Halloween is upon us! It isn’t just a time for Steven King movies and trick-or-treating, but it's also a time to reflect back on some of our own horror stories in IT. To help celebrate Halloween, we have asked some folks from the security industry to share their scary security stories with us. We hope you enjoy. Feel free to share your own stories in the comments below.
Leslie Sloan, Senior Systems Engineer at Tripwire
The year was 2013. I was contracted to a state government information security office to implement their vulnerability management program; part of this work included visiting the state’s correctional facilities. I pulled up to the address for the meeting and was expecting to meet the IT manager in an office building. Nope – their office was IN the correctional facility. It was just like on TV – high fences topped with coiled razor wire, guard towers with heavily armed guards. I was a bit freaked out, to say the least. I ventured in to meet with the IT manager. I left the device profiler in my car and only brought my credentials inside. After signing in and a trip through a metal detector, I was able to meet with the IT manager. An inmate was assigned to assist me in gathering the DP and installation hardware, all of which were closely examined by the door guard, counted, documented, and followed by a trip through an X-ray machine. The inmate accompanied the IT manager and me to the data center and assisted with the installation. It was a standard install and knowledge transfer at this point. It was so unnerving for me inside the facility, and many inmates were moving freely around the facility. It reminded me of how a high school operates. All went well. My only souvenirs of the day are memories. Even though I am a law-abiding person, this experience scared me. I NEVER want to return to another correctional facility again!
Irfahn Khimji, Strategic Account Manager at Tripwire
The scariest part of security is the cob webs – the more you delay cleaning them up, the bigger they get! As a security admin, cleaning the cob webs for me involves finding old devices still living deep in the crypt of our network. Someone did not want to deal with them, so they were ignored and ignored. Instead of being mummified, they were left alive and barely breathing! XP, NT, 98?! I’ll need to be the one to get the vacuum and clean up this mess. Hopefully Dracula is still asleep!
Adrian Sanabira, Infosec soothsayer
I've had many "OMG, I'm getting fired for this" moments in security, but the scariest was probably while doing a red team assessment in the Middle East during The Arab Spring. As part of this assessment, I was assessing physical security using social engineering, picking locks, and otherwise breaking into places that should have been secure. I got busted. The security guard didn't speak English, and I knew only a few phrases in Arabic. I had a business card for my point-of-contact, and the guard called him. After my POC showed up, everything was explained and smoothed out, but there were some tense moments before he arrived. You can read the full story here.
Ben Layer, Principal Software Engineer at Tripwire
My scariest moment in security was also my first. The year was 1995. I was wide-eyed and fresh out of high school. I was a junior systems administrator for a small university research network, and I performed software installations and hardware upgrades. But an ill wind was blowing. One morning, we made a spine-tingling discovery. Unbeknownst to us, a phantom intruder had left an unexplained backdoor user account on one of our Silicon Graphics IRIX workstations. Dread and terror set in as we set out to determine the depths of our abyss and how to remedy the situation. It was the crucible of my interest in system security, incident response, and intrusion detection, even the original Tripwire software. After wrestling with the devil, I emerged stronger for it; however, I am still afraid of spiders.
Anonymous (No, not that Anonymous)
A colleague who will remain unnamed told me that when they were still with the government and detailed to an undisclosed Intelligence agency, the ISSM came running in and stated every “special handling program” has been exposed/open to the entire agency. [Special handling programs are more sensitive than regular Top Secret Secure Compartmented Information (TS/SCI )]. When I asked how it happened, the ISSM stated someone un-clicked a button giving the rest of the agency viewing and access privileges. I asked how we would know if any changes were made and was told, “we will never know.” We had zero change management situational awareness across our nation’s most sensitive programs. The fix was to migrate all special handling programs to an isolated stove-piped network extremely costly for the tax payer.” Spooky indeed.
Steve Tipton, Senior System Engineer at Tripwire
I worked for a company that did penetration testing. Part of the testing we offered was social engineering. We sent an email to 100 recipients that pointed them to an external website that was a survey on how the company was doing. The promise was that each recipient would receive a $50 Amazon gift card. Users had to enter credentials and personal information. We received over 115 responses on 100 emails sent. People were forwarding it to their friends and even filling it out twice sometimes!
Zoë Rose, Cisco Champion and Splunk Architect
When asked about my ‘scariest moment,’ I immediately thought of a person who came to me after losing access to a popular social media account. This person, we will call Jordan, attempted to log in to this account per usual one Saturday morning. Unfortunately, on this Saturday, the password, email, and all details of their account no longer worked. Speaking with friends, Jordan realized their account was now sharing terrorist-like propaganda to more than two thousand new friends. Jordan immediately called the police Anti-Terrorism hotline that was able to confirm this was indeed a known terrorist group. The police also confirmed they were aware of this happening to others and said they could tie it all back to one hacker. The reason this is comes to mind is that Jordan realized this terrorist group knows their identity, location, family and friends information, and routines essentially, everything about Jordan’s life. Why did they target Jordan’s account? On an on-going effort to minimize the reach of these sorts of groups, social media sites make it harder to create alias accounts. Therefore, if they take over other legitimate accounts, they can almost go under the radar. This is a security issue not only from the perspective of being hacked but also from operational security. Realize that information shared online has the potential of being shared with others you are not expecting.
Stuart Peck, Director of Cyber Security Strategy at ZeroDayLab
I spend a lot of time responding to high profile and devastating breaches. However, this year has been particularly scary. One event that really sticks out due to the damage, exhaustion, and scale of the incident was a client that got hit by the NotPetya outbreak! I had just landed into New York, checked into my hotel, and as my head was hitting the pillow, my mobile started to ring from the UK Incident Response center with a report of a customer who was experiencing significant issues with a virus. Five minutes into the call, the sheer magnitude of the incident became clear. This was a perfect storm in the making! We immediately started setting out containment actions to stop the spread of the outbreak and gathering the client’s troops to get every computer off the network. Being remote and the nature of the global outbreak (computers and servers force rebooting with MSBF records encrypted, and the speed of lateral movement through Mimikatz, WMIC and PSExec) meant I was intel-blind. The first few days of trying to work out patient zero whilst coordinating client resources over multiple countries to assist in containment and eradication was something very few had prior experience in. The incident lasted for over four weeks, with manual rebuild and recovery of servers, networks and client machines. It’s something I hope I never to have to respond to again, but if another prefect storm hits, I’ll be ready and forearmed.
PJ Norris, Senior Sales Engineer at Tripwire
Whilst working for a large energy company in the UK, one of my roles working in information security was to visit off shore sites and conduct technical security audits based on ISO27001. In May 2012, I was on one of my many visits to India conducting a review. I attended a brand-new facility of one of our suppliers, which had gone live. As part of the audit, I reviewed the six backup generators and how often they are tested, etc. I was shocked to see that two of the six generators were running at the time of my visit. Initially, I was informed they were being tested at that moment in time, but subsequently, I learnt that the entire site had not been supplied with commercial power from the local grid, so the entire site had been running on generator power for the past nine months! Furthermore, I discovered they had not acquired the license from the authorities to store diesel in the 70,000 litre silos on site. Instead, they were receiving a daily shipment of ten barrels. A tube was stuck in to the top, and an electric pump was pumping the fuel through a hole that was created in the wall in to a tank that fed the generators. In disbelief, I took the photo below. Note that the sign on the wall says ‘no phones’, yet the men stood next to me were smoking! Incredible experiences in India.
Got a security horror story of your own? Let us know in the comments. And have a Happy Halloween!
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.