Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM 'playing up'

An NCC Group graduate trainee who emailed 300 coworkers to ask for help with what she deemed to be "unusual" behaviour from her Kali Linux VM; contacted the firm’s incident response team to complain about a faulty laptop; and said the machine had been "deliberately sabotaged", has had her victimisation claim thrown out by an …


  1. Waseem Alkurdi

    Would have expected this from a luser.

    But from a fscking infosec 'consultant'? HACKED YOU SAY?

    Okay, test your own defenses!

    1. Lee D Silver badge

      Re: Would have expected this from a luser.

      You'd think an infosec consultant would be able to install something to, say, monitor login accesses to her computer, or at the very least record footage on the webcam or something.

      Because it would be really hard to go to court when your own evidence basically says "Oops, that happened when I pressed Ctrl-Alt-Delete to logoff not knowing that usually means 'reboot' in Linux", or "Nobody but me ever went near the machine".

    2. LucreLout

      Re: Would have expected this from a luser.

      But from a fscking infosec 'consultant'? HACKED YOU SAY?

      Okay, test your own defenses!

I've upvoted you because I agree with what you say, however, it may also be fair to reflect on the fact that this was a trainee infosec consultant and so the usual expectations of capability may not apply.

    3. Mark 85

      Re: Would have expected this from a luser.

A certain amount of paranoia should be part of any InfoSec's personality. This does seem a bit intense and overboard on her part. Have an upvote for not testing one's own defenses as this could have been part of the probationary process.

  2. Herring`

    I know it's unlikely

But I have seen one instance of an employee messing with another employee's computer in order to mess with their head. This was made easier in an environment where credentials required to just get stuff to run were widely shared.

    But Hanlon's Razor and all that.

1. Anonymous Coward

      Re: I know it's unlikely

I did this years ago with batch scripts etc. Set up a little script that'd copy itself into startup and eject the laptop's CD drive every time it booted. The analyst put up with this for two years before wiping the drive and announcing he'd "fixed it".

      I did this purely out of being an immature IT tech who worked in a joke-laden environment where all of us were constantly doing random stuff like this.

      In this instance though I suspect what we have is a post grad out of their depth and using deflection to delay having to do any work. Yes it's impossible to say from what little we know but having worked with many staff over the past 25 years in IT I honestly doubt it's the organisation or anyone malicious - it's too easy to check for the type of access required to pull off this stuff.

      Laptop unlocking itself - chances are the user didn't lock it and when challenged claimed they did..

      Problems with windows - pfft it's windows.. this happens sometimes.

      Being at work for only a few days and annoying someone so much they feel they need to hack you constantly for months.. - unlikely!

1. MrSuntan

        Re: I know it's unlikely

        "I did this year ago with batch scripts etc. Set up a little script that'd copy itself into startup and eject the laptops CD drive every time it booted. "

        I remember doing something very similar in my first IT support job to colleagues using the Back Orifice "remote access tool". Much amusement. Fun times. I then went onto a very lucrative career in penetration testing :)

    2. StripeyMiata

      Re: I know it's unlikely

Back in the days when wireless mice were rare we stuck a USB receiver in the back of our boss's laptop and every now and again would move his mouse pointer around the screen.

      We got away with it for about 6 months.

1. Anonymous Coward

        Re: I know it's unlikely

        I thought that was a mandatory activity when they first came out. We always kept a spare wifi mouse and keyboard just to wind up people who were annoying us. The surprising thing was the range where you could get some mouse movement, as we couldn't see the screen from the other end of the office it didn't even matter that not all mouse movements were received, it was enough just to drive the poor dev we were persecuting crazy. We would wait until a service desk call was placed then one of my desktop colleagues would go and 'fix' the offending pc by removing the transmitter.

      2. jcitron

        Re: I know it's unlikely

        A coworker pranked another in an office I supported with a wireless keyboard and mouse. Periodically words would be changed in emails or documents, and the victim's mouse would move randomly.

        I got a call from both the prankster and the victim and played along with it for a few months. Eventually the victim discovered the wireless dongle when he went to plug in a thumb drive.

      3. baggins84

        Re: I know it's unlikely

Working in digital forensics a member of my team did this to a new grad. They then told him that it was his mobile phone interfering and that he should put his phone in airplane mode. The poor guy believed him and spent the next however long with his phone in airplane mode. Eventually they confessed to it. The 'victim' had a digital forensics degree. You'd have thought he knew better.

3. Len

      Re: I know it's unlikely

One of my proudest pranks is from the late 90s. The whole office was using Eudora as an email client. There was a 'ping' sound that Eudora would play every time you received an email. The sound was stored in a file called newmail.wav or something along those lines.

I took the full version of Frank Zappa's Peaches En Regalia, downsampled it to an 8-bit mono wav file to make it not too resource heavy and replaced the original newmail.wav with my version. Now, every time he would receive a new email, he would be treated to the full minutes-long track. Every. Single. Time.

      1. jelabarre59

        Re: I know it's unlikely

        Now, every time he would receive a new email, he would be treated to the full minutes long track. Every. Single. Time.

Now you just have their browser automatically load up the Caramelldansen 10-hour Swedish loop video.

    4. swm

      Re: I know it's unlikely

      I once hired a co-op and one day she came to me and said that there was something wrong with her X-terminal. I went and looked and saw a small rectangle in the upper left corner of the screen. Every 30 seconds a flying saucer would be launched from this box and chase down the cursor. When it caught the cursor, it would drag the cursor back to its base. You could evade the flying saucer because it was slow but until it succeeded in dragging the cursor back to its base the flying saucer continued to harass you.

I laughed and looked around and spotted some smirking co-ops - I told them to turn off their fun prank. The X protocols weren't very secure in those days.

      1. Ilsa Loving

        Re: I know it's unlikely

        At our university we had a lab of xterms, and they were properly secured. However, sometimes people would walk away and leave their terminals unlocked. Occasionally someone would go there and add the necessary commands to disable security, and then when the victim came back and started working again, suddenly their cursor would get attacked by a large herd of kittens because someone fork-bombed neko on their terminal.

        Fun times!

    5. Dr Dan Holdsworth

      Re: I know it's unlikely

      To be honest, this sounds like a small amount of prankster stuff, and quite a lot more Dell hardware being a bit crap. Add in a luser who is paranoid and hey presto, said luser goes into ultra-defensive mode and tries to attack the employer for not having protected her.

      A more mentally robust person would have either tried to discover the prankster and returned the favour, or else simply fired off pranks randomly in the hope of hitting the original joker by accident. Do enough of this and the entire group will get a local reputation as a bunch of "work hard, play harder" lunatics whom nobody wants to mess around with.

      I am however surprised that the base OS was Windows for all of this. Yes, it is the corporate OS of choice, but surely a security consultant would want to start off by securing the hardware and base OS and about the only thing that'll do that is an old-school Linux such as RHEL or similar. The thing here is that the firewall can be very precisely controlled, and SELinux can also be used (although mainly to generate grey hairs on the head of the operator).

      If the base Linux OS worked OK, then I would blame the Kali Linux underlying it. I don't have much experience with Kali Linux, but I would imagine that it isn't going to be very stable if used aggressively; but surely then this is the point of using virtual instances of Linux? Set up a stable VM, snapshot it and play around with the snapshot, then when something goes wrong you reinstate the known-good original.

1. Anonymous Coward

        'Security' people using MSDOS is simply mad.

        The company should be considering whether they might just give up pretending and admit they know nothing about security.

        Microsoft software is the virus. If you have to investigate it, you need to use something vaguely reliable, like linux.

1. Snorlax Silver badge

          Re: 'Security' people using MSDOS is simply mad.

          "'Security' people using MSDOS is simply mad."

          MSDOS?

          1. Adrian 4

            Re: 'Security' people using MSDOS is simply mad.

            Read TFA.

            Apparently they run Kali in a VM under a tarted-up version of MSDOS known as Windows.

            Weird way to do it. You'd have thought they'd put the VMs in the stable system and make the unstable office-tools virus-bait system a guest, but no.

            1. jelabarre59

              Re: 'Security' people using MSDOS is simply mad.

              Weird way to do it. You'd have thought they'd put the VMs in the stable system and make the unstable office-tools virus-bait system a guest, but no.

              What better way to learn about application/OS insecurity than to be forced to use an insecure OS?

6. Anonymous Coward

      Re: I know it's unlikely

I have to agree; there's suggestion of "gaslighting" (named after a 1943 B&W movie) - a practice of inducing temporary mental breakdown - the allegation of a DVD drawer opening randomly can be the act of another using a network command, suggesting deliberate interference was at play.

      As a student in a company of highly trained security professionals she had no chance against lay judgement in this domain. I therefore disagree with comments here suggesting she can equip herself with evidence capturing tech (I would do it as an experienced professional and have instructed it in my professional capacity) but it would breach her employment if caught installing devices to prove her case. Any software products may have interfered with her research results.

      Essentially mentoring failed her as did her employer: she should have left the company (grossly unfair as that is), in my experience (professionally and as a former victim myself) one must know when to walk away, learn from experience and understand that what doesn't kill you makes you stronger.

      I believe NCC shares fault and didn't protect their employee from herself and her environment.

      The Register headlining the fact she emailed 300 employees is further vilification of a victim to increase readership.

  3. Voland's right hand Silver badge

    Neither

    "could be caused by either faulty hardware, the unreliable installation of software, or software conflicts,"

    Neither. Just standard issue with new DELL laptops circa 2016. The new Intel CPUs Dell put in at the time were triggering latent races in a lot of different software.

    We had a race in our java based stuff which I could never ever trigger on anything else and was not triggered for years on anything from a small single core to multi-core monsters either bare metal or virtualized. The new 2016 edition HELL laptops were triggering it with 50% probability.

    I bet that some piece of software she was using had a similar latent race.

    She is born to be a security professional by the look of it though. She immediately blamed it on an intrusion. Paranoia reigns supreme...

    1. Michael H.F. Wilkinson Silver badge

      Re: Neither

      Would that be security professional or security consultant? In my book the former actually diagnose and deal with real issues, whereas the latter know the right buzzwords, and get paid more if they can increase the hours they can declare whenever they scream intrusion!!!!. I suspect the plaintiff would be ideal for the latter category.

      The alternative explanation would be that someone in system and networks at admin level is called Simon

    2. ibmalone

      Re: Neither

      Neither. Just standard issue with new DELL laptops circa 2016. The new Intel CPUs Dell put in at the time were triggering latent races in a lot of different software.

      That actually sounds like quite a useful thing to have around for testing :)

      (if a pretty irritating thing for anything else)

  4. DropBear

    To be fair, I have zero confidence "motherboard failure" was anything other than a default "we have no idea what your problem is" response, and I have to agree "reinstall Windows" is a completely inappropriate "solution" to any problem, let alone against self-unlocking (if that really happened). I'm not saying her claims have merit (and she probably did indeed handle everything as poorly as possible), but the whole thing sounds much more fishy than NCC tries to make it look. I'm not convinced there wasn't _something_ going on we have no idea about.

1. Anonymous Coward

      Pentesters manage the security of their own machines to an extent. She probably told IT that she thought her machine was infected, so they said "well you should probably nuke it and start again, then." The IT helpdesk are not security savvy and usually know less than the consultants calling them for help.

    2. Waseem Alkurdi

      and I have to agree "reinstall Windows" is a completely inappropriate "solution" to any problem, let alone against self-unlocking

      If the machine was compromised, a Windows reinstall *is* a good start.

      1. kirk_augustin@yahoo.com

No it's not. Reinstalling windows will not at all take care of any root virus, corrupted registry, malware device driver, etc. In fact, it won't really do anything. You have to reformat the drive and reload an image of the bios and bootup you want to start with. Even CMOS can easily have been reflashed, depending on the type of machine.

Obviously the company was not helping her at all, and it was all their responsibility.

        They should have just given her an entirely different machine that was from a stock image.

        There is no way she could have fixed things on her own.

        The company was totally and completely negligent.

        1. Waseem Alkurdi

          Reinstalling windows will not at all take care of any root virus, corrupted registry, malware device driver, etc.

          Are you sure you are qualified to operate a computer?

          And what the heck is a fucking root virus?

1. ds6 Silver badge

            Warning: Technobabble

            "There is no way she could have fixed things on her own."

            Based on her conduct, yes, there's no way in high hell she could have fixed it.

            I mean, she would have to reflash the CMOS battery to uncorrupt the bootup registry and translocate the root virus to null space outside of the BIOS SRAM, and that is a very difficult process that only IT can solve. Shame on them for not helping a poor defenseless lady about the perils of a root virus in her malware device driver!

    3. hellwig

      re: "reinstall Windows"

      I have to agree "reinstall Windows" is a completely inappropriate "solution" to any problem,

Phone tech support for Alienware (before they were Dell) once told me to reinstall windows to try to fix the horrible squealing noise my CD-drive was making whenever I burned a disk. I straight up asked for a different support person, wasn't even going to entertain that crap when all I really needed was a replacement drive sent to me.

  5. Adrian 4

    hardware problem ?

    Individual, specific files being deleted is a 'hardware problem' ?

    Yes, that sounds like help desk advice all right.

    Did she turn it off and on again ?

    It would be interesting to know the real facts. Unfortunately neither the protagonists nor the reporter seem to have much interest in providing them.

    1. Spazturtle Silver badge

      Re: hardware problem ?

      "Individual, specific files being deleted is a 'hardware problem' ?"

      That sounds exactly like what a faulty HDD or SSD does. Bad RAM or a faulty SATA controller can also cause write holes.

      If individual files are vanishing after some basic software troubleshooting I would start testing the hardware.

      1. Adrian 4

        Re: hardware problem ?

        Bad sectors (or their equivalent) don't lose files cleanly. They create read errors, invalid filesystems, automatic bad-block replacement strategies etc. If you think the files are just written to the disc like parcels in a sack, you need to do some background reading.

    2. Jon 37

      Re: hardware problem ?

      The specific files that were deleted were her malware folder. (She was an IT Security worker, so had legitimate reasons for having samples of known malware).

      That sounds like she had anti-virus installed and it did a scheduled scan. If she didn't configure the anti-virus to exclude the folder of known malware, then the anti-virus would do what it was designed to do and delete the malware.

1. Anonymous Coward

        Re: hardware problem ?

And then... there is the extreme overreaction by most malware tools when it finds out you are using something like the Nirsoft tools. You learn the hard way to create a nice directory for all your real sysadmin tools and whitelist it in your malware checkers. Don't forget to do so on the stick(s) or drive(s) that you keep your master copies on.

        1. jcitron

          Re: hardware problem ?

          Yup. Excellent advice which I had to remember to do after I reimaged my laptop. Like most days in my life I get interrupted a gazillion times, came back and put in my tools thumb drive, then watched as my AV software decided I had naughty bits on it and wiped the stick for me.

      2. kirk_augustin@yahoo.com

        Re: hardware problem ?

        Not without leaving a track record.

        The whole point of anti-virus is they want to advertise on how useful they were in eliminating threats.

        They NEVER delete anything without bragging about it.

6. Anonymous Coward

    The issue with Kali turned out to be the way she locked her laptop. Whilst the Kali VM was in focus, she would press Ctrl+Alt+Del and then *click* on Lock this computer from the full screen menu. Of course Ctrl+Alt+Del was still sent to the Kali VM, which triggered a timer for a reboot.
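The reboot described above comes from systemd's ctrl-alt-del.target, which by default aliases reboot.target inside the guest. The script below is an added example (not from the thread or from NCC) that checks whether a systemd-based guest would act on Ctrl+Alt+Del and masks the target the way `systemctl mask` does; the unit directory is a parameter so it can be exercised against a constructed temporary directory, and on a real system you would pass /etc/systemd/system and run `systemctl daemon-reload` afterwards.

```shell
#!/bin/sh
# Added example, not part of the original comment thread. Checks and fixes the
# guest-side setting that turns a host Ctrl+Alt+Del into a reboot of the VM.
# $1 is the systemd admin unit directory (/etc/systemd/system on a real host;
# a constructed temp directory in the demo below so it runs without root).

# Returns 0 when ctrl-alt-del.target is masked, i.e. is a symlink to /dev/null,
# which is exactly what `systemctl mask ctrl-alt-del.target` creates.
cad_is_masked() {
    link="$1/ctrl-alt-del.target"
    [ -L "$link" ] && [ "$(readlink "$link")" = "/dev/null" ]
}

# Mask the target: a /dev/null symlink in the admin unit directory overrides
# the default alias to reboot.target, so the key combination is ignored.
cad_mask() {
    mkdir -p "$1"
    ln -sfn /dev/null "$1/ctrl-alt-del.target"
}

# Human-readable status; exit code mirrors cad_is_masked for use in scripts.
cad_report() {
    if cad_is_masked "$1"; then
        echo "ctrl-alt-del.target masked: Ctrl+Alt+Del will be ignored by the guest"
        return 0
    fi
    echo "ctrl-alt-del.target NOT masked: Ctrl+Alt+Del will start reboot.target"
    return 1
}

# Demonstration against a constructed directory (labelled as such): no systemd
# or root needed. Replace "$demo_dir" with /etc/systemd/system on a real guest.
demo_dir="$(mktemp -d)"
cad_report "$demo_dir" || true   # not masked yet: the default state
cad_mask "$demo_dir"
cad_report "$demo_dir"           # now masked
rm -rf "$demo_dir"
```

The check only covers systemd's handling; a desktop session in focus may still bind Ctrl+Alt+Del itself, so the host-side lock keystroke is safest sent via the hypervisor's own "send key to host" shortcut.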

    1. defiler

      Done that on a live server before. Immediately followed by the words "aww shit."

      Luckily it was a web server, was back up within a minute, and there were no complaints. It gave me a stern reminder to watch what the hell I'm doing, though!

  7. Chris Evans

    Article unclear!

    In this context what does "protected disclosures' and 'suffered detriments" mean?

    1. granfalloon

      Re: Article unclear!

      In this context it relates to an employee's right not to suffer detriment (i.e. to be victimised by their employer) because they have made a 'protected' disclosure within the meaning of the Public Interest Disclosure Act (1998 as variously amended) - put simply 'whistle-blowing'. What actually constitutes a 'protected disclosure' is quite complex.

    2. Robert Carnegie Silver badge

      Re: Article unclear!

      "Protected disclosure" means whistle-blowing, going public, on the company or colleagues misbehaving. Or laptops, possibly. "Demerits" means being punished for whistle-blowing. HTH

    3. LucreLout

      Re: Article unclear!

      In this context what does "protected disclosures' and 'suffered detriments" mean?

      Protected disclosure is a legal term with specific meaning, as is suffered detriments. I'll not paraphrase the facts as IANAL and may lead you astray. Terms may be found below:

      https://uk.practicallaw.thomsonreuters.com/8-200-3427

      https://legal-dictionary.thefreedictionary.com/detriment

      Hope that helps.

    4. Doctor Syntax Silver badge

      Re: Article unclear!

If you go back to the article, just after the mention of "protected disclosures' and 'suffered detriments" there are a couple of links labelled "here" and "here". Follow those and it will be explained.

  8. Giovani Tapini

    they should have simply swapped out the laptop

    If it was a prank, bullying may have had some credibility... It does not sound like that was the case though. I know that helldesks often try to keep people offline for a day or so while they replace a drive which can make people rage temporarily.

    If indeed she was supposed to be working on security related stuff they probably should be assuming the device has been compromised anyway, not just faffing with re-installs.

    Sounds like a combination of helldesk processes being flawed along with a grumpy trainee

    1. Waseem Alkurdi

      Re: they should have simply swapped out the laptop

      they probably should be assuming the device has been compromised anyway,

      It's (presumably) compromised. Now what? Throw it away?

      Sensible reaction is to reinstall the OS, reflash a known good EFI firmware, then audit the device for any strange network behavior.

      1. kirk_augustin@yahoo.com

        Re: they should have simply swapped out the laptop

        Of course they don't have to throw away the laptop, but they should not be expecting a trainee to have access to the boot image they use as standard start up, and she would not have a copy of Windows, the necessary device drivers, the UEFI (it has not been EFI for over a decade) image, etc.

Clearly it is IT's responsibility, NOT an intern's.

        1. Waseem Alkurdi

          Re: they should have simply swapped out the laptop

          A trainee in IT. Had I been working in IT, I would expect the company laptop's image to be provided as standard with the laptop itself, or at least make it available to all IT employees.

          Not without disadvantages though, but important IMO.

    2. Bitsminer Silver badge

      Re: they should have simply swapped out the laptop

      Er, s/laptop/lusr/g

      FTFY

      (Turns out they did after all).
