
SANS ISC: Internet Storm Center Diary 2006-02-28 InfoSec Handlers Diary Blog


An Assignment From Professor Packetslinger of the School of Loose Screws

Published: 2006-03-01
Last Updated: 2006-03-01 22:23:38 UTC
by Deborah Hale (Version: 2)

Update #1

We have received an overwhelming number of emails as a result of this diary. This is to clarify a couple of things. Yes, this professor could have set up his own system for the students to use; yes, they could have been instructed to get permission from the owners of the systems first; yes, he could have done any number of things to make this a valuable, worthwhile learning experience. Unfortunately, that was not done.

We have also received several emails asking us to release the name of the institution that this refers to.  We won't do that as we were asked not to in the diary.  It is our policy at the ISC to provide confidentiality when requested.  That is what allows us to cover such controversial subjects as we do.  Yes what is being done by this Institution of Higher Education is incorrect. We are pursuing a satisfactory resolution to this as best we can. We also have not and will not publish the entire document. 

John Bambenek one of our handlers that works at University of Illinois had this to say on the subject:

It's high time that the principles of academic freedom stop providing shields for felonious conduct or eventually the people and the government will take it away all together.

We also have received a number of emails suggesting that we have a legal obligation to report this. We are aware that this may be a possibility. We assure all of our readers that we will indeed do what is right. We may not talk about what we did, but we will do our best to make sure that this type of activity does not continue. We truly want the Internet to be a safe place for all to work and play.

Hopefully this will answer some of the questions and concerns that are arising from this article.

Update #2

We have received indications there has been a partial callback of the assignment. We're inviting the professor to contact us directly for any statement and/or clarification he might want to offer.

If he does contact us with a statement we will update the diary again. Again, thanks to all who did contact us concerning this, both the good and the bad. We have responded to as many as we could (of course not to the ones that gave us phony email addresses). We at the ISC appreciate the participation of everyone, whether you agree with us or not. We learn a lot from the pros and the cons and enjoy the interaction.

Update #3

Since this article is now referenced directly, just a note that there is a follow-up diary on how to set up such assignments in a responsible manner.
Furthermore, the amount of feedback we get means that we're unlikely to answer individually unless your remark is a bit exceptional or you are the professor himself. Please, no more "portscanning is not illegal" and no more assumptions that the assignment was portscanning only; we've seen those remarks a few times by now.

But again, we'd love to have a chat with the professor himself.

We received an email today from a concerned colleague at one of the state colleges in the US. We promised the colleague that we would not reveal name or school so I won't. It is tempting, but I won't. This is an actual assignment. I am not making this up, this IS the real thing.

So here is the story of the assignment from Professor Packetslinger. In a Computer Security class in the Winter of 2006 (which by the way is next year if I remember correctly) the students have been given an assignment. The assignment is worth 15% of the final grade for the class. (So refusing to do the assignment very well could drop a student from an A to a B or worse in the blink of an eye).

The "TASK"

Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity involving port scanning and vulnerability scanning. He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic, and what vulnerabilities they see.

Hmm... seems to me that Professor Packetslinger wants the students to do all of the background work for him.

Ok so now what must the students submit in writing to Professor Packetslinger?

Let's see what he wants:

What the student must submit

The note to the students:

In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.

(This tells me that Professor Packetslinger is well aware of the laws and the fact that doing this without express permission and authorization IS against the law in most countries and municipalities. The same laws that the students are being asked to violate).

The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations [AKA break ins, our words], examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.

Can you believe it? Amazing, simply amazing. One important thing Professor Packetslinger failed to request:

Dates of student's incarceration so that they can be excused from class and not counted absent.

Ok, so the concerned colleague who contacted us about Professor Packetslinger and his assignment went on to explain:

"We've barked this one up our own tree of management. Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."

In other words, we won't discipline Professor Packetslinger, we won't stop the assignment from going forward. As long as the students don't scan our computers, it is ok. If they scan our computers they will be reprimanded and lose their privileges on campus.

This is incredible; this University is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow Handler Adrien:

Illegal, unethical, immoral.
How about just plain stupid and ignorant.

And handler Swa had this to say:

Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this.

Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts.

First thing to do: recall the assignment; tell the students they should not even consider it.  Next (public) apologies from the professor are the least. But at the _very_ least don't let him near kids anymore, as an educator he's a miserable failure.

This from our resident comedian Tom:

Spamming for Fun and Profit.

It is hard for me as a security professional to understand the logic of Professor Packetslinger. I have relatives in the fair city in which this prestigious state university resides. I am going to ask them to keep an eye on the local paper and shoot me off articles about the arrests. And I definitely will not recommend this school to my friends and relatives. My sympathy goes out to the students that will be forced into completing this assignment. My sympathy to their families, especially those who are caught and charged with computer crimes. I just hope that the dear professor gets to experience the full impact of his illegal, unethical and immoral acts and he too gets to spend some time behind bars.

How about the school?

As fellow Handler Lorna put it

Wonder how the school would feel about a law suit launched against THEM because of this assignment!

The school is allowing this assignment to go forward. They are as guilty of this crime as the professor and the students. They too need to pay the price and a lawsuit against them would be a small price to pay.


