Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM 'playing up'

Waseem Alkurdi

Would have expected this from a luser.

But from a fscking infosec 'consultant'? HACKED YOU SAY?

Okay, test your own defenses!

Lee D
Silver badge

Re: Would have expected this from a luser.

You'd think an infosec consultant would be able to install something to, say, monitor login accesses to her computer, or at the very least record footage on the webcam or something.

Because it would be really hard to go to court when your own evidence basically says "Oops, that happened when I pressed Ctrl-Alt-Delete to logoff not knowing that usually means 'reboot' in Linux", or "Nobody but me ever went near the machine".

LucreLout
Silver badge

Re: Would have expected this from a luser.

"But from a fscking infosec 'consultant'? HACKED YOU SAY?

"Okay, test your own defenses!"

I've upvoted you because I agree with what you say, however, it may also be fair to reflect on the fact that this was a trainee infosec consultant and so the usual expectations of capability may not apply.

Mark 85
Silver badge

Re: Would have expected this from a luser.

A certain amount of paranoia should be part of any InfoSec's personality. This does seem a bit intense and overboard on her part. Have an upvote for not testing one's own defenses as this could have been part of the probationary process.

Herring`

I know it's unlikely

But I have seen one instance of an employee messing with another employee's computer in order to mess with their head. This was made easier in an environment where credentials required to just get stuff to run were widely shared.

But Hanlon's Razor and all that.

Anonymous Coward

Re: I know it's unlikely

I did this years ago with batch scripts etc. Set up a little script that'd copy itself into startup and eject the laptop's CD drive every time it booted. The analyst put up with this for two years before wiping the drive and announcing he'd "fixed it".

I did this purely out of being an immature IT tech who worked in a joke-laden environment where all of us were constantly doing random stuff like this.

In this instance though I suspect what we have is a post grad out of their depth and using deflection to delay having to do any work. Yes it's impossible to say from what little we know but having worked with many staff over the past 25 years in IT I honestly doubt it's the organisation or anyone malicious - it's too easy to check for the type of access required to pull off this stuff.

Laptop unlocking itself - chances are the user didn't lock it and when challenged claimed they did..

Problems with windows - pfft it's windows.. this happens sometimes.

Being at work for only a few days and annoying someone so much they feel they need to hack you constantly for months.. - unlikely!

MrSuntan
Thumb Up

Re: I know it's unlikely

"I did this years ago with batch scripts etc. Set up a little script that'd copy itself into startup and eject the laptop's CD drive every time it booted."

I remember doing something very similar in my first IT support job to colleagues using the Back Orifice "remote access tool". Much amusement. Fun times. I then went onto a very lucrative career in penetration testing :)

StripeyMiata

Re: I know it's unlikely

Back in the days when wireless mice were rare we stuck a USB receiver in the back of our boss's laptop and every now and again would move his mouse pointer around the screen.

We got away with it for about 6 months.

Len
Silver badge
Devil

Re: I know it's unlikely

One of my proudest pranks is from the late 90's. The whole office was using Eudora as an email client. There was a 'ping' sound that Eudora would play every time you received an email. The sound was stored in a file called newmail.wav or something along those lines.

I took the full version of Frank Zappa's Peaches En Regalia, downsampled it to an 8 bit mono wav file to make it not too resource heavy and replaced the original newmail.wav with my version. Now, every time he would receive a new email, he would be treated to the full minutes long track. Every. Single. Time.

swm

Re: I know it's unlikely

I once hired a co-op and one day she came to me and said that there was something wrong with her X-terminal. I went and looked and saw a small rectangle in the upper left corner of the screen. Every 30 seconds a flying saucer would be launched from this box and chase down the cursor. When it caught the cursor, it would drag the cursor back to its base. You could evade the flying saucer because it was slow but until it succeeded in dragging the cursor back to its base the flying saucer continued to harass you.

I laughed and looked around and spotted some smirking co-ops - I told them to turn off their fun prank. The X protocols weren't very secure in those days.

Dr Dan Holdsworth
Silver badge

Re: I know it's unlikely

To be honest, this sounds like a small amount of prankster stuff, and quite a lot more Dell hardware being a bit crap. Add in a luser who is paranoid and hey presto, said luser goes into ultra-defensive mode and tries to attack the employer for not having protected her.

A more mentally robust person would have either tried to discover the prankster and returned the favour, or else simply fired off pranks randomly in the hope of hitting the original joker by accident. Do enough of this and the entire group will get a local reputation as a bunch of "work hard, play harder" lunatics whom nobody wants to mess around with.

