Standard User Rygar1 (experienced) Mon 20-Apr-15 09:26:11
Realistic risks - drive jumping viruses & hackers

I have a friend who has got herself into a bit of bother at work because she disabled monitoring & antivirus software used by her company's 3rd party IT support. She works 50% from home, 50% in the office; it was while working from home that she did this on her company laptop.

Now support are making all sorts of claims about the risk she caused to the company, some of which I think are pretty exaggerated to say the least. She was definitely silly & wrong to do it but there seems to be a big overreaction. She is facing serious disciplinary action, she may even lose her job.

Their specific beef seems to be based around the fact that the laptop could have become compromised and spread viruses to other machines in the organisation and a central data hard drive that only contains documents, and that hackers could have gained access to her laptop as well as other machines in the company and this central data-only drive.

I'm trying to establish how realistic/likely these threats are. Specifically I want to know: are there any viruses that can spread from hard drive to hard drive across a LAN/VPN? I see a lot of assumptions on the internet that viruses can spread in this fashion but I've never personally seen a virus make a copy of itself to a different physical hard drive across a LAN, especially when that second drive only contains data, as is the case in this situation. Does this actually happen? Which viruses actually do this? To my mind viruses affect operating systems; I can't see how they can do much damage on a separate data-only drive unless actually executed on that drive. I'm looking for any good links/articles/papers on this topic, especially if it's the case that such risks are minimal or non-existent.

Also how serious a threat is direct hacking* when you are behind a router & software firewall? Again any links would be great (*Not the type of hacking that involves someone getting access to your machine because you clicked on a link in email or opened a dodgy attachment etc, actual proper hacking).

I have searched myself but they can be tricky topics to find good info on, due to the real risks that exist in IT security but also a lot of exaggeration & hysteria out there. Like I say she was definitely wrong, but I guess I'm looking to bring some balance to the discussion, maybe point to something she can cite to defend herself or show that the risks aren't as bad as they claim.

Standard User bobble_bob (fountain of knowledge) Mon 20-Apr-15 09:50:56
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

I'm guessing the only virus that could take over a LAN is one that attacks the router and changes the DNS servers to some dodgy IP?

Standard User TheEulerID (member) Mon 20-Apr-15 10:44:54
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

Once a virus is established on a machine, there are several ways it can spread. The most obvious is by the sharing of infected files. Not only is there email, but many companies will have shared storage systems. Infected files can be stored there. There are all sorts of file types which can harbour viruses, not just executables.

It's also possible for an infected machine to place infected files on shared file systems without involving the user at all. Indeed, once an infected machine has read/write access to a shared file system it can do what it likes. It could encrypt files (ransomware attacks). On a well managed network, simple shared file systems like this are not considered very sophisticated due to such vulnerabilities, but they are still extremely common in small and medium sized organisations.

Of course other machines on the network ought to be protected against these things (and corporate file systems should be regularly scanned), but nothing is perfect.

There are, potentially, other things that could happen. If there are vulnerable machines on a corporate network, it's even possible to infect them with worms. In theory all machines on a network should be kept up-to-date, but it's not always the case, and it has caused chaos in past times.

In many companies, disabling virus protection on corporate machines could result in disciplinary procedures. There really has to be an extremely good reason to disable it.

Standard User Malwaremike (committed) Mon 20-Apr-15 11:06:05
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

She was definitely silly & wrong to do it but there seems to be a big overreaction. She is facing serious disciplinary action

Most companies have rules governing employee use of the internet as part of the workplace contract. In your friend's case the management has engaged a contractor to maintain and protect its IT systems. If everyone fiddles with company IT systems and disables AV protection of all things, there will be chaos.

I don't understand why your friend found it necessary to disable her employer's AV protection. Maybe she considers it a minor matter which might have resulted in the company systems being only a little bit hacked. Cybercrime being a huge and growing problem for employers, I'm not surprised there should be 'a big overreaction'.

Standard User bobble_bob (fountain of knowledge) Mon 20-Apr-15 11:16:19
Re: Realistic risks - drive jumping viruses & hackers
[re: TheEulerID]

Our IT department once banned USB fans as they said they could spread a virus. I continued to use them as they were clearly talking nonsense. Now they allow them.

A normal user shouldn't have permissions to disable the AV anyway.

Standard User eckiedoo (experienced) Mon 20-Apr-15 11:19:34
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

And working "from home", does her home network have a similar level of security as her company network?

Looking at it another way, would her employers be happy for her to take "any old laptop" in to work and connect it directly to the company network, without vetting by the "3rd party IT support"?

-------------------

Say she had a company car; and that it had one of the recent tracking devices fitted by the company, to help keep insurance costs down.

What would be the reaction if she deliberately and knowingly disabled that device, thus invalidating the insurance?

Edited by eckiedoo (Mon 20-Apr-15 11:20:48)

Standard User mixt (fountain of knowledge) Mon 20-Apr-15 11:26:53
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

In reply to a post by Rygar1:
Now support are making all sorts of claims about the risk she caused to the company, some of which I think are pretty exaggerated to say the least. She was definitely silly & wrong to do it but there seems to be a big overreaction. She is facing serious disciplinary action, she may even lose her job.

She should have signed something where she agreed how to use (and how not to use) the equipment and access given and granted to her. If she broke this agreement, they have every right to commence with disciplinary action.

Every company is different. The one I am at right now is quite small and lenient. They haven't even issued me a company laptop, and are happy for me to VPN in from home using my own equipment. The previous company I worked for was an entirely different story. Only company vetted and administered equipment could be allowed to connect to company networks. Even down to mobile phones connecting to wireless etc (if it wasn't a company phone, it could only connect to the guest network in the office etc).

Companies have these policies in place for a reason. Phones can pick up viruses as well and become a liability to the rest of the network they are connected to.

Regardless of what you think etc, it is about what she agreed to with her terms of employment. If she's broken those, then she'll have to accept disciplinary action and deal with it.

Zen Unlimited Fibre 2 (60/20Mb FTTC) | IPv6 via HE | » Automated Hourly HTTPx5 TBB Speed Tests «
Previous ISPs » aaisp.net (40/10Mb FTTC) | Virgin Media (50Mb/Cable) | Be* Un Limited (ADSL2+) | Zen (ADSL)
Download Maximiser | BIND GeoDNS | Are you being blÝcked?

Standard User micksharpe (legend) Mon 20-Apr-15 12:44:09
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

The company that I used to work for had a serious infection that spread over the UK network. It caused the IT department an awful lot of hassle checking thousands of PCs and reinstalling the software (whilst preserving users' files). Fortunately, the infection did not spread to other countries where we had a presence.

IT tightened everything up after that. A standard distribution of Windows was rolled out across the entire UK operation and PCs were upgraded where necessary. Users were prevented from installing new software by removing all administrator rights. Most users accepted this but us techies found it very frustrating and we moaned like hell. Eventually, IT relented and allowed us to administer our own machines providing we promised to be on our 'best behaviour' and fix any problems ourselves. We had to use Internet Explorer and Outlook though, which was a bit silly since they were less secure than the alternatives, but there you go.

Faced with the choice between changing one's mind and proving that there is no need to do so,
almost everyone gets busy on the proof. -- J.K. Galbraith

Standard User tommy45 (knowledge is power) Mon 20-Apr-15 12:51:36
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

If all the other company's machines are protected by an AV solution with real-time protection, then they should detect any infected files, so unless someone else disables it the virus can't spread (none that the AV solution can detect), unless the company's AV solution is useless.
As for hacking, why would someone want to hack your friend's IP address or the hardware behind it at random (without knowing if it will be worthwhile)? Hackers tend to specifically target people/companies.

Edited by tommy45 (Mon 20-Apr-15 12:53:28)

Standard User Rygar1 (experienced) Mon 20-Apr-15 12:52:23
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

I essentially agree with everything that's been said regarding terms of contract etc.

There were reasons she did this that I won't go into, but keeping the discussion related purely to the technical aspects, what were the real risks of doing this once while at home? Keep in mind a restart re-enabled everything. My main thought was an encryption ransom virus on her own machine (which is backed up regularly btw), but could such a virus really jump to the central data drive and execute? I'd like to see cites for this happening as that is one of the specific accusations being made. Which specific viruses are known to jump direct from drive to drive over LAN or VPN?

Another accusation relates to hacking. How prevalent is successful hacking on a machine behind a router and software firewall?

I should add this lady is not IT illiterate, she is aware of common threats from email links/attachments, free software, phishing etc.

From a risk perspective I would say this one specific action of hers posed a low risk to her own machine and very low risk to the company network. Would anyone disagree with that assessment?

Standard User bobble_bob (fountain of knowledge) Mon 20-Apr-15 13:37:10
Re: Realistic risks - drive jumping viruses & hackers
[re: micksharpe]

Makes me laugh when companies are paranoid about security yet use outdated software. Working in the NHS, our tech department are so precious about security (and rightly so) but use IE9 and Adobe Acrobat 9 and take an age to deploy Windows Updates. OK, IE9 might still be getting security updates but Adobe have stopped for Acrobat 9.

Edited by bobble_bob (Mon 20-Apr-15 13:37:33)

Standard User Kenneth (legend) Mon 20-Apr-15 20:46:21
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

How secure are routers? Most hacks will be automated. The biggest risk is if the DNS setting has been changed, at which point browsing the web becomes dangerous, but then flaws in web browsers and their plugins (Acrobat, Java etc.) are the biggest risk to most people who don't click attachments.

We had a virus spread at work via shares. Basically it hid all folders on shares and replaced them with an executable with the same name and the standard folder icon. It was obvious with hidden folders shown and all file extensions visible, but to most people it looked like the files were vanishing, and they ran the virus when they tried opening a folder. The anti-virus wasn't detecting the issue; well, if they insist on Symantec what do they expect.

Ken

Nostalgia is memory with the pain removed

Edited by Kenneth (Mon 20-Apr-15 20:47:20)
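The folder-masquerading share infection Ken describes leaves a simple artefact a defender can sweep for: a directory and a same-named executable sitting side by side, with the directory flipped to hidden. The following is an added example, not code from the thread or any poster; it walks a share, flags every executable whose base name matches a sibling directory, and reports whether that directory is hidden. The sample share it builds and the EXEC_EXTENSIONS list are constructed for the demo.

```python
"""Sweep a file share for the folder-masquerading pattern: a real folder that
has been hidden, with an executable of the same name placed beside it so that
"opening the folder" actually runs the malware.  Added example; the sample tree
and the extension list below are constructed for the demo."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Extensions a folder-impostor dropper commonly uses (assumed list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


@dataclass(frozen=True)
class Finding:
    directory: str    # the genuine folder (usually hidden by the malware)
    impostor: str     # the executable wearing the folder's name
    dir_hidden: bool  # True when the folder carries the hidden attribute


def is_hidden(path: str) -> bool:
    """Windows: FILE_ATTRIBUTE_HIDDEN; elsewhere fall back to a leading dot."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def scan_share(root: str) -> list[Finding]:
    """Return one Finding per executable whose base name matches a sibling
    directory.  Name comparison is case-insensitive, as on SMB/NTFS shares."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_by_lower = {d.lower(): d for d in dirnames}
        for fname in filenames:
            base, ext = os.path.splitext(fname)
            if ext.lower() not in EXEC_EXTENSIONS:
                continue
            real_dir = dirs_by_lower.get(base.lower())
            if real_dir is None:
                continue  # an executable with no same-named folder is not this pattern
            dir_path = os.path.join(dirpath, real_dir)
            findings.append(Finding(dir_path, os.path.join(dirpath, fname),
                                    is_hidden(dir_path)))
    return findings


def _hide(path: str) -> None:
    """Set the hidden attribute as the malware would (Windows only; no-op elsewhere)."""
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, stat.FILE_ATTRIBUTE_HIDDEN)


def build_sample_share(base: str) -> None:
    """Constructed share layout: one infected department folder, one clean one."""
    finance = os.path.join(base, "Finance")
    os.makedirs(os.path.join(finance, "Reports"))
    _hide(os.path.join(finance, "Reports"))
    with open(os.path.join(finance, "Reports.exe"), "wb") as f:
        f.write(b"MZ")                      # placeholder bytes, not real code
    with open(os.path.join(finance, "Budget.pdf"), "wb") as f:
        f.write(b"%PDF-1.4")
    os.makedirs(os.path.join(base, "HR", "Policies"))
    with open(os.path.join(base, "HR", "Policies.docx"), "wb") as f:
        f.write(b"PK")                      # same-named file, but not executable


def demo() -> list[Finding]:
    """Build the constructed share in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        return scan_share(share)


if __name__ == "__main__":
    for f in demo():
        state = "hidden" if f.dir_hidden else "visible"
        print(f"SUSPECT  {f.impostor}  masquerades as {state} folder {f.directory}")
```

Run against a mounted share root instead of the temp dir to sweep real data; on Windows the hidden flag is read from the file attributes, on other platforms only the name match is reported.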

Standard User Pipexer (eat-sleep-adslguide) Mon 20-Apr-15 21:29:49
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

Did anything actually happen as a result of her disabling the AV? How did they detect she had disabled it and how did all this come about?

How big is the company?

Where does it state in the acceptable user policy she must not disable the antivirus?

In reply to a post by Rygar1:
I should add this lady is not IT illiterate, she is aware of common threats from email links/attachments, free software, phishing etc.


Typo? I read it as she IS illiterate -- and I figured that is why she actually disabled it. I mean, if she was IT illiterate maybe she was the victim of a scam phone call and they told her to disable it; because she doesn't know what she is doing she assumed it wouldn't be a problem. Or maybe she just clicked loads of mouse buttons and accidentally disabled it.

Surely that is what you meant, right?....

AAISP Home::1

Standard User rogerfp (member) Mon 20-Apr-15 21:49:18
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

Staff using a company laptop should not have admin permissions to allow them to disable security software. IMHO, they shouldn't even have the ability to install any software or hardware either. It's a work tool and the IT department should lock it down to be able just to do what the employee needs to do for their job and nothing more. If staff want a PC to do their own thing, then they should buy their own for home use.
Having said that it's entirely fair that their employment contract specifically states what they can and can't do with it. If she has broken that contract then more fool her. However she can argue that the company is complicit by not locking down the laptop. Most major organisations don't give admin rights. They should work on the assumption that most staff and users are IT dumbos.

Standard User bobble_bob (fountain of knowledge) Mon 20-Apr-15 22:12:56
Re: Realistic risks - drive jumping viruses & hackers
[re: rogerfp]

How far can you take the "contract doesn't state x" argument? For example, it's probably not in a contract that you can't open the case up and start installing your own hardware, but an employer wouldn't take kindly to you doing that.

Edited by bobble_bob (Mon 20-Apr-15 22:13:25)

Standard User rogerfp (member) Mon 20-Apr-15 22:27:43
Re: Realistic risks - drive jumping viruses & hackers
[re: bobble_bob]

That's a fair point. Probably covered by a general condition that the user takes good care of the laptop, uses it just for business and makes no unauthorised hardware or software changes to it. However you have to assume, probably wrongly, that an employee has some common sense when it comes to IT. Assuming that the laptop is on a server based network, then you can control everything that a user can or can't do via Active Directory. That's what the company has done wrong in not locking it down. If you give staff a gun AND the bullets you've got to assume that someone will shoot themselves in the foot.

Standard User Rygar1 (experienced) Mon 20-Apr-15 22:47:58
Re: Realistic risks - drive jumping viruses & hackers
[re: Pipexer]

No. With hindsight, giving the background to this issue was probably a mistake as it's served as a distraction from the real reason behind my post, but in for a penny, in for a pound. A known false positive activated the AV and stopped her from doing an important time critical task. This was the reason she disabled it. No computers or animals were harmed during the disabling of this software.

It's a small company and the management don't know anything about IT. They used to have a bloke that did their IT but it wasn't his actual job there; he just knew most about it and got lumbered. He left a few months ago so they got this 3rd party to look after their needs. Not knowing much about IT, the management take whatever this company tell them as gospel.

Some fairly specific technical claims are being made, i.e. that her actions put the company's systems at serious risk of LAN/VPN virus infection & attack from hackers. All I'm saying is that one remote user disabling AV for an hour isn't as big a danger as they are claiming. Firewalls anyone? It's not like she connected via a USB modem on Windows 95.

I was looking for any info on viruses that jump directly from drive to drive as I'd often heard this but never experienced it. I've since read up on Conficker as one such example but I still believe that most viruses these days don't exhibit such behaviour. I was also looking for any good links/articles that may say something along the lines of "if you are behind a router & software firewall and you don't do anything silly, chances are you will be safe from hacking", just something she could show her bosses to try and make them understand it wasn't quite as bad as support are making out.

Standard User rogerfp (member) Mon 20-Apr-15 23:22:16
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

Think you may have a real problem trying to find proof that there is little or no risk, because as we all know what is not possible today in the world of IT could quite realistically be possible tomorrow. Never say never, springs to mind. Even the smallest vulnerability can be a risk.
I'd say her best bet if it comes to disciplinary is to say that if they don't want staff to be able to disable security software then they should lock down the laptop so that it's not possible. In other words the company is complicit in the "crime". That should work at a tribunal if it came to it, which I hope it never does. Hopefully they will see sense and back down.

Standard User micksharpe (legend) Tue 21-Apr-15 00:04:12
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

I wouldn't bother looking at the technical issues. That's the IT company's job.

Until now, your friend has had to disable AV temporarily in order to carry out her duties. This needs to be stated in writing. If her actions are not acceptable to her employer, then they must provide a way for her to do her work without disabling AV. If they refuse to do so and fire her, then she can claim for constructive dismissal. If, on the other hand, she is disciplined either formally or informally, she should make a written complaint since her actions were entirely reasonable.

It is the IT company's job to provide a workable solution as directed by her management.


Standard User ian72 (eat-sleep-adslguide) Thu 23-Apr-15 15:14:02
Re: Realistic risks - drive jumping viruses & hackers
[re: micksharpe]

The question is whether she contacted the IT support when the file was blocked as a false positive - and how could she be 100% certain it was indeed a false positive?

The actual risk was probably relatively low. However, if people "get away" with this then more and more people do it and it will end up with people routinely disabling the protections. Personally I would throw the book at anyone who knowingly turns off security measures without first getting approval to do so. At the very least she could have raised the issue with her line manager to get their approval.

The problem is that many people do these things without understanding that there are risks and that is how issues start.

Viruses can and do take down whole companies and cost large sums to eradicate. Some viruses are incredibly good at spreading through a network via relatively unknown exploits (SQL Slammer is a worm that caused mayhem in a number of companies).

Standard User jamie543 (regular) Thu 23-Apr-15 19:58:45
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

All I can say is the AntiVirus system must be rubbish if a user can disable it. I work for an IT firm and look after parts of our AntiVirus software. We have it set so that users cannot turn off on-access scanning etc. without knowing a password set up via McAfee EPO. We also have alerts set up for when our Antivirus detects viruses/malware and what action the Antivirus software has taken to remove the threat.
I can understand the need to disable on-access scanning some of the time, especially when installing software such as Oracle, as on-access scanning really slows the install process down.

Standard User nemeth782 (member) Thu 23-Apr-15 21:53:04
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

Take ransomware as an example, it could encrypt any files it has write access to. That includes files on a shared drive, it doesn't need to execute on the file server.

A trojan allowing remote access and control of the laptop could have provided a hacker with a point of entry to the company network, within the company firewall. It could be executed on the laptop while at home with AV disabled, then stop the AV from later working correctly, then phone home when on the company LAN and be used to access other machines.

It's all conjecture but the company are right to take it seriously.

Standard User majika2007 (member) Fri 24-Apr-15 00:42:27
Re: Realistic risks - drive jumping viruses & hackers
[re: Rygar1]

Hi Rygar1,

some of which I think are pretty exaggerated to say the least


I would personally consider any breach in security a very serious matter which opens the company up to all manner of possible issues.

FYI: Even the most up to date AV/IDS systems can still be fooled via any number of tricks and techniques, such as custom "undetectable" stubs and modifications of the PE in the case of a .exe/.scr/.pdf, etc.

Windows (and other platforms) have many exploitable runtimes. As was mentioned previously, a good example of a fairly insecure and easy to exploit runtime which is installed on most Windows-based OSes is the Java JRE/JDK/JIT.

Even when processes are sandboxed you can break out, escalate and run arbitrary code. Several *new* vectors have recently been discovered and disclosed to the general public, as per the CVEs not so long ago.

Java is used here as one example; however there are many, many more holes which are 0day, 0sec exploits, many documented and many not.

In answer to your question, as soon as a "hacker" (lol) gains a foothold in your system and is actively targeting your network(s) you're in obvious trouble. Furthermore, once a machine is exploited it remains vulnerable to any number of follow-up attacks (until patched) which can be launched from or targeted further towards the system(s) in question. Gaining the initial foothold, via whatever means was used in your case, could be only the start of a larger scale attack.

As was correctly mentioned above, there are a number of methods employed to get arbitrary code to execute; as an example, even a simple JPEG file can be corrupted to run malicious code via EXIF tags (http://en.wikipedia.org/wiki/Exchangeable_image_file_format)

To conceal it, any sensitive information captured from your corporate LAN can also be easily transferred in/out and pushed through any F/W policies by simply using basic steganography techniques (http://en.wikipedia.org/wiki/Steganography) and masquerading as another data type, etc.

To take this example further, infected data can be passed on to your network's shared resources and propagated even further, and could prove another method to get malicious data to "jump" from machine to machine.

Again, these are all simple examples; however they are all quite easy to accomplish and quite simple to "chain together". Coupled with a rootkit and an undetectable header they can fool most heuristics-based AV scans. It all depends on the level of skill the attacker has; the value your data holds to the hacker (or his/her employer) would give you a good idea about the approximate risks which you are facing.

From a personal perspective I have been both a target and also the one who had to "clean up" the mess in such cases as outlined in your OP.

Simple tools for penetration testing can reveal a great deal of holes in your system. These same tools can also be used to see what exactly has gone on if used from a whitehat perspective. The transportation methods used to get in/out of the infected system don't matter and can easily be "worked around", whether it's PPTP, L2TP, SSTP or PPPoE or whatever. The point is that "in the wild" there are payloads which exist to specifically tackle each and any obstacle in the attacker's path. The key part which seems to already have occurred is that a foothold has already been achieved.

Regarding actual viruses, this is a broad subject. A polymorphic virus/worm which mutates leaving the original algorithm intact can and will quite easily hop over to a second logical/physical disk, network attached or whatever. But a distinction should be made as to whether you are talking about a virus or a worm (which could be a metamorphic-based algorithm) or a trojan/RAT, dropper, etc.
Any number of mechanisms can be used by the algorithm to propagate/replicate.

Worms are self-managed/standalone, kind of like this:

1) Infected host
2) Cloned itself into all .pst/.ost, etc. files
3) Used 6060 and IRC to communicate to C&C
4) Scanned a range of IPs within the initial target subnet and then random
5) Used a dictionary based brute force attack to login to common network services
6) Downloaded a cacophony of other modules like CodeRed/Slammer, etc.
7) Scanned for open SSH/FTP ports and bruteforced
8) Sends itself to any number of vulnerable hosts found in the previous steps above
9) Rinse and repeat, etc.

Viruses work like this:
A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels.

1) infected
2) makes a copy of itself and inserts into another program (it may also change in the process)
3) transmits on execution of the infected file.
4) ...
5) ...
6) etc, etc


I don't feel comfortable with sharing detailed instructions on how to find virus source code on a public forum, and the same can be said for trojans etc., but a good port of call to begin with can be Metasploit, which was part of the BackTrack live boot *nix distro which has been forked to Kali (https://www.kali.org/). This will get you started, but with respect to researching live virus code I don't think sharing information here would be a good idea. There are several open FTPstros which contain some "older" code samples and there are plenty of open (public) forums, but the more modern "script-kiddie" one-click malicious tools are found predominantly on closed forums which provide more "custom" stubs, which are most likely still classed as undetected by AV scanners, which you could take a look at and I'm sure should not be too hard to find.

Tips: if you are trying to learn about virii code I suggest you make a virtual machine or, better still, use an air-gapped old machine.

Make use of virustotal.com to be sure that you are not accidentally infecting yourself prior to executing any test code which you may be researching.

If possible always try to grab the source code along with the binary or, better still, compile it yourself with VS2013/MinGW etc.

If you insist on learning about this stuff a great resource is always the vulnerability databases to aid with your searches (http://www.securityfocus.com/) <== there are also some useful tools here too.

Further reading on the differences: Viruses, Worms, Trojans, and Bots:
http://www.cisco.com/web/about/security/intelligence...


Also how serious a threat is direct hacking* when you are behind a router & software firewall? Again any links would be great (*Not the type of hacking that involves someone getting access to your machine because you clicked on a link in email or opened a dodgy attachment etc, actual proper hacking).


METASPLOIT :!:

All the tools/payloads/penetration testing tools are in there .
Scan a net range of your target,
once you map out the network
Identify a common vulnerability. nmap will help here
test and check to see if a segment of the mapped network is vulnerable open to exploits
Find a payload. Change some bytecode
send it off..
gain foothold.
come back later.
something like that...
