Re: Perhaps the most OBVIOUS question you will ever see.

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/28/05


Date: Thu, 27 Jan 2005 23:23:53 -0500

First off, I think you cross-posted this a bit excessively. Bad etiquette.

Second off, you are being far too flippant about this I think. You could be
terminated on your attitude probably all on its lonesome. How you proceed is
entirely up to your thoughts on how you feel about your job. Attacking your boss
generally isn't a way to form a career somewhere. At the very least it puts you
in a hostile environment that isn't fun to work in.

Finally, the number of ways you could be compromised varies. It is possible,
however unlikely, that you guys are actually locked down to the point that this
could be safe. Again, I think it is unlikely given the impression I have of the
technical knowledge and security consciousness the company appears to have. But it
isn't entirely impossible.

I think the most effective way to handle this would be to go and get your own
laptop, don't use any work resources whatsoever, and drive around the location,
do not trespass onto the property, stick to publicly accessible areas and try to
pick up the connection. If you do connect, try various things, such as network
sniffing, etc to find what others would find. Do a network scan (based on the IP
address you get from DHCP) and see if you can find machines with services
available, SMTP would be a really good one to find. DO NOT use your knowledge of
the environment to just go straight to an SMTP server you are aware of. Now try
to send an anonymous email to some external email address that you have.
Possibly try to scan for machines with open shares or mounts that allow you to
read unauthenticated or write unauthenticated. Look for any SQL servers with
blank SA accounts, etc. Again do all of this without using any knowledge you
have of the environment, if you don't think you can, have a friend do it and
don't give them any hints.

Now if you are successful, this is a great example that anyone will understand.
Walk your BOSS out to where you were, use your non-work laptop and walk through
the process you used previously. As a finale, send an email to your boss from
his boss or the president of the company or something like that with your boss
standing there watching you. If he doesn't get the picture, and you really feel
you need to, do this with your boss's boss or whomever.

Basically try to convince your boss to be your ally and to do that, you need to
prove that there is an issue.

Now there is one thing you need to do before this. I doubt you do, but if you
have a security group, you need to alert them that you are going to do this.
Explain why you are doing it. Again I doubt you have that in place. So what you
do in that case is ask your boss if he minds if you test the security and try to
do what it is that you think can be done. This is a key step, if you don't do
it, you could find yourself getting in trouble for doing it since a big part of
the whole thing is publishing to your superiors that you did it to prove the point.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Curious George wrote:
> Dear Colleagues:
> 
> For the life of me I don't know why I have to ask this question since the
> answer is so obvious, however, I need to have others tell me that I am not
> completely insane.
> 
> I work at a place where we have a myriad of wireless access points and NO, I
> am not writing from there at present.
> 
> NONE of the wireless access points has any form of security on them
> whatsoever.  No WEP, no CHAP. . . no nothing.  Everything is open so you
> could walk into our joint, grab an IP address and surf the web to your
> heart's content.
> 
> Here is the problem.  My boss insists that it's "no big deal" and that since
> the servers are on the inside and protected, we really don't have a thing to
> worry about.  Furthermore, my boss is under the impression that since we are
> situated in a wide area, that nobody would be able to get into our network
> because of this distance.  Needless to say, my boss does not consider
> somebody sneaking into a parking lot with a laptop, a good network card and
> a directional bazooka antenna a possibility.
> 
> So here is what I have to explain to my boss' boss and, perhaps, the board
> of directors. . . and here is where I can't help but laugh.  I hope that I
> will be able to keep a straight face come Monday when I have to explain
> myself to people why it's important.
> 
> Okay, so I know the analogies.  For example, I understand that not having a
> secure wireless network with many Waps and high gain transmission antennas
> is the same as putting cables out to anybody within 'x' amount of yards with
> a sign that says "free internet access", but since I am going to be asked
> these obvious questions, just what type of damage could somebody do?
> 
> Yeah, I know about denial of service attacks, yeah I also know about
> enumeration and password guessing, but considering that we have an SQL
> server on the inside of our network (no, the sa account password is not
> null) what are we talking about.
> 
> I can envision so many things.  Like somebody just sitting there capturing
> packets to get things like usernames, passwords and the like, but come on. .
> . what else could they do.
> 
> I have read my boss the riot act many times, but this is now going to go in
> front of somebody over my boss' head, so, aside from giving them worst case
> scenarios, end of the world analogies, etc., how else could people break in.
> 
> Creative responses are appreciated and will be rewarded with much praise.
> 
> I can't believe that I have to actually explain this to people, and this
> entire thing would last about two seconds when it comes to talking with a
> computer professional, but you see, my boss is under the impression that
> they are a computer professional because they received a Master's degree in
> Comp Sci back in the 80's.  I know that this line of thinking is dangerous,
> but I really want some creative answers to put my point across strongly, and
> yet professionally.
> 
> Although I realize that this post will likely be the *** of many jokes
> (which I will appreciate immensely) I nevertheless would appreciate a bit
> of useful information in your responses.
> 
> I am going to have a serious drink now, and then bang my head against the
> wall.
> 
> Thanks in advance,
> 
> CC
> 
> 
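
The SMTP step of the test Joe lays out above (scan the subnet you were handed by
DHCP, find a host listening on port 25, see whether it will relay mail for a
stranger), as an added example that is not part of Joe's reply or of the
thread. It assumes plain SMTP on TCP/25, and the two probe addresses, the
subnet and the FakeSmtpServer stand-in are all constructed so the script runs
offline; it does not cover the open-share or blank-SA checks. One deliberate
difference from Joe's procedure: it stops after RCPT TO and abandons the
transaction with RSET, so it proves the relay is open without actually
sending a message. As Joe says, run it only after the boss has agreed to the
test.

```python
import ipaddress
import socket
import threading

# Constructed probe addresses: neither belongs to the network under test,
# so a server that accepts this MAIL FROM / RCPT TO pair relays for anyone.
PROBE_FROM = "audit@example.net"
PROBE_RCPT = "audit@example.org"


def hosts_from_dhcp_lease(ip, netmask):
    """Expand the address/mask handed out by DHCP into the host addresses to
    probe, leaving out the address we were given ourselves."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    return [str(h) for h in net.hosts() if str(h) != ip]


def _read_reply(f):
    """Read one SMTP reply (multi-line replies use '250-' continuation lines)
    and return its three-digit code."""
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(text) >= 3 and (len(text) == 3 or text[3] != "-"):
            return int(text[:3])


def relay_check(host, port=25, timeout=5.0):
    """Return True if host will relay mail for a foreign sender to a foreign
    recipient. The exchange stops after RCPT TO and is abandoned with RSET,
    so the check proves the relay without actually sending a message."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")

        def cmd(line):
            s.sendall((line + "\r\n").encode("ascii"))
            return _read_reply(f)

        if _read_reply(f) != 220:          # server greeting
            return False
        cmd("HELO audit.example.net")
        if cmd(f"MAIL FROM:<{PROBE_FROM}>") != 250:
            cmd("QUIT")
            return False
        rcpt = cmd(f"RCPT TO:<{PROBE_RCPT}>")
        cmd("RSET")                        # drop the transaction before DATA
        cmd("QUIT")
        return rcpt in (250, 251)


class FakeSmtpServer(threading.Thread):
    """Constructed stand-in for the SMTP server the scan would find, so the
    check can be run offline. open_relay=True accepts any recipient; False
    answers 550 to recipients outside its own domain, as a correctly
    configured server does."""

    def __init__(self, open_relay, local_domain="example.com"):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.local_suffix = f"@{local_domain}>".encode()
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mail.example.com ESMTP\r\n")
            while True:
                line = f.readline()
                if not line:
                    break
                parts = line.split()
                verb = parts[0].split(b":")[0].upper() if parts else b""
                if verb == b"QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                foreign = not line.strip().lower().endswith(self.local_suffix)
                if verb == b"RCPT" and foreign and not self.open_relay:
                    conn.sendall(b"550 relaying denied\r\n")
                else:
                    conn.sendall(b"250 ok\r\n")
        self.sock.close()


if __name__ == "__main__":
    for relay in (True, False):
        srv = FakeSmtpServer(open_relay=relay)
        srv.start()
        print(f"open_relay={relay}: relay_check ->",
              relay_check("127.0.0.1", srv.port))
    print(len(hosts_from_dhcp_lease("192.168.1.37", "255.255.255.0")),
          "hosts to probe")
```

Against a real target you would feed the addresses from hosts_from_dhcp_lease
to a port-25 connect scan and call relay_check on whatever answers; a 250 to
the foreign RCPT TO is the evidence to walk the boss through, and because the
transaction is reset before DATA nothing leaves the server during the test.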