I am however surprised that the base OS was Windows for all of this. Yes, it is the corporate OS of choice, but surely a security consultant would want to start off by securing the hardware and base OS and about the only thing that'll do that is an old-school Linux such as RHEL or similar. The thing here is that the firewall can be very precisely controlled, and SELinux can also be used (although mainly to generate grey hairs on the head of the operator).

If the base Linux OS worked OK, then I would blame the Kali Linux underlying it. I don't have much experience with Kali Linux, but I would imagine that it isn't going to be very stable if used aggressively; but surely then this is the point of using virtual instances of Linux? Set up a stable VM, snapshot it and play around with the snapshot, then when something goes wrong you reinstate the known-good original.

cream wobbly

Re: I know it's unlikely

Yeah, I'm wavering between her being incompetent, and her being bullied.

Then there's the other old saying, "why not both?" Maybe she's incompetent and someone took it upon themselves to "constructively dismiss" her. With that model applied to the back-and-forth above, she might not be able to effectively support her accusation, but have sufficient knowledge to make the accusation in the first place.

The typical "jokey" English work environment? Modern equivalent of striped paint, long stand, etc.? Honestly wouldn't be surprised. Bullies are rife.

Anonymous Coward

'Security' people using MSDOS is simply mad.

The company should be considering whether they might just give up pretending and admit they know nothing about security.

Microsoft software is the virus. If you have to investigate it, you need to use something vaguely reliable, like linux.

Intractable Potsherd

Re: I know it's unlikely @cream wobbly

"Modern equivalent of striped paint, long stand, etc.? Honestly wouldn't be surprised. Bullies are rife."

I find it wrong to class such trivia as the striped paint and long stand as bullying. There is a serious risk that the term is going to become entirely devalued, making it harder for anyone who actually *is* bullied to be taken seriously by others. There needs to be a minimum level before bullying can be effectively claimed.

Anonymous Coward

Re: I know it's unlikely

I thought that was a mandatory activity when they first came out. We always kept a spare wifi mouse and keyboard just to wind up people who were annoying us. The surprising thing was the range where you could get some mouse movement, as we couldn't see the screen from the other end of the office it didn't even matter that not all mouse movements were received, it was enough just to drive the poor dev we were persecuting crazy. We would wait until a service desk call was placed then one of my desktop colleagues would go and 'fix' the offending pc by removing the transmitter.

Anonymous Coward

Re: I know it's unlikely

I have to agree; there's suggestion of "gaslighting" (named after a 1943's B&W movie) - a practice of inducing temporary mental breakdown - the allegation of a DVD drawer opening randomly can be the act of another using a network command suggesting deliberate interference was at play.

As a student in a company of highly trained security professionals she had no chance against lay judgement in this domain. I therefore disagree with comments here suggesting she can equip herself with evidence capturing tech (I would do it as an experienced professional and have instructed it in my professional capacity) but it would breach her employment if caught installing devices to prove her case. Any software products may have interfered with her research results.

Essentially mentoring failed her as did her employer: she should have left the company (grossly unfair as that is), in my experience (professionally and as a former victim myself) one must know when to walk away, learn from experience and understand that what doesn't kill you makes you stronger.

I believe NCC shares fault and didn't protect their employee from herself and her environment.

The Register headlining the fact she emailed 300 employees is further vilification of a victim to increase readership.

Alien8n
Silver badge

Re: I know it's unlikely @cream wobbly

"Modern equivalent of striped paint, long stand, etc.? Honestly wouldn't be surprised. Bullies are rife."

One of my first jobs I got given the old "Go and ask Bob for a long weight".

Stood there for about a minute then went back and asked if that was long enough.

Ilsa Loving

Re: I know it's unlikely

At our university we had a lab of xterms, and they were properly secured. However, sometimes people would walk away and leave their terminals unlocked. Occasionally someone would go there and add the necessary commands to disable security, and then when the victim came back and started working again, suddenly their cursor would get attacked by a large herd of kittens because someone fork-bombed neko on their terminal.

Fun times!

Anonymous Coward

Re: I know it's unlikely @cream wobbly

"I find it wrong to class such trivia as the striped paint and long stand as bullying."

First day in holiday job. Asked to make a list of the locations of all the tapes.

I spent three hours going round the computer room, the various offices, and checking the corridors and eventually returned to tell the boss that I could not find a single tape with an 8 or 9 in its number.

