Security Basics mailing list archives
RE: Allowing scanning from home (or how I was really stupid)
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Sat, 30 Oct 2004 17:00:19 -0400
Allow me to share an experience that may be relevant here.

During the course of a pen-test, we crafted a very nicely forged email from a customer's ISP. I sent this using my home cable modem as a relay to further mask the origin of the probe. The email was designed to coerce a user into clicking a link and running a simple .bat file that pinged the corporate firewall with a specific payload size that would show up nicely in our firewall logs. The hope was that the user would run the bat file, we'd see it in the logs, and it would be a "gotcha" situation.

Well, things didn't quite go as planned. I left work a little early that day to do some personal stuff. When I came home, my wife was frantic. Our ISP had called, terminated our service, and indicated that law enforcement may or may not be involved. She was pretty much completely freaked out. I of course replied "well dear, what in the world did you *DO?* Wow, I bet you're going to jail!" She was not amused.

What happened: The recipient user of my email was much more savvy than we gave them credit for. They called their ISP, who called my offices (since we were the recipient of the pings) and called my provider (the IP being right in the headers) and reacted most severely. It took several days of phone calls and apologies, a box of donuts (to the customer's ISP; we felt really bad for freaking them out), lots of explaining and pleading to my home ISP including the provision of documentation (security testing type activity is a CLEAR violation of most ISP terms of service), and I'm *STILL* trying to get forgiveness from my wife.

How all of this could have been avoided: If I'd used my corporate networks to originate the test, none of the above would have happened. Most of the target network admins were not aware of our pen-testing, but enough were that they could have put the brakes on the whole "we better call the feds" thing as soon as they saw the IP headers of my nicely faked email.

I guess the point is this. If someone doesn't recognize your home IP, and this IP is doing noisy portscans and running Nessus and trying SQL injections, and all other manner of crap, you could be in a world of hurt (as I was). And the PITA factor very well may not be limited to the termination of your service by your ISP. It could get a whole lot worse. You could find yourself in a room with one-way glass explaining to a couple of guys in suits with funny bulges under the breast pocket how you REALLY REALLY HAD PERMISSION TO ACT LIKE A LEET HAXOR! HONEST! and asking if you need a lawyer.
-----Original Message-----
From: ericaldrc51 () netscape net [mailto:ericaldrc51 () netscape net]
Sent: Thursday, October 28, 2004 2:05 PM
To: security-basics () securityfocus com
Subject: Allowing scanning from home

What's the group's consensus on allowing security staff to scan the company's external interfaces from their home, to get a true external assessment? I personally don't agree with this for audit and other reasons. Just looking for some other professional viewpoints. Thx.