UhOh - I pissed off IT security

Armitage

Banned
Feb 23, 2001
8,086
0
0
I'm working on a project where we need to receive data from a remote sensor via an Iridium modem. If you don't know, Iridium is a satellite system - basically a cellphone on steroids. This data has to be published to the rest of the research team.

So no problem - I hook up an external serial port dialup modem to my desktop (running Fedora Core 5) and write a program to grab the data off the serial port and write it to a file. Then wrote a CGI script to serve up that file on a simple web page - both the raw binary file, and a parsed version complete with a google map of the position as reported by the GPS receiver in the sensor package!

The modem is configured via kermit, and the program that receives the data reads it a byte at a time out of the serial port and writes it to a file. Never looks at it, and again - a byte at a time, so no possibility of a buffer overflow. PPP is not even installed on the machine. Kermit and the receive program are running as root at the moment - that will change soon.

So - this a.m. I get a broadcast email from our IT folks warning that any network equipment "including wireless access points and modems" must be approved by corporate IT. So, I dutifully ask what I need to do to get my modem approved. Well, as I hear it, they're still unscrewing the director of IT security from the ceiling back at HQ :Q And by the way, I'm not supposed to be running a web server either

So ... needless to say, the modem is unplugged at the moment. But, given the configuration I've described, is it really a risk? You can't establish any sort of terminal connection with it - if you dialed it up, my system would just log everything you sent across. If there is a risk, how can I fix it?
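One way to tighten the receiver described in the post above, shown as an added example that is not part of the original post or Armitage's program: open the serial port as root, drop to an unprivileged account before reading anything a caller sends, and cap the capture file so a line that logs everything cannot fill the disk. The device path, capture path, account name `sensorlog` and 1 MB cap are assumptions.

```python
import os
import pwd
import stat

# Assumed values for illustration; none of these come from the original post.
SERIAL_DEVICE = "/dev/ttyS0"
CAPTURE_PATH = "/var/lib/sensorlog/capture.bin"
SERVICE_USER = "sensorlog"
MAX_CAPTURE_BYTES = 1_000_000


def drop_privileges(username):
    """Permanently switch from root to an unprivileged account."""
    if os.geteuid() != 0:
        return False                  # already unprivileged
    account = pwd.getpwnam(username)
    os.setgroups([])                  # shed root's supplementary groups
    os.setgid(account.pw_gid)
    os.setuid(account.pw_uid)         # last step; root cannot be regained
    return True


def open_capture(path):
    """Open the capture file append-only, refusing symlinks and special files."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o640)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise OSError("capture path is not a regular file")
    return fd


def receive(src_fd, capture_path, max_bytes=MAX_CAPTURE_BYTES):
    """Copy raw bytes from src_fd into the capture file until the caller
    hangs up (EOF) or the file reaches max_bytes.

    Returns (bytes_written_this_call, cap_reached). Nothing is parsed here.
    """
    out_fd = open_capture(capture_path)
    try:
        total = os.fstat(out_fd).st_size      # earlier sessions count too
        written = 0
        while total < max_bytes:
            chunk = os.read(src_fd, min(4096, max_bytes - total))
            if not chunk:
                return written, False
            view = memoryview(chunk)
            while view:                        # handle short writes
                n = os.write(out_fd, view)
                view = view[n:]
            total += len(chunk)
            written += len(chunk)
        return written, True
    finally:
        os.close(out_fd)


if __name__ == "__main__":
    # Open the device while still root, then give up root before reading
    # a single byte supplied by whoever dialed in.
    port = os.open(SERIAL_DEVICE, os.O_RDONLY | os.O_NOCTTY)
    drop_privileges(SERVICE_USER)
    count, capped = receive(port, CAPTURE_PATH)
    print(f"stored {count} bytes; cap reached: {capped}")
```

The capture directory must be writable by the unprivileged account, and the CGI script that parses the file still has to treat its contents as untrusted input.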
 

skyking

Lifer
Nov 21, 2001
22,215
5,075
146
My suggestion? Run the application server and modem remotely offsite. Put them at home, for instance, if you can ssh into it from work. Push the files to a cheap server on the net, and then give out that IP or domain name to the folks at the office who need it.
That will totally please the IT department, since nothing is on THEIR network.
Of course it all hinges on you being able to ssh back to that server.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
This risk is sm@ll, but it's there.

Just tell them you need @ modem @nd get it @pproved.
 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: skyking
My suggestion? Run the application server and modem remotely offsite. Put them at home, for instance, if you can ssh into it from work. Push the files to a cheap server on the net, and then give out that IP or domain name to the folks at the office who need it.
That will totally please the IT department, since nothing is on THEIR network.
Of course it all hinges on you being able to ssh back to that server.

Yep, I suspect this is the route we may go. It actually would clear up some other problems as well - such as other organizations not being allowed through our firewall to get to the data. And SSH is no problem.
 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: spidey07
This risk is sm@ll, but it's there.

Just tell them you need @ modem @nd get it @pproved.

I don't think that's going to happen. I'm scheduled for a telecon to discuss the issue on Monday.

Something wrong with your 'A' key?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
If you c@n show th@t you need it to do your job, then you're fine.

Yes. Too much coke in my left h@nd on the l@ptop.

Re@lly the "no modem" policy is good from @ security perspective. But if it is truly required then security needs to let it be.

modems on computer @re however the gre@test security risk. It's not monitored/controlled.

W@nt to re@lly bre@k into @ corporte network? w@r di@l. You're bound to find pc@nywhere th@t will @nswer. bingo - you've byp@ssed @ll network security.
 

halfadder

Golden Member
Dec 5, 2004
1,190
0
0
A modem is a huge potential security risk. As is any network connection. Minimize the risks to minimize the hacker/cracker potential.

Security is a *HUGE* issue in the world we live today. You'd better work something out with your IT department if you want to keep your job, or in an extreme case, want to stay out of jail. You should take a close look at your employment contract too.
 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: halfadder
A modem is a huge potential security risk. As is any network connection. Minimize the risks to minimize the hacker/cracker potential.

Security is a *HUGE* issue in the world we live today. You'd better work something out with your IT department if you want to keep your job, or in an extreme case, want to stay out of jail. You should take a close look at your employment contract too.

So, given the configuration I described, what is the risk, and how can I guard against it?
 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: spidey07
If you c@n show th@t you need it to do your job, then you're fine.

Yes. Too much coke in my left h@nd on the l@ptop.

I see

Re@lly the "no modem" policy is good from @ security perspective. But if it is truly required then security needs to let it be.

It is required, but it's not likely that security will "let it be" or attempt to work with me on it. We'll probably have to go to a hosted box somewhere.

modems on computer @re however the gre@test security risk. It's not monitored/controlled.

W@nt to re@lly bre@k into @ corporte network? w@r di@l. You're bound to find pc@nywhere th@t will @nswer. bingo - you've byp@ssed @ll network security.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
In that case then you're fighting the 8th layer.

politics.

Make your case and only you can decide the best course of action. Security has a valid concern. But they are not there to prevent you from doing your job.
 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: spidey07
In that case then you're fighting the 8th layer.

politics.

Make your case and only you can decide the best course of action. Security has a valid concern. But they are not there to prevent you from doing your job.

I see your a's are back!

The problem is that security has no incentive to help us - it's not just on this issue by a long shot. It would only make their job more complicated and possibly expose them to more risk, while just saying no costs them nothing. They have nothing to gain by the success of this project, and nothing to lose by its failure or delay.

Anyway, I'll work with them and see what can be done but I'm not hopeful.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
Armitage, have them provide you a dedicated PC and air-gap it. Label the PC so people know it's special. Not allowed on the network, tape over the LAN jack, and give the IT folks the MAC address to blacklist. To move things back and forth, use a USB key.

If your management is on your side, you might even find that not being in any way on the corporate network and being reasonably protected against being accidentally put on the corporate network means you can just ignore your corporate IT people entirely. Then the corporate IT people will have to expend effort in order to claim jurisdiction over that PC and be put in the position of having to explain how it's a threat, not being connected to anything.

Sometimes a good way to win political battles is to change things so that the easy answer for your lazy opponent is to do what you want them to do
 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: cmetz
Armitage, have them provide you a dedicated PC and air-gap it. Label the PC so people know it's special. Not allowed on the network, tape over the LAN jack, and give the IT folks the MAC address to blacklist. To move things back and forth, use a USB key.

If your management is on your side, you might even find that not being in any way on the corporate network and being reasonably protected against being accidentally put on the corporate network means you can just ignore your corporate IT people entirely. Then the corporate IT people will have to expend effort in order to claim jurisdiction over that PC and be put in the position of having to explain how it's a threat, not being connected to anything.

Sometimes a good way to win political battles is to change things so that the easy answer for your lazy opponent is to do what you want them to do

The air-gap bit is what they are proposing, but it's important to be able to track this data in near real time. So as I said before, we'll likely take it even further out of their hands and get an outside box. It's just more expense on an already barebones program.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Armitage
Originally posted by: Smilin
Spidey, that broken keyboard is funny as ******.

Heh - I'm not sure it's actually broken.

It is. But when I feel like it I open notepad, copy a and then just paste it when needed. It's only when I'm in the home theater with my ancient laptop.

Try logging into win2000 with no alt key. fun, fun.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Originally posted by: Armitage
Originally posted by: spidey07
In that case then you're fighting the 8th layer.

politics.

Make your case and only you can decide the best course of action. Security has a valid concern. But they are not there to prevent you from doing your job.

The problem is that security has no incentive to help us - it's not just on this issue by a long shot. It would only make their job more complicated and possibly expose them to more risk, while just saying no costs them nothing. They have nothing to gain by the success of this project, and nothing to lose by its failure or delay.

Anyway, I'll work with them and see what can be done but I'm not hopeful.

Since I'm the IT guy who would have to review this... (ok, not at his employer)
What Spidey said is right: I'm not here to prevent you doing your job, I'm here to protect the enterprise from bad things. My role is to guide you into ways of doing things that are safer.

We have lots of modems still in place. Our job is to identify them, and make sure they're documented, and each one has an exception approved for it. Then, we work with the "owner", to make sure that it's configured as securely as possible, e.g., turned off except when vendor calls helpdesk to resolve problem, no auto-answer turned on, no PCAnywhere installed, etc. It's up to your manager or the CIO to accept the risk to the Organization of your having a modem. I don't really care one way or the other, as long as it's documented, and management has accepted the risk.

In this case, maybe it would be more cost-effective to host it off-site. On the other hand, properly configured, I don't think your modem is a huge risk to your enterprise. BUT...it's not my call, since I don't know what your risks are.
 

spikespiegal

Golden Member
Oct 10, 2005
1,219
9
76
A modem is a huge potential security risk


BS - steaming BS.

Ask any credit card clearing house if they'd prefer their clients to use modems or the internet for transactions, and which is safer. 99.99% of them will prefer you to use a modem because it's more secure.

I say hack the IT dept's Windows servers, and replace their IIS front page with a carefully photoshopped picture of the IT manager doing obscene things with a donkey in a hotel room.

Or, snag the help-desk's administrator password by bribing them with a snickers bar, then set a GPO in active directory to set all Domain PC's Internet Explorer home page to any one of a thousand malicious web-sites that will install a root-kit that your over-priced network content filter won't touch.

Nah, that will get you fired, but you get the point.
 

NuroMancer

Golden Member
Nov 8, 2004
1,684
1
76
Originally posted by: spikespiegal
A modem is a huge potential security risk


BS - steaming BS.

Ask any credit card clearing house if they'd prefer their clients to use modems or the internet for transactions, and which is safer. 99.99% of them will prefer you to use a modem because it's more secure.

I say hack the IT dept's Windows servers, and replace their IIS front page with a carefully photoshopped picture of the IT manager doing obscene things with a donkey in a hotel room.

Or, snag the help-desk's administrator password by bribing them with a snickers bar, then set a GPO in active directory to set all Domain PC's Internet Explorer home page to any one of a thousand malicious web-sites that will install a root-kit that your over-priced network content filter won't touch.

Nah, that will get you fired, but you get the point.

Dude,
ur IT department piss you off or something? Depending on where you are it can have a huge difference. For example, where I work right now we are getting our audit done for SOX compliance, if something like that existed, was not documented, and the auditor found it, we would fail... Not a good thing to do because non-SOX compliance can mean jail time for the CEO...


So, please pull your head out of your ass.
 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: Woodie
Originally posted by: Armitage
Originally posted by: spidey07
In that case then you're fighting the 8th layer.

politics.

Make your case and only you can decide the best course of action. Security has a valid concern. But they are not there to prevent you from doing your job.

The problem is that security has no incentive to help us - it's not just on this issue by a long shot. It would only make their job more complicated and possibly expose them to more risk, while just saying no costs them nothing. They have nothing to gain by the success of this project, and nothing to lose by its failure or delay.

Anyway, I'll work with them and see what can be done but I'm not hopeful.

Since I'm the IT guy who would have to review this... (ok, not at his employer)
What Spidey said is right: I'm not here to prevent you doing your job, I'm here to protect the enterprise from bad things. My role is to guide you into ways of doing things that are safer.

We have lots of modems still in place. Our job is to identify them, and make sure they're documented, and each one has an exception approved for it. Then, we work with the "owner", to make sure that it's configured as securely as possible, e.g., turned off except when vendor calls helpdesk to resolve problem, no auto-answer turned on, no PCAnywhere installed, etc. It's up to your manager or the CIO to accept the risk to the Organization of your having a modem. I don't really care one way or the other, as long as it's documented, and management has accepted the risk.

In this case, maybe it would be more cost-effective to host it off-site. On the other hand, properly configured, I don't think your modem is a huge risk to your enterprise. BUT...it's not my call, since I don't know what your risks are.

Wow - a voice of reason in IT security? Can I send you our current job openings?
Seriously - a rational discussion such as you've just presented hasn't been a part of my dealings with these people in the past.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
My suggestion? Run the application server and modem remotely offsite. Put them at home, for instance, if you can ssh into it from work. Push the files to a cheap server on the net, and then give out that IP or domain name to the folks at the office who need it.
That will totally please the IT department, since nothing is on THEIR network.
Of course it all hinges on you being able to ssh back to that server.

So now a part of your business is relying on Armitage's home Internet connection? Doesn't sound like a very good idea to me.

Wow - a voice of reason in IT security? Can I send you our current job openings?
Seriously - a rational discussion such as you've just presented hasn't been a part of my dealings with these people in the past.

What Woodie describes is how it should work, but as you say that's not always how it goes down. If you have a valid business case for this and the higher-ups in the company want to use it the security guys shouldn't have any choice but to make an exception and document that if anything goes wrong the CEO (or whoever) said it's ok and takes responsibility.
 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: Nothinman
My suggestion? Run the application server and modem remotely offsite. Put them at home, for instance, if you can ssh into it from work. Push the files to a cheap server on the net, and then give out that IP or domain name to the folks at the office who need it.
That will totally please the IT department, since nothing is on THEIR network.
Of course it all hinges on you being able to ssh back to that server.

So now a part of your business is relying on Armitage's home Internet connection? Doesn't sound like a very good idea to me.

Yep, that's just not going to happen. I've seen bad things happen to people using their own equipment for company business - as in all drives and backups confiscated, never to be seen again :|

I'll use my DSL to VPN into work with a company laptop. That's it.

Wow - a voice of reason in IT security? Can I send you our current job openings?
Seriously - a rational discussion such as you've just presented hasn't been a part of my dealings with these people in the past.

What Woodie describes is how it should work, but as you say that's not always how it goes down. If you have a valid business case for this and the higher-ups in the company want to use it the security guys shouldn't have any choice but to make an exception and document that if anything goes wrong the CEO (or whoever) said it's ok and takes responsibility.

 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
What's your SOP on this? I would stop any activity on the corporate network that isn't authorized from above. It would really stink to get canned over something trivial or get someone else in trouble for what you did.
If you need another reason, someone in this thread mentioned an interesting term, SOX compliance. Spidey knows what this term is about.

Stuff that has any risk, even the slightest, can spell a bad day for your entire organization's IT/ISD departments. Granted there are always risks but management tends to like to make those choices, not the users on the network.



 

Armitage

Banned
Feb 23, 2001
8,086
0
0
Originally posted by: Oakenfold
What's your SOP on this? I would stop any activity on the corporate network that isn't authorized from above. It would really stink to get canned over something trivial or get someone else in trouble for what you did.
If you need another reason, someone in this thread mentioned an interesting term, SOX compliance. Spidey knows what this term is about.

Stuff that has any risk, even the slightest, can spell a bad day for your entire organization's IT/ISD departments. Granted there are always risks but management tends to like to make those choices, not the users on the network.

Yea, the modem is unplugged until this is resolved - but we have another test coming up. As far as SOX - we're not a publicly traded company, so I don't think that applies to us. But I don't know much about it, so I'm likely wrong.

 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Originally posted by: Armitage
Originally posted by: Oakenfold
What's your SOP on this? I would stop any activity on the corporate network that isn't authorized from above. It would really stink to get canned over something trivial or get someone else in trouble for what you did.
If you need another reason, someone in this thread mentioned an interesting term, SOX compliance. Spidey knows what this term is about.

Stuff that has any risk, even the slightest, can spell a bad day for your entire organization's IT/ISD departments. Granted there are always risks but management tends to like to make those choices, not the users on the network.

Yea, the modem is unplugged until this is resolved - but we have another test coming up. As far as SOX - we're not a publicly traded company, so I don't think that applies to us. But I don't know much about it, so I'm likely wrong.

I was using SOX as a general topic. It is interesting to note though that SOX may be extending its reach beyond publicly traded companies; only time will tell. Does your company have an audit department? Are they routinely audited by external auditors?
Even if your company isn't required to comply with Sarbanes-Oxley there are other avenues where the lack of controls in the IT environment could spell trouble for someone.
Good Call on stopping what you were doing until it's resolved. Just make sure you keep documentation of what the outcome is for future reference.
 