"And now you know they're numbered in octal and you know where everything is in the department", he said kindly.

My ears must have gone bright red but it was, to say the least, a valuable learning experience.

Snorlax
Silver badge
Facepalm

Re: 'Security' people using MSDOS is simply mad.

"'Security' people using MSDOS is simply mad."

MSDOS?

Adrian 4
Silver badge

Re: 'Security' people using MSDOS is simply mad.

Read TFA.

Apparently they run Kali in a VM under a tarted-up version of MSDOS known as Windows.

Weird way to do it. You'd have thought they'd put the VMs in the stable system and make the unstable office-tools virus-bait system a guest, but no.

jcitron

Re: I know it's unlikely

A coworker pranked another in an office I supported with a wireless keyboard and mouse. Periodically words would be changed in emails or documents, and the victim's mouse would move randomly.

I got a call from both the prankster and the victim and played along with it for a few months. Eventually the victim discovered the wireless dongle when he went to plug in a thumb drive.

RockBurner

Re: I know it's unlikely @Intractable Potsherd

You make a very good point, however, the line between good-natured banter/antics that build team rapport, and ill-natured, position maintaining bullying can be pretty fine, a moveable feast, and in a different place for different people. That's the real issue. I've worked in a couple of environments that really were toxic if you couldn't grow a thick skin and fight back.

There's no need for it most of the time.

jelabarre59
Silver badge

Re: I know it's unlikely

"Now, every time he would receive a new email, he would be treated to the full minutes long track. Every. Single. Time."

Now you just have their browser automatically load up the caramelldansen 10 hour Swedish loop video.

jelabarre59
Silver badge

Re: 'Security' people using MSDOS is simply mad.

"Weird way to do it. You'd have thought they'd put the VMs in the stable system and make the unstable office-tools virus-bait system a guest, but no."

What better way to learn about application/OS insecurity than to be forced to use an insecure OS?

baggins84

Re: I know it's unlikely

Working in digital forensics a member of my team did this to a new grad. They then told him that it was his mobile phone interfering and that he should put his phone in airplane mode. The poor guy believed him and spent the next however long with his phone in airplane mode. Eventually they confessed to it. The 'victim' had a digital forensics degree. You'd have thought he'd know better.

Bibbit

A rather lame prank but...

Back in the older days of gmail my friend had a colleague with a spoon aversion. Whenever they emailed him they would write the word "spoon" multiple times in white text so he could not see it at the end of the mail. Google then started offering spoon based products to him. Low tech but it got results.

Jack of Shadows
Silver badge
Mushroom

Re: Where I work...

Hardware engineers are like nuclear-armed countries when it comes to pranks.

I'd expand that allusion to engineers, any sort. Control freaks each and every one of us. Always on, it's hardwired into the mental processes, so everyone shouldn't be surprised when that mindset can be turned into a weapon.

Chairman of the Bored
Silver badge

Re: Where I work...

@JackofShadows- heck yes, expand to all engineers. Work hard, play harder.

When I take a dirt nap it will probably occur right after I say, "Hey! Hold my beer and watch this..."

Voland's right hand
Silver badge

Neither

"could be caused by either faulty hardware, the unreliable installation of software, or software conflicts,"

Neither. Just standard issue with new DELL laptops circa 2016. The new Intel CPUs Dell put in at the time were triggering latent races in a lot of different software.

We had a race in our java based stuff which I could never ever trigger on anything else and was not triggered for years on anything from a small single core to multi-core monsters either bare metal or virtualized. The new 2016 edition HELL laptops were triggering it with 50% probability.

I bet that some piece of software she was using had a similar latent race.

She is born to be a security professional by the look of it though. She immediately blamed it on an intrusion. Paranoia reigns supreme...

Michael H.F. Wilkinson
Silver badge

Re: Neither

Would that be security professional or security consultant? In my book the former actually diagnose and deal with real issues, whereas the latter know the right buzzwords, and get paid more if they can increase the hours they can declare whenever they scream intrusion!!!!. I suspect the plaintiff would be ideal for the latter category.

The alternative explanation would be that someone in system and networks at admin level is called Simon

ibmalone
Silver badge

Re: Neither

"Neither. Just standard issue with new DELL laptops circa 2016. The new Intel CPUs Dell put in at the time were triggering latent races in a lot of different software."

