Blocking unauthorized remote access
on 24.09.2006 07:39:48 by Mike Dorn
Has anybody seen a comprehensive list of addresses used by the various
"services" that allow unauthorized users to remote into their work computers
from home, bypassing corporate security? These things work by making an
outbound connection from the target PC to a fixed external site. The user then
contacts the external site from their home PC or traveling laptop, and the site
uses the previously-opened connection to create a remote session for them. It's
not caught by normal firewall config, because the outbound ssl connection
appears to be legal.
I'm sure this is a valuable tool for some folks, but it breaks security policy
by allowing unauthorized remote access, so my client wants the ability to shut
it down. (They have a secure VPN solution for those with legitimate need; these
rogue connections are being used by folks without authorization.) Because of
the size and complexity of the business, it's really not practical to use a
"whitelist" approach to outbound connections. There are also several
mission-critical apps that depend on long-term connections, so limiting the
connection lifetime or access hours is out as well. It makes sense to me to
just block outbound connections to the specific IP addresses of these external
services, but that means I need to know where all of them are. I've got the
info for gotomypc.com and logmein.com, but there are at least half a dozen others
out there commonly in use, probably a lot more. Most of them provide no useful
tech information on their websites, as they're in the business of selling access
services to the users, not helping network admins enforce corporate policy.
Anybody dealt with this before, or know of a good resource?
Thanks!
Re: Blocking unauthorized remote access
on 24.09.2006 08:34:54 by Volker Birk
Mike Dorn wrote:
> Has anybody seen a comprehensive list of addresses used by the various
> "services" that allow unauthorized users to remote into their work computers
> from home, bypassing corporate security? These things work by making an
> outbound connection from the target PC to a fixed external site. The user then
> contacts the external site from their home PC or traveling laptop, and the site
> uses the previously-opened connection to create a remote session for them. It's
> not caught by normal firewall config, because the outbound ssl connection
> appears to be legal.
http://www.agroman.net/corkscrew/
With such a tool, any site on the outside can be used.
I think you have a social problem, not a technical one. Try to detect
open sockets or reconnecting sockets after working time and talk to the
people who are installing such things.
Yours,
VB.
--
Far worse than the implementation of PHP, however, is the design.
Rudolf Polzer in de.comp.security.misc
Re: Blocking unauthorized remote access
on 24.09.2006 10:41:41 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 10:53:25 by Mike Dorn
Volker Birk wrote:
> Mike Dorn wrote:
>
>>Has anybody seen a comprehensive list of addresses used by the various
>>"services" that allow unauthorized users to remote into their work computers
>>from home, bypassing corporate security? These things work by making an
>>outbound connection from the target PC to a fixed external site. The user then
>>contacts the external site from their home PC or traveling laptop, and the site
>>uses the previously-opened connection to create a remote session for them. It's
>>not caught by normal firewall config, because the outbound ssl connection
>>appears to be legal.
>
>
> http://www.agroman.net/corkscrew/
>
> With such a tool, any site on the outside can be used.
Obviously, but this is more of a tool for the serious "hacker" type. We're more
worried about commercial sites that just sell a "click here to use" service, as
any dummy can install them without knowing how it works or investing any serious
effort to set it up.
>
> I think, you have a social problem, not a technical one. Try to detect
> open sockets or reconnecting sockets after working time and talk to the
> people who are installing such things.
>
> Yours,
> VB.
Aren't all admin problems really social problems? Unfortunately, with hundreds
of users spread thru multiple sites and a complex 7x24 operation, we can't just
look for open sockets during "non-working hours". What we can do, however, is
look for traffic to specific addresses, once they are known.
Re: Blocking unauthorized remote access
on 24.09.2006 13:47:02 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 13:59:49 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 14:10:28 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 14:12:16 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 15:04:01 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 15:05:42 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 15:07:22 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 15:10:23 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 15:11:24 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 18:28:51 by Anders
Leythos wrote:
> In article <4nnb1pFb87h1U1@news.dfncis.de>, seppi@seppig.de says...
>> chilly8@hotmail.com wrote:
>>
>>> I know that all the song swapping services, in their heyday, hired
>>> engineers whose job it was to make it difficult, if not impossible, for
>>> firewalls to 100 percent block their services, and they were wildly
>>> successful at that.
>> Blocking one specific tunnel end-point is trivial.
>>
>>> Kazaa and Grokster, in their heyday, were about as
>>> close to being a sysadmin's worst nightmare, as you could get.
>> FUD
>
> I bet this is the same idiot (him, not you) that claimed he had
> engineers making an app that would allow people to watch the Olympics in
> real-time from work and there was nothing that admins could do to block
> it.
>
I believe that he is a total eclipse of figure-skating.
Re: Blocking unauthorized remote access
on 24.09.2006 19:19:13 by Mike Dorn
Leythos wrote:
> In article <12hc6h5e4l05r37@corp.supernews.com>, mrdorn@visi.com says...
>
>>Has anybody seen a comprehensive list of addresses used by the various
>>"services" that allow unauthorized users to remote into their work computers
>>from home, bypassing corporate security? These things work by making an
>>outbound connection from the target PC to a fixed external site. The user then
>>contacts the external site from their home PC or traveling laptop, and the site
>>uses the previously-opened connection to create a remote session for them. It's
>>not caught by normal firewall config, because the outbound ssl connection
>>appears to be legal.
>>
>>I'm sure this is a valuable tool for some folks, but it breaks security policy
>>by allowing unauthorized remote access, so my client wants the ability to shut
>>it down.
>
>
> It's really simple to block/stop - the first rule of security is ONLY
> ALLOW ACCESS TO REQUIRED SITES. That means if you allow outbound
> HTTP/HTTPS access without any restrictions, then you are not going to be
> able to block it. If you only allow outbound access to approved sites,
> well, they can't really connect to one of those sites.
>
Hmm.. I believe I already mentioned in my original post that a whitelist
approach was not really an option. It doesn't match the company's internet
needs, and would not be supported by their management. (I don't get paid to
build to ivory-tower ideals, only to meet the client's real-world needs.)
The entire concept of "approved sites" is pretty meaningless today for most
businesses in the real world. (Just out of curiosity--anybody here actually
attempting that? In what kind of business is it even practical?)
This particular company has a legitimate business interest in thousands of
diverse sites & applications, the precise selection of which would be extremely
difficult to pre-define, and which it is generally able to leave up to the
discretion of its users. Beyond that, it is not interested in heavily
curtailing most benign additional use of the internet by its employees, within
reasonable limits. (Porn, terrorism, illegal activities, etc.) Websense is
generally able to strike that reasonable balance for http (80) traffic, and will
draw our attention to anyone operating out-of-bounds.
What we have here is one specific type of application that needs an additional
measure of control. It's easy to block all traffic to a particular list of IP
addresses using an ACL on the firewall. All I asked for here, is whether or not
anybody already had such a list handy. "Sorry, I don't know" is a perfectly
legitimate answer.
Re: Blocking unauthorized remote access
on 24.09.2006 19:20:11 by ibuprofin
On Sun, 24 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
<12hchs5l8q41pcc@corp.supernews.com>, Mike Dorn wrote:
>Volker Birk wrote:
>> Mike Dorn wrote:
>>
>>> Has anybody seen a comprehensive list of addresses used by the various
>>> "services" that allow unauthorized users to remote into their work
>>> computers from home, bypassing corporate security?
Wrong concept - you don't "block", you "permit". Does the user have a
legitimate need to connect to LOCUS.GOV? Yes, then you poke a hole through
an otherwise complete block of everything. (You may find using a restrictive
proxy server a solution for some services.) You don't try individually
blocking all 2,357,975,546 IPv4 addresses that were allocated/assigned by
ICANN as of a week ago. You don't try to individually block the 74,791
network blocks that encompassed those addresses, any more than you'd
individually try to block people from entering your facility.
>>> It's not caught by normal firewall config, because the outbound ssl
>>> connection appears to be legal.
Is the outside immediate destination an "approved" site? Why was the
connection possible? Was the immediate interior destination (someone's
workstation probably) in need of such connection? Why exactly does the
user require an encrypted connection to somewhere? Or is the user using
the connection for other reasons? Has the connection existed for longer
than (example) bringing up a web page, or FTPing in a file?
>Obviously, but this is more of a tool for the serious "hacker" type.
>We're more worried about commercial sites that just sell a "click here
>to use" service, as any dummy can install them without knowing how it
>works or investing any serious effort to set it up.
Why does the user have the capability to install such software? Are you
still running MS-DOS 3.3/Windoze 3.1, with something like Trumpet Winsock
to get networking, or something similarly lacking in control?
>> I think, you have a social problem, not a technical one.
I can agree with this
>> Try to detect open sockets or reconnecting sockets after working time
>> and talk to the people who are installing such things.
There shouldn't be open or reconnecting sockets, because the crap shouldn't
be allowed through the firewall in the first place. As for talking to the
users... before that occurs, there MUST BE _written_company_policy_ in
place prohibiting such activities, and _ALL_ employees aware of that policy.
It is not the network administrator's job to create or enforce that policy.
>Aren't all admin problems really social problems?
Discuss this with the Powers That Be(tm), and then know that the resulting
policy has been officially signed off by those powers. That includes them
running the policies past the company legal advisors who would have to
defend any resulting legal actions a dismissed employee may try to bring.
>Unfortunately, with hundreds of users spread thru multiple sites and a
>complex 7x24 operation, we can't just look for open sockets during
>"non-working hours".
Oh, poor baby. I can't post from work because of an NDA, but I've got
roughly 1700 users on site here, and the company has over 100,000 world
wide. With proper policy in place AND ENFORCED, and with a 'white-list'
firewall that _allows_ access to sites, rather than trying to block
individual sites/addresses/address-ranges, it's relatively easy.
>What we can do, however, is look for traffic to specific addresses, once
>they are known.
Why do you like looking for needles, when access to the haystack should not
be permitted in the first place?
Old guy
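The detection side of this thread, as an added Python example rather than code from any poster or product mentioned here: the original post describes a client holding an outbound connection open to a fixed external site, Volker suggests watching for open or reconnecting sockets, and ibuprofin asks how long the connection lived and whether the destination was approved. The example turns those three observations into checks over flow records; the record format, thresholds, internal prefix and RFC 5737 test addresses are all constructed for the example.

```python
"""Flag reverse-connect remote-access beacons in outbound flow records.
Added example (not code from the thread or any product named in it): it
checks for long-lived web sessions, sockets reconnecting to one fixed
host, off-hours activity and blocklist hits. Format and data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    """One connection record: src -> dst:dport, with start and end time."""
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int

# Tunable thresholds (assumptions for this example, not values from the thread).
LONG_LIVED = timedelta(hours=1)        # far longer than fetching a web page
RECONNECT_MIN = 4                      # this many flows to one dst ...
RECONNECT_WINDOW = timedelta(hours=6)  # ... inside this window = a beacon
WORK_HOURS = range(8, 18)              # 08:00-17:59, Monday to Friday
INTERNAL_PREFIX = "10."                # crude "is this one of ours" test
# Placeholder blocklist using RFC 5737 test addresses; a real one would hold
# the addresses you have confirmed for the remote-access services.
BLOCKLIST = {"203.0.113.10", "198.51.100.7"}

def parse_flows(text: str) -> list[Flow]:
    """Parse 'start,end,src,dst,dport' lines; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, src, dst, dport = line.split(",")
        flows.append(Flow(datetime.fromisoformat(start),
                          datetime.fromisoformat(end), src, dst, int(dport)))
    return flows

def off_hours(f: Flow) -> bool:
    return f.start.weekday() >= 5 or f.start.hour not in WORK_HOURS

def find_suspects(flows: list[Flow]) -> dict[tuple[str, str], list[str]]:
    """Return {(src, dst): sorted reasons} for outbound pairs worth a look."""
    reasons: dict[tuple[str, str], set[str]] = defaultdict(set)
    by_pair: dict[tuple[str, str], list[Flow]] = defaultdict(list)
    for f in flows:
        if not f.src.startswith(INTERNAL_PREFIX) or f.dst.startswith(INTERNAL_PREFIX):
            continue                      # only internal -> external matters here
        key = (f.src, f.dst)
        by_pair[key].append(f)
        if f.dst in BLOCKLIST:
            reasons[key].add("blocklisted destination")
        if f.dport in (80, 443) and f.end - f.start >= LONG_LIVED:
            reasons[key].add("long-lived web session")
    for key, fs in by_pair.items():
        fs.sort(key=lambda f: f.start)
        # Sliding window over start times: many short connections to the same
        # external host look like a client re-establishing its control channel.
        for i in range(len(fs)):
            j = i
            while j < len(fs) and fs[j].start - fs[i].start <= RECONNECT_WINDOW:
                j += 1
            if j - i >= RECONNECT_MIN:
                reasons[key].add("reconnecting socket")
                break
        # Off-hours activity alone is noise in a 7x24 shop, so it only
        # strengthens a pair that already has a primary indicator.
        if key in reasons and any(off_hours(f) for f in fs):
            reasons[key].add("active outside working hours")
    return {k: sorted(v) for k, v in reasons.items()}

# Constructed sample: a blocklist hit, an all-day TLS session, a host
# reconnecting every 30 minutes after hours, an ordinary page fetch, and an
# internal-to-internal flow that must be ignored. 2006-09-25 is a Monday.
SAMPLE_FLOWS = """\
# start,end,src,dst,dport
2006-09-25T09:00:00,2006-09-25T09:00:05,10.1.2.3,203.0.113.10,443
2006-09-25T08:30:00,2006-09-25T17:45:00,10.1.2.4,192.0.2.50,443
2006-09-25T18:05:00,2006-09-25T18:05:20,10.1.2.5,192.0.2.60,443
2006-09-25T18:35:00,2006-09-25T18:35:20,10.1.2.5,192.0.2.60,443
2006-09-25T19:05:00,2006-09-25T19:05:20,10.1.2.5,192.0.2.60,443
2006-09-25T19:35:00,2006-09-25T19:35:20,10.1.2.5,192.0.2.60,443
2006-09-25T09:00:00,2006-09-25T09:00:02,10.1.2.6,192.0.2.70,443
2006-09-25T10:00:00,2006-09-25T10:00:03,10.1.2.3,10.1.9.9,443
"""

if __name__ == "__main__":
    for (src, dst), why in sorted(find_suspects(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src} -> {dst}: {', '.join(why)}")
```

Feeding the script real flow exports only needs a new parser for the collector's column layout; the blocklist check covers Mike's ACL approach, while the duration and reconnect checks catch a service whose addresses are not yet on the list.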
Re: Blocking unauthorized remote access
on 24.09.2006 19:50:27 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 20:48:13 by Charles Newman
"Leythos" wrote in message
news:DzzRg.1193$Cq3.952@tornado.ohiordc.rr.com...
> In article <12hdfgifct3dibb@corp.supernews.com>, mrdorn@visi.com says...
> > Leythos wrote:
> > > In article <12hc6h5e4l05r37@corp.supernews.com>, mrdorn@visi.com says...
> > >
> > >>Has anybody seen a comprehensive list of addresses used by the various
> > >>"services" that allow unauthorized users to remote into their work computers
> > >>from home, bypassing corporate security? These things work by making an
> > >>outbound connection from the target PC to a fixed external site. The user then
> > >>contacts the external site from their home PC or traveling laptop, and the site
> > >>uses the previously-opened connection to create a remote session for them. It's
> > >>not caught by normal firewall config, because the outbound ssl connection
> > >>appears to be legal.
> > >>
> > >>I'm sure this is a valuable tool for some folks, but it breaks security policy
> > >>by allowing unauthorized remote access, so my client wants the ability to shut
> > >>it down.
> > >
> > >
> > > It's really simple to block/stop - the first rule of security is ONLY
> > > ALLOW ACCESS TO REQUIRED SITES. That means if you allow outbound
> > > HTTP/HTTPS access without any restrictions, then you are not going to be
> > > able to block it. If you only allow outbound access to approved sites,
> > > well, they can't really connect to one of those sites.
> > >
> >
> > Hmm.. I believe I already mentioned in my original post that a whitelist
> > approach was not really an option. It doesn't match the company's internet
> > needs, and would not be supported by their management. (I don't get paid to
> > build to ivory-tower ideals, only to meet the client's real-world needs.)
> >
> > The entire concept of "approved sites" is pretty meaningless today for most
> > businesses in the real world. (Just out of curiosity--anybody here actually
> > attempting that? In what kind of business is it even practical?)
>
> Most businesses can work with "Approved" sites, but there are so many
> people in management that don't want to give up their MSN News or their
> stock trading, or their ElvisSightings.com access. In reality, most
> businesses don't need unlimited web access.
>
> > This particular company has a legitimate business interest in thousands of
> > diverse sites & applications, the precise selection of which would be extremely
> > difficult to pre-define, and which it is generally able to leave up to the
> > discretion of its users. Beyond that, it is not interested in heavily
> > curtailing most benign additional use of the internet by its employees, within
> > reasonable limits. (Porn, terrorism, illegal activities, etc.) Websense is
> > generally able to strike that reasonable balance for http (80) traffic, and will
> > draw our attention to anyone operating out-of-bounds.
> >
> > What we have here is one specific type of application that needs an additional
> > measure of control. It's easy to block all traffic to a particular list of IP
> > addresses using an ACL on the firewall. All I asked for here, is whether or not
> > anybody already had such a list handy. "Sorry, I don't know" is a perfectly
> > legitimate answer.
>
> White lists are built based on a customer's needs, we use them with every
> company, and we have multiple levels of filtering based on the user
> type/group/level. As an example, basic level employees don't even get
> internet access in most companies, medical claims people only get access
> to the claims partner websites, managers get a very locked down set of
> site definitions, even IT has restrictions.
>
> The idea that you "Need" access is a myth, very few businesses "Need"
> unlimited web access, but few are willing to understand that.
It's not a matter of that, it's a matter of how much work IT is
willing to do. It is far easier to slap WebSense, Cyblock, etc,
etc, on the network, select the site categories they want
to block and be done with it. These programs require
far less work than setting up a whitelist.
Re: Blocking unauthorized remote access
on 24.09.2006 21:09:58 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 24.09.2006 21:59:21 by Mike Dorn
IF I were building the ideal secure network from scratch, whose only goal was
protection, without the need to work with or accommodate the business or its
users, then this "whitelist" discussion would have some merit.... except that I
already knew all that anyway--it just wasn't what I was asking about.
What I expect I'll end up doing is just what I started to do before contacting
this group. I'll analyze the remote-access sites I'm able to find, and build
the best blacklist I'm able to in the time available. This will take FAR less
time than any attempt to query nearly a thousand established users to determine
their real "needs" in order to build & maintain the whitelist you suggest.
After all, we don't have unlimited resources--one network engineer and one
network security admin, and we both have plenty of other responsibilities beyond
this issue.
I keep forgetting, this is Usenet. People never answer the question you
actually asked; they simply repeat the answers they've already got. I'll take
that as a "Sorry, none of us have seen such a list," and move on.
Re: Blocking unauthorized remote access
on 24.09.2006 23:59:43 by Charles Newman
"Mike Dorn" wrote in message
news:12hdosqeora5je0@corp.supernews.com...
> IF I were building the ideal secure network from scratch, whose only goal was
> protection, without the need to work with or accommodate the business or its
> users, then this "whitelist" discussion would have some merit.... except that I
> already knew all that anyway--it just wasn't what I was asking about.
>
> What I expect I'll end up doing is just what I started to do before contacting
> this group. I'll analyze the remote-access sites I'm able to find, and build
> the best blacklist I'm able to in the time available. This will take FAR less
> time than any attempt to query nearly a thousand established users to determine
> their real "needs" in order to build & maintain the whitelist you suggest.
And that is, in my opinion, the way to go. Blacklists are far less
work than whitelists. What some people, like those who advocate
whitelists, don't understand, is how Gen X and younger (anyone roughly
42 years of age, or less) values convenience over all else, and
are willing to pay for it, which is why SurfControl, WebSense, etc
have made a lot of money, even when the rest of the tech
industry was imploding. Gen Xers, of whom I am one, believe
that convenience comes first, no matter how much it costs.
WebSense, CyBlock, SurfControl, etc, etc, know this, and
that is why their products are big sellers. Convenience sells.
Make it convenient, and they will buy it.
Re: Blocking unauthorized remote access
on 25.09.2006 00:21:17 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 25.09.2006 00:26:51 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 25.09.2006 00:46:15 by ibuprofin
On Sun, 24 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
<12hdosqeora5je0@corp.supernews.com>, Mike Dorn wrote:
>IF I were building the ideal secure network from scratch, whose only goal was
>protection, without the need to work with or accommodate the business or its
>users, then this "whitelist" discussion would have some merit.... except that I
>already knew all that anyway--it just wasn't what I was asking about.
Oh, so do you really mean that management hasn't got a policy, and you can't
restrict on your own, or you don't even know what traffic is on your net.
>What I expect I'll end up doing is just what I started to do before contacting
>this group. I'll analyze the remote-access sites I'm able to find, and build
>the best blacklist I'm able to in the time available. This will take FAR less
>time than any attempt to query nearly a thousand established users to determine
>their real "needs" in order to build & maintain the whitelist you suggest.
That game is called "wack-a-mole" and you'll find you'll waste far more time
trying to shut down a _single_ problem than if you bit the bullet and set the
defaults to block. If your management doesn't want to or doesn't understand
the need to support you - that makes it harder still. But don't bother looking
outside trying to find some magic list - look at the traffic ON YOUR WIRE.
That _may_ give you a clue of who you should watch more closely.
>After all, we don't have unlimited resources--one network engineer and one
>network security admin, and we both have plenty of other responsibilities
>beyond this issue.
But you'd rather waste the time chasing phantoms.
>I keep forgetting, this is Usenet. People never answer the question you
>actually asked; they simply repeat the answers they've already got. I'll take
>that as a "Sorry, none of us have seen such a list," and move on.
No, some of us know better than to waste time. You haven't learned that lesson.
Old guy
Re: Blocking unauthorized remote access
on 25.09.2006 00:47:55 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
on 25.09.2006 02:19:07 by ibuprofin
On Sun, 24 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
, Leythos wrote:
>ibuprofin@painkiller.example.tld says...
>> That game is called "wack-a-mole"
>Moe - I hope you don't mind, but I'm going to remember that analogy and
>use it in other discussions :)
Not a problem. It's an accurate description of trying to stop crap, one IP
address at a time - same as one ant at a time. As of mid-month, there
really were 2,357,975,546 IPv4 addresses out there. Some one wants to
stop "the bad ones"? Totally useless.
Old guy
Re: Blocking unauthorized remote access
on 25.09.2006 06:31:48 by Charles Newman
"Moe Trin" wrote in message
news:slrnehe2ll.p8f.ibuprofin@compton.phx.az.us...
> On Sun, 24 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
> <12hdosqeora5je0@corp.supernews.com>, Mike Dorn wrote:
>
> >IF I were building the ideal secure network from scratch, whose only goal was
> >protection, without the need to work with or accommodate the business or its
> >users, then this "whitelist" discussion would have some merit.... except that I
> >already knew all that anyway--it just wasn't what I was asking about.
>
> Oh, so do you really mean that management hasn't got a policy, and you can't
> restrict on your own, or you don't even know what traffic is on your net.
>
> >What I expect I'll end up doing is just what I started to do before contacting
> >this group. I'll analyze the remote-access sites I'm able to find, and build
> >the best blacklist I'm able to in the time available. This will take FAR less
> >time than any attempt to query nearly a thousand established users to determine
> >their real "needs" in order to build & maintain the whitelist you suggest.
>
> That game is called "wack-a-mole" and you'll find you'll waste far more time
> trying to shut down a _single_ problem than if you bit the bullet and set the
> defaults to block. If your management doesn't want to or doesn't understand
> the need to support you - that makes it harder still. But don't bother looking
> outside trying to find some magic list - look at the traffic ON YOUR WIRE.
> That _may_ give you a clue of who you should watch more closely.
>
> >After all, we don't have unlimited resources--one network engineer and one
> >network security admin, and we both have plenty of other responsibilities
> >beyond this issue.
>
> But you'd rather waste the time chasing phantoms.
>
> >I keep forgetting, this is Usenet. People never answer the question you
> >actually asked; they simply repeat the answers they've already got. I'll take
> >that as a "Sorry, none of us have seen such a list," and move on.
>
> No, some of us know better than to waste time. You haven't learned that lesson.
If you want to take the whitelist approach, the best way to do
it would be with the CyBlock filter. It has a category called
"Other". If that is selected to block, access will only be allowed
to the other categories that are set to "allow". Of course,
as I have said before, if you are going to use CyBlock,
you will need to configure your firewall to close a gaping
hole that Wavecrest still has not fixed. You will need to
restrict incoming access to the CyBlock proxy to your
subnet, and restrict outgoing traffic on CyBlock to
ports 80 and 443.
That is one approach that Mr Dorn could take to the
problem. Have his client install CyBlock on their
network, and then turn the "Other" category to
block. That would solve a lot of the problem.
This is where CyBlock has the advantage over
a hardware appliance. It can do whitelist blocking
far better than a hardware appliance could.
CyBlock can block/allow in 72 categories of
content. No hardware firewall made can do
that yet.
Anyone taking the whitelist approach may want to
take a look at CyBlock. It can implement a
whitelist approach with very little work on the
part of IT. Just install and configure the software,
and then simply E-mail instructions to the users
on how to configure their Web browsers to use
the new proxy, and you are done.
Re: Blocking unauthorized remote access
on 25.09.2006 09:02:31 by Volker Birk
Moe Trin wrote:
> >> Try to detect open sockets or reconnecting sockets after working time
> >> and talk to the people who are installing such things.
> There shouldn't be open or reconnecting sockets, because the crap shouldn't
> be allowed through the firewall in the first place.
If you can prevent it in a sensible way. You seem to see "whitelisting
the web" as a sensible provision, while I don't think that this is a
good idea.
> As for talking to the
> users... before that occurs, there MUST BE _written_company_policy_ in
> place prohibiting such activities, and _ALL_ employees aware of that policy.
I agree.
> It is not the network administrator's job to create or enforce that policy.
That depends on policy ;-)
Yours,
VB.
--
Far worse than the implementation of PHP, however, is the design.
Rudolf Polzer in de.comp.security.misc
Re: Blocking unauthorized remote access
on 25.09.2006 10:15:40 by unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
on 25.09.2006 12:33:49 by chilly8
Leythos wrote:
> In article <1159136477.455577.192410@m73g2000cwd.googlegroups.com>,
> chilly8@hotmail.com says...
> > X-No-Archive: Yes
> >
> > Leythos wrote:
> > > In article <1J6dnURXcOpuT4vYnZ2dnUVZ_qidnZ2d@comcast.com>,
> > > charlesnewman1@comcast.do.not.spam.me.net says...
> > > > > White lists are built based on a customers needs, we use them with every
> > > > > company, and we have multiple levels of filtering based on the user
> > > > > type/group/level. As an example, basic level employees don't even get
> > > > > internet access in most companies, medical claims people only get access
> > > > > to the claims partner websites, managers get a very locked down set of
> > > > > site definitions, even IT has restrictions.
> > > > >
> > > > > The idea that you "Need" access is a myth, very few businesses "Need"
> > > > > unlimited web access, but few are willing to understand that.
> > > >
> > > > It's not a matter of that, it's a matter of how much work IT is
> > > > willing to do. It is far easier to slap WebSense, Cyblock, etc,
> > > > etc, on the network, select the site categories they want
> > > > to block and be done with it. These programs require
> > > > far less work than setting up a whitelist.
> > >
> > > While one requires more work, they do not result in the same level of
> > > protection nor the same level of access.
> > >
> > > With most quality firewalls and a web-blocking service, I can eliminate
> > > IM, WebMail, use of Proxy services, and connections to most sites that
> > > would allow people to reach home/their computers. The problem is that
> > > people expect their work to provide them play time while at work, which
> > > is not ethical. Many businesses are moving to no-internet access except
> > > for those that have a real business need and then it's based on a white
> > > list.
> > >
> > > It's not more work, as there are a limited number of sites for most
> > > businesses that they need to approve.
> > >
> > > One of these days, Charles, you will understand how easy it is to
> > > protect a network, and not using the toys you know about.
> > >
> >
> > There is one thing you and Charles both overlook. That is the fact
> > that citywide WiFI is available in many areas, either provided by the
> > city, or through a commercial venture. Wireless ISPs (wISPS) use the
> > same 802.11 standard as your home or office access point. Someone could
> > disconnect from the office network and sign on to the citywide WiFI
> > network, and totally bypass your firewalls and everything else. If there
> > is any citywide WiFi network, whether provided by the city, or by a
> > commercial venture, watch out. Someone may well disconnect from the
> > office network and sign on to the citywide WiFi network. Since it would
> > be the wISP that would be handling the traffic, the activity would not
> > show up in any of the network logs. Heck, someone could even bring in
> > their own laptop and plug into the citywide WiFi network (if your city
> > has one).
> > And there are ways to hide one's activity. There is the caller to
> > my online talk show, who called in from her workplace in Vegas, and
> > she was able to do it in a way where the boss would have NO CLUE as to
> > what she was up to. And being that I only stream at 24K, when I do my
> > talk show, that would only amount to a few megabytes a day, overall, if
> > someone listened to the entire 2-hour program. That would be no more
> > than an average day's Web browsing, so it would not stand out for
> > any excessive bandwidth usage. And I am seeing more listeners coming in
> > from workplaces all over the USA, when my talk show is on the air.
> > Because of the low bandwidth usage, the boss would have no CLUE they
> > were listening to an online talk show for 2 hours.
>
> Wrong, wireless would mean they have to have some control, and it would
> typically also generate packets we would see during a network transition
> - provided they could do it on their computers.
>
> If a call is made from a facility, using the network or phone system, it
> can be seen.
>
> You are only seeing traffic from improperly secured networks.
Well, what hour of the day I do my show depends on where I am in the
world. I was in the USA the other day, and was on during the "working
hours" in the western USA. That is when I had the caller from Vegas on
my program.
I am in Europe for a couple of weeks to cover figure skating
comeptitions here, and I was doing my show during the hours of 10AM to
12PM CET, and I could see a lot of connections from wokplaces in Europe
during that time. In the chat room I have asscociated with the show,
there were a lot of European listeners sneaking onto their home
computers (broadband is more widespread in Europe) and listening to my
show that way. I did also see a lot of connections via Tor and
Corkscrew nodes.
If I keep the bitrate down, and the bandwidth usage low, listening
to the entire 2 hour program would amount to no more than a few
megabytes per day, well below what might trigger any suspicion, since
it would look like normal Web traffic coming in via the HTTP protocol.
Any European sysadmins monitoring their systems between 10AM and
12PM CET would have seen some strange traffic on their networks, but
the low bandwidth usage would make it look like normal Web traffic, on
port 80, and they would have NEVER been the wiser to what was really
going on at a particular user's workstation.
I wonder what will happen when we go to do live audio from the
Nebelhorn trophy later on this week. On Thursday and Friday, it will be
during the working hours in Europe. Part of the Friday schedule falls
during the working hours in the Eastern USA, so admins in the USA might
have a few problems detecting it as well.
Re: Blocking Unauthorized Remote Access
am 25.09.2006 12:52:29 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 25.09.2006 13:13:06 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 25.09.2006 13:23:33 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 25.09.2006 13:46:03 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 25.09.2006 14:02:44 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 25.09.2006 14:18:07 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 25.09.2006 14:23:23 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
am 25.09.2006 22:02:37 von ibuprofin
On Sun, 24 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
, Leythos wrote:
>In article <1159136477.455577.192410@m73g2000cwd.googlegroups.com>,
>chilly8@hotmail.com says...
>
>> X-No-Archive: Yes
You do realize that has no effect on quoted articles. Your statements are
there for all time, so that people can later see how clueless they are.
>> Leythos wrote:
>>> In article <1J6dnURXcOpuT4vYnZ2dnUVZ_qidnZ2d@comcast.com>,
>>> charlesnewman1@comcast.do.not.spam.me.net says...
Oh, I'd partially forgotten about this "expert".
>>>> Its not a matter of that, its a matter of how much work IT is
>>>> willing to do. It is far easier to slap WebSense, Cyblock, etc,
>>>> etc, on the network, select the site categories they want
>>>> to block and be done with it. These programs require
>>>> far less work than setting up a whitelist.
Our expert never heard of packet sniffing - never heard of awk, and sort.
For clues Charles, when we first set up a white list, we captured packet
headers for a month. That was an unattended operation that took roughly one
minute to set up. At the end of the month, we took the logs, and snarfed
outbound destination, outbound port, inbound source and inbound port. We
had already put a rule in place blocking "new" inbound connections (no,
we don't offer services to the world from "this" or "that" address range,
and all of our public servers are in DMZ blocks separated from "userspace").
The result was about 350 Megabytes of logs. You claim to have some accounting
skills, so you _might_ comprehend the relative ease of data analysis. It
took two guys less than two days (under 16 man-hours) to ID all of the
remote sites. The data showed something like 200 firewall rules were needed.
Since then, our users have requested access to roughly three times as many
sites, and _most_ had holes poked through the firewall for them. Done. No
surprises of new sites or services needing to be blocked, and no complaints
from the users.
>>> The problem is that people expect their work to provide them play time
>>> while at work, which is not ethical.
One problem we encountered was people wanting to be able to access several
"news" sites such as cnn.com. Radio reception within our buildings is quite
poor due to the construction, and we found it useful to add several "radio"
channels as multicast.
>>> Many businesses are moving to no-internet access except for those that
>>> have a real business need and then it's based on a white list.
That's been the case here for years.
>>> One of these days, Charles, you will understand how easy it is to
>>> protect a network, and not using the toys you know about.
I doubt that in the extreme. Remember, he has no technical background,
and no desire to learn anything.
>> There is one thing you and Charles both overlook. That is the fact
>> that citywide WiFI is available in many areas, either provided by the
>> city, or through a commercial venture. Wireless ISPs (wISPS) use the
>> same 802.11 standard as your home of office access point. Someone could
>> disconnect from the office network and sign on to the citywide WiFI
>> network, and totally bypass your firewalls and everything else.
Oh, please. First, if I go out into the parking lot, and use a 36 inch (91
cm - about 23.3 dBi) dish, I can detect _two_ access points - they're in a
residential neighborhood and are probably home systems. Without using the
dish, we can't even detect those, as the signals are that weak. None the
less, we do have monitors looking for wireless signals. They cause the same
alarms that unidentified systems on our wires trigger. Sorry, but you
really shouldn't believe those Verizon commercials.
>> Heck, someone could even bring in their own laptop and plug into the
>> citywide WiFi network (if your city has one).
No - corporate wide policy prohibits that, and the employees are aware of
the rules. Also, there are big signs at ALL of the entrances reminding
everyone that unauthorized computers are subject to confiscation.
>> Because of the low bandwidth usage, the boss would have no CLUE they
>> were listening to an online talk show for 2 hours.
Keep dreaming - the traffic would stand out like a sore thumb. Too bad your
"engineers" don't tell you these things. And lest you think otherwise, I
know what the traffic looks like, because as noted above, we have such
service on our wires now. Like Charles, you have no technical skills, and
don't understand what signals look like on the network. Thus, you don't
understand the words "normal" and "abnormal", and how they pertain to
network traffic.
>Wrong, wireless would mean they have to have some control, and it would
>typically also generate packets we would see during a network transition
>- provided they could do it on their computers.
Actually, we have several systems sniffing for WiFi, and detected two
instances over the past two years. One was a "gift" from the boyfriend
of a secretary, and the other was a vendor who had a system in his truck.
Both were found and shut down within five minutes.
>If a call is made from a facility, using the network or phone system, it
>can be seen.
One of the blessings of working in a secure environment - no cell phones,
and no pagers. Again, those signs at the door.
Old guy
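The capture-then-whitelist procedure described in the post above (a month of packet-header logs, then awk and sort to pull out the distinct outbound destinations and turn them into firewall rules), as an added shell example that is not from the thread. The log line format, the sample records and the iptables rule syntax in the output are assumptions made for the illustration; the field split must be adjusted to whatever the capture tool in use actually writes.

```shell
#!/bin/sh
# Added example (not from the thread): summarise captured packet-header logs
# into candidate whitelist rules, the awk-and-sort step the post describes.
# Assumed (constructed) log format, one record per new outbound connection:
#   "date time proto src:sport > dst:dport"

# Constructed sample records standing in for a month of capture.
SAMPLE_LOG='2006-09-01 08:01:12 tcp 10.1.2.3:51012 > 192.0.2.10:443
2006-09-01 08:01:15 tcp 10.1.2.4:51013 > 192.0.2.10:443
2006-09-01 09:20:00 tcp 10.1.2.3:51020 > 198.51.100.7:80
2006-09-02 10:11:31 tcp 10.1.2.9:51077 > 192.0.2.10:443
2006-09-02 11:00:09 udp 10.1.2.3:51080 > 203.0.113.53:53
2006-09-03 14:45:52 tcp 10.1.2.3:51101 > 198.51.100.7:80
2006-09-03 14:46:01 tcp 10.1.2.5:51102 > 203.0.113.44:443'

# summarise_destinations: read records on stdin, print one line per distinct
# "dst dport proto" triple, prefixed by how many connections used it,
# most-used first. Each output line is one rule the whitelist will need.
summarise_destinations() {
    awk '$5 == ">" {
            split($6, d, ":")            # d[1] = dst address, d[2] = dst port
            key = d[1] " " d[2] " " $3
            n[key]++
         }
         END { for (k in n) print n[k], k }' |
    sort -k1,1nr -k2,2
}

# to_rules: turn each summary line into a candidate accept rule. The iptables
# syntax is only an assumed illustration; the thread does not name a firewall.
to_rules() {
    awk '{ printf "iptables -A FORWARD -p %s -d %s --dport %s -j ACCEPT\n", $4, $2, $3 }'
}

# count_destinations: number of distinct destination triples in the sample,
# i.e. the number of rules the capture says are needed.
count_destinations() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_destinations | wc -l | tr -d ' '
}

# Full pipeline from raw records to the rule list, for review before loading.
printf '%s\n' "$SAMPLE_LOG" | summarise_destinations | to_rules
```

Run it against a real capture by replacing SAMPLE_LOG with the log file on stdin; the review step between the summary and loading the rules is where the unexpected remote sites show up.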
Re: Blocking unauthorized remote access
am 25.09.2006 22:17:44 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
am 26.09.2006 05:20:14 von ibuprofin
On Mon, 25 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in
article , Leythos wrote:
>ibuprofin@painkiller.example.tld says...
>> One of the blessings of working in a secure environment - no cell phones,
>> and no pagers. Again, those signs at the door.
>It was hard to read your reply, sometimes I was unsure if you were
>replying to him or me.
A long post when there are three individuals/levels of quoting does make things
a bit confusing, I'll admit.
>We did a couple DOD sites, and it's amazing how well they let us lock
>things down.
Fifteen years ago, I was still at our San Francisco Bay facility, and we had
a few government contracts there. This was about the time we introduced our
no-visiting computers policy corporate wide (for internal reasons, not
military). The first visiting computer we nailed was (naturally) the
laptop owned by the president... the same guy who had signed the policy several
days earlier. The second one was being used by the DoD security auditor who
was visiting to lecture us on security. Gotta love it.
We've always run a fairly tight ship, as we are a research facility, and
after an incident where an individual was caught doing a st00pid, security
got a royal reaming with the Wire Brush Of Enlightenment. Then someone else
got nailed at one of our European manufacturing facilities and someone else
got nailed in South America less than a month later. Corporate lost its
temper, and a few (fairly high) heads rolled. It should be no surprise that
this got everyone's attention.
Old guy
Re: Blocking Unauthorized Remote Access
am 26.09.2006 05:44:16 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
am 26.09.2006 06:22:49 von Charles Newman
"Moe Trin" wrote in message
news:slrnehh734.fat.ibuprofin@compton.phx.az.us...
> On Mon, 25 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in
> article , Leythos wrote:
>
> >ibuprofin@painkiller.example.tld says...
>
> >> One of the blessings of working in a secure environment - no cell phones,
> >> and no pagers. Again, those signs at the door.
>
> >It was hard to read your reply, sometimes I was unsure if you were
> >replying to him or me.
>
> A long post when there are three individuals/levels of quoting does make things
> a bit confusing, I'll admit.
>
> >We did a couple DOD sites, and it's amazing how well they let us lock
> >things down.
>
> Fifteen years ago, I was still at our San Francisco Bay facility, and we had
> a few government contracts there. This was about the time we introduced our
> no-visiting computers policy corporate wide (for internal reasons, not
> military). The first visiting computer we nailed was (naturally) the
Rather than do that, why not just build a big Faraday cage
inside your building, so that mobile computers cannot
communicate with any wireless access points on the outside.
I read that some schools in England are considering that for their
exam halls, with the problem of high-tech cheating. Using a
Faraday cage might eliminate the problems that "visiting"
computers can have.
Re: Blocking unauthorized remote access
am 26.09.2006 13:58:25 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 26.09.2006 16:03:32 von God Rudy
On Mon, 25 Sep 2006 05:18:07 -0700, chilly8 wrote:
> X-No-Archive: Yes
>
> Leythos wrote:
>
>> You're not thinking again - there will be an event entry in the local
>> workstation, and any good admin already has a setup that monitors the
>> logs for various entries...
>
> Event logs could be erased though. Some tests with Evidence
> Eliminator indicate that EE will clear the event logs. You dont have to
> through the entire elimination process, just let it go past the point
> where it says "Erasing Start Menu Click History". When it does that, it
> erases the entire event log.
We fired people for that!
Blank/erased logs on the local box?
Blank history on the local browser? Erased Cache on the same box?
Check the log on the firewall!
-- Back then we had a policy of "Allow everything" --
--> The firewall logs showed that this individual was accessing
kiddy porn! He got three warnings :
-The first, the only and the last warning! :-)
--> pack up and leave!
--> we check the log a bit better now! <--
--> we changed the policy on what we tolerate! <--
Rudy
Re: Blocking unauthorized remote access
am 26.09.2006 16:10:40 von Charles Newman
"Leythos" wrote in message
news:BB8Sg.2135$Cq3.34@tornado.ohiordc.rr.com...
> In article ,
> charlesnewman1@comcast.do.not.spam.me.net says...
> >
> > "Moe Trin" wrote in message
> > news:slrnehh734.fat.ibuprofin@compton.phx.az.us...
> > > On Mon, 25 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in
> > > article , Leythos wrote:
> > >
> > > >ibuprofin@painkiller.example.tld says...
> > >
> > > >> One of the blessings of working in a secure environment - no cell phones,
> > > >> and no pagers. Again, those signs at the door.
> > >
> > > >It was hard to read your reply, sometimes I was unsure if you were
> > > >replying to him or me.
> > >
> > > A long post when there are three individuals/levels of quoting does make things
> > > a bit confusing, I'll admit.
> > >
> > > >We did a couple DOD sites, and it's amazing how well they let us lock
> > > >things down.
> > >
> > > Fifteen years ago, I was still at our San Francisco Bay facility, and we had
> > > a few government contracts there. This was about the time we introduced our
> > > no-visiting computers policy corporate wide (for internal reasons, not
> > > military). The first visiting computer we nailed was (naturally) the
> >
> >
> > Rather than do that, why not just build a big Faraday cage
> > inside your building, so that mobile computers cannot
> > communicate with any wireless access points on the outside.
> >
> > I read that some schools in England are considering that for their
> > exam halls, with the problem of high-tech cheating. Using a
> > Faraday cage might eliminate the problems that "visiting"
> > computers can have.
>
> LOL, there are a LOT cheaper ways to block WI-FI, and it doesn't take a
> large investment. Charles, please go back to school, this time learn
> something current, like new in the last 5 years.
There are, but not exactly legal. The only other way to do it
would be to use a jamming device, but those are illegal in
the United States.
Re: Blocking Unauthorized Remote Access
am 26.09.2006 19:51:49 von chilly8
God Rudy wrote:
> On Mon, 25 Sep 2006 05:18:07 -0700, chilly8 wrote:
>
> > X-No-Archive: Yes
> >
> > Leythos wrote:
> >
> >> You're not thinking again - there will be an event entry in the local
> >> workstation, and any good admin already has a setup that monitors the
> >> logs for various entries...
> >
> > Event logs could be erased though. Some tests with Evidence
> > Eliminator indicate that EE will clear the event logs. You dont have to
> > through the entire elimination process, just let it go past the point
> > where it says "Erasing Start Menu Click History". When it does that, it
> > erases the entire event log.
>
> We fired people for that!
> Blank/erased logs on the local box?
> Blank history on the local browser? Erased Chache on the same box?
> Check the log on the firewall!
If, however, they have managed to connect to any citywide Wi-Fi
network (if your city has one), your firewall logs would show nothing.
There are citywide networks, both commercial and city-operated,
showing up. If they connect to one of those, then it would be the wISP
that would be carrying the traffic instead of the firewall. Using
Evidence Eliminator, BC-Wipe, Killdisk, or a similar utility will wipe
out any event logs that any version of Windows NT or XP may be keeping
on the local machine.
With a high-gain antenna, they could sign onto any wISP they
subscribe to, and it would be their ISP handling the traffic instead of
your firewall. There are also 3G and 4G cellular phone services that
also act as a wISP.
Re: Blocking Unauthorized Remote Access
am 26.09.2006 21:59:17 von ibuprofin
On 26 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1159293109.523516.40920@m73g2000cwd.googlegroups.com>, chilly8@hotmail.com
wrote:
>Using Evidence Eliminator, BC-Wipe, Killdisk, or a similar utility will wipe
>out any event logs that any version of Windows NT or XP may be keeping
>on the local machine.
And no one would _ever_ notice that
> With a high-gain antenna, they could sign onto any wISP they
>subscribe to, and it wold be thier ISP handling the traffic instead of
>your firewall.
Likewise, no one would EVER EVEN GUESS what that 24 inch dish was doing pointing
out the window. You're believing too many TV commercials. You know, Gillette
is going to be coming out with a razor with eight blades to give an even
closer shave.
Old guy
Re: Blocking unauthorized remote access
am 26.09.2006 22:00:33 von ibuprofin
On Tue, 26 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
, Leythos wrote:
>charlesnewman1@comcast.do.not.spam.me.net says...
>>ibuprofin@painkiller.example.tld says...
>>> Fifteen years ago, I was still at our San Francisco Bay facility, and we
>>> had a few government contracts there. This was about the time we
>>> introduced our no-visiting computers policy corporate wide (for
>>> internal reasons, not military). The first visiting computer we nailed
>>> was (naturally) the
>
>> Rather than do that, why not just build a big Faraday cage
>> inside your building, so that mobile computers cannot
>> communicate with any wireless access points on the outside.
I realize that 15 years ago is a terribly long time - but 802.11 wireless
wasn't _available_ at that time (there was some experimental gear in the
915 MHz band used for point-to-point links, but quite rare, and the
performance was comparable to dual ISDN - ever work with that?). Or did you
forget the fact that your "instructor" didn't mention wireless?
>> I read that some schools in England are considering that for their
>> exam halls, with the problem of high-tech cheating. Using a
>> Faraday cage might eliminate the problems that "visiting"
>> computers can have.
Charles - you completely miss the whole _concept_ - why am I not surprised?
>LOL, there are a LOT cheaper ways to block WI-FI, and it doesn't take a
>large investment. Charles, please go back to school, this time learn
>something current, like new in the last 5 years.
Leythos, that would be a complete waste of time. We've been trying to
tell him to study something current, but he doesn't have _any_ desire to
try. It might be due to his reading problem - he completely missed the fact
that I discussed wireless up-thread in two places, but this occurs constantly
with his "replies". And actually, I think he's been disillusioned by the
"computer training" he received in the past. Every time he tries to parrot
something he thought he remembered, people are laughing and telling him that's
not the way it works.
Old guy
Re: Blocking Unauthorized Remote Access
am 26.09.2006 23:04:17 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 27.09.2006 04:10:21 von ibuprofin
On 26 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1159304657.070483.214780@m7g2000cwm.googlegroups.com>, chilly8@hotmail.com
wrote:
>X-No-Archive: Yes
>
>Moe Trin wrote:
>> On 26 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
>> <1159293109.523516.40920@m73g2000cwd.googlegroups.com>, chilly8@hotmail.com
>> wrote:
>>
>>> Using Evidence Eliminator, BC-Wipe, Killdisk, or a similar utility will wipe
>>> out any event logs that any version of Windows NT or XP may be keeping
>>> on the local machine.
>>
>> And no one would _ever_ notice that
> KillDisk, DriveSweeper, and EE all erase data to the point where
>even forensic equipment used by law enforcement cannot recover data.
And no one would EVER notice the squeaky clean files. I bet you still don't
know how your mummy knew it was you who raided the cookie jar, or how the
cops can identify drunk drivers from a half mile away.
>These programs have actually become the bane of law enforcement.
Yes, but the policy doesn't give a flying f..k about what law enforcement
can and can not do - but you don't understand that. Mess with the box, and
you're history, with an interesting hole in your employment record.
>>> With a high-gain antenna, they could sign onto any wISP they
>>> subscribe to, and it would be their ISP handling the traffic instead of
>>> your firewall.
>>
>> Likewise, no one would EVER EVEN GUESS what that 24 inch dish was doing
>> pointing out the window. You're believing too many TV commercials. You
>> know, Gillette is going to be coming out with a razor with eight blades to
>> give an even closer shave.
>
> You would not need a 24-inch dish.
You have the same reading comprehension problem as the other troll. I wrote
that using a 36 inch (91cm - about 23.3 dBi) dish, I can detect _two_ access
points - they're in a residential neighborhood and are probably home systems.
Without using the dish, we can't even detect those, as the signals are that
weak. But these words don't fit your imaginary scenario, and therefore you
can't seem to see them. None the less, here they are again: NO EXTERNAL ACCESS
POINTS WITHIN REACH.
>With a city-wide WiFi network, you could connect using much smaller high-gain
>antennae that could do the job. You could use a Pringle can antenna, or a
>SuperCantenna, either of which could easily be hidden inside a desk drawer,
>so nobody would see anything.
Four problems with your imagined setup: 1. NO ACCESS POINTS WITHIN RANGE.
2. A cantenna doesn't work worth shit inside a steel desk. 3. No wireless
cards in the company systems. 4. No visiting PCs. In other words, your
position is meaningless, because none of your expectations are met. Then
there is the fifth point - a tool like netstumbler or kismet. Of course,
you can't imagine the security guys using those, can you?
> Some systems will even use repeaters mounted in lightpoles. So, if
>your office window has a view to any lightpoles or traffic lights on
>the street below, you could point your Pringle Can, SuperCantenna, etc,
>at the nearby lightpole, and connect to the WiFi network. Some citywide
>WiFi systems are planned with repeaters mounted atop lightpoles and
>traffic lights and/or inside red-light cameras. And depending on how
>strong the signal is, a high-gain antenna could be hidden inside a desk
>drawer.
See above. Of the facilities in North America, Europe, South America and
Japan that I've visited, only the sales offices have even a hint of
wireless coverage, and guess what - they aren't on the company network.
All of the facilities that are on the network do not have wireless access.
I know that must seem terribly old fashioned to you, but no one cares about
your imaginary world.
> Then there is still the other issue of 3G and 4G cell phones, that
>come with unlimited wireless internet plans. The 4G systems that are
>planned will have unlimited plans for about $100/month, that will
>have 4 megabits download and 1 megabit upload.
No cell phones. Isn't it _terrible_ ???
>Just plug the computer in and you are good to go.
right out the door. We have RF monitors, remember? Then there is that company
policy that says ''users don't mess with the hardware''.
>With mobiles getting smaller, one could be hidden inside a desk drawer
>quite easily. I have a mobile/MP3 player combo that is no bigger than a
>small pocket calculator, and could be hidden in a desk drawer quite easily.
Funny thing is, they radiate RF energy - I bet you are sure that no one
would ever have a CLUE about that. Mainly because you don't have the clue
either. Maybe if you talk to your Hewlett Packard sales rep, and ask him
to demo a spectrum analyzer...
Old guy
Re: Blocking Unauthorized Remote Access
am 27.09.2006 04:53:09 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 27.09.2006 13:37:43 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 27.09.2006 14:34:37 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 27.09.2006 16:29:18 von God Rudy
On Tue, 26 Sep 2006 10:51:49 -0700, chilly8 wrote:
>
> God Rudy wrote:
>> On Mon, 25 Sep 2006 05:18:07 -0700, chilly8 wrote:
>>
>> > X-No-Archive: Yes
>> >
>> > Leythos wrote:
>> >
>> >> You're not thinking again - there will be an event entry in the local
>> >> workstation, and any good admin already has a setup that monitors the
>> >> logs for various entries...
>> >
>> > Event logs could be erased though. Some tests with Evidence
>> > Eliminator indicate that EE will clear the event logs. You dont have
>> > to through the entire elimination process, just let it go past the
>> > point where it says "Erasing Start Menu Click History". When it does
>> > that, it erases the entire event log.
>>
>> We fired people for that!
>> Blank/erased logs on the local box?
>> Blank history on the local browser? Erased Cache on the same box? Check
>> the log on the firewall!
>
> If, however, they have managed to connect to any citywide Wi-Fi
> network (if your city has one), your firewall logs would show nothing.
> There are citywide networks, both commercial and city-operated, showing
> up. If they connect to one of those, then it would be the wISP that would
> be carrying the traffic instead of the firewall. Using Evidence
> Eliminator, BC-Wipe, Killdisk, or a similar utility will wipe out any
> event logs that any version of Windows NT or XP may be keeping on the
> local machine.
> With a high-gain antenna, they could sign onto any wISP they
> subscribe to, and it would be their ISP handling the traffic instead of
> your firewall. There are also 3G and 4G cellular phone services that also
> act as a wISP.
There was/is no city wide WiFi here (only planned). At that point the
offender was on wired connections with no way for other connection.
What gave it away were the EMPTY history and EMPTY logs!
Other people using the same computer noticed that after one certain user
all history was -- gone! Every time he used it he erased the history,
cache and whatnot to try to hide what he was doing!
That was why we started looking at the logs on the firewall ...
He did not even know that there was another computer/firewall/router/...
involved.
If that individual would have used his own computer on his own line, we
would have not known.
----------------
I have been working in high security buildings.
- Rules:
- NO cameras
- NO radio
- NO tape recorders of ANY kind
- NO electronic gadgets/toys of ANY kind
- NO magnetic media of ANY kind --> leave your credit cards in a locker!
- NO outside pagers/beepers
- NO cellphones
- NO wireless phones
- NO computers/Laptops ...
- ALL briefcases, bags, boxes ... WILL be hand inspected!
- DON'T bring any paper in or out without written permission!
- if possible leave your coat, jacket ... in your locker.
- ANY break of those rules was a reason for IMMEDIATE termination AND
prosecution!
Did I mention that all windows from the ground up to the third floor are
bullet proof? That means you cannot open any window! All doors had access
control with badges and pin code. We were also aware that somebody could
be listening on the phones.
That was from about 1980 until 1995. I don't think that they relaxed the
rules :-)
Rudy
---------------------
Re: Blocking Unauthorized Remote Access
am 27.09.2006 20:10:27 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 27.09.2006 20:53:00 von God Rudy
On Wed, 27 Sep 2006 11:10:27 -0700, chilly8 wrote:
>
> I don't know what you could prosecute them for, but even so, you could
> avoid prosecution by getting out of town before anyone came to arrest you.
> Just head for the airport, get on a plane and get the hell OUT of the
> country. And any warrants for your arrest are computerised and can be
> erased. All you would have to do is BREAK IN to the computers ERASE the
> warrants for your arrest, then that would be the END of it.
> I know about hacking into computers, because I DID that when I was
> 17, to get my parents out of a jam. What happened was that in shop class,
> I put some kind of strange setting on a wood-smoothing machine that
> totally ruined it, so I borrowed a friend's portable PC, and acoustic
> coupler he had, and then BROKE IN to the school's computer network from an
> off-campus pay phone and ERASED the $2,582 bill. My parents never got the
> bill and never had to pay it because I erased it from my record. I just
> simply altered the books to say that debt was paid. To cover my tracks, I
> erased all the logs, so that they would not know what happened. By using a
> pay phone in a nearby strip mall, I made myself unidentifiable. With the
> logs erased, they could not figure out what was done. They knew something
> was up, and sent out a form letter with the next grade report advising
> parents to keep an eye on their children's records because "sophisticated
> hackers or hacker" had broken into the school's computer network, and that
> they could not identify who.
You seem to have a problem understanding security!
In that building, you cannot get in OR out with ANYTHING forbidden!
When in doubt, they stop you in a secure area, until they are sure that
you are "clean"!
Or in the simple case of a badge forgotten at home:
- Good morning mister xxx. So you have NO badge? NO other ID?
- Somebody from the inside has to come and vouch for you. This
Person has to be on a special list. This list is NOT on a computer!
- Security does not care if you would have to go home and get your
wallet. Hey, they have to protect the building and the content,
If you miss work because of this, tough cookie!
Everybody who works in those buildings has to sign a lot of forms about
secrecy, secrets and security. We also had to give permission for yearly
background checks (local to federal level!). Anything "funny", and you
have to explain.
They had NO dial-up phone lines coming in (to computers). (Also no
DSL or other services) All modem lines to the outside have been (and still
are) heavily encrypted.
Rudy
P.S.
Before you do more confessions, read up on:
US Code TITLE 18 > PART I > CHAPTER 47 > § 1030
--> § 1030. Fraud and related activity in connection with computers
Other countries have similar stuff!
Re: Blocking Unauthorized Remote Access
am 27.09.2006 22:02:23 von ibuprofin
On 26 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1159325589.925269.129600@h48g2000cwc.googlegroups.com>, chilly8@hotmail.com
wrote:
>> Yes, but the policy doesn't give a flying f..k about what law enforcement
>> can and can not do - but you don't understand that. Mess with the box, and
>> you're history, with an interesting hole in your employment record.
>
> Then there is the old say "Money talks, bullshit walks".
And you are trying to sling it quite deep. You know nothing of technical
issues, and you know even less about how employment verification works.
Kindly take your useless whining over to alt.clueless.newbie.whine.whine.whine
where someone may care. Hmm, on the other hand, a more appropriate group
might be alt.fantasy.charlesnewman which I found while looking for
alt.fantasy.internetworking.for.braindead.hamsters which would be even more
appropriate for you.
And you _still_ don't know how to read.
In your post "Corporate firewall location" you moan about not understanding
how company networks might be configured. Try reading RFC1180, which is
available all over the web - who knows, you might even notice the
fundamental concept you are missing.
Old guy
Re: Blocking Unauthorized Remote Access
am 27.09.2006 22:22:16 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 27.09.2006 22:44:30 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 28.09.2006 15:02:27 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking Unauthorized Remote Access
am 28.09.2006 15:05:38 von unknown
Post removed (X-No-Archive: yes)
Re: Blocking unauthorized remote access
am 29.09.2006 19:26:53 von Jeff B
Volker Birk wrote:
>
>> As for talking to the
>> users... before that occurs, there MUST BE _written_company_policy_ in
>> place prohibiting such activities, and _ALL_ employees aware of that policy.
>
> I agree.
>
>> It is not the network administrator's job to create or enforce that policy.
>
> That depends on policy ;-)
>
> Yours,
> VB.
Without enforcement, it's only a paper tiger. Yeah, sure, IF one gets
caught you get shown the door, but the horse is also already out of the
barn.
BUSINESS needs, imo, need VPN solutions for corporate-corporate
transactions, and client-corporate access is web based. Client to
internal Lan systems is a mindless faux pas to be avoided at all cost.
--
try a random act of kindness today -- you just might surprise even
yourself :)
Re: Blocking unauthorized remote access
am 30.09.2006 21:44:41 von ibuprofin
On Fri, 29 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
, Jeff B wrote:
>Volker Birk wrote:
>>
>>> As for talking to the users... before that occurs, there MUST BE
>>> _written_company_policy_ in place prohibiting such activities, and
>>> _ALL_ employees aware of that policy.
>>
>> I agree.
>>
>>> It is not the network administrator's job to create or enforce that policy.
>>
>> That depends on policy ;-)
> without enforcement, it's only a paper tiger.
My statement above was meant to imply that the network administrator doesn't
do this on their own. There has to be direction and approval from on high.
> yea, sure IF one gets caught you get shown the door, but the horse is also
> already out of the barn.
A lot depends on what else is in that policy, and what the employee has
agreed to. At one extreme, if you get caught handing over state secrets
to spies from another country, you are most certainly toast, and will be
a guest of your country's "correctional" institutions - possibly for the
rest of your life (however long or short that may be). Very far down
the scale, but still a factor - non-disclosure agreements you may have
signed. Break those, and you can be punished in some manner.
>BUSINESS needs, imo, need VPN solutions for corporate-corporate
>transactions,
"Sensitive" transactions are either encrypted, or simply do not go
over the wire. Transactions that are officially classified go by courier.
It's not as if this hasn't been thought out in the past.
>and client-corporate access is web based.
Perhaps, but the world wide web is a comparatively new service even when
compared to the Internet itself, and is far from the only protocol used.
>Client to internal Lan systems is a mindless faux pas to be avoided at
>all cost.
Not entirely clear what you are saying here. If you mean public (even
privileged public) access to the LAN - any serious company has been
blocking that since they got Internet access - in case you aren't aware,
the _current_ standard for the Internet Protocol (RFC0791) is dated
September 1981, and that replaced an earlier standard (RFC0760) dated
January 1980. "Inter-networking" (not using the Internet Protocol) goes
back a number of years before that - see RFC0602 dated December _1973_ for
cautions about outsiders gaining remote access to sensitive computer
systems. _Some_ of us got that word then. Some didn't. For perspective,
IBM introduced the PC on August 12, 1981 with PC-DOS 1.0, and that device
was not _capable_ of networking other than as a remote terminal. If you
are an Apple phreak, the Apple I was introduced in 1976 (the ][ came out
a year later) - also without networking.
Old guy
Re: Blocking Unauthorized Remote Access
am 12.10.2006 08:00:12 von Charles Newman
wrote in message
news:1159180429.869947.242170@d34g2000cwd.googlegroups.com.. .
>[snip]
Check your logs and see how many connections you get from Sacramento.
One receptionist at the dentist I go to apparently listens to your channel.
I curiously asked her what she was doing with headphones on, and she
is doing two things. She takes incoming calls on their Skype-In number
to schedule appointments, but she apparently uses that same headset
to listen to your channel, without the boss knowing about it. She
mentioned figure skating, and I knew right away that it had to be
you, Chilly. Using the same headset for both means that the Doctor
would probably have no clue what was going on.
So check your logs and see how many connections you are getting
from Sacramento, and what time of day. It could be the staff at
this one dentist's office tuning in to your station. Oh, by the way,
they do like the automated music program you have on when you
are not broadcasting live. Just thought I would pass that on to
you there, Chilly. Seems like your online radio station is starting
to pick up a following. Seems like you might be going places
there, Chilly.