[Dshield] Spam Surge and funny things with auditors

Sue Young sforslev at gmail.com
Sat Sep 1 17:56:53 GMT 2007

Auditors are my biggest security problem.  A few weeks ago I checked my
Snort box in the morning and saw it had 10,000 attempts to send out SMTP
mail.  This was at 9:30 am so now you know why you get so much spam, this
thing was only up for 20 minutes.  I saw the machine was an outside computer
on our internal network.  After searching the whole floor, I found 2
auditors in a closed office.  One had a badly infected machine.  Of course
they're from a major auditing firm and were charging big bucks to do a SAS
70 audit.  I moved them to our public network, and gave them one of our
clean laptops to do the work they needed on our internal network.  I don't
know if this guy ever got his laptop clean - I told him to have it
reimaged.  We have a policy of not letting outside machines on our internal
network but the end users ignore it all the time.

Last week the people on that floor suddenly started getting IP addresses on
our public network that is not physically connected to our internal
network.  It turns out that our very expensive auditors had taken the
network cable that was plugged in to our internal network, through an IP
phone, and plugged in the other end to the public network, creating a bridge
to open our internal network to the less protected public network.  The hop
to the public DHCP server was a little faster so the internal machines got
an external address.

We no longer allow any wired access to the public network.  It's wireless
only now. I've never had one of my users put two ends of the same cable in
the wall but I've had auditors do it regularly and a painter did it once.

Sue Young, CISSP

On 8/31/07, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
> On Fri, 31 Aug 2007 11:37:50 +0200, Ulf Bahrenfuss said:
> > direct recommendations. Among them the most glaring "immediate action
> > point" was the report about my internal DNS servers. They were obviously
> > outdated and a security risk because they answered to a version request
> > with "their" version number. The number I configured to give back was
> > 6.6.6 and that is well below known secure numbers :-) The recommendation
> > was to update and change the config to give back a false number or no
> > number, hmmmm okay
> If you tried the snarf-the-version trick against the NSA's public-facing
> nameservers a while back, they'd report the version string:
> "These are not the nameservers you are looking for..."
> (And yes, a *high* fraction of "security auditors" are bozos who can't
> even run Nessus and interpret the results for themselves - looking at a
> version number 6.6.6 and not cluing in is about par for the course....)
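The "snarf-the-version trick" Valdis and Ulf are talking about is a DNS query for the TXT record `version.bind` in the CHAOS class, which BIND (and several other servers) answer with whatever the `version "...";` directive in the `options {}` block of named.conf is set to. The script below is an added example, not code from anyone on this thread: it builds that query by hand on the wire, parses the answer, and, so it can run offline, feeds itself a constructed response carrying Ulf's `6.6.6` string. The transaction ID, the constructed response bytes and the `query_server` helper for talking to a real server over UDP are all assumptions of this example.

```python
"""Query and parse a nameserver's CHAOS-class version.bind TXT record.

Added example: the wire format follows RFC 1035; the sample response
below is constructed here, not captured from a real server.
"""
import socket
import struct

VERSION_NAME = "version.bind"
QTYPE_TXT = 16
QCLASS_CH = 3  # CHAOS class, where BIND publishes its version string


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, NUL-terminated)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_version_query(txid=0x1234):
    """Header (RD set, one question) followed by version.bind TXT CH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(VERSION_NAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def skip_name(data, offset):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer into the packet
            return offset + 2
        offset += 1 + length


def parse_version_response(data, txid):
    """Return the TXT strings from CHAOS TXT answers; raise on bad replies."""
    if len(data) < 12:
        raise ValueError("truncated header")
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")  # reply to someone else's query
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned rcode %d" % rcode)  # e.g. 5 = REFUSED
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    strings = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype != QTYPE_TXT or rclass != QCLASS_CH:
            continue
        pos = 0
        while pos < len(rdata):  # TXT RDATA is one or more <len><chars> strings
            slen = rdata[pos]
            strings.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
            pos += 1 + slen
    return strings


def constructed_response(txid=0x1234, version=b"6.6.6"):
    """Assumed reply: QR/RD/RA set, one question echoed, one CH TXT answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(VERSION_NAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    rdata = bytes([len(version)]) + version
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def query_server(server, timeout=2.0, txid=0x1234):
    """Send the query over UDP/53 to a real server (not exercised offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_version_query(txid), (server, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_version_response(data, txid)


if __name__ == "__main__":
    print(parse_version_response(constructed_response(), 0x1234))
```

A server whose answer is something other than a real version string (Ulf's `6.6.6`, or an obviously made-up banner) is not "outdated"; the only sensible follow-up for an auditor is to note that the banner is not trustworthy and identify the version some other way. The check the script does on the transaction ID and the RCODE matters in practice too: a server configured with `version none;` typically answers with rcode 5 (REFUSED), which is the "no number" outcome the report recommended.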
