Thursday, April 30, 2009

Laptop PWN3D!


It took three tries, and as usual OpenVPN stability was an issue, but I finally stole my own laptop without ever touching it.

It took almost thirteen hours, but that's within the limits of an unattended laptop in a "secure" location. Not everyone takes their laptop home, and if you work in an environment like I do, nobody likes to log off or reboot because it takes at the very least twenty minutes for your system to get back to normal (our specific problem is Outlook - it really has a hard time waking up in the morning).

Granted, the hard disk only had 20 GB of data on it. A bigger drive would have taken more time, bleeding into working hours and increasing the likelihood of an OpenVPN interruption, but as a Proof of Concept (PoC) the results are valid.

It would have taken four hours had the VMware vConverter taken full advantage of my cable connection. It never went over 585 kB/s for the duration of the transfer.

The first two attempts never went over 400 kB/s. On those runs I was using vConverter 3.x. I upgraded to 4.x before the final run. I have a feeling, which I can't prove, that the free versions of the VMware Infrastructure tools might be crippleware. There is no reason for it not to have taken full advantage of my pipe. I have gotten the full bandwidth in other file transfer exercises between home and work, and the CPU utilization on the source and destination systems was minimal-to-nothing.

As an added bonus, it turns out that nothing on the network even noticed that gigabytes of data were being sent out to the Internet for three full days! No alarms went off. No red flags went up. It didn't even show up in the reports generated every day by the Microsoft ISA (Internet Security & Acceleration) servers that "control and monitor" access to the Internet.

Unbelievable! Especially considering it was me who set those reports up (and I wasn't even trying to hide anything).
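The blind spot described above, gigabytes leaving the network over several nights without a single alarm, is exactly what a plain egress-volume check catches. The following Python is an added example, not code from the original post and not anything ISA Server ships: it aggregates outbound bytes per client per day from constructed W3C-style proxy log lines (the field layout is an assumption, not ISA's exact schema) and flags hosts that exceed either a daily limit or a multi-day window sum. The second rule is the one that matters here: a transfer spread across three nights stays under any reasonable per-day threshold, so a report that only looks at one day at a time never sees it.

```python
"""Flag workstations with unusual outbound byte volume in proxy/firewall logs."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample log, W3C-style space-separated fields (an assumed layout,
# not ISA Server's exact schema): date time c-ip cs-username cs-bytes sc-bytes r-host
# 10.1.4.23 pushes ~20 GB out over three nights; 10.1.7.88 is ordinary browsing.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-bytes sc-bytes r-host
2009-04-27 22:05:10 10.1.4.23 CORP\\jsmith 512 14820 www.example.com
2009-04-27 23:10:41 10.1.4.23 CORP\\jsmith 7100000000 2200 203.0.113.9
2009-04-28 01:30:00 10.1.4.23 CORP\\jsmith 6900000000 2100 203.0.113.9
2009-04-29 00:15:22 10.1.4.23 CORP\\jsmith 6400000000 2300 203.0.113.9
2009-04-28 09:00:00 10.1.7.88 CORP\\mlee 2048 910000 intranet.corp.example
2009-04-28 09:00:05 10.1.7.88 CORP\\mlee 1800 650000 www.example.org
this line is garbage and should be skipped
"""


def parse_lines(text):
    """Yield (day, client_ip, bytes_out) for each well-formed data line.

    Header lines (#...), blank lines, lines with the wrong field count and
    lines with unparsable dates or byte counts are skipped rather than
    aborting the whole run, since real proxy logs always contain some junk.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 7:
            continue
        day_s, _time, c_ip, _user, cs_bytes, _sc_bytes, _dest = parts
        try:
            day = date.fromisoformat(day_s)
            bytes_out = int(cs_bytes)
        except ValueError:
            continue
        yield day, c_ip, bytes_out


def outbound_per_host_day(text):
    """Return {(client_ip, day): total bytes sent by that client on that day}."""
    totals = defaultdict(int)
    for day, ip, bytes_out in parse_lines(text):
        totals[(ip, day)] += bytes_out
    return dict(totals)


def total_outbound(text):
    """Return {client_ip: total bytes sent over the whole log}."""
    totals = defaultdict(int)
    for (ip, _day), bytes_out in outbound_per_host_day(text).items():
        totals[ip] += bytes_out
    return dict(totals)


def flag_hosts(text, daily_limit, window_days, window_limit):
    """Return {client_ip: [reasons]} for hosts that breach either threshold.

    daily_limit catches a burst on one day; window_limit is compared against the
    sum over any window_days consecutive calendar days, which catches a slow
    transfer spread across several nights that a per-day report misses.
    """
    per_day = outbound_per_host_day(text)
    reasons = defaultdict(list)
    per_host = defaultdict(dict)
    for (ip, day), bytes_out in per_day.items():
        per_host[ip][day] = bytes_out
        if bytes_out > daily_limit:
            reasons[ip].append(f"{bytes_out} bytes out on {day} exceeds daily limit {daily_limit}")
    for ip, days in per_host.items():
        for start in sorted(days):
            end = start + timedelta(days=window_days - 1)
            window_total = sum(b for d, b in days.items() if start <= d <= end)
            if window_total > window_limit:
                reasons[ip].append(
                    f"{window_total} bytes out between {start} and {end} "
                    f"exceeds {window_days}-day limit {window_limit}")
                break  # one window hit per host is enough to raise the flag
    return dict(reasons)


if __name__ == "__main__":
    # A per-day rule alone (window of one day) sees nothing here.
    print("daily rule only:", flag_hosts(SAMPLE_LOG, 8_000_000_000, 1, 8_000_000_000))
    # Adding a three-day window sum flags the slow exfiltration.
    for ip, why in flag_hosts(SAMPLE_LOG, 8_000_000_000, 3, 15_000_000_000).items():
        print(ip, "->", "; ".join(why))
```

The thresholds are deliberately generous (8 GB a day, 15 GB over three days) because the point is not a tight number but the shape of the rule: anything that only looks at a single day's report, as the daily ISA reports did, will pass a transfer that is simply paced across several nights.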

The skeptics (I among them) will say, "Sure, you had admin access to the machine, what is so special about this 'hack'?"

That, my friends, is the whole point of this PoC. The environment I work in has 50+ "DesktopSupport" personnel who have admin access to every PC in our multi-campus WAN. Some of these people are complete, utter bozos who have been known to do idiotic things like Google for "flash upgrade" and then complain because the file they downloaded from a Ukrainian Web site gets pounced on by the anti-virus.

They are not too bright. Maybe that was an upper management decision. I could see the logic in that, but in my opinion stupid people are dangerous.

The problem is the smart ones, and the smart ones who act dumb (the dumb ones who act smart usually blow their own cover anyway).

This group of support personnel should be split up to support the different campuses, but with sick days, vacations, and scheduling conflicts it's just easier to give them access to everything.

Luckily, almost no one trusts them. But there is the "out of sight, out of mind" problem.

That aside, the Really Scary Issue - in my own mind - is that my Big Shot Boss, the Chief Security Officer, cannot seem to grasp the power they have. Sure, the guy's at 35,000 feet and everyone looks like ants, but he's been out of the trenches for so long he doesn't realize what people can do with the access they have been handed on a silver platter.

He doesn't know that, by utilizing the tools built into Windows, these jokers can slurp up any file on any hard drive on any desktop across the Enterprise, deleting the security logs as they exit. If those logs were turned on, which they're not.

To him, and the rest of his ilk, the security problems we face are all about servers. Nobody cares that the desktop is an accident waiting to happen. When the desktop is pwn3d, the servers, the network, and the data will surely follow.

It's never the other way around.
