Perhaps the most OBVIOUS question you will ever see.

Discussion in 'Computer Security' started by Curious George, Jan 28, 2005.

  1. Dear Colleagues:

    For the life of me I don't know why I have to ask this question since the
    answer is so obvious, however, I need to have others tell me that I am not
    completely insane.

    I work at a place where we have a myriad of wireless access points and NO, I
    am not writing from there at present.

    NONE of the wireless access points has any form of security on them
    whatsoever. No WEP, no CHAP... no nothing. Everything is open so you
    could walk into our joint, grab an IP address and surf the web to your
    heart's content.

    Here is the problem. My boss insists that it's "no big deal" and that since
    the servers are on the inside and protected, we really don't have a thing to
    worry about. Furthermore, my boss is under the impression that since we are
    situated in a wide area, nobody would be able to get into our network
    because of this distance. Needless to say, my boss does not consider
    somebody sneaking into a parking lot with a laptop, a good network card and
    a directional bazooka antenna a possibility.

    So here is what I have to explain to my boss' boss and, perhaps, the board
    of directors... and here is where I can't help but laugh. I hope that I
    will be able to keep a straight face come Monday when I have to explain
    to people why it's important.

    Okay, so I know the analogies. For example, I understand that not having a
    secure wireless network with many WAPs and high gain transmission antennas
    is the same as putting cables out to anybody within 'x' amount of yards with
    a sign that says "free internet access", but since I am going to be asked
    these obvious questions, just what type of damage could somebody do?

    Yeah, I know about denial of service attacks, yeah I also know about
    enumeration and password guessing, but considering that we have an SQL
    server on the inside of our network (no, the sa account password is not
    null) what are we talking about.

    I can envision so many things. Like somebody just sitting there capturing
    packets to get things like usernames, passwords and the like, but come on...
    what else could they do?

    I have read my boss the riot act many times, but this is now going to go in
    front of somebody over my boss' head, so, aside from giving them worst case
    scenarios, end of the world analogies, etc., how else could people break in.

    Creative responses are appreciated and will be rewarded with much praise.

    I can't believe that I have to actually explain this to people, and this
    entire thing would last about two seconds when it comes to talking with a
    computer professional, but you see, my boss is under the impression that
    they are a computer professional because they received a Master's degree in
    Comp Sci back in the 80's. I know that this line of thinking is dangerous,
    but I really want some creative answers to put my point across strongly, and
    yet professionally.

    Although I realize that this post will likely be the butt of many jokes
    (which I will appreciate immensely) I nevertheless would appreciate a bit
    of useful information in your responses.

    I am going to have a serious drink now, and then bang my head against the
    wall.

    Thanks in advance,

    CC
     
    Curious George, Jan 28, 2005
    #1

  2. Roger Abell Guest

    Being a bit flippant just now, but why not suggest that, if they are
    so sure of their "beliefs", you just post the address of the parking
    lot here. I am sure there are some within driving distance reading
    the newsgroups.

    Let's see, your industry - it has confidential client info? it has
    trade secrets? it has government imposed data privacy/security
    regulations? it has a revenue stream that depends on uptime?

    Those are some of the things in the vault.

    Now, you are asking us, how can I explain without explaining,
    to the boss' boss, that having those things in the vault is not all
    that good if no one shuts the door and spins the tumbler enough.

    That's what you are asking?
     
    Roger Abell, Jan 28, 2005
    #2

  3. Anonymous99 Guest

    Hey buddy, where is this office located, just so I can know what you're
    talking about, not for any other reason.
     
    Anonymous99, Jan 28, 2005
    #3
  4. Bigbruva Guest

    Might I suggest a different tack.

    Simply send them a memo or email explaining in simple, non-inflammatory terms
    that by having an unprotected wireless network they are exposing all the
    data on that organization's network to a serious risk. You understand that it
    is not your place to set the network strategy for the whole company, but you
    do feel that it is important to highlight these issues before a security
    breach occurs.

    Then leave it at that; if you push too hard, you could be out of a job!
    However, if your boss does nothing after that memo and you are later hacked,
    he will be the one out of a job while you will probably be first in line for
    his post :)

    Good luck, either way

    BB
     
    Bigbruva, Jan 28, 2005
    #4
  5. First off, I think you cross-posted this a bit excessively. Bad etiquette.

    Second off, you are being far too flippant about this, I think. You could be
    terminated on your attitude, probably all on its lonesome. How you proceed is
    entirely up to your thoughts on how you feel about your job. Attacking your boss
    generally isn't a way to form a career somewhere. At the very least it puts you
    in a hostile environment that isn't fun to work in.

    Finally, the number of ways you could be compromised varies. It is possible,
    however unlikely, that you guys are actually locked down to the point that this
    could be safe. Again, I think it is unlikely given the impression I have of the
    technical knowledge and security conscience the company appears to have. But it
    isn't entirely impossible.

    I think the most effective way to handle this would be to go and get your own
    laptop, don't use any work resources whatsoever, and drive around the location,
    do not trespass onto the property, stick to publicly accessible areas and try to
    pick up the connection. If you do connect, try various things, such as network
    sniffing, etc to find what others would find. Do a network scan (based on the IP
    address you get from DHCP) and see if you can find machines with services
    available, SMTP would be a really good one to find. DO NOT use your knowledge of
    the environment to just go straight to an SMTP server you are aware of. Now try
    to send an anonymous email to some external email address that you have.
    Possibly try to scan for machines with open shares or mounts that allow you to
    read unauthenticated or write unauthenticated. Look for any SQL servers with
    blank SA accounts, etc. Again do all of this without using any knowledge you
    have of the environment, if you don't think you can, have a friend do it and
    don't give them any hints.

    Now if you are successful, this is a great example that anyone will understand.
    Walk your BOSS out to where you were, use your non-work laptop and walk through
    the process you used previously. As a finale, send an email to your boss from
    his boss or the president of the company or something like that with your boss
    standing there watching you. If he doesn't get the picture, and you really feel
    you need to, do this with your boss's boss or whomever.

    Basically try to convince your boss to be your ally and to do that, you need to
    prove that there is an issue.

    Now there is one thing you need to do before this. I doubt you do, but if you
    have a security group, you need to alert them that you are going to do this.
    Explain why you are doing it. Again I doubt you have that in place. So what you
    do in that case is ask your boss if he minds if you test the security and try to
    do what it is that you think can be done. This is a key step, if you don't do
    it, you could find yourself getting in trouble for doing it since a big part of
    the whole thing is publishing to your superiors that you did it to prove the point.


    joe
     
    Joe Richards [MVP], Jan 28, 2005
    #5
  6. The only way that I could start to see this from your boss' perspective is
    if they treat their whole wireless network as a DMZ and keep it firewalled
    off from the rest. If not, then hmmmm...

    It doesn't make sense, because even moderate security like WEP or WPA
    doesn't really cost a lot or require incredible effort to implement.
    Neither are perfect but at least it would be a start.
     
    Colin Nash [MVP], Jan 28, 2005
    #6
  7. You aren't alone my friend.
    Some three months ago, our team boss (I do IT support for production PCs for
    a certain well-known German Automobile company) talked to one of the
    persons responsible for a number of servers (we are a third-party company,
    not part of that megacorp proper) and tried to explain to him that yes, a
    certain server needs an antivirus program urgently (imagine that - it
    didn't have one then!). The reply from that "specialist"? "Why should it?
    In the production network it only talks to this other server, no one else,
    so it's not threatened by anything!"

    Since that day our team boss has a remarkably flat forehead (from banging it
    on the table of course).

    Oh, yes... isn't it amazing that in one of the factory halls we have about
    400 welding robots... all controlled by a Win95A machine with all
    partitions shared via samba, read/write permission for everyone, and yet
    not a single malware infection? I guess even malware has its pride
    today... ;)
     
    Thore "Tocis" Schmechtig, Jan 28, 2005
    #7
  8. S. Pidgorny Guest

    I'd just demonstrate why that is a big deal. If you have servers that are
    not totally secured, if you see applications credentials and data sent in
    clear and available to a guy in the parking lot - that will make the things
    a big deal.

    Until you show that the risk is actually a vulnerability, that will be just
    a risk - and the risk seems to be accepted by the business. For now.
     
    S. Pidgorny, Jan 28, 2005
    #8
    I wouldn't bother; if they know best, let them take the consequences. In
    my experience, if you try to do a good job, you are no better thought
    of. Your boss or someone higher up always knows best.
    Remove antispam and add 670 after bra to email

    Be a good Global citizen-CONSUME>CONFORM>OBEY

    Circumcision- A crime and an abuse.
     
    tarquinlinbin, Jan 28, 2005
    #9
  10. Here is a somewhat contrarian opinion.

    First of all, relax a little. This is not that bad if you have the
    sort of internal access controls which you ought to have anyway.

    A wireless attacker cannot "sniff" anything except other wireless
    traffic. Packets to and from machines on the wired network are not
    sent over the wireless, period. In order to sniff most of your
    traffic, the attacker would need to compromise a machine on the
    internal network. And even then, a switched network (like most are
    today) would make sniffing useless.

    And even the most basic Windows authentication mechanisms do not send
    passwords in the clear.

    A wireless attacker has the same access as an employee who has
    forgotten his password; no more, no less. So he can probably browse
    the Internet, send objectionable mail originating from your network,
    try to guess passwords, seek out unpatched security flaws on internal
    systems, and so on.

    But if you are a serious network admin, you should already be
    preventing (or at least noticing) any of these. By far the most
    widespread and expensive security compromises are inside jobs. They
    do not make the newspapers because they are not "sexy" and companies
    do not like to publicize them. But disgruntled or curious employees
    are the biggest threat you face, and if your network is secure against
    them, it will be secure against a wireless attacker.

    That said, it is certainly not considered best practice to have an
    unsecured wireless access point behind your firewall, because you
    might as well not have a firewall. Which is actually how I would
    argue this to management: For anybody within range, your firewall does
    not exist.

    On the other hand, unsecured access points in a DMZ are not uncommon.
    Many companies find that the convenience of easy binding to the
    wireless network (especially for visitors) is worth the cost/risk of
    providing free Internet access to anyone nearby.

    - Pat
     
    Patrick J. LoPresti, Jan 28, 2005
    #10
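    Patrick's point that a serious admin should be "preventing (or at least
    noticing)" a stranger grabbing an address from the wireless segment is one
    an IT department can act on directly. What follows is an added example and
    not code from anyone in this thread: a small Python script that parses
    dnsmasq-style DHCPACK syslog lines, picks out the leases handed to devices on
    the wireless subnet, and flags any whose MAC address is missing from the
    asset inventory. The log lines, the 10.20.0.0/24 wireless subnet and the
    inventory are all constructed for the example.

```python
"""Flag DHCP leases on the wireless segment granted to devices that are not in
the asset inventory.

Added example (not from the thread).  Assumptions: the DHCP server logs in
dnsmasq's 'DHCPACK(iface) ip mac hostname' format, and the inventory is a
simple MAC -> asset-tag mapping.  All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (hypothetical hosts and addresses).
SAMPLE_LOG = """\
Jan 28 08:01:12 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.20.0.51 00:11:22:33:44:55 lab-pc-07
Jan 28 08:03:40 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.20.0.52 00:11:22:33:44:66 lib-laptop-2
Jan 28 12:17:03 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.20.0.77 de:ad:be:ef:00:01 unknown-host
Jan 28 12:17:05 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.10.0.9 00:11:22:33:44:77 fileserver
Jan 28 12:18:30 gw dnsmasq-dhcp[812]: DHCPREQUEST(wlan0) 10.20.0.78 de:ad:be:ef:00:02
"""

# Constructed asset inventory: MAC address -> asset tag / owner.
KNOWN_MACS = {
    "00:11:22:33:44:55": "lab-pc-07",
    "00:11:22:33:44:66": "lib-laptop-2",
    "00:11:22:33:44:77": "fileserver",
}

# Assumed address range of the wireless access points' DHCP scope.
WIRELESS_NET = ip_network("10.20.0.0/24")

# Only completed leases (DHCPACK) matter; requests and offers are ignored.
LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\((?P<iface>\w+)\) (?P<ip>[\d.]+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?$"
)


@dataclass(frozen=True)
class Lease:
    ts: str
    iface: str
    ip: str
    mac: str
    hostname: str


def parse_leases(log_text):
    """Extract every completed lease from the log text; non-matching lines are skipped."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        leases.append(Lease(m["ts"], m["iface"], m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def rogue_wireless_leases(leases, known_macs=KNOWN_MACS, wireless_net=WIRELESS_NET):
    """Return leases inside the wireless scope whose MAC is absent from the inventory."""
    return [
        lease for lease in leases
        if ip_address(lease.ip) in wireless_net and lease.mac not in known_macs
    ]


def report(log_text=SAMPLE_LOG):
    """Render one alert line per rogue lease found in the log text."""
    rogues = rogue_wireless_leases(parse_leases(log_text))
    return [
        f"{r.ts} rogue lease {r.ip} -> {r.mac} ({r.hostname or 'no hostname'})"
        for r in rogues
    ]


if __name__ == "__main__":
    for alert in report():
        print(alert)
```

    Run against the constructed log, the only alert is for 10.20.0.77, the one
    wireless lease whose MAC is not in the inventory; the wired fileserver lease
    on eth1 is ignored because it falls outside the wireless scope. This is
    detection rather than a control: a MAC address is not a credential and a
    visitor's laptop will show up here only after it has already been given an
    address. The fixes the thread itself names, enabling WEP/WPA on the access
    points and firewalling the wireless segment off from the internal network,
    are what stop the parking-lot laptop from reaching anything that matters.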
  11. Martin Guest

    Even then, if the wireless part has an unprotected internet connection
    there are other possibilities.

    How about someone running their own SMTP server sending spam out through
    the company's router? Or someone downloading child porn through the
    company's router (try explaining that one to the FBI, or then to the boss
    when they 'borrow' every single computer to audit them)?
    I agree with you. Crazy for the OP's company to even argue about it.
     
    Martin, Jan 28, 2005
    #11
  12. Ray Guest

    Actually, this is a good thing. It means you have impressed upon your boss
    that there is some issue and he wants you to present it to his superiors,
    who may be non-technical. Most people think that everything is secure out of
    the box, like buying a Ford car and knowing that other Ford car keys cannot
    open your locks.

    The people you will present to apparently have the authority to provide
    money to fix the problem, and if your boss didn't think you had a valid
    issue and were capable of presenting it professionally and at their level,
    you would never get past him.

    Ray
     
    Ray, Jan 28, 2005
    #12
  13. Mark Gamache Guest

    George,

    I used to work for a WISP that used 802.11. I think your boss would be
    amazed at how far off I can be and still connect to your network. If you
    have a wireless network, you have to assume that the RF is not secure unless
    you do in-depth RF planning, a survey and remediate with RF absorbing paint
    and what not.

    It sounds like your boss is lazy and doesn't want to deal with the issue so
    he's throwing out any old argument. It's really as simple as this: either
    protecting the data is important or it's not. His argument says that it's
    not, so why not take down your firewall and publicly address your entire
    organization?

    As for what a hacker can do... Absolutely anything that an authorized user
    can do. You seem flippant about gathering usernames and passwords, but this
    is easy and from there one can use the stolen privileges to wreak havoc.
    Unless your VPN solution requires a certificate that can't be acquired for
    the outside, a hacker just needs to get a single username and password combo
    to get in to your core network.

    If your accounting system uses direct wire transfers for bill payments, that
    is at risk. One could open up a dummy bank account, and create a new vendor
    in your system and initiate a transfer to the account.

    I guarantee that a hacker can read your CEO's email and send email as your
    CEO. The social engineering power of sending an email as your CEO is
    enormous.

    Your CEO probably uses the same password for his network logon as he does
    for his electronic banking... Once a hacker has access to that, your
    identity is toast.

    Customer data... I'm not sure your industry, but if you store any customer
    financial data such as credit cards, that is exposed.

    The list is never ending...
     
    Mark Gamache, Jan 28, 2005
    #13
  14. Jeff Cochran Guest

    What the heck does this have to do with the MBSA (Baseline Analyzer)?
    So why did you crosspost this rant to every group you knew? It also
    doesn't involve Microsoft Access (a database product if you didn't
    realize that), Pocket PC wireless or SQL Server security.

    Because of that I've restricted this reply to just two groups. In the
    future, you'd make more friends if you did the same.

    The first step of this process will be to get your resume ready.
    You're going to need it. In fact, you probably already should have
    used it. You and your boss are not suited for a working relationship.

    The second step is to make sure you're right. Being right won't help,
    but being wrong will definitely hurt. If you're the security admin
    for the company, you should already have fixed this so right or wrong
    you'd lose then. If you're a network admin or have another related
    job function, you still probably should have fixed this, and still
    will be taking the blame.

    Now, if you're not the one in charge of fixing this, be prepared to
    take the fallout from those who are. You'll have better ground to
    stand on, so when you lose you may be able to save face.

    That said, from your specific viewpoint presented, it may seem an
    obvious question. But you don't know all the facts, and certainly we
    don't, so most likely your issue isn't as obvious as you seem to
    believe. After all, if it is that blatant, why haven't you already
    had all the nasty things happen?

    There are perfectly acceptable reasons for the setups you describe,
    and valid business reasons to have a lower than ultimate security
    level. Think about it, the absolute best data security would be to
    let only one person know the data, never write it down and then shoot
    that person dead. That info is as secure as it can be. It's also
    useless. Security is never an absolute, and it's always a trade-off
    between security and functionality. And that tradeoff will be
    different for every organization and every piece of data.

    Lastly, no matter how ridiculously stupid they may actually be, bosses
    rule. Get used to that and you'll live a longer, happier life.

    Jeff
     
    Jeff Cochran, Jan 28, 2005
    #14
  15. Dear Colleagues:

    In all of my years of posting to newsgroups I would have to say that the
    responses you all provided me are among the best I have ever seen. I thank
    you all so very much for your advice.

    To those of you who mentioned my excessive cross-posting, please accept my
    apologies but this total lack of security is something that has given me
    nightmares.

    To those of you who suggested that I publish the address of one of our
    parking lots, I would like to, if anything to prove a point; however, being
    that I am the poor slob who would be called upon to remedy the problem (and
    likely be the one who is blamed), it's not advisable.

    Now, without going into much fanfare (and to better respond to those of you
    who inquired), my boss is one of those people who thinks they know it all.
    My boss is a teacher and we are a school and every time that I have
    suggested that we secure our wireless network, my boss rolls her eyes as if
    I were crying wolf. The people who installed our WAPs said that we should
    have some type of security in place, but her thing is all about what happens
    if somebody comes in with a laptop and cannot connect. Of course I said
    that such a person would have to visit the IT department, but this has
    fallen upon deaf ears.

    The biggest problem is not with the fact that my boss knows precious little
    about managing a network and that the last time she was involved in any form
    of network management was sometime back in 1985, it is because she is
    adamant about her technical knowledge. It does not matter if 99% of the
    industry believes in something (for example, having SDLT tape backup
    devices); it's what she thinks works and does not. In short, she is
    completely ignorant.

    To be clear, I have no qualms about having a woman boss. What I have a
    problem with is somebody who is so adamant that they are right and I am
    wrong that it seems that no matter what I say, she will go against it.
    There are more issues here than meet the eye, but I had to draw the line
    when it came to the integrity of our data, not to mention what could happen
    if the wrong person got in.

    For those of you who mentioned that I should tread carefully, thank you. I
    already have my resume and cover letter updated for even if they turned
    around and changed all of the things that are totally wrong and dangerous, I
    cannot stay in the sort of environment where our administrators take the
    advice of somebody who clearly has precious little technical knowledge over
    the advice of somebody who comes in with recommendations from a plethora of
    experts.

    This being said, I thank those of you who graciously contributed to this
    thread and apologize to those who feel that my cross posts were excessive;
    regardless of these complaints, those of you who took issue with my
    crossposting also contributed good advice nevertheless.

    Thank you so very much for your time and advice.

    Curious George
     
    Curious George, Jan 28, 2005
    #15
  16. <posted & mailed>

    Nice...
     
    Michael J. Pelletier, Feb 1, 2005
    #16
  17. winged Guest

    The fact they are using 95A for bots scares me, but since it has been
    working so long, it is remarkable unto itself. Must be what's causing that
    rattle... hrrmm.

    Winged
     
    winged, Feb 2, 2005
    #17
  18. As I said, seems like even malware has its pride ;)

    Well, to be fair, I think I heard recently that someone plans to upgrade the
    control PCs to... whatever else. I guess that would mean W2k. We'll see. 8)
     
    Thore "Tocis" Schmechtig, Feb 2, 2005
    #18
