The Information Security Pro's Children Gone Shoeless
Posted by John Verry on Wed, Jan 07, 2009 @ 09:43 AM
Yesterday I had one of those calls that continue to remind me that we all need to be diligent and “eat our own dog food”. It also illustrated very clearly the “hidden risk” associated with allowing remote access to privileged information via employees’ home networks. One of our Information Assurance clients, a pretty “security savvy” developer for a SaaS vendor, called and began sheepishly, “I’ve been hacked and need some advice ….”
A system that he uses on his home network for personal use, corporate business, and a side consulting business had been hacked. In order to allow secure remote access to the system whenever he required, he enabled port forwarding of SSH to that system. Unfortunately, the password was “not as strong” as it should have been. Worse, it was for the root account, which he was using as his main account. A dictionary-based brute-force attack compromised the system.
I felt bad for him as he had to painfully detail his failure to comply with some very basic security fundamentals. The only saving grace was that his exposure was limited by the fact that he had the system email him anytime a user account was modified. Unfortunately, he didn’t read the email for 2 days.
On his initial/cursory review prior to his call he determined:
- Root password was changed shortly after the successful root login, followed by four additional remote logins, all from different public IPs.
- One attempted email outbound whose payload looked to be script generated with no meaningful content.
- No shell history for root for any of the connections.
- No file level logging to determine if user had accessed personal financial data, employer related information, or client data for his home business.
- No outbound logging at his firewall to determine if the system had connected outbound.
- Had not yet reviewed logs for 3 other machines on the home network to determine the level to which logging is enabled on them and/or whether any access was attempted or successful.
His preliminary plan was to:
- Cancel all his credit cards and bank accounts as this information was stored on the compromised system.
- Advise all clients whose data was on that machine that their Information Technology data was potentially exposed.
- Advise his employer that a machine that had some sensitive employer data and is authorized to communicate through the corporate firewall had been compromised.
- Completely rebuild the server with new drives.
- Rethink/retool his security architecture/practices.
- Potentially pay (out of his pocket) for a full forensic investigation of the compromised system’s hard drive.
To paraphrase a famous proverb, “It’s the cobbler’s children that often go shoeless.” In this case, it would have been cheaper to put them all in Pradas.
Got to run … I have a Linux system on my home network with SSH port forwarded (the truth) … need to revalidate that the password is strong, that access is IP-range restricted, and that account lockout is enabled! You should likely do the same …
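The brute-force pattern the client found in his logs (a run of failed root passwords from one address, then a successful root login) is easy to spot after the fact if you look. The following is an added example, not code from the original post: it scans sshd log lines for a successful password login preceded by a burst of failures from the same IP. The log lines, hostname, and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the post): a dictionary attack
# against root from one address that eventually succeeds, plus benign traffic.
SAMPLE_AUTH_LOG = """\
Jan  5 02:14:01 home sshd[4311]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan  5 02:14:03 home sshd[4311]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jan  5 02:14:05 home sshd[4311]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jan  5 02:14:07 home sshd[4311]: Failed password for root from 203.0.113.7 port 40155 ssh2
Jan  5 02:14:09 home sshd[4311]: Failed password for root from 203.0.113.7 port 40160 ssh2
Jan  5 02:14:11 home sshd[4311]: Accepted password for root from 203.0.113.7 port 40171 ssh2
Jan  5 08:30:44 home sshd[5120]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jan  5 09:02:10 home sshd[5188]: Failed password for alice from 192.0.2.10 port 50031 ssh2
Jan  5 09:02:15 home sshd[5188]: Accepted password for alice from 192.0.2.10 port 50032 ssh2
"""

# Matches the standard OpenSSH "Accepted"/"Failed" authentication lines,
# including the "invalid user" variant produced for unknown account names.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def find_brute_force_logins(log_text, threshold=5):
    """Return a list of (ip, user, failures_before) tuples, one for each
    successful password login that was preceded by at least `threshold`
    failed attempts from the same source IP. Key-based logins are never
    flagged; a single typo before a success (alice) stays below threshold."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif m.group("method") == "password" and failures[ip] >= threshold:
            hits.append((ip, user, failures[ip]))
            failures[ip] = 0  # reset so a later burst is reported separately
    return hits


if __name__ == "__main__":
    for ip, user, n in find_brute_force_logins(SAMPLE_AUTH_LOG):
        print(f"likely brute-forced login: {user} from {ip} after {n} failures")
```

On a real host the same logic would be run over /var/log/auth.log (or the journal); the email-on-account-change alert the client had is a useful second signal, but only if someone reads it.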