by Alan Ross
Chapter 14
Bill Gets In
The IP addresses were calling him. Those numbers that machines used to connect to one another on the internet kept screaming at him to check them out. Bill was staring at the Visio diagram of Foundation’s corporate network, which was several layers deep and included very comprehensive information that shouldn’t be in the hands of anyone outside the company, let alone a convicted felon. He knew he should leave it alone; it had been fun enough to see how the various aspects of a large corporation’s information technology division worked together, and he didn’t need to commit a crime by actually exploring those systems. But what was the harm in looking around?
“What you doing, son? Hoping that we can test that purchase order program today, both Margie and I have some time.”
“Hey Mom, just seeing how big companies document their environment, what some of the complexities are and how things fit together. As we grow, it’s important that we know how to grow.”
“I don’t know what you’re talking about as usual but I’ll take your word for it. Nice picture, whatever it is.”
“Thanks, how about we meet up after lunch to do the testing? I need to work on the program a little bit more and run a few tests but it should be ready to go by then.” The truth was that he had quite a bit to do and hadn’t touched it in the past couple of days, completely obsessed with finishing the documentation and then going through Foundation’s public websites to see how all of the content was put together and make sure he had the right information in his diagrams. Luckily he could probably finish the purchase order program in the next few hours so he got busy on it. Kathy walked away when he launched the program, knowing he was going into Jack mode and wouldn’t be saying anything else.
The database calls were working fine for the vendor but the update function and report generation were bare. Bill started to work on the database update functionality, writing the snippets of code that would take data from the purchase order form and update the database so there would be a record of the transaction. He was able to successfully get an entry in the database but when he went back to change a price or quantity the program crashed. It took a while to find the bug and then he moved on to some more testing, including invalid inputs and overwriting information before saving the final version. Things were going his way this morning because everything snapped into place within an hour or so. He grabbed coffee and ran into Margie.
“Hey Margie, how’s Joshua doing? Everything going ok these days?”
“Hi Bill, things are going fine, thanks. I find that each week it gets better from the work perspective and it’s actually good for Joshua and I to have some time apart, being together around the clock would take a toll. My childcare provider is very caring but doesn’t want to be his mommy so it’s working out just fine. How about you? Anything new and exciting?”
“I’m managing the recycling crew on Saturdays which is pretty interesting. There’s a good group of guys and it makes the weekends go faster. Other than that it’s pretty much the same old stuff for me.”
“Guess it would be, that was kind of a stupid question. I’m sorry Bill.”
“C’mon Margie, don’t be sorry, it’s a very common question.” He smiled at her but she was a bit shaken and left the kitchen with her head down. Bill stirred his coffee and looked in the fridge to see what Kathy had brought him for lunch. Spaghetti, which was one of Bill’s favorites. He needed to get that program done so he could eat, he knew there’d be salad and garlic bread too.
Bill had outlined what reporting features he wanted to enable for the purchasing program and started writing the database interface that would extract the key elements based on the authorization of the user. He needed to make sure that there were some limits in the system and that he adhered to them. He printed off the database schema and then mapped out the draft reports he’d indicated. The coding part was fairly straightforward and he made sure that during testing today they could at least print out reports of purchasing activity they had done during a given time period. He entered a few purchase orders using a couple of different test user accounts and then ran reports, making sure that he couldn’t run reports against different user accounts. Both of these worked fine so he had enough to go into the testing by Kathy and Margie after lunch. Glancing at the clock he saw that it was past eleven thirty so he saved everything and created a couple of quick documents that described how to use the system using screen prints and some basic text. Kathy and Margie could hand write some notes that Bill could use in the next version of the documentation. He printed two copies, stapled them and went to the kitchen for lunch.
The gang was all in today, talking about the comeback the Indians had the previous night, beating the hated Red Sox in the twelfth inning on a homerun by Grady Sizemore. Bill tried to follow but it wasn’t as fun when he couldn’t see or hear too many of the games. He preferred to spend his evenings in his cell as opposed to trying to hang around the common area where the prison gangs gathered under the auspices of being sports fans. The city loved when their sports teams were winning and died with them when they were losers. The Indians had come within an out of going to the World Series the year before last but had a tough season last year. Everyone was hopeful that they could return to form this year and spent lunch talking about when they were going to go to a game together. The prison office staff and their families usually attended one or two games a year, and it was something they all talked about. Bill heated up his food and enjoyed it, savoring the meatballs and garlic bread the most. The talk turned to the pending summer vacation and Bill tuned out a bit, thinking back to the Foundation company diagram.
Kathy and Margie were waiting in the conference room after lunch. Bill took a couple of deep breaths to calm down and went in to run them through the process. They got the hang of it right away and each created some of the common orders they ran on a weekly or monthly basis. They printed their orders and each ran reports to see what they’d done. “This is definitely going to make my life easier Bill, I really appreciate it.” Margie said.
