead.

Dustin and Nandi stared at each other.

"Are you thinking what I'm thinking?" Dustin asked.

"Yes," Nandi answered.

In unison, they said, "I am so glad I'm not her."

It was a nice moment until Dustin asked, "Doesn't anybody think I sound cute?"


After Dustin alerted Crawford and his staff that ConGlomCo had probably been hacked, he took a moment to think through his next steps. He let voice mail take his phone calls. Gherkin approached the office door, print-out in hand, and Dustin waved him off.

After ten minutes he knew what to do, but he felt only 80 percent certain he knew how to do it. Because his VPN tunnel to ConGlomCo could pass any kind of network traffic, a hacker could step from ConGlomCo's server to Dustin's network. To seal off that possibility -- hopefully, before someone exploited it -- he wanted to create a more restrictive tunnel. So he took a quick look at the online documentation on his local drive, placed there automatically when he installed WFS 7.0. He reviewed:

  • WatchGuard VPN Guide, Chapter 7, "Configuring BOVPN for Manual IPSec," especially a sub-section called "Configuring services for BOVPN with IPSec."

  • The User Guide for WFS 7, Chapter 10, "Creating Aliases."

  • User Guide, Chapter 8, "Configuring Filtered Services."

Ten minutes later he was ready. He slapped on his headphones, dialed up his Stevie Ray Vaughan and Double Trouble MP3s, and started building some Texas tavern tunnels.

Dustin opened the Policy Manager for his Firebox (which he had named, "Simply Red") and removed the "Any" service for the ConGlomCo tunnel. "Any" allowed any kind of traffic to flow through the VPN tunnel between the two companies, which was convenient but was also why it had to go.

Next, he created a Host Alias for ConGlomCo's server. The new alias, which he named ConGlomCo_JIT_srvr, pointed to just one server. He specified 10.10.10.174, the address Chew's server had before the hacker swapped it with the production server. He'd coordinate with Chew later, to make sure this would work.

Tapping his feet to "The House Is Rockin'," he began building a new service to replace the "Any" service he'd deleted. He defined a packet filter where the only ports Enabled and Allowed were the specific ports his custom JIT applications used, ports 20546 - 20550. That should stop any hacker from sending surprises up the tunnel as HTTP, FTP, or any other kind of data non-essential to JIT exchanges.

Finally, he built the service, naming it JIT_svc_ConGlomCo. He picked the alias he had just created as the destination for this service. Using a meaningful name rather than an IP address for the destination increased the likelihood that his staff could understand the settings if they needed to make an adjustment when he wasn't available. He set the service up to allow Outgoing traffic From only his JIT server, To only the ConGlomCo_JIT_srvr. He set up the Incoming traffic vice versa. He also adjusted his existing DNS proxy and ping service, adding ConGlomCo's JIT server to them as a destination. Just to be considerate, he set up a separate service allowing ConGlomCo's JIT server to ping his JIT server.

Just as the band was finishing with a full guitar-screaming, drum-thundering concert ending, he saved the new configuration to his Firebox. He expressed his sense of accomplishment by mock-roaring in his best rock star voice, "Thank you, Madison!" as whistles and applause from the CD filled his ears.

The rock star high withered up and died when he realized that all his VPN tunnels should be fine-tuned the same way. He made a face. There went the coming Saturday.

He tested the tunnel and verified that it worked. Cool. He jotted a note to himself to assign Nandi the task of writing a little cron job that would perform a DNS query to ConGlomCo's DNS server every few minutes, and e-mail him and Nandi if ConGlomCo changed the IP address for jit15.dbserver.internal.conglomco.com.
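A monitor of the kind Dustin means to assign Nandi, as an added example rather than code from the story: it records the first answer it sees as a baseline and mails both admins whenever the set of addresses behind the name changes. The host name is the one from the story; the baseline file location and the mail addresses are assumptions.

```python
# Added example, not code from the original story: cron-driven DNS watch that
# mails the admins when jit15's address changes. Baseline path and mail
# addresses are assumptions. Crontab: */5 * * * * /usr/local/bin/dns_watch.py
import json
import smtplib
import socket
from email.message import EmailMessage
from pathlib import Path

HOSTNAME = "jit15.dbserver.internal.conglomco.com"       # name from the story
BASELINE = Path("/var/lib/dns_watch/baseline.json")      # assumed location
RECIPIENTS = ["dustin@example.com", "nandi@example.com"]  # placeholder addresses

def resolve(hostname):
    """Sorted IPv4 addresses the system resolver returns for the name right now."""
    answers = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({entry[4][0] for entry in answers})

def detect_change(hostname, expected, current):
    """Alert line if the live answer differs from the baseline, else None.
    Any difference counts (new, dropped or extra address): each could mean the
    name now points at a different host, as it did at ConGlomCo."""
    if set(expected) == set(current):
        return None
    return "%s now resolves to %s (baseline was %s)" % (
        hostname, ", ".join(current) or "nothing", ", ".join(expected))

def send_alert(line, recipients):
    """Mail the alert through the local MTA (assumed to listen on localhost:25)."""
    msg = EmailMessage()
    msg["Subject"] = "DNS change: " + HOSTNAME
    msg["From"] = "dns_watch@localhost"
    msg["To"] = ", ".join(recipients)
    msg.set_content(line)
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(msg)

def main():
    current = resolve(HOSTNAME)
    if not BASELINE.exists():          # first run: record what we see, no alert
        BASELINE.parent.mkdir(parents=True, exist_ok=True)
        BASELINE.write_text(json.dumps(current))
        return 0
    line = detect_change(HOSTNAME, json.loads(BASELINE.read_text()), current)
    if line:                           # the baseline is not rewritten here, so
        send_alert(line, RECIPIENTS)   # the mail repeats until an admin confirms
        return 1                       # the change with the partner and deletes it
    return 0

if __name__ == "__main__":
    main()
```

Because the baseline is only ever written on the first run, a swapped address keeps generating mail every cycle until someone deletes the file, which is the behaviour you want when the "change" may be an intrusion rather than a planned move.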

That took care of the connection between ConGlomCo and Kunstler & Sons. Next big issue: had ConGlomCo's hacker trespassed on Dustin's network? He thought not. But wisdom dictated that he check.

From his Management Station, he briefly checked his Auth logs and error logs back to November 3, the date Chew had said her servers were still intact. Since the JIT apps were all heavily customized for Kunstler & Sons, typical automated exploits wouldn't work against his server stealthily. Anyone trying to hack it would have to make a lot of noise in the logs while gathering intelligence about the server. But the logs showed nothing abnormal.

Dustin remembered seeing some LiveSecurity articles called, "I've Been Hacked! What Should I Do?" He went to LiveSecurity's Editorials Index, and found Rik Farrow's series under the topic, "Disaster Recovery." Skimming quickly, he found Part 4 and Part 6 especially helpful. Using Sleuth Kit and Autopsy to verify software through known checksums seemed like a relatively fast way to verify the integrity of the apps on the server. Using Outlook's scheduling, he assigned Nandi to inspect the servers, following Rik Farrow's advice.

And with that, he'd taken every reasonable measure he could to follow up after an intrusion on a partner's network. Given the negative atmosphere at ConGlomCo, he worried about whether Chew would lose her job. He wondered if he'd ever find out what really happened at ConGlomCo.


The following week, with the JIT problems solved and the production line back up to speed, Dustin felt quite expansive -- especially since none of the problems had been his fault. He stood in his office, hands in pockets, trying to recall whether he had in his garage all the parts he needed to make his daughter a small-scale punkin' chucker, when Nandi walked in with a strange look on his face and a DHL shipment in his hands.

"What?" Dustin said.

Nandi fished around in the box, pulled out a paper, and handed it to Dustin. It read:

To: Nandi Yandao
From: Choy Chew
Date: 14 Nov 2003

Subject: THANK YOU!

You were right, Nandi. We found a root kit on our DNS server. Someone exploited a BIND vulnerability to knock it over and swap it with the dev server. Early results of backtracing make me think the culprit is a former employee, but I should not write any more of that.

You are not alone in getting odd shipment. Programmers' funny jokes in not-real dev test became real. ConGlomCo shipped uranium to GreenPeace headquarters and silver bullets to the Canis Lupus Wolf Foundation. Also, man from FedEx called to say they have no forwarding address for Osama bin Laden, so he won't get his molybdenum.

But it's all good, lah. We've been wanting to patch that server for over a year, but the department heads wouldn't agree on when we could turn it off. So political! Now patching is hot issue and we are ordered to update everything ... SSL, Apache, sendmail, WFTPD, all the Unix apps on all the servers on the network. Lotsa work but now we have big league security like Kunstler & Sons!

Thanks to you emailing the information about your firewall, I told management that this would not have happened if we had a Firebox and used the DNS proxy. That made the problem a "firewall issue" and now Lee Boon Sen is held responsible.

Little gift is to say "thanks."

"Woah!" Dustin grinned. "I don't know which is funnier -- that Lee is in trouble, or you have a pen pal in Singapore!"

Nandi protested, straight-faced, "I am just trying to assist an IT colleague!"

"Who you think sounds 'cute,' Mr. Tall, Dark, and Handsome. So what's the gift?"

Nandi smiled. "See for yourself."

Plastic peanuts cascaded to the floor as Dustin dug through the box, then pulled something free. He held up a shiny new brass spittoon. Poking out of it was a generous package of Big League Chew. Dustin spotted a sticky note in clear, loopy handwriting, and read aloud: "Tell Dustin I sent him the gold. Now he owes me the tuba. -- Chew."

"Big League Security!" he said, delighted to encounter another punster. "You know, if this were a TV sitcom, we would both laugh right now and then they would freeze frame."

"I have no time for freezing," Nandi observed. "I must get back to work. Kindly hand me my spittoon."

"First, admit it," Dustin said, dangling the spittoon out of Nandi's reach. "Maybe I don't sound cute, but I think I sound smart. Don't Chew?"

The End

Credits:
Technical concepts: Steve Fallin, Corey Nachreiner, Lucas Thompson
Fake reports: Corey Nachreiner
Originated and written by Scott Pinzon. Editorial assist by Jun Hokari.