Ignorance Without Bliss: a J! True Security Story

Sometimes when I’m flipping through the television stations, I see the ‘E! True Hollywood Story’ shows, in my case on Time Warner’s channel 62. If you haven’t seen them, the series offers a documentary-style look at the ‘true’ lives of Hollywood’s top A-listers and their story of chasing fame and fortune.

Perhaps not quite as interesting, but equally puzzling an outrageous, I’ve decided to log my own chronicles of astounding and crazy true InfoSec stories- henceforth to be known as: a J! True Security Story.

A J! True Security Story Episode 1: Ignorance Without Bliss, an SMB Security Schmuck

I don’t get worked up often, but when I do it’s quite an occasion for friends, family, co-workers and customers (if they get to witness it). Today is one of those days.

Being in ‘the IT” industry as we are, we get regularly volunteered by friends and family to ‘fix computer problems’. That infamous question…. “hey, I’m having problems with my ___, could you look at it for me?”. Feel free to fill in the blank- computer, printer, router, Internet, vcr– sometimes even toaster. UGH. Usually I cringe within the first few syllables, and politely inform the requestor that I’m actually a network person, not a computer person, and I’m blonde and – therefore, know nothing about computers themselves. Sometimes it works, sometimes- not so much. However, there are a few friends, mostly some key SMB owners, that I enjoy helping and am genuinely interested in their success. So, for these few, I offer my advice and help whenever needed.

And this, my friends, is how Episode 1 begins.

Names and locations have been changed to protect the innocent (if there are any). We’re going to call this business This Office. This Office is a small business, with several nice people, including the owners. There is also the target of my rants, ‘the security schmuck’ we’ll call him Stan. Stan is an employee of This Office.  

I found, during several trips to This Office to fix various things, that Stan had been habitually abusing the poor office computer. To give you a general idea of what I had been dealing with (for example) Stan had at one point uninstalled Window XP Pro and installed Windows ME. Stan also uninstalled Symantec AV and installed several free-ware antivirus programs… and a keylogger (yep, I had at least 2 people’s Bank of America logins just from glancing at the log file). The list continues.

So, This Office recently purchased a new computer with Vista and an integrated Credit Card reader that used the PC and its Internet connection to process payments. On a recent trip I find that Stan has installed four (4, fooooor, 1-2-3-4) file-sharing apps, including BitTorrent, Limewire, Sharezza, etc and was using them to download large games. I was called by This Office’s management because they couldn’t browse online or get office email. It also appeared as though Stan was either accessing the office computer remotely from home, or vice versa. I explained to the Onwers what was going on, and why we needed to put a stop to it, with discussions of both PCI Compliance and productivity. With the Owners’ permission, I stopped and uninstalled all the file sharing apps, previously downloaded games and other ‘things’ that didn’t need to be there.

About 3.5 hours and 2 lattes later, we had a fresh start and a functioning PC. The Owners did not wish to lock anyone out or restrict access, so, against my better judgement, I left it as it was. I did send a ‘nasty-gram’ via email the following morning explaining what I uninstalled and why. Included was a list of acceptable and unacceptable uses of the office PC, and the whole thing was to be read at the staff meeting that day.

And it was… And it obviously p***ed off Stan, because the next opportunity he got, Stan designated his account as the only Admin account, created a new low-permission account for the office managers use, locked down their access (even to email and Internet) and re-loaded ALL the file sharing apps again. Bad idea for Stan, because now the owners, the office managers and I are all p***ed off ourselves. Even after much pleading and begging, Stan refuses to deliver the correct password to the admin account to the owners. Stan says it’s “Can’t stop me”, noting the capital ‘C’. After a couple of days, he claims to also be locked out (which is horse poo, because I can see he’s logged in).

Finally an owner lures him into the room, slips out, and gives me 5 minutes alone with him. I try to nicely explain why I’m there, what I do, and that I’m not buying his story. He still insists he doesn’t know the password. We go round & round until I finally tell him he can either magically recall the password now, or I’ll be taking the computer with me and he won’t like the condition of it when it’s returned.

His reply? “Fine, do what you have to- I’ll just break into it again”.

Oh no he didn’t.  I usually have very low blood pressure, but I felt it rising quickly at this point. I let him go, we waited until he left, I disconnected everything and took the computer. (FYI, during the dis-connection I found he had installed an unsecured Linksys Wireless Router to everything too. The Owners were not aware of the wireless device, and This Office is directly adjacent to a couple of hotels, so we took that out too.)

What happened next was pretty fun. I found that Vista does not use the LM hashes for password files (the rainbow tables for which are readily available for free online). It uses NT hash files, and those rainbow tables cost a few hundred dollars. Figuring the Owners didn’t want to spend money on our Schmuck, I extracted the password hash files, saved them, then used a pre-boot utility to create a new Admin account for the system. I was curious if the password Stan kept giving us was close to what it actually was, or if he was just lying.

Luckily some new-found security friends in Switzerland took the hash file that was extracted and ran it against their tables there and discovered the password. In about 15 minutes I received a text on my cell phone “2slow4me”.

When I returned the computer, I reprovisioned the accounts, locked his down and changed his password to ‘2fast4you’.

Hey, I needed some type of amusement after the many hours of dealing with this schmuck.

Moral of the Story. I hope my Ignorance Without Bliss story will be an eye-opener for all SMB owners out there. This business did not have an acceptable use policy, nor did they have any knowledge or control over what was being done to their primary office computer. This computer contained a variety of customer information (including some medical data), was processing credit cards, and was left vulnerable to a variety of security threats because of an employee’s actions. Fixing these issues in all could have easily cost a few thousand dollars, and that’s nothing compared to the fines and lawsuits that would have followed an exposure.

# # #