“Ditto here, Jack. Do you want us to test the approval process, I want to be sure that I can explain it to Don so he doesn’t have a panic attack.”
“Sure thing, who wants to be Don?” they laughed and then Margie entered the purchase order and saved it. Kathy logged in with Don’s privilege level and was prompted to review the purchase order that Margie had entered. She approved the purchase order and then ran a report showing everything that had been entered into the system for the past thirty days.
“Everything’s working as usual Jack, this is going to save us a lot of time and trouble, thanks so much.”
“Thanks for the lunch, it was awesome, especially the meatballs. And no problem on the purchase order system, I think this might end up being Don’s next thing. If we can get an integrated purchasing system throughout the entire prison system, that will be a huge cost saving and tie directly to the work Don’s been doing on single vendor sourcing.”
“Couldn’t agree more on the purchasing system and I’m glad that you liked the meatballs, I tried something different and used a recipe from Food Network. Instead of bread crumbs they have shredded bread that’s been soaked in milk. They looked so good on TV that I had to make them.”
“They’re a keeper for sure. I’m going to get back to work, thanks for the testing and if you have any other thoughts let me know and I’ll get them worked into the program. I plan on finishing up later this week and we can move to the electronic system the first of next month so there isn’t any confusion with accounting.” Bill went back to his desk and put his headphones on but didn’t turn on the music. He didn’t want anyone to be able to sneak up on him. The Visio diagram was open on his desktop and he looked it over once again, thinking about how he should investigate the network. Based on the system names and information he’d found in the recycling it didn’t appear that they were running any kind of network intrusion detection system so he thought the first thing that he could do would be to run a simple port scan to see what services were listening for connections on the machines that were public facing, which meant available to users on the internet.
He had downloaded a few scanning programs for network testing on the prison system a few months ago with Don’s permission and had learned his way around some of the common tools that system administrators and the bad guys used to explore networks. NMAP and Nessus were two scanners that he had become somewhat familiar with. He started with NMAP in its least intrusive mode, turning off anything that might trigger alarms and set the IP address range to the range that appeared in the network diagram. It looked like Foundation had a reasonable address block allocated to them. Companies and organizations acquired address space so that there wouldn’t be confusion or collision on the internet. Bill set the scanner to provide information on which ports were listening and the scan ran in about two minutes, during which time Bill didn’t know if he took a breath. When the scan finished he saved the report and closed NMAP as well as the Visio diagram and switched his screen to the source code for the purchasing system. His heart was in his throat and he noticed that he was gripping the arms of his chair as though he was riding a roller coaster.
After his heart rate dropped below one hundred and fifty beats per minute he looked around and saw that nobody was around. He opened the Visio diagram and the scan results and took note of the open ports, adding the information to the servers in the diagram. Bill noticed that they had a lot of ports open, which were connection points that were listening for communication. Most companies limited the number of ports they listened on because every open port gave attackers one more place to attack. This was commonly referred to as the attack surface. There were some really insecure ports available to some of the servers including Telnet, which is a service that allows for remote connectivity to a server but sends all of the information that’s transmitted back and forth in the clear, which meant that anyone who could intercept that traffic could determine the usernames, passwords and data and use that information. Telnet had been replaced by SSH, the secure shell, and Bill thought that all companies would have moved to SSH for all public facing services.
He saw that Telnet was even available to the firewall, which was a critical mistake because if an intruder could compromise the firewall then they could gain access to anything behind the firewall and cover up their tracks. Bill finished the document and determined that the chemical company was as insecure as possible. The responsible thing to do at this point would be to report to the company administrators or at least let their human resources department know anonymously that they should investigate. Bill knew that he should do that but thought that as long as he didn’t steal any information or disrupt services it should be ok to look around. He was bound to learn something interesting and once he was done playing around he could let the company know.
The office was still quiet so Bill tried one of the username and password combinations he’d found for one of their web servers. He connected using the Telnet application and entered the logon information. A few seconds later he was rewarded with a directory prompt and was able to look around the system. He found out which web server they were using, which is the program that organized the information on the web pages and where administrators set up the rules of the website, how information was gathered and presented and who had access to make changes, add web pages, etc. Bill added the web server name and version to the Visio diagram so he could look it up later but he guessed that it was an out of date version that was also vulnerable to compromise.
Bill was afraid to probe any deeper using tools because the systems were more likely to crash while being probed if they were out of date. He walked through a few systems, connecting from the server he had originally connected to so he would minimize his footprint in case they were tracking outside access. It was a similar story across their network, with servers and applications that were out of date and easily accessible. He spent the rest of the afternoon gathering information and documenting what he found. That night he pieced it together further and had a great deal of knowledge about how he would go about fixing the network at the company.