Security Basics mailing list archives

RE: Allowing scanning from home (or how I was really stupid)


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Sat, 30 Oct 2004 17:00:19 -0400

Allow me to share an experience that may be relevant here.

During the course of a pen-test, we crafted a very nicely forged email
from a customer's ISP.  I sent this using my home cable modem as a relay
to further mask the origin of the probe.  The email was designed to
coerce a user into clicking a link, and running a simple .bat file that
pinged the corporate firewall with a specific payload size that would
show up nicely in our firewall logs.

The hope was, that the user would run the bat file, we'd see it in the
logs, and it would be a "gotcha" situation.

Well, things didn't quite go as planned. 

I left work a little early that day to do some personal stuff.  When I
came home, my wife was frantic.  Our ISP had called, terminated our
service, and indicated that law enforcement may or may not be involved.
She was pretty much completely freaked out.  I of course replied "well
dear, what in the world did you *DO?*  Wow, I bet you're going to jail!"

She was not amused.

What happened:

The recipient user of my email was much more savvy than we gave them
credit for.  They called their ISP, who called my offices (since we were
the recipient of the pings) and called my provider (the IP being right
in the headers) and reacted most severely.

It took several days of phone calls and apologies, a box of donuts (to
the customer's ISP, we felt really bad for freaking them out), lots of
explaining and pleading to my home ISP including the provision of
documentation (security testing type activity is a CLEAR violation of
most ISP terms of service), and I'm *STILL* trying to get forgiveness
from my wife.

How all of this could have been avoided:

If I'd used my corporate networks to originate the test, none of the
above would have happened.  Most of the target network admins were not
aware of our pen-testing, but enough were that they could have put the
brakes on the whole "we better call the feds" thing as soon as they saw
the IP headers of my nicely faked email.

I guess the point is this.  If someone doesn't recognize your home IP,
and this IP is doing noisy portscans and running Nessus and trying SQL
injections, and all other manner of crap, you could be in a world of
hurt (as I was).  And the PITA factor very well may not be limited to
the termination of your service by your ISP.  It could get a whole lot
worse.  You could find yourself in a room with one-way glass explaining
to a couple of guys in suits with funny bulges under the breast pocket
how you REALLY REALLY HAD PERMISSION TO ACT LIKE A LEET HAXOR! HONEST!
and asking if you need a lawyer.

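Added illustration for this thread (not part of Keith's post or anyone's tooling): the recipient in the story found the real source "right in the headers". The script below shows that check in Python: it walks the Received chain of a message from the bottom up to find the relay that first injected it, then compares that relay's reverse-DNS name with the domain the From: line claims. The message, hostnames and addresses are all constructed for the example (reserved documentation ranges), and the two-label domain heuristic is an assumption that stands in for a proper public-suffix lookup.

```python
"""Trace a message's origin from its Received: headers (example code)."""
import re
from email import message_from_string
from typing import Dict, List

# Constructed sample: a mail claiming to come from "customer-isp.example"
# that was actually injected from a residential cable-modem host.
# Every host and address here is invented for the example.
SAMPLE_EMAIL = """\
Received: from mail.customer-isp.example (mail.customer-isp.example [203.0.113.10])
\tby mx.corp.example with ESMTP id abc123; Thu, 28 Oct 2004 14:05:00 -0400
Received: from smtp.example-isp.example (smtp.example-isp.example [198.51.100.25])
\tby mail.customer-isp.example with ESMTP; Thu, 28 Oct 2004 14:04:50 -0400
Received: from cpe-home-user (cable-modem-123.home-isp.example [192.0.2.77])
\tby smtp.example-isp.example with SMTP; Thu, 28 Oct 2004 14:04:40 -0400
From: support@customer-isp.example
To: user@corp.example
Subject: Important notice from your ISP

Please follow the link in this message.
"""

# Matches the common "from HELO (rdns [ip]) by HOST" shape of a Received:
# header. \s+ also spans the folded "\n\t" continuation lines.
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\)]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw: str) -> List[Dict[str, str]]:
    """Return parsed hops in transit order: index 0 injected the message.

    Each relay prepends its own Received: header, so the bottom header
    describes the first hop. Headers that do not fit the regex are skipped.
    """
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        match = _HOP_RE.search(header)
        if match:
            hops.append(match.groupdict())
    hops.reverse()
    return hops


def originating_relay(raw: str) -> str:
    """IP address of the first relay in the chain, or '' if none parsed."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else ""


def registrable_domain(hostname: str) -> str:
    """Last two DNS labels (assumption: a stand-in for a public-suffix list)."""
    parts = hostname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def origin_matches_sender(raw: str) -> bool:
    """True when the injecting relay's rDNS domain matches the From: domain."""
    msg = message_from_string(raw)
    sender_domain = registrable_domain(
        msg.get("From", "").split("@")[-1].strip("<> ")
    )
    hops = received_hops(raw)
    if not hops:
        return False
    return registrable_domain(hops[0]["rdns"]) == sender_domain


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_EMAIL)):
        print(f"hop {i}: {hop['rdns']} [{hop['ip']}] -> {hop['by']}")
    print("origin relay:", originating_relay(SAMPLE_EMAIL))
    print("origin matches claimed sender:", origin_matches_sender(SAMPLE_EMAIL))
```

Run on the sample, the script reports the cable-modem host as the origin and a mismatch against the claimed ISP domain, which is exactly the clue a recipient or their ISP abuse desk would act on. Real mail adds complications the example sidesteps (headers that relays forge or omit, IPv6 literals, hosts without reverse DNS), so in practice treat the chain as trustworthy only from the first relay you control downward.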

-----Original Message-----
From: ericaldrc51 () netscape net [mailto:ericaldrc51 () netscape net] 
Sent: Thursday, October 28, 2004 2:05 PM
To: security-basics () securityfocus com
Subject: Allowing scanning from home


What's the group's consensus on allowing security staff to 
scan the company's external interfaces from their home, to 
get a true external assessment.  I personally don't agree 
with this for audit and other reasons.  Just looking for some 
other professional viewpoints.  Thx.



