
Thread: Security, compromised

  1. #11
    Why do I have the horrible, horrible feeling that you aren't entirely aware of what these people are/have been doing?
    You just hit the nail on the head. We don't have an IT Security department. We detected them because they committed the error of asking the wrong questions, so it made us wonder why they would ask that, and we went through the logs and found that they were using our systems in an inappropriate manner.

    If they could carry out their "business operations" after a valid login with your existing system why would they go to all the trouble they have in order to do so?

    If they couldn't carry out those "business operations" did they _ever_ request the ability to do so through proper channels and if they did how did the proper channels respond?
    Basically this is the scenario. We have EXE files distributed to every desktop, and a web interface. They have their own web interface, so they requested us to provide them with Web Services, which we did. They said these WS were not responsive enough. Unfortunately they were right; we had an array of problems (mostly connectivity and firewall issues) which ultimately led to unresponsiveness of our Web Services.

    People simply don't go through the amount of effort required to do what they have done for no reason. I can understand if they needed to do something that your system did not easily provide them and your company would not alter things - but then you would be aware of this partner's needs. It seems to me that you aren't and therefore it further seems to me that there is no pressing reason for this activity. That being the case this is malicious, probably criminal and I would block all access to your servers until further notice.
    Well, they did present complaints about our services, and for some reason everyone here was saying something like 'oh, this is not _my_ problem'; when I came across this thing, it was already burning, and they were already using our servers.

    Since I was asked to 'solve' this, I was able to diagnose the problems and to perform corrective actions so our web services were up and running. Last Friday near COB we received an email from them that stated that our web services were now reliable and they said they will use the proper channels from then on.

    I myself don't trust them. I think that once they had the 'intention' of cracking our systems, they are not to be trusted, so I still have to think of ways to protect our systems, and I have to implement some Intrusion Detection System.

    Also this was a very 'nice' warning that our systems are very insecure, and that we have to think seriously about how to secure our servers.

    Thanks

  2. #12
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Thank you yogurtu

    I am very glad to hear all that. Please allow me to explain: I come from a finance and auditing background, so I do tend to "spit my dummy" when I hear of such goings on.

    Our management decided that it was better if we kept this quiet, so other clients don't think of our systems as 'not secure'.
    Yes, that was one of my concerns also. It is also a good idea to keep it quiet, as publicity may damage your case in court.

    I was asked to secure the systems, because if our management decides to launch legal action, we have to be certain that we can defend ourselves from a full scale attack.
    I agree; you need to do this anyway. It is not my area, but there are people on this forum who I am sure will be able to help you.

    I will keep an eye on this thread and add any ideas I might have on "fringe security" such as audit and exception reports (transaction data), audit trails, control accounts and checks and balances.

    I am sure that you appreciate that securing your computer systems is only a part of your corporate security model.

    Good luck!

  3. #13
    The issue here is the use of a two-tiered application.
    Basically, the flaw here is that you're trusting your client application, which is by definition NOT trustworthy.
    This is much the same as trying to do web app validation in client side javascript.
    Yes, I tried to explain myself to management in terms of 'as long as the client runs an executable file, they would be able to see what the exe is doing, and the location of our db servers'.

    Ultimately, I see two possibilities for you:
    1- Implement some accountability in your system: drop the generic users and assign private database user accounts to all clients.
    Well, though this is a good idea, this would be very hard to do, because the application is installed in about 6000 workstations.

    2- Make sure all validation logic in the client app is replicated in your stored procedures.
    This is the very first thing we thought of. We found that this is not doable in the short term. There is a huge amount of validations, and to do this we may spend several months. In that time we could complete the development of the new version.

    All efforts at securing the system at the client app layer are mere obfuscation and are bound to fail sooner or later. You will never be able to trust the client app since it runs on an untrusted machine and network.
    I totally agree with you. For instance, we decided to use Exestealth (http://www.webtoolmaster.com/) to encrypt the exe. But, once they figure out how we encrypted the file, they may locate this (http://www.cobans.net/unstealth.php) to decrypt it.

    For us, the final solution is to develop the application entirely web based. We have decided to protect our systems the best we can in one or two weeks and then put all of our guns into the new development.

    Thanks
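The two points in the exchange above (a client EXE that talks straight to the database with a shared, embedded login, versus a server-side tier that re-applies every rule and knows which client is calling) can be shown side by side. The following is an added example, not code from the thread or from the poster's system; it uses an in-memory SQLite database with a constructed schema, and the `client` argument stands in for the identity that a per-client credential would establish (an assumption here, since the real system used a generic login).

```python
import sqlite3
import time

# Constructed sample schema: one row per partner, plus an audit table
# (the "audit trail" nihil mentions, so rejected attempts leave a record too).
SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,                 -- which client owns the row
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
CREATE TABLE audit (
    ts      INTEGER NOT NULL,
    client  TEXT    NOT NULL,
    action  TEXT    NOT NULL,
    detail  TEXT    NOT NULL
);
INSERT INTO accounts (id, owner, balance) VALUES (1, 'clientA', 100), (2, 'clientB', 50);
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def embedded_credential_bypass():
    """Two-tier pattern from the thread: the EXE does the validation, then runs
    SQL itself with a shared account whose password ships inside the binary.
    Whoever recovers that password can skip the EXE entirely, so nothing the
    client checks protects the data. Returns clientB's balance afterwards."""
    conn = make_db()
    # This statement never went through any validation, and the shared
    # account is allowed to run it: the database cannot tell EXE from not-EXE.
    conn.execute("UPDATE accounts SET balance = balance + 1000 WHERE id = 2")
    conn.commit()
    return conn.execute("SELECT balance FROM accounts WHERE id = 2").fetchone()[0]

class Gateway:
    """Server-side tier (a web service, or a stored-procedure layer in a real
    RDBMS). It holds the only database credential, is told which client is
    calling, re-applies every business rule, and records each decision."""

    def __init__(self, conn):
        self.conn = conn

    def _audit(self, client, action, detail):
        self.conn.execute("INSERT INTO audit VALUES (?, ?, ?, ?)",
                          (int(time.time()), client, action, detail))

    def transfer(self, client, src, dst, amount):
        # One transaction: the audit row and the balance changes commit together.
        with self.conn:
            if not isinstance(amount, int) or amount <= 0:
                self._audit(client, "transfer", f"rejected: bad amount {amount!r}")
                return "rejected: amount"
            row = self.conn.execute(
                "SELECT owner, balance FROM accounts WHERE id = ?", (src,)).fetchone()
            if row is None or row[0] != client:
                # Accountability: a client may only debit rows it owns.
                self._audit(client, "transfer", f"rejected: account {src} not owned by caller")
                return "rejected: not owner"
            if self.conn.execute("SELECT 1 FROM accounts WHERE id = ?", (dst,)).fetchone() is None:
                self._audit(client, "transfer", f"rejected: unknown destination {dst}")
                return "rejected: unknown destination"
            if row[1] < amount:
                self._audit(client, "transfer", f"rejected: {amount} exceeds balance {row[1]}")
                return "rejected: insufficient funds"
            self.conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
            self.conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            self._audit(client, "transfer", f"ok: {amount} from {src} to {dst}")
            return "ok"

    def balances(self):
        rows = self.conn.execute("SELECT id, balance FROM accounts ORDER BY id")
        return {acct_id: balance for acct_id, balance in rows}

    def audit_log(self):
        rows = self.conn.execute("SELECT client, action, detail FROM audit ORDER BY rowid")
        return [tuple(r) for r in rows]

def gateway_demo():
    """Runs a few calls against the gateway: three that must be refused no
    matter what the client claimed, and one legitimate transfer."""
    gw = Gateway(make_db())
    results = [
        gw.transfer("clientB", 1, 2, 10),    # B tries to debit A's account
        gw.transfer("clientA", 1, 2, 500),   # more than A holds
        gw.transfer("clientA", 1, 9, 5),     # destination does not exist
        gw.transfer("clientA", 1, 2, 30),    # legitimate
    ]
    return results, gw.balances(), gw.audit_log()

if __name__ == "__main__":
    print("shared-credential path, clientB balance:", embedded_credential_bypass())
    for item in gateway_demo():
        print(item)
```

The gateway is the shape of the "entirely web based" design the poster settles on: the database accepts connections only from the gateway's account, so extracting anything from a desktop binary yields no direct path to the data, and every refusal is written to the audit table rather than silently happening in a client nobody controls.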

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ouch.... You are in one of those touchy situations that is probably all controlled by your contract. This means you are somewhat between a rock and a hard place. You contracted to provide services, for whatever reason you failed to provide them as stated, they, (will tell you), used only authorized logins and passwords to gain access to the functionality they needed. See, because you had the secondary login packaged in an executable that you placed on their systems that login was authorized and was only placed there for their convenience.... Any decent lawyer will make your position untenable and will probably actually shred your arguments in a courtroom.

    I don't know the exact situation there between your company and the offending client but, were it an "appropriate" relationship I would seriously consider a meeting between yourself and the people that effected this "non-standard functionality improvement" and see if between the two of you you can't help each other... In the long run it may benefit both of you and it would certainly do wonders for the level of trust, (or lack of), between you right now.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #15
    Great place!

    I couldn't get to this site.

    I googled a lot, and I saw an awful amount of things that may be done with a simple login. We cannot continue to provide everyone with the connection information (server + user + pwd). It is unacceptable from now on (I mean for the new versions).

    We can't do much at this time. All we can do to provide a final solution is to build the web based app and once it is complete, the db servers will not be required to be public anymore.

    Thanks heaps!

  6. #16
    Thank you nihil!!

    I am sure that you appreciate that securing your computer systems is only a part of your corporate security model.
    Well.... Er..... I will elevate this idea to management. I don't think that they are thorough on the security matters when designing the contracts. There is much space for improvement here, so your suggestions will surely have repercussions from now on.

    Once again, thanks.

  7. #17
    Thanks Tiger Shark,
    Ouch.... You are in one of those touchy situations that is probably all controlled by your contract. This means you are somewhat between a rock and a hard place. You contracted to provide services, for whatever reason you failed to provide them as stated, they, (will tell you), used only authorized logins and passwords to gain access to the functionality they needed. See, because you had the secondary login packaged in an executable that you placed on their systems that login was authorized and was only placed there for their convenience....
    Well, yes! It is a very difficult situation, because unless we initiate legal action, we are bound to provide the service. We cannot just shut them down. Not unless we are in a position to defend ourselves legally and technically.

    Any decent lawyer will make your position untenable and will probably actually shred your arguments in a courtroom.
    The law here is very incomplete in these matters. And trials last somewhere between 2 and 10 years. We don't want to go in there. One possibility is to wait for the contract to end (I think that should happen sometime in the next three months).

    I don't know the exact situation there between your company and the offending client but, were it an "appropriate" relationship I would seriously consider a meeting between yourself and the people that effected this "non-standard functionality improvement" and see if between the two of you you can't help each other... In the long run it may benefit both of you and it would certainly do wonders for the level of trust, (or lack of), between you right now.
    Well, we did, I wasn't invited to that meeting, but it was more like a 'show intention of good behaviour' thing. They had reasons to criticize our systems. I don't excuse their actions, but they had grounds to state that we were not providing responsive services.

    Late last week, we solved the issues they complained about, and since last Friday COB they said they would continue to use the proper channels. I don't know, because now I don't trust them. Anyway this is a reminder of the fact that our systems can be cracked, our servers can be accessed, and we are more vulnerable than we would like to admit.

    Thanks a lot.

  8. #18
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Well, we did, I wasn't invited to that meeting, but it was more like a 'show intention of good behaviour' thing.
    I was referring to a geek-to-geek meeting not a fuzzybrained manager-to-fuzzybrained manager meeting..... They were thinking corporate liability, contract law etc. You need to glean what you can from their geek(s) that did this, (it wasn't one of the fuzzybrained managers - that's for sure), about how they did it and what else they did that you haven't seen. Ask for their advice and encourage their participation in assisting you in better securing your system packaged as your attempt to therefore better secure their data from others .

    PS. You will need the OK from your top guy on this - do not do it on your own.... No telling what passes through those fuzzy brains when they smell lawyers in the water.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #19
    Thanks Tiger Shark,

    I was referring to a geek-to-geek meeting not a fuzzybrained manager-to-fuzzybrained manager meeting..... They were thinking corporate liability, contract law etc. You need to glean what you can from their geek(s) that did this, (it wasn't one of the fuzzybrained managers - that's for sure), about how they did it and what else they did that you haven't seen. Ask for their advice and encourage their participation in assisting you in better securing your system packaged as your attempt to therefore better secure their data from others .

    PS. You will need the OK from your top guy on this - do not do it on your own.... No telling what passes through those fuzzy brains when they smell lawyers in the water.....
    Well, as our software has errors, so has our company.
    This is a very small company (less than 50 employees).
    Formally, I hold a position of some importance here, but some things are not handled correctly. I am probably the most technically skilled (I'm not saying that I am that good, just around here), but my bosses think in a 'bossy manner' (sorry!). My direct boss has some technical knowledge, which makes this worse. He went to this meeting and he confronted the author of this, without having the possibility of arriving at conclusions (that we could not reach on our own), and without asking for his help. As a result of this meeting, reluctantly they agreed that they would collaborate in giving us more time to make our web services more reliable. This they did.

    I will ask my boss to have a peer to peer meeting with the guy who did this. I don't think he'll agree, but I don't lose by trying.

    I believe in making friends, not enemies, and in building alliances, not wars.

    Thanks again!

  10. #20
    Junior Member
    Join Date
    Dec 2005
    Posts
    13

    Incident Response

    I usually lurk but thought that a critical item has been overlooked. Were you able to determine what information has been accessed that shouldn't have been? Depending upon which state your company resides in may dictate whether you may remain quiet about the breach of security or not. It is great you have taken steps to harden your systems but you should talk with legal about existing liability for the breach and verify that you are not in state or federal disclosure violation. Having a security breach is bad enough; being fined for not disclosing when appropriate is worse PR. If it was my personal information compromised, I would want to be notified SOONER rather than later. Nuff said, I'll go back to lurking now....
    Epitaph: What lies here beneath is just the shell, just the nut is gone.
