Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Mar 7, 2002 (Vol. 7, #19 - Issue #350)
Postmortem: How Sunbelt Got Hacked
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Postmortem: How Sunbelt Got Hacked
  2. TECH BRIEFING
    • Run Active Directory? Run it from WinXP Pro
    • More W2K Gotchas
  3. NT/2000 RELATED NEWS
    • W2K Service Pack 3: Waiting For Security Fixes
    • MS Confirms .Net Delay
  4. NT/2000 THIRD PARTY NEWS
    • Sunbelt Adds New Exchange Tool: Policy Patrol
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • Journey to the Center of the Internet: Now Showing in 3-D
  SPONSOR: U-Promote
Need To Change Member Servers to BDC and back? Use U-Promote.
Q: "I need to rebuild several Domain Controls for a major domain migration
project. This tool seems like a tremendous time saver". Does it work?
A1: "It's worked very well for us. No problems to report."
A2: "I have used it on 2 machines in our domain. Changing a member server
to a BDC and a BDC back to a member server. Worked very well. Easy and
quick."
Price? Online a Steal: Single copies: $99.95 - Unlimited: $239.95
Visit U-Promote for more information.
  EDITORS CORNER

Postmortem: How Sunbelt Got Hacked

It's just one of these things. You talk about security for years, you warn people once a week, protect your domains with many layers, and then some hacker walks right into your own open back door. [grin] At the end of this cautionary tale I will tell you what to do to prevent it in your own organization.

Here is how this whole thing went down. It's not as bad as it could be, and our domains were never compromised. But it is egg on our face! Someone hacked into our phone system. It's called phreaking, and it has been done for decades. Lucky for us he was just talking to people instead of using it to (try to) break into other systems.

How did it start? Last Thursday one of our Reps found she could not use her voice mailbox anymore. It was forwarded to some strange number. The Admin in charge frowned, reset it, and things worked again. Then last Friday, it happened again, and not with just one but with a few mailboxes. Now we really started looking!

What the hacker did not know is that we have an advanced phone system that really is just software. The whole system is a W2K server in a special frame with 20 expansion slots. Each slot holds a card for 8 extensions. The software is powerful and allows you to reconfig anything on the fly instead of having to call your PBX vendor all the time if you move a few staff to new spots. The brand is Altigen.

We started to look in the Altigen console, and found a few mailboxes that were forwarded to faraway countries. When we started to trace these down, it turned out they were Pakistan, Saudi Arabia, Kuwait and the Philippines. Anyone who has followed the news recently can draw their own preliminary conclusions. So did we.

Since we can see everything in real time coming in and out of the system, it was clear that a hacker had compromised a few mailboxes and was using these to break into other companies' systems as well and create a chain of compromised PBXes. In some cases we were the end of that chain, so we knew the final destination. The hacker was fairly smart in trying to hide their trail by dialing in, dialing out, and then dialing in again and using another mailbox.

However, since we could see and change things in real time, we took him off the voice T1, and rerouted him to a copper trunk which we could tap. And sure enough, a male voice speaking both American and Arabic was busy making calls through several other companies' systems that he already "owned". So while he was happily tapping away, we recorded what he was doing and called the FBI.

They actually are in a building 5 minutes from here so shortly they were over and listening in. And since Altigen dumps all the data into a SQL database, we were able to give them both the voice recordings and a detailed track of all the calls, their origination and destination points and duration. They were happy we could provide them with all the data immediately burned on a CD so they could start their analysis, using Excel.

The FBI agents told us that phone system hacking is happening thousands of times every day! And we had to shamefacedly admit that the password used for the compromised mailbox turned out to be the same as the extension. OUCH! The hacker simply cracked these mailboxes using this very simple trick. DUH. And me scoffing at the New York Times for using the last four digits of someone's social security number as their default passwords...[grumble]

Luckily for us, the hacker never got into our W2K domains, and never used it for actual computer cracking, but a simple trick like this can cause damage in many other ways. Especially if one deals with a bit more sophisticated criminal elements. So we compiled all the evidence necessary and turned it over to the FBI Computer Crime Special Agents.

We then shut the hacker down, and changed all mailbox passwords to something a bit more sophisticated. We also shut down all international calling ability for mailboxes that did not need it, which was about 95%, and made some other configuration changes in the Altigen console which I'll not go into. And to the hacker, if you read this, you were caught. Expect a tap on your shoulder any minute now.

Lesson learned: USE STRONG PASSWORDS FOR THE PHONE SYSTEMS AS WELL. Monitor your phone system logs for unusual activity and out-of-normal-range events or durations, just like you would your networks, and set red flags. You could dump that stuff into a flat file and use a tool like ELM to ping you when things are out of the ordinary.
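
As an added illustration of the log monitoring suggested above (not part of the original newsletter, and not Altigen's or ELM's own code), this Python script scans a flat-file call-detail export and flags outbound calls that are international from a restricted extension, placed outside business hours, or unusually long. The column names, thresholds, the 011 international prefix and the sample records are all assumptions constructed for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed call-detail records. Column names and the 011 international
# prefix (North American dialing) are assumptions, not any vendor's schema.
SAMPLE_CDR = """timestamp,extension,direction,dialed,duration_sec
2002-03-01 10:15:00,214,out,15555550123,180
2002-03-01 23:40:00,231,out,011000000000001,3900
2002-03-02 02:05:00,231,out,011000000000002,2400
2002-03-02 11:00:00,205,out,011000000000003,600
2002-03-02 14:30:00,214,in,,240
"""

INTL_PREFIX = "011"
INTL_ALLOWED = {"205"}          # extensions with a business need to dial abroad
BUSINESS_HOURS = range(7, 19)   # 07:00 through 18:59 local time
MAX_DURATION_SEC = 3600         # longer calls are out of the normal range


def flag_calls(cdr_text, intl_allowed=INTL_ALLOWED):
    """Return (timestamp, extension, reasons) for each suspicious outbound call."""
    alerts = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["direction"] != "out":
            continue  # only outbound calls can run up toll charges or relay onward
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if row["dialed"].startswith(INTL_PREFIX) and row["extension"] not in intl_allowed:
            reasons.append("international call from restricted extension")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if int(row["duration_sec"]) > MAX_DURATION_SEC:
            reasons.append("unusually long call")
        if reasons:
            alerts.append((row["timestamp"], row["extension"], reasons))
    return alerts


def extensions_to_review(alerts):
    """Rank extensions by number of flagged calls, most suspicious first."""
    return Counter(ext for _, ext, _ in alerts).most_common()


if __name__ == "__main__":
    found = flag_calls(SAMPLE_CDR)
    for ts, ext, reasons in found:
        print(f"{ts} ext {ext}: {'; '.join(reasons)}")
    print(extensions_to_review(found))
```

Run on a schedule against the latest export, the ranked list from `extensions_to_review` shows which mailboxes need their password and forwarding settings checked first.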

This week's XBOX Winner is Doug Taylor from Huntsville, Alabama. Congrats Doug! To have a chance in winning yours, refer up to three friends here:
http://www.W2Knews.com/lookup.cfm

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: pcAnywhere Killer
Sunbelt Remote Admin Declared "pcAnywhere Killer" By User
You might want to give Remote Admin a try too. Currently the version
under NT4.0 is blisteringly fast. It's as if you are there, with all
the admin tools to control remote systems. This puppy was "made by and
for" system administrators. Pricing is dirt cheap, and now available
on the OnlineShop. Get your 30-day eval here:
Visit pcAnywhere Killer for more information.
  TECH BRIEFING

Run Active Directory? Run it from WinXP Pro

If you manage Active Directory, it makes sense to do that from a WinXP Pro Box. You can add Windows XP Pro workstations to your AD domains and they will respond to existing GPOs just like Windows 2000 Pro. That is a significant bit of information. Much more important though is that if you update Windows 2000 Active Directory with the new security templates that shipped with Windows XP Pro, significant new functionality becomes available to the AD administrator using XP Pro as the admin console. For this reason, Windows XP Pro is now the preferred management console for Windows 2000 Active Directory. Found this tidbit at is-it-true.org. See:
http://www.w2knews.com/rd/rd.cfm?id=020307TB-WinXP_Pro

More W2K Gotchas

Gotcha number one: SID history makes you see double accounts
Thought every account and group could only exist once in the permission-list of a resource? Well, during the migration phase, you will often see the AD account twice in the permission-list - once as the AD SID resolved against the AD domain, and once as the NT4 SID resolved against the AD domain when using SID History!

Gotcha number two: Thought your global group would be great for eMail DLs?
Until you notice that Exchange 2000 won't be able to resolve members of Global Groups from a different domain in the forest, as it only queries one Global Catalog at a time. What do we learn? Only use Universal Groups for DLs and only nest Universal Groups for DLs - no Global or Local Groups as DLs, in a multi-Domain environment!

Gotcha number three: Like looking for locked out accounts?
Locked-out accounts after password changes are one of those Kerberos surprises: when you have a second machine (e.g. test-client) that you are logged onto and you change your AD password via your first machine, the second machine will soon lock your account in AD, when the Kerberos Ticket tries to refresh its token!

Guido Grillenmeier
Hewlett-Packard Germany

  NT/2000 RELATED NEWS

W2K Service Pack 3: Waiting For Security Fixes

Well, the news about W2K is that there is still no news. We're still stuck on the original beta release but it appears that there is finally some movement on that front again, for the first time since November last year. On March 4 a note appeared in the SP3 announcements newsgroup:

"Many of you have questioned when SP3 RC will release. Windows Sustained Engineering Team is working hard on this project so please expect further information in the near future. Thank you for your interest in testing the service pack."

It is very likely that the delay is due to the new security emphasis - a number of hotfixes released for Win2K in recent weeks appear to be slated for SP3 (as witnessed by the name of the downloaded executable - it contains the string 'SP3'). I'll keep you up to date the moment we know more.

MS Confirms .Net Delay

I actually already mentioned this in an earlier issue, but now MS is officially pushing the release date for .NET Server to the second half of this year. They said that the reason is to ensure a proper security review, as per BillG's Trustworthy Computing initiative. So this means it could even be early next year and I think no one will cry in their beer about that either.

.NET Server is a so-called incremental release. So, since WinXP is really NT V5.1, let's call Win.Net NT V5.2 and we're close to reality. The new stuff is technology to build and distribute XML Web services. It will also have the .Net Framework and the MS Passport authentication service built in, enabling easy adoption as Microsoft unveils more .Net technology. Other improvements are added features to Active Directory.

A delay is actually not so bad. We're still moving to W2K for crying out loud. And we want our domains to be secure. Writing code that does that requires discipline and code review. Millions of lines of code take more than a few months of review. They better do it right this time or they will 'lose face'. Apps will be communicating with each other and swapping a lot of data. Buffer overflow holes become highly critical in an environment like that. So, we have some breathing space to get to W2K and AD.

  THIRD PARTY NEWS

Sunbelt Adds New Exchange Tool: Policy Patrol

Policy Patrol adds disclaimers to your internal and external emails. It includes advanced features that other products do not offer, such as merge fields and support for formatting (HTML and rich text formats).

Product Features:

Policy Patrol is an add-on for Microsoft Exchange server and Lotus Notes that allows you to add user based disclaimers to your internal and external emails. The program includes some advanced features that are not yet available in other products. These advanced features, such as merge fields and formatting, are geared towards making the disclaimer notices more relevant and distinguishable and therefore improve their weight and effectiveness.

Policy Patrol offers the following features:

  • Global & user based disclaimers
  • Formatted disclaimers
  • In- and external disclaimers
  • Append & Prepend notices
  • Merge Fields
  • Company slogans
  • Signatures
  • Sample disclaimers
  • Remote management
  • Integration with Windows 2000
  • User licensing
You can find it, and a 30-day eval here:
http://www.w2knews.com/rd/rd.cfm?id=020307TP-PolicyPatrol
  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • Ever wanted to build a switch into a teddy bear? These guys did it.
    http://www.w2knews.com/rd/rd.cfm?id=020307FA-TeddyBorg
  • The Universal Command Guide is a book that defines, spotlights examples, and cross references every command with all OSes. It's a cool concept.
    http://www.w2knews.com/rd/rd.cfm?id=020307FA-Command_Guide
  • Great checklist if you have anything to do with securing a group of servers.
    http://www.w2knews.com/rd/rd.cfm?id=020307FA-Securing_Servers
  PRODUCT OF THE WEEK

Journey to the Center of the Internet: Now Showing in 3-D

This time not for you, but for your kids, family and/or newbie users that you'd like to understand what you really do on the Net. This is not your typical computer book. It's fun! Stuff like:

Who runs the Internet? How can you connect to a computer thousands of miles away? How does my email leave my computer and end up at my aunt's house, two states away? At any point in time, how many people are on the Net? What website has the most content on it -- and how did it all get there? How do search engines find and access all that information? This book demystifies the technology, allowing anyone to understand the "stuff" that makes the Internet run.
http://www.w2knews.com/rd/rd.cfm?id=020307BW-Journey