Group Accounts and Lab Servers - How a Dating Service Took Out the Network
By Clayton on Apr 22, 2008
Having just mentioned "The Cuckoo's Egg," I thought I'd share my first IT security experience. I started my career at a large enterprise on a team managing networks of servers and workstations from vendors like Sun, HP, Motorola, and the like. The events below took place in the early 1990s.
User accounts were centralized using NIS (in some cases exported to files and distributed to individual machines), with home-grown tools for doing everything from adding and removing user accounts to backing up servers.
Since we were a high-tech manufacturing company, we had many labs that contained specialized servers for testing. These specialized servers were generally wide open, with a large number of people holding privileged accounts (e.g. root). The lab machines were, of course, connected to the main network.
At the same time, many of the tools used on various servers required shared access, which was provided through group accounts. Since many of these tools were run by commands that would remote-shell to other hosts as that group account, it was typical for these accounts to allow direct login (i.e. without going through commands like su).
It should be pretty obvious after the last two paragraphs that we were set up for a train wreck. This train wreck was triggered by something unexpected:
Someone at the company had apparently had an extremely bad experience with a dating service called "Heart to Heart". Rather than call the Better Business Bureau or tell his friends to avoid the service, he (or she) decided to send everyone in the company an email with the simple phrase:
The email was sent using a group account on a Sun server running SunOS 4.0.3. The connection to that server was made from an open HP lab server. The connection to the open lab server came from another open lab server in another city and in another division.
All of the audit logs were enabled, but all of them simply recorded that root or a group user had logged in and done some work. At no point was anything traceable to an individual user.
Because of the way the email was sent (directly to large lists rather than via bcc), a large number of vacation messages were triggered and went back to the group account, which in turn had mail forwarding set up to the rather large group of people who had access to the account. This triggered still more individual vacation messages, autoresponders, "bots", and so forth from every person on that list back to the same wide distribution list.
Within about 15 minutes, the entire email system was choking and it took hours to get things back to normal.
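The feedback loop above, as an added simulation that is not part of the original post: a group account whose mail forwards to its members, a few vacation autoresponders and one reply-all bot, run once without and once with the loop suppression that vacation programs traditionally provide (answer each sender once, never answer mail marked as an auto-reply, which RFC 3834 standardizes with the Auto-Submitted header). The account name, member list and responder assignments are constructed.

```python
from collections import deque

GROUP = "tools"   # constructed: a shared group account whose mail forwards to its members
MEMBERS = ["alice", "bob", "carol", "dave", "erin", "frank"]   # constructed distribution list
VACATIONERS = {"alice", "bob", "carol"}   # reply to the sender of anything they receive
BOTS = {"dave"}                           # reply to sender and every other recipient

class Msg:
    """A minimal mail message: sender, recipients, and whether it is an auto-reply."""
    def __init__(self, sender, recipients, auto=False):
        self.sender, self.recipients, self.auto = sender, list(recipients), auto

def simulate(members, vacationers, bots, suppress, limit=1000):
    """Send one list-wide mail from the group account and return how many messages result.

    suppress=True models loop suppression: auto-replies are marked, a marked message is
    never answered, and a vacationer answers each sender at most once. Without it the
    group account's forwarding turns every autoresponse into a new round of mail; the
    count stops at `limit`, which signals a runaway storm.
    """
    queue = deque([Msg(GROUP, members)])   # the original "everyone" mail, sent as the group
    replied = set()                        # (responder, sender) pairs already answered
    sent = 0
    while queue and sent < limit:
        msg = queue.popleft()
        sent += 1
        for rcpt in msg.recipients:
            if rcpt == GROUP:
                # the group account forwards everything it receives to its members
                queue.append(Msg(GROUP, members, auto=msg.auto))
                continue
            if suppress and (msg.auto or (rcpt, msg.sender) in replied):
                continue                   # do not answer an auto-reply, or the same sender twice
            if rcpt in vacationers:
                replied.add((rcpt, msg.sender))
                queue.append(Msg(rcpt, [msg.sender], auto=True))
            elif rcpt in bots:
                everyone = [msg.sender] + [r for r in msg.recipients if r != rcpt]
                queue.append(Msg(rcpt, everyone, auto=True))
    return sent

if __name__ == "__main__":
    print("without loop suppression:", simulate(MEMBERS, VACATIONERS, BOTS, suppress=False))  # 1000
    print("with loop suppression:   ", simulate(MEMBERS, VACATIONERS, BOTS, suppress=True))   # 9
```

With suppression the original mail, three vacation replies, one bot reply and the group account's four forwards are all that is sent; without it the queue never drains.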
It could have been worse!
OK, so technically the dating service itself didn't take out the network. We tightened things up significantly from that point on. I had no security responsibilities at the time and was not at fault, but the experience has stayed with me since.
If the person had been more upset with his or her employer than with a dating service, what untraceable havoc could have been caused? Probably a lot worse.
So I'll just leave this as a cautionary story to those of you who are in environments where only "the important systems" are under identity management. Lab servers, group accounts, and similar gaps reduce or remove accountability and can compromise the rest of your network.
Oh, and we can help. :-)