Security failures - flashback

I’ve read very interesting text about 3D movie projectors used by cinemas and how bad security design led to worse end-user (viewer) experience. You can find full text here. But I want to write about something I’ve recalled after reading this text.

Few years ago I was working at call center for major Polish telecom (TP SA). I was help-desk for ADSL service called Neostrada. We were divided into two groups:

  • hosting - which supported hosting services associated with the main ADSL service, like mailbox and personal webspace
  • help-desk - support for the main ADSL service, like problems with modems, broken lines, etc.

I was part of second one. The main difference for us (employees) was that hosting group had access to Internet (as they’ve needed it for work, to be able to check user’s websites) and we didn’t. It was enforced by simply disabling all apps on our Windows based machines except the ones which we really needed and handling all network connections through proxy. And by disabling apps I mean complete cut off, we weren’t able to access filesystem, control panel, even start menu, nothing.

Situation changed when we’ve got equipped with FTP clients. Which obviously gave us access to filesystem and even provided simple text editor, so we could alter files. At this point it became easy. I’ve found the file which was responsible for proxy configuration, it was not hidden in the system as admins assumed that we don’t have access to filesystem anyway so why to bother, and you even didn’t need extra permissions to edit it, and switched our proxy IP to the one used by hosting group. Obtaining this IP was also easy as it was revealed by FTP client during connection to FTP server and we were all good colleagues after all:) Last thing you’ve needed to do was to log off and then log on to your workstation, so new settings got applied.
I was first to discover it, however I know that it’s not rocket science, and I was quite proud of myself back then. So I’ve shared the idea with colleagues and soon everyone got Internet access on his workstation. Still it took admins two weeks to find out what’s going on and block the access again, this time they’ve did it properly. There was even small investigation to find out the one responsible for this “security breach”, but fortunately my colleagues were more loyal to me than to company. And as admins were already discredited they didn’t want to push it really hard, so finally someone from upper management could get involved and they could be punished as well for lack of competence.

Remember to think about security before implementing it and don’t assume that some part of the system is secure just because users have no access to the other part which stands between. And read Schneier, he’s talking about it again and again.