Vernon Washington punched the call button for a fleet car. Per regulations, he set his watch for atmospheric sampling. Planes were on fire, fuel dumps had been hit, who knows what else was fouling up the air? External drives in the pockets, camera in the contact lens, radio in the earpiece, everything else was ready for gathering information.
Vernon stepped out of Terminal D and into the waiting fleet car. “Datacenter, evasive.” Debris everywhere, smoke hovering over the eastern terminals, psyops staff walking around with man-portable loudspeakers, alarms sounding, fire and emergency crews everywhere… the only thing missing from the scene was the screams of the mourners. Vernon wasn’t in that response crew, though. Those sights were for someone else’s nightmares.
The car made its way deliberately to the datacenter building. It was almost totally new, shining in its energy-efficient, up-to-date architecture. Vernon made a silent bet with himself about how many old problems had simply been moved from the old DC into the new one, and how many of those were involved in this breach. He was pretty sure there were thousands of problems, but how many were involved in today’s disaster? Vernon counted on his fingers… five.
The car pulled up to the curb. Vernon got out and the car went to go park itself. A guy with a DFW staff badge was there to greet Vernon. “You the guy with [REDACTED]?”
Vernon tapped the badge above his left shirt pocket. “I’m a federal agent. Are you my escort?”
The guy went from cocky to sheepish in a flash. His name badge read “Edwin Lu”. He badged in and held the door for Vernon. Vernon rolled his shoulders and walked up to the reception desk. “Do you need me to sign in?”
“No, we’re just coming up to my office.”
Wrong answer, Edwin. Vernon stayed by the desk. “I wasn’t really asking. Where’s the visitor ledger?”
Edwin smirked in puzzlement as he produced a ledger. “You’re not auditing us, are you?”
“No, I’m not. But you probably should expect one very soon in light of today’s events. Security is all the rules, all the time, documenting when they’re bent or broken.”
Edwin’s expression indicated that the business culture here hadn’t been stressing security for at least some time…
As they approached Edwin’s cube, Edwin grabbed a chair out of a conference room. “This is more comfortable.” Vernon was thankful for the comfy chair, but felt a little uneasy about how the “Do not remove chairs from conference rooms” sign was ignored. Still, he only expected five problems for this breach.
“OK, Edwin, do you use a RADIUS server for authenticating your wireless devices?”
“Yes.”
“Let’s take a look at the configurations. See if there are any new entries on the MAC bypass list.”
“OK…” Edwin started up a console to look at the RADIUS server. “Uhm… how will I be able to tell if the entries are new? They’re all sorted alphabetically.”
“How about a change log?”
“Um, OK…” Edwin clicked on Tools > Security > Admin Log.
The screen filled up with times, dates, usernames, and changes. Edwin and Vernon leaned forward and squinted. As they read, another log entry popped up at the top of the screen. Vernon asked, “Do you have circular logging enabled?”
“Ah… well, I dunno.”
Vernon assumed that meant yes. “Copy all the admin log files to a backup directory. Now.”
“Well, we do backups every night at 3 AM.”
“This is different. Copy them now. As in now.” Vernon didn’t want to say NOW: it was better for the working relationship if he didn’t go all caps on the guy. “It’s for forensics.” Vernon felt better when he added the why.
“OK then, just a sec.” Edwin went to the directory on the RADIUS server where the logfiles were kept and did a CTRL+A CTRL+C move and then did a CTRL+V to copy them to his local PC. “Yeesh. This is gonna be a while.”
“True. But now we have a copy of them from this time.” Vernon looked at the three newest entries in the logfile. They were identical, each 90 seconds apart. Unable to reach device at 10.9.177.12. Most likely a switch or wireless controller that had been deactivated long, long ago and nobody bothered to tell the RADIUS server. “Edwin, any way we can filter those out?”
“Well… I only know how to find stuff in this interface, not unfind them.”
“All right then, page down. We gotta read this over until we know what we’re looking for.”
“Why not check the SOC for unauthorized access events?”
“Because I’m betting dollars to donuts this is authorized access.”
“What, one of us did it?”
“Keep it down, Edwin. I’m not accusing anyone. I have no data, for starters.”
Page down. Page down. Page down. Page down. Those 90-second intervals really pile up, don’t they?
Hang on… “OK, highlight that.” Vernon pointed at a line on the screen that had nothing to do with 10.9.177.12. Edwin clicked on it, putting a nice blue tint on the text. The text noted that WANNA.SAMUE added a few addresses to the MAC bypass list.
The voice said in Vernon’s ear, “We’re getting it just fine. Maintain distance.” Good, the camera was working.
Edwin asked, “Sam did this?”
“Who’s Sam?”
“One of the security admins. Sam Wannamaker. That’s his account.”
“OK, noted. But let’s not jump to conclusions. That’s his account, probably wasn’t him. Look at the timestamps on those events.” Those addresses were added around 6:15 AM, last Saturday. “This guy Sam, when does he usually work?”
“9 to 6, like most of us. We didn’t have any changes scheduled for Saturday.”
“Is he in today?”
“Yeah, you want him?”
“Not yet, what’s the IP of where Sam logged in from?”
Edwin scrolled to the right on the logfile display. 10.1.1.15. “That’s our jump box for DC access.”
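What Vernon and Edwin do by paging down is a log triage: suppress the entries that repeat on a timer and carry no change information, then flag the real changes that happened outside normal working hours and note the account and source host for each. The script below is an added example, not code from the story or from any RADIUS product; the log format, the dates, the MAC addresses and the business-hours window are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample in the shape the story describes: timestamp, account, source
# IP, message. This is not a real RADIUS server's admin-log format.
SAMPLE_LOG = """\
2013-06-15 06:13:30 SYSTEM - Unable to reach device at 10.9.177.12
2013-06-15 06:15:02 WANNA.SAMUE 10.1.1.15 Added 00:1A:2B:3C:4D:5E to MAC bypass list
2013-06-15 06:15:09 WANNA.SAMUE 10.1.1.15 Added 00:1A:2B:3C:4D:5F to MAC bypass list
2013-06-15 06:15:00 SYSTEM - Unable to reach device at 10.9.177.12
2013-06-17 10:42:11 LU.EDWIN 10.1.1.15 Modified shared secret for NAS 10.20.0.5
2013-06-17 10:43:41 SYSTEM - Unable to reach device at 10.9.177.12
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")

# Messages that fire on a timer and say nothing about configuration changes. The
# story's example is a retired device the server keeps trying to reach.
NOISE_PATTERNS = (re.compile(r"^Unable to reach device at "),)

# Assumed working hours (the story's "9 to 6"); changes outside them get a look.
BUSINESS_START = time(9, 0)
BUSINESS_END = time(18, 0)


@dataclass(frozen=True)
class Entry:
    ts: datetime
    user: str
    source: str
    message: str


def parse_log(text):
    """Parse log text into Entry objects, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not abort the whole triage over one odd line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(ts, m.group(2), m.group(3), m.group(4)))
    return entries


def is_noise(entry):
    return any(p.match(entry.message) for p in NOISE_PATTERNS)


def is_off_hours(ts):
    """True on weekends or outside the business-hours window."""
    weekend = ts.weekday() >= 5
    return weekend or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def triage(text):
    """Return (noise_count, flagged): flagged are real changes made off-hours."""
    entries = parse_log(text)
    noise_count = sum(1 for e in entries if is_noise(e))
    flagged = [e for e in entries if not is_noise(e) and is_off_hours(e.ts)]
    return noise_count, flagged


def summarize(flagged):
    """Group flagged changes by (account, source host) for the reviewer."""
    summary = {}
    for e in flagged:
        summary.setdefault((e.user, e.source), []).append(e.message)
    return summary


if __name__ == "__main__":
    count, flagged = triage(SAMPLE_LOG)
    print(f"suppressed {count} noise entries")
    for (user, src), msgs in summarize(flagged).items():
        print(f"{user} from {src}:")
        for msg in msgs:
            print("   ", msg)
```

The source host column is the pivot for the next step in the story: once the off-hours changes are tied to one account and one jump box, the logon events on that box are the place to look for where the account was really used from.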
“OK, we need to check the event log on that box for where someone logged in with Sam’s account.”
“You want to do that now?”
“Yes, now. Can you hit that box from here?”
“Sure, just a sec.” Edwin fired up an RDP session to 10.1.1.15. A little while later, he had the event viewer up and filtered for logon events. 6:15 on Saturday showed that WANNA.SAMUE logged in from 84.246.99.90.
“Hold the screen there, sir.” Vernon awaited the voice in his receiver.
“That’s the University of Zagreb Computing Center.” Thank you, voice.
Chances were, Sam wasn’t in Croatia over the weekend. And whoever was in Zagreb or connected to a device in Zagreb, that was for the people next to the voice in the earpiece to resolve. Vernon was here to document what had gone on at DFW. For that, he asked Edwin, “Do you guys remote in to this jump box normally?”
“Yeah. Makes it easy for us.”
“Do you VPN in for it?”
“Well, no, not always. Our choice of VPN differs from your choice of VPN and so it has been really unstable for the last, like, year… and we don’t always want to have to drive in to do work.”
“So…?”
“So it’s opened up on the firewall.”
That was one. Sam’s account was two, dollars to donuts. “Let’s go see Sam. He sit near here?”
“He’s two rows over.” Edwin led the way. When they arrived, “Hey, Sam, this is…”
“Vernon Washington.” Let Edwin give the rest of the info.
“Vernon Washington, a federal agent. He’s here investigating, the, uh, thing today.”
Vernon smiled. “Hi Sam. I want to get directly to the point. Can we take a look in your email?”
Sam was too confused to be scared about that question. “Umm, OK.” Sam brought up his email client. “What do you want to look for?”
“Can you search for emails with links in them?”
“Ummmmmm… yeeaaaaaah… yeah. Here we go.” Sam typed the filter into the search box. Tons of marketing emails popped up in the results.
“We need to look at all of these, from before this last Saturday morning. Say before 7am.”
“OK.” Sam’s cooperation was pretty natural, not typical for a suspect. Which made sense, since Vernon didn’t suspect Sam the man. Just Sam the account.
The procedure was straightforward: look at the link in the email. Ask Sam if he clicked on it. Hover over the link and see if it goes to where the email claimed it would go. If nothing noteworthy came up, move on to the next email. As it turned out, Sam ignored almost all of the marketing stuff. Lots of looking, lots of scrolling…
Then there was the email from Rhonda, the group coordinator. Sam had clicked on the link and the hovering mouse said it was to an IP address that was nowhere inside the company.
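The hover check Vernon walks Sam through has two parts: does the link go where its text says it goes, and does the destination belong to the organisation at all? The script below is an added example, not code from the story; it parses a constructed HTML message and flags anchors whose visible text names one host while the href points to another, whose destination is a literal IP address, or whose destination lies outside an assumed set of company domains and internal networks. The trusted domain, the internal range and the email body are all constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: the organisation's own domain and address space.
TRUSTED_DOMAINS = ("dfw-example.test",)
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)

# Constructed message in the style of the one in the story: the text shows an
# internal portal URL, the href goes to an outside address (a documentation IP).
SAMPLE_EMAIL = """
<p>Hi Sam, the updated schedule is on the portal:
<a href="http://203.0.113.45/login">https://portal.dfw-example.test/schedule</a></p>
<p>Questions? <a href="mailto:rhonda@dfw-example.test">email me</a>.</p>
<p><a href="https://portal.dfw-example.test/help">Help desk</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_trusted_host(host):
    """Inside the organisation: an internal IP or a trusted domain (or subdomain)."""
    if is_literal_ip(host):
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_host(text):
    """Rough test for link text that reads as a URL or domain name."""
    return "." in text and " " not in text


def check_link(href, text):
    """Return the reasons a link deserves a second look (empty list if none)."""
    reasons = []
    host = host_of(href)
    if not host:
        return reasons  # mailto: and relative links have no destination host
    if is_literal_ip(host):
        reasons.append(f"destination {host} is a literal IP address")
    if not is_trusted_host(host):
        reasons.append(f"destination {host} is outside the organisation")
    if looks_like_host(text):
        shown = host_of(text if "://" in text else "http://" + text)
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def review_email(html):
    """Return [(href, text, reasons)] for every anchor that raised a reason."""
    findings = []
    for href, text in extract_links(html):
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in review_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

The same check runs equally well at the mail gateway, before a user ever sees the link, which is where the story's third problem would have been caught.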
The voice in the earpiece said, “Nothing there now, but it was in Argentina.”
Vernon counted the third problem. No spear phishing training. Or if there had been training, Sam here was in the 1% of computer users that training had no effect on. Sam had clicked on the link, provided a credential, someone used it on the RDP jump box that was open to the Internet, got in and added the MAC addresses of the grenade launchers to the bypass list so they would be permitted on the wireless network… and this jump box would also be a likely point of origin for the signals sent to the passenger vans and grenade launchers alike.
Two more openings to find.
First, Vernon collected pertinent files on his external drive. As he made the copies, he asked, “Who’s in charge of the passenger vans?”
Sam and Edwin looked at each other. Sam said, “Facilities?”
That wasn’t going to get anywhere. “How about the IP range for the vans?”
Sam clicked around and brought up the IP management interface. A few more clicks and he had the answer. “10.100.100.0/24.”
Vernon asked, “How about doing an SSH to an address in that range?”
Sam tried. He got a connection refused error message.
Vernon groaned inside. “Try telnet.”
When that made a connection, Vernon asked Sam, “Do you know the username and password to use?”
“No.”
“Try admin/admin.”
Sam typed and got in. Everyone felt ashamed that it had worked, and on the insecure telnet protocol, to boot. Vernon figured whoever was able to send commands to the vans didn’t even have to try – just being in the area would allow anyone to get an unsecured copy of everything sent to the vans. Not just the default, unchanged username and password, but also the commands used to maneuver the vehicles. Pretty darn handy.
And that default credential set was problem number four. One more to go, and that would be no limitation on what devices could send commands to the vans. Obviously, that was wide open.
There wasn’t much more Vernon could do. He made some small talk with Sam and Edwin, handed out cards, asked them to contact him if they had any more informa- say, the lights were flickering.
Then the lights went out. The air conditioning also cut out. But the computers and monitors didn’t. Vernon made a guess that the power wasn’t cut – something else was getting messed up.
Edwin asked, “What the hell’s going on?”
Vernon made a guess. Given the state of security there, it was a pretty good guess to make. “You guys got licensed hardware?”
“Yeah.”
“Well, check your licenses. Betcha someone’s zeroed them out. You really need to change those default admin passwords.” Vernon figured he’d gather some more data while he was here. It wasn’t his first license blasting case to investigate, that was for sure…