Tales from Craigslist: The Boss is in my network.

by TheRealEdwin on 01/07/10 at 7:00 am


I have a Linksys BEFSX41 router for sale on Craigslist. That's not unusual, but the call I got about it was. A gentleman in Broward called asking whether he could VPN to a Watchguard firewall with it, but that wasn't quite what he meant. He couldn't describe exactly what he was trying to do, so I asked him what his goal was. He wanted to add another layer of connection authentication to his network to stop someone from getting past it and in. Basically, he had noticed that someone was poking around inside his network.

The gist is that, for years, there has been a cat-and-mouse game with a hacker, who just happens to be his boss, snooping on his network with a packet sniffer, a trojan and a key logger. He sees it in his logs, but he's powerless to do anything. The crimes are too small to take to the local district attorney, and suing his employer in civil court would cost him his paycheck. A man's got to feed his family, especially given the local job market in South Florida, so I can't say I blame him.

For context, one of his PC's runs Windows XP and the other runs Ubuntu.

Mr. Hacked Employee (MHE) has a serviceable firewall. So why is this guy still in his network? MHE got lazy and used Internet Explorer to log into his work network without going through a proxy, which is most likely how his PC got compromised in the first place. It doesn't matter if you use the NSA's own home-built firewall: a perimeter firewall only filters what crosses it, and once your own PC has been compromised, whoever infected you usually has free rein inside your network. Since we didn't know to what extent his systems were compromised, I ordered a full planetary bombardment. It's the only way to be sure. That means we assumed he had a way to see everything: what was typed, what sites he visited, everything. Here is what you should do if you find yourself in a similar situation.

Pull The Whole Network Offline

This is an absolute must to get your house in order. Once you are offline, everything else can be done without fear of re-infection, and the chance of your systems and network being compromised again in the meantime drops to nearly zero. I say nearly zero because MHE runs a wireless network at home, and that leaves him exposed locally. In this case we have a general location for this hacker in another state, so we don't really have to worry about him getting onto the wireless network. Either way, set up WPA2 with per-user authentication, whether it's against LDAP, Active Directory or RADIUS (WPA2-Enterprise, i.e. 802.1X), rather than a single shared passphrase. In MHE's case, his Watchguard firewall handles all of those and much more.
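What that WPA2 setup looks like on a Linux access point, as an added example that is not part of the original post: two hostapd configurations, the weak shape a home router often ships with and the recommended shape (WPA2 only, CCMP only, 802.1X against a RADIUS server such as the Watchguard or a FreeRADIUS box fronting LDAP/AD), plus a checker that flags the weak settings. The interface name, SSID, RADIUS address and shared secret are made-up values.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a weak and a hardened
# hostapd.conf and checks a config for the settings that undo WPA2.
# wlan0, the SSID, 192.0.2.10 and the shared secret are placeholders.

# The shape many home APs ship with: WPA (v1), TKIP, one shared passphrase.
write_weak_conf() {
    cat > "$1" <<'EOF'
interface=wlan0
ssid=home
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
EOF
}

# What the post recommends: WPA2 (RSN) only, AES-CCMP only, and per-user
# 802.1X/EAP authentication handed to a RADIUS server.
write_hardened_conf() {
    cat > "$1" <<'EOF'
interface=wlan0
ssid=home
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
EOF
}

# check_conf FILE: print each weak setting found; return 1 if there were any.
check_conf() {
    f="$1"; bad=0
    if grep -q '^wep_' "$f"; then echo "$f: WEP is configured"; bad=1; fi
    if ! grep -q '^wpa=[123]' "$f"; then echo "$f: no WPA at all (open or WEP-only)"; bad=1; fi
    if grep -Eq '^wpa=(1|3)$' "$f"; then echo "$f: WPA v1 allowed; set wpa=2"; bad=1; fi
    if grep -Eq '^(wpa|rsn)_pairwise=.*TKIP' "$f"; then echo "$f: TKIP allowed; use CCMP only"; bad=1; fi
    if grep -q '^wpa_key_mgmt=.*PSK' "$f"; then echo "$f: shared passphrase instead of 802.1X/RADIUS"; bad=1; fi
    if grep -q '^wpa_key_mgmt=.*EAP' "$f" && ! grep -q '^auth_server_addr=' "$f"; then
        echo "$f: EAP enabled but no RADIUS server configured"; bad=1
    fi
    return $bad
}
```

Run `check_conf /etc/hostapd/hostapd.conf` on the AP; anything it prints is a setting to fix before the network goes back online. The RADIUS side still has to carry a real user database, which on the page is the Watchguard's job.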

Re-format All Hard Drives.

Purge the infection from the host. Nothing sucks more than reinstalling your OS onto a partition that is already infected. Make your life simple and get rid of every file, infected and uninfected alike, and wipe the whole disk rather than one partition so the boot sector and any other partitions go with it. It will probably take too long to try to find the infection, so just get rid of it all. It's simple and effective.
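The wipe itself, as an added example that is not part of the original post: zero-fill a whole disk from the first byte (the boot sector) to the last, refuse to touch it while anything from it is mounted, and confirm afterwards that nothing but zeros remains. The device name is an assumption; a regular file is accepted too, which is how the functions are exercised.

```shell
#!/bin/sh
# Added example, not from the original post. Wipes an entire disk, not a
# single partition. DEV is assumed to be a whole-disk device like /dev/sdb
# (run as root); a regular file also works, for trying it out safely.

# Return 0 if DEV, or any partition on it, appears in /proc/mounts.
is_mounted() {
    grep -q "^$1" /proc/mounts 2>/dev/null
}

# Size of DEV in bytes, for a block device or a regular file.
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite DEV with zeros end to end. Booting from a live CD and running
# this on every disk is the "reformat everything" step.
wipe_device() {
    dev="$1"
    if [ ! -e "$dev" ]; then
        echo "no such device: $dev" >&2; return 2
    fi
    if is_mounted "$dev"; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2; return 1
    fi
    size=$(dev_size "$dev") || return 1
    # Exactly $size zero bytes, then flush, so the MBR and every partition
    # table entry are gone along with the data.
    head -c "$size" /dev/zero > "$dev" && sync
}

# Confirm nothing but zeros remains (the first 512 bytes are the boot sector).
verify_zeroed() {
    size=$(dev_size "$1") || return 1
    nonzero=$(head -c "$size" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}
```

Use `wipe_device /dev/sdX && verify_zeroed /dev/sdX` for each physical disk before reinstalling; if `verify_zeroed` fails, the disk is still holding something and the reinstall should wait.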

Re-Install All Operating Systems.

Once your hard drives are clean of anything malicious, it's time to get yourself back up and running. If he absolutely must have Windows on his computer, I highly recommend that MHE get Windows 7 and NOD32, the best anti-virus ever. In his extreme case of being actively targeted, I instructed him to run his Windows needs inside a virtual machine on the clean Ubuntu host. This keeps infections off the host and gives you a sandbox to do whatever you want in. If his virtual machine were compromised, he could very easily reload it from the last snapshot or just blow it away and create a new one. That gives him a clean, fresh machine every single time. The caveat is that this only holds if the host itself is clean: a key logger on the host sees everything typed into the guest, which is why the reformat comes first. VirtualBox was recommended because it's free and works well enough to web browse and work.

Reconfigure Your Firewall

If you have a firewall as good as the Watchguard, use all of its advanced features. It will protect you from a good number of attacks no matter who they're coming from. Stateful packet inspection, deep packet inspection and application proxies are all useful and should be employed to protect you from maniacs like MHE's boss.

Reset Modem To Obtain New IP address & Use TOR

Obtaining a new IP address will only help until MHE reconnects to his work network and reveals his new address, but it buys us time to do what we need to do. The Onion Router (Tor) is a wonderful piece of software (the EFF was an early sponsor of the project) that will do wonders to keep MHE's real IP address away from his maniac of a boss. Tor bounces your connection through a circuit of three relays between you and the destination, so the far end only ever sees the exit relay's address; adding more hops doesn't buy more anonymity, and the Tor Project advises against it. What matters is that everything bound for the employer actually goes through Tor, DNS lookups included. The Tor Project's site has a good explanation, with graphics, of how Tor protects you.
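Two checks for the Tor step, as an added example that is not part of the original post: fetch through Tor's SOCKS port with DNS resolved inside the circuit (the usual way the destination leaks despite Tor), and confirm the far end really sees a Tor exit before logging in to work. Tor's default SOCKS port 127.0.0.1:9050 and the JSON shape returned by check.torproject.org/api/ip are assumptions about the environment; the sample responses in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a local Tor daemon on
# 127.0.0.1:9050 and that check.torproject.org/api/ip answers with JSON of
# the form {"IsTor":true,"IP":"..."}.

TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"

# Fetch URL through Tor. --socks5-hostname hands the hostname to Tor so the
# DNS lookup happens inside the circuit; plain --socks5 resolves it locally
# and tells the ISP (and anyone sniffing) where you are about to connect.
tor_fetch() {
    curl -s --socks5-hostname "$TOR_SOCKS" "$1"
}

# Interpret a check.torproject.org/api/ip response. Prints the address the
# far end saw; returns 0 when that address is a Tor exit, 1 otherwise.
tor_verdict() {
    resp="$1"
    seen=$(printf '%s' "$resp" | sed -n 's/.*"IP":"\([^"]*\)".*/\1/p')
    case "$resp" in
        *'"IsTor":true'*) echo "ok: far end sees Tor exit $seen"; return 0 ;;
        *)                echo "NOT via Tor: far end sees $seen" >&2; return 1 ;;
    esac
}

# The live check. Only connect to the work network after this succeeds.
tor_check() {
    tor_verdict "$(tor_fetch https://check.torproject.org/api/ip)"
}
```

A constructed `{"IsTor":false,"IP":"203.0.113.5"}` response makes `tor_verdict` fail and print the address the employer would have seen; that is the case to catch before the login, not after.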

Change Every Password

Everything MHE had, from his email down to his AT&T DSL password. All bank accounts, websites, everything. Any combination of packet sniffer, key logger and trojan probably gave his boss, the hacker, everything he ever wanted. Once MHE brings his network and systems back online, it's time to go through and change every password, from inside his new, clean virtual machine, and none of the old ones get reused. The more of those he can change by calling the companies, the better, since that removes any chance of the new password being intercepted by his boss.

Find Another Job

I know the economy is tough, but Jesus Christ. Do you realize all the effort you just went through to keep your boss away from things he should not have access to? Once you find another job, gather evidence and freaking sue the bastard into oblivion. Unless he has more money than you, in which case you're probably boned.

Conclusion

After spending nearly two hours on the phone with MHE, I left him with a laundry list of things to do and a clear plan for doing them. While this may be simple for me, MHE isn't as well versed in it. It still surprises me how ill suited programmers (MHE's occupation) are for general IT stuff. If you read this, MHE, I wish you the best of luck. You're in a tough situation with no clear way out. The sooner you get out of that hostile work environment, the better off you'll be. I know I covered a lot of concepts and terms, so please don't hesitate to ask for clarification in the comments. As for me, if you need a good router with firewall and VPN capabilities, contact me.

Do you have a security, tech or other question? Leave me a comment and I can help you out!


One Response to “Tales from Craigslist: The Boss is in my network.”

  1. [...] This post was mentioned on Twitter by Edwin. Edwin said: New Blog Post: Tales from #Craigslist: The Boss is in my… http://goo.gl/fb/aUbGU #howto #tech #top #networking [...]
