It was mid-December 2002, and it was that rather nasty time of year when - in addition to having to deal with the snow - it was dark when I went into work in the morning and dark when I came home. Even though our company shut down over Christmas, I was going to be spending my holidays upgrading servers. Needless to say, I wasn’t really bubbling over with holiday joy.
My office was a long, skinny, windowless affair, and the only office furniture arrangement that made sense left me sitting with my back facing the door. Those of you who have worked in IT (and especially security) know that we tend to focus on the task at hand to the exclusion of all else, so - over the years - the staff had learned various techniques to gently rouse me from “concentrating” without startling the hell out of me.
Tap… Tap… Tap…
My office door was always open, so a preferred method of getting my attention was to gently tap on the metal door frame until I realized someone was there. The overall worst method was to simply walk into my office and say something - that was pretty much guaranteed to make me startle halfway out of my chair - resulting in a very unhappy Tom.
Tap… Tap… Tap…
“Wazzup?" I said, my eyes still glued to the script I was writing to wrangle something out of the logs.
“Something just showed up for you." It was the main receptionist, rather than the shipping clerk… something that didn’t sink in immediately.
“Ok… Can you just put it on my desk? Thanks…"
“No… You really need to come get it."
“Whaaaaa?" I turned around and noticed the big ol' shit-eating grin on her face. “Seriously? What is it?”
It was big. And chock full o' Christmasy touches - everything inside was either red or green. Some of it was both. It sat in the middle of the reception desk like a hulking, wicker ode to Holiday Spirit with the words “Harry and David” emblazoned on, literally, everything.
“Open it… Open it…" A small crowd had gathered. Getting something delivered wasn’t a “special” occurrence - rarely did a week pass where one of the ladies in the office didn’t get flowers delivered for a birthday or an anniversary - but I wasn’t a lady, and this wasn’t flowers.
“Settle down… let me look at the card first."
“Looks like someone has a secret admirer…" You can always count on that person whenever you’re in this situation. Generally, they’re silenced with an evil glare… and I’m really good at evil glares.
I opened the attached card. It turned out to be from a mid-sized manufacturing company somewhere on the East Coast. I remembered the company name well…
It was probably mid-Novemeber when I had first noticed that I had four or five consecutive IP addresses from that company “persist-trapped” in my test version of LaBrea (the “sticky” honeypot I wrote around the time the Code-Red worm first came out to play).
The initial version of LaBrea simply monitored the network for unanswered ARP requests, and when it saw that the router was trying to send packets to an empty IP address, would answer with an ARP reply, essentially creating a “fake” system on the empty address. When TCP SYN packets were forwarded by the router, LaBrea would respond with a SYN-ACK and then simply ignore anything else. This resulted in a drastic slowdown of the attack phase of a network worm - because it would complete the three way handshake and continue to try to send data until the connection timed out. Later versions of LaBrea incorporated the idea of “persist-trapping” connections by completing the three-way handshake, and then setting the TCP window size to zero - essentially telling the attacking system that it was busy processing the data it had received. LaBrea would then answer the attacking system’s “Window Probe” packets (packets that, essentially, say “Hey! Did you forget about me?") keeping it “on hold” indefinitely. Literally indefinitely. Seriously… I held “persist-trapped” connections open for six months or more…
I had called the company several times and left messages for their main IT manager, explaining that he had multiple compromised systems on his network - but the “persist-trapped” connections never went away. Finally, right before Thanksgiving, I got the man himself on the phone.
“Those systems can’t be compromised… we’re running AV on them."
God, how I hate those words…
I took a deep breath and explained that while running AV was a very important preventative measure, it wasn’t a silver bullet when it came to malware. I explained that if those were his IP addresses, that there was - literally - no doubt that his systems had attacked mine, and that unless he knew a reason they should be talking to my instance of LaBrea, that he really needed to check those boxes out. When I hung up the phone, I was about 90% sure he would just ignore me.
It was about a week later when I got a return call. That, in and of itself, was pretty surprising, but the story he told me was even better. After that first call, he had decided I was some kind of loony crackpot, but later that afternoon, one of his junior guys wandered into his office with a concerned look and a printout of some firewall logs. “So what," he’d said to the junior, “we’re getting hit all the time by worms on port 80…"
“But boss," had come the reply, “these aren’t inbound… they’re outbound."
The only thing that saved their company from being an enormous netmenace was that 99% of their machines needed to use a proxy for outbound HTTP access, and the worm they were infected with wasn’t proxy-aware. The other 1% had landed squarely in my tarpit.
He apologized profusely and explained that it had taken him several days to work up the nerve to call me. He also said something that has stuck with me over the years: “Sometimes the biggest mistake you can make is ‘knowing' that you’re right."
As it turned out, he must’ve also convinced someone at his company that they owed me a Harry and David gift basket.
Fast forward to today, and the story of Justin Shafer, a security researcher pulled from his home at 6:30am, handcuffed, and interrogated for the despicable crime of telling a dental software company that they had unencrypted patient data publicly available on an FTP server that allowed “anonymous” access.
Based on the information I’ve seen, Shafer did everything right when he discovered the patient data as a result of some Google searches. He worked with others to notify the affected company and made sure that no information on the disclosure was made public until after the data had been secured. It seems like he went above and beyond to be the epitome of “responsible disclosure.”
As a result, the affected company (who I won’t mention here because, God knows, they’ve already demonstrated that they’ve got a litigious streak a mile wide…) swore out a complaint against him claiming that Shafer had accessed the data on their unsecured anonymous FTP server “without authorization” and should be charged criminally under the Computer Fraud and Abuse Act (CFAA). Shafer was treated like a criminal and even had a bunch of his equipment confiscated while charges are being considered.
IANAL, but I find it beyond comprehension that ANY access to an unsecured anonymous FTP server could be considered “unauthorized.” The whole point of an anonymous FTP server is that it doesn’t require authentication and therefore everyone is authorized to use it.
How did this complaint possibly pass the smell test by the FBI (who were the ones arresting Shafer)? Doesn’t anyone over there know how an anonymous FTP server works?
The world has changed a lot since I first started working in security, and those changes haven’t always been for the better. Shooting the messenger is becoming an increasingly “acceptable” response of late, and its a trend that makes me wonder if trying to be a “good guy” is worth it anymore. When am I going to be dragged out of bed, handcuffed in front of my family, and face prosecution simply because I tried to explain to some random company that someone hacked their servers? When will reporting a netmence land me in jail?
I much prefer Harry and David gift baskets.
Owner, Principal Consultant
Bad Wolf Security, LLC
Senior Technical Engineer
May 31, 2016