February 20, 2007

Danger inside the firewall

That nice, new Linksys wireless router might as well have been a ticking bomb

Between the latest firewall technology and advanced intrusion detection systems, IT professionals are breathing a little easier. This is a big mistake. It may be easier to protect the network from external attack these days, but the greatest security risks still come from inside the DMZ.

I work for a small, single-branch credit union in Minneapolis, and I am a one-man shop. If there’s a technical problem, I’m the guy who has to fix it. Once a year, auditors from a large accounting firm come in to perform an audit for our year-end financial statements. In the past, the only tech support I needed to provide was to set up a local printer they could use from their laptops. I couldn’t have given them access to my network if I wanted to, as their techs had their laptops locked down, and I couldn’t make any changes to their setup.

This year the accountants brought their own printer, so they didn’t need any assistance at all. Fine with me; I always have plenty to do. They showed up on Monday. Tuesday morning I arrived for work, opened up my laptop, and was suddenly asked if I would like to join wireless network xx-xx. I recognized the SSID as belonging to our auditors. My first thought was that one of them had left her laptop running in our boardroom overnight and had somehow screwed up the network settings, allowing it to accept connections. I immediately joined this network to see what was going on.

I had no trouble connecting to the router at 192.168.1.1 via port 80, and signing into the management console with the default password. I now had full access to the router, and I used nmap to scan all the computers connected to it. They all had the same ports open, including 135 and 139. All our financial data was potentially at risk.

Moments later I was running down the hall to the boardroom where the auditors were encamped. The first thing I saw, in the middle of the boardroom table, was a nice, new Linksys wireless router with a network printer cabled to it. Wow! It might as well have been a ticking bomb! How could their techs send them out with this equipment, especially configured this way, without security training?

When the accountants arrived half an hour later, I asked them if they were aware that the wireless router and the laptops were unsecured. They had no idea what I was talking about. They assured me that they weren’t even using the wireless functionality; sure enough, they were all cabled to it directly.

I phoned the auditors’ supervisor and told him I was seriously unhappy about our confidential financial data residing on laptops that were unsecured. He told me to calm down; even if the auditors’ laptops were on a wireless network, what could intruders do without a username and password to connect to the shares?

I don’t know about you, but my faith in Windows security on an open network, especially without additional firewall protection, isn’t that high. So, using the router’s Admin console, I disabled its wireless functionality altogether. I was further tempted to change the router’s password, or maybe leave some ominous messages on the auditors’ laptops just to prove a point. But I didn’t. They’ll have to learn their lesson the hard way, at a later date, with some other company’s data.


©1994-2009 Infoworld, Inc.