Friday, January 25, 2008

Access Control follow up

This story seems to be everywhere now, including some video on CNN - http://www.cnn.com/video/#/video/crime/2008/01/24/pkg.disgruntled.employee.wtlv

It does appear that the accused used her own account to access and delete the files. I suspect that there will be some serious consideration of separation of duties and access at that office over the next few days. Take that to heart, learn the lesson and review your own networks (if you are the one responsible - if not, ask the person who is responsible for your network security if they are aware of the story).

The spokesperson for the Sheriff's department said it so well: "the lesson to be learned here is that you can't depend on having one set of record or files and having your employees having accessibility to it. You've got to have some type of back up."

Security is not just about preventing. Security is also about being able to recover should something bad happen.


Be safe
James

Thursday, January 24, 2008

Access Control

I have been reading a lot about access control lately. I am a firm believer in least access. Only give access to those people who need it and deny access to everyone else.
This story in the Register is a prime example of someone having more access than they should have...
http://www.theregister.co.uk/2008/01/24/disgruntled_employee_silent_rampage/

The gist is this...
An administrative assistant (AA) who thought she was about to be replaced went to the office between 11 PM and 3 AM Sunday and deleted a large number of files from the architect's office she worked for. The firm was able to recover the files with the help of an outside company.
The story does not say how the files were deleted or whose account was used.

Assumptions I am making:
The company server was either in a common area (store room) or in a locked area that the AA had access to.
The server was logged in as administrator and not locked.
The AA's user account had access to the files.
There were no time restrictions for login to the network.

Suggestions:
Server should be secured in areas that few people have access to.
Do not leave your server logged on and unlocked as an administrator; this is an invitation to having all of your files erased - oh wait.
Why does your AA have access to all of the files? Limit access to the really important files in your company. I know it is easier for everyone to have access to everything than to have to figure out who should have access to what, but that also makes it easier for your really important files to disappear.
If your office staff is not on site or not connecting on the weekends, turn off their access.
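The last two suggestions (limit who can touch important files, and turn off access when staff are not expected to be connecting) can also be checked after the fact. The following is an added example, not something from the original post or the Register story: a small audit-log review that flags logons outside a hypothetical Monday-to-Friday daytime window and a burst of deletions by one account, run over constructed records modelled on the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical office policy: staff may log on Monday to Friday, 07:00-19:00.
ALLOWED_DAYS = {0, 1, 2, 3, 4}      # datetime.weekday(): Monday=0 ... Friday=4
ALLOWED_HOURS = range(7, 19)        # 07:00 up to, but not including, 19:00
DELETE_THRESHOLD = 50               # deletions by one account within an hour

# Constructed audit records modelled on the incident: normal Friday activity,
# then a Sunday 23:05 logon followed by a burst of deletions.
SAMPLE_LOG = [
    "2008-01-18 09:12:00 LOGON jsmith",
    "2008-01-18 09:30:00 DELETE jsmith projects/draft1.dwg",
    "2008-01-20 23:05:00 LOGON aa_user",
] + [
    f"2008-01-20 23:{m:02d}:00 DELETE aa_user projects/plan{m}.dwg"
    for m in range(6, 60)
]

def parse(line):
    """Split one constructed record into (timestamp, action, user)."""
    date, time, action, user = line.split()[:4]
    return datetime.fromisoformat(f"{date} {time}"), action, user

def logon_allowed(ts):
    """True if the timestamp falls inside the permitted logon window."""
    return ts.weekday() in ALLOWED_DAYS and ts.hour in ALLOWED_HOURS

def review(lines):
    """Return alert strings for off-hours logons and bulk deletions."""
    alerts = []
    recent_deletes = defaultdict(list)   # user -> delete timestamps in the last hour
    for line in lines:
        ts, action, user = parse(line)
        if action == "LOGON" and not logon_allowed(ts):
            alerts.append(f"off-hours logon: {user} at {ts}")
        elif action == "DELETE":
            window = [t for t in recent_deletes[user] if ts - t <= timedelta(hours=1)]
            window.append(ts)
            recent_deletes[user] = window
            # Alert when the count reaches the threshold, not on every later delete.
            if len(window) == DELETE_THRESHOLD:
                alerts.append(f"bulk delete: {user} removed {DELETE_THRESHOLD} files within an hour")
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

The thresholds and the logon window are placeholders; the point is that both conditions are easy to state as policy and easy to check against whatever audit trail the file server keeps.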

I relate this to having a safe in your house with a nice combination lock. To make the best use of it you aren't going to leave the safe sitting out in the middle of your floor with the door wide open. You also would not give your cleaning company the combination to the safe.

Look around where you are now: what could you do to improve the security of your company or home?

Be safe

James

(additional) a little communication could have avoided all of this - on both sides.
The Register does close the story with "(The AA's) job was never under threat, though it probably is now."

Tuesday, January 15, 2008

Avoid this at all costs...

http://kracomp.blogspot.com/
Ok, that's sarcasm. This is my friend Tim Krabec's blog.

He asked me to ask people not to read it.

So I have.

Avoid it like the plague.

Dang sarcasm, keeps popping up.

Tim has worked with small business and home offices for several years and has some great insights. Check it out.

Be safe
James.

p.s. I am coining the term anti-viral marketing to go along with this, as I am trying to encourage you to go by telling you to stay away.

Monday, January 14, 2008

USB Wifi with VMWare and BackTrack

I also posted this to my original blog but wanted to post it here as well.

I read about this in a paper on the SANS Reading Room about a month ago and finally got around to trying it over the weekend. The paper is available here - http://tinyurl.com/24o95n

In six steps you can use a wireless USB adapter within a VMware virtual machine.

Supplies used:

Windows XP SP2 laptop

VMware Workstation 6 - http://www.vmware.com/download/ws/

Belkin Wireless G USB Network Adapter http://catalog.belkin.com/IWCatProductPage.process?Product_Id=179211

BackTrack 2.0 Final ISO - http://www.remote-exploit.org/backtrack_download.html

IronGeek's bootable CD vmx file - http://www.irongeek.com/downloads/live-cd-iso.vmx



Assumptions:

Windows is completely patched.

VMware Workstation has been installed on the laptop

Belkin Wireless drivers are not already installed on the laptop and the adapter is not connected to the laptop (yet).

Tasks

Step one - download the BackTrack 2.0 ISO to a directory on your hard drive (I used C:\Virtual).

Step two - download IronGeek's bootable CD VMX file to the same directory as the ISO. Now open the file in a text editor. Set the Memory to be at least 256MB by changing this section of the file:

Original
# Memory
#####
memsize = "128"
# memsize = "256"
# memsize = "512"
# memsize = "768"

Updated
# Memory
#####
# memsize = "128"
memsize = "256"
# memsize = "512"
# memsize = "768"

Configure the boot objects to use the boot CD:

Original
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "myiso.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"

Updated
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "bt2final.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"

The file should be in the same directory as the BackTrack ISO. Additionally you can update the display name and annotation lines in the file to display better descriptors.

Step three - launch VMware Workstation, open the bootable CD VMX file and start the virtual machine.

Step four - You will likely receive an error about the video settings not being supported - I used option 0. Before pressing 0, I inserted the Belkin USB card, this causes Windows to recognize the card as a VMware USB device instead of the Belkin wireless device.

Step five - log on to BackTrack.

Step six - launch Wlassistant and verify that the Belkin USB card is finding other devices around you.
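The two edits in step two are easy to get wrong by hand (leaving two memsize lines active, or pointing at an ISO that is not beside the VMX). As an added example, not part of the post or IronGeek's file, the following Python applies them to a constructed fragment of the VMX: it activates exactly one memsize line, commenting out the rest, and rewrites the ide1:0.fileName entry. The fragment and helper names are assumptions for illustration.

```python
import re

# Constructed VMX fragment mirroring the sections edited in step two.
SAMPLE_VMX = """\
# Memory
#####
memsize = "128"
# memsize = "256"
# memsize = "512"
# memsize = "768"
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "myiso.iso"
ide1:0.deviceType = "cdrom-image"
"""

# Matches both active and commented-out memsize lines; group 2 is the value.
MEMSIZE_RE = re.compile(r'^\s*(#\s*)?memsize\s*=\s*"(\d+)"\s*$')

def set_memsize(vmx_text, megabytes):
    """Activate the memsize line for `megabytes` and comment out the others."""
    out = []
    for line in vmx_text.splitlines():
        m = MEMSIZE_RE.match(line)
        if m:
            value = int(m.group(2))
            prefix = "" if value == megabytes else "# "
            line = f'{prefix}memsize = "{value}"'
        out.append(line)
    if f'memsize = "{megabytes}"' not in out:
        out.append(f'memsize = "{megabytes}"')   # no matching line existed
    return "\n".join(out) + "\n"

def set_boot_iso(vmx_text, iso_name):
    """Point the IDE CD-ROM image at `iso_name` (expected beside the .vmx)."""
    pattern = re.compile(r'^(\s*ide1:0\.fileName\s*=\s*)"[^"]*"', re.M)
    new_text, count = pattern.subn(lambda m: f'{m.group(1)}"{iso_name}"', vmx_text, count=1)
    if count == 0:
        raise ValueError("ide1:0.fileName not found; is this the bootable CD VMX?")
    return new_text

def active_setting(vmx_text, key):
    """Return the uncommented value of `key`, or None if it is not set."""
    m = re.search(rf'^\s*{re.escape(key)}\s*=\s*"([^"]*)"', vmx_text, re.M)
    return m.group(1) if m else None
```

Read the real VMX into a string, pass it through set_memsize and set_boot_iso, and write it back; active_setting lets you confirm the result before launching the VM.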

Final result

The BackTrack CD is now capable of using the Belkin wireless card to scan for other resources from inside the virtual machine without the drivers ever being installed on the XP or Vista host.

This also should work with VMPlayer (in fact IronGeek has a video tutorial on cracking WEP keys using a similar setup - http://tinyurl.com/25zz98) and just about any Windows XP or Vista workstation (PC or laptop). It may or may not work for Intel based Macs or Linux workstations. This may also work with other wireless USB adapters.

Your feedback would be appreciated.

Be Safe
James