That actually sounds like quite a useful thing to have around for testing :)

(if a pretty irritating thing for anything else)

DropBear
Silver badge

To be fair, I have zero confidence "motherboard failure" was anything other than a default "we have no idea what your problem is" response, and I have to agree "reinstall Windows" is a completely inappropriate "solution" to any problem, let alone against self-unlocking (if that really happened). I'm not saying her claims have merit (and she probably did indeed handle everything as poorly as possible), but the whole thing sounds much more fishy than NCC tries to make it look. I'm not convinced there wasn't _something_ going on we have no idea about.

Anonymous Coward

Pentesters manage the security of their own machines to an extent. She probably told IT that she thought her machine was infected, so they said "well you should probably nuke it and start again, then." The IT helpdesk are not security savvy and usually know less than the consultants calling them for help.

Waseem Alkurdi

and I have to agree "reinstall Windows" is a completely inappropriate "solution" to any problem, let alone against self-unlocking

If the machine was compromised, a Windows reinstall *is* a good start.

hellwig
Silver badge

re: "reinstall Windows"

I have to agree "reinstall Windows" is a completely inappropriate "solution" to any problem,

Phone tech support for Alienware (before they were Dell) once told me to reinstall windows to try to fix the horrible squealing noise my CD-drive was making whenever I burned a disk. I straight up asked for a different support person, wasn't even going to entertain that crap when all I really needed was a replacement drive sent to me.

kirk_augustin@yahoo.com

No it's not. Reinstalling windows will not at all take care of any root virus, corrupted registry, malware device driver, etc. In fact, it won't really do anything. You have to reformat the drive and reload an image of the bios and bootup you want to start with. Even CMOS can easily have been reflashed, depending on the type of machine.

Obviously the company was not helping her at all, and it was all their responsibility.

They should have just given her an entirely different machine that was from a stock image.

There is no way she could have fixed things on her own.

The company was totally and completely negligent.

Waseem Alkurdi

"Reinstalling windows will not at all take care of any root virus, corrupted registry, malware device driver, etc."

Are you sure you are qualified to operate a computer?

And what the heck is a fucking root virus?

ds6
Boffin

Warning: Technobabble

"There is no way she could have fixed things on her own."

Based on her conduct, yes, there's no way in high hell she could have fixed it.

I mean, she would have to reflash the CMOS battery to uncorrupt the bootup registry and translocate the root virus to null space outside of the BIOS SRAM, and that is a very difficult process that only IT can solve. Shame on them for not helping a poor defenseless lady about the perils of a root virus in her malware device driver!

Adrian 4
Silver badge

hardware problem ?

Individual, specific files being deleted is a 'hardware problem' ?

Yes, that sounds like help desk advice all right.

Did she turn it off and on again ?

It would be interesting to know the real facts. Unfortunately neither the protagonists nor the reporter seem to have much interest in providing them.

Spazturtle
Silver badge

Re: hardware problem ?

"Individual, specific files being deleted is a 'hardware problem' ?"

That sounds exactly like what a faulty HDD or SSD does. Bad RAM or a faulty SATA controller can also cause write holes.

If individual files are vanishing after some basic software troubleshooting I would start testing the hardware.

Jon 37

Re: hardware problem ?

The specific files that were deleted were her malware folder. (She was an IT Security worker, so had legitimate reasons for having samples of known malware).

That sounds like she had anti-virus installed and it did a scheduled scan. If she didn't configure the anti-virus to exclude the folder of known malware, then the anti-virus would do what it was designed to do and delete the malware.

Jack of Shadows
Silver badge

Re: hardware problem ?

And then... there is the extreme overreaction by most malware tools when it finds out you are using something like the Nirsoft tools. You learn the hard way to create a nice directory for all your real sysadmin tools and whitelist it in your malware checkers. Don't forget to do so on the stick(s) or drive(s) that you keep your master copies on.

kirk_augustin@yahoo.com

Re: hardware problem ?

Not without leaving a track record.

The whole point of anti-virus is they want to advertise on how useful they were in eliminating threats.

They NEVER delete anything without bragging about it.

Adrian 4
Silver badge

Re: hardware problem ?

Bad sectors (or their equivalent) don't lose files cleanly. They create read errors, invalid filesystems, automatic bad-block replacement strategies etc. If you think the files are just written to the disc like parcels in a sack, you need to do some background reading.

jcitron

Re: hardware problem ?

Yup. Excellent advice which I had to remember to do after I reimaged my laptop. Like most days in my life I get interrupted a gazillion times, came back and put in my tools thumb drive, then watched as my AV software decided I had naughty bits on it and wiped the stick for me.