Handlers - Down and Out in the Magic Kingdom

Published: 2006-02-28
Last Updated: 2006-02-28 23:54:11 UTC
by Tom Liston (Version: 1)

Once upon a time, eight handlers traveled to a Magic Kingdom, leaving their friends behind to sweep the floors, empty the ashes from the fireplace, and mind the store.  And lo, while their friends did labor long and hard, the eight naughty handlers danced and played among the inhabitants of that Magical place until they began to look and act... well... right at home.  Of course they moaned and complained that their time in the Magical Kingdom wasn't fun at all, but the friends they left behind knew better.

So, if you happen to be attending SANS 2006 and you see either Snow J or any of the dwarves... tell 'em we said "hi." (Note: Sincere apologies to Walt, his heirs, and assigns... Corporate lawyer-types: It's parody.  Lighten up.)


Trouble Brewing? - Port 106 Activity

Published: 2006-02-28
Last Updated: 2006-02-28 19:43:48 UTC
by Deborah Hale (Version: 1)
We received an email enquiry today from Mike asking if we had seen an increase in port 106 activity. He indicated that over the last 8 or 9 days he has seen an increase in traffic on port 106. I looked at the information on this port at our DShield location and found that there is indeed something happening on port 106. On December 22 we started seeing an increase in data submissions on this port. There are some known uses for the port, but none of them really make much sense here. So, if anyone out in our viewing audience is seeing increases in port 106 activity and can get us some data using a netcat listener, we would appreciate it. We are curious about the traffic and what exactly it is looking for.


Deja Vu - Snow.A

Published: 2006-02-28
Last Updated: 2006-02-28 16:06:43 UTC
by Lorna Hutcheson (Version: 1)
Notable behavior - "drops and install WinPcap network drivers", "flood network with spoofed arp packets (arp poisoning) " and "appends its code to all .EXE files in all drives, including mapped network drives and removable disks. Thus, it is able to propagate via the network and removable drives, such as flash drives and floppy disks."

Other - "first attempts to infect files which are running processes", "its main .EXE component respawns when it is terminated, making termination more difficult."

Followup on challenge "Spam, Recon or ??"

Published: 2006-02-28
Last Updated: 2006-02-28 06:04:34 UTC
by Lorna Hutcheson (Version: 1)
First off, I wanted to say thanks to all the folks willing to throw their hat in the ring on this one. Analysis is fun, and you will always find unique ways to look at things! Right up front you have to know that sometimes you will never know what caused the traffic. There are lots of lessons that you learn from doing analysis.

First (which was the reason for this diary originally) is to not become complacent when looking at traffic. That is one that will bite you in the end (no pun intended :>). For example, remember in the diary that I initially wrote for this challenge I said "It has often been said that if you want to hide something, hide it in plain sight." Well, that is so true, and if you have read the diary entry called Malware: When "comments" become commands, it reinforces the same concept. The malware goes to a specific website repeatedly. However, if you looked at the site, you would see nothing out of the ordinary. Many folks don't even look at normal web traffic. This is one that would fly under the radar, even with a seasoned analyst, as the malware spaced out the visits since it was on a timer. However, if you did an analysis of all your web traffic, this site might show up and might raise red flags. The whole point is that the author of this malware hid everything in plain sight and made it look like normal web traffic.

Second is to always try to determine if there is a logical reason for the traffic before you don your tin foil hat and proceed to think that there are folks everywhere who are after you. A happy medium is required. You need to determine what is the best fit for your organization and its security needs. However, I hope this has made you think twice about just hearing a port and saying "oh, it has to be ....." and never looking at it, or just seeing traffic and assuming that it is something without investigating it.

Let me start off by saying that a lot of folks did a lot of good work on this. Even if your analysis was not on target, that's ok. There were several things about this that led me down the same path that many of you took. My analysis proved wrong later when we finally got captures of what it actually was. However, kudos goes to fellow handler Don Smith, who nailed it right off the bat.

So, without any more ado.....the results of the analysis.  As a refresher you can read the diary that started this all: 
Spam, Recon or ??: You make the call!!

The packets turned out to be what some folks (to include Don) thought it was and that was pop-up spam rejects where the spammer was spoofing the IP range of our submitter, which is why he got the ICMP responses back.  Here is a capture of the payload of some of the traffic:  Payload of ICMP Packets

There were several things that many of you caught that made you wonder if this was indeed pop-up spam. Some made me wonder too: three types of ICMP messages (which you can expect if you are probing the security of the network); a source port of 0; the DF (Don't Fragment) flag set on a few of the packets (strange when you are doing UDP with such a small payload); TTL timeouts on some (why would you set the TTL so low if you want to get spam through and ensure it doesn't time out?); and the fact that ICMP Type 11 (Time Exceeded) had IPs getting two packets each while ICMP Type 3, Code 13 (Communication Administratively Prohibited) did not duplicate IPs.

Yeah, many things caught my eye on this traffic, the same as they did yours. From all indications, though, it's just pop-up spam. Here are some of your thoughts and analysis on the traffic. Some of these do not have a name associated, honoring the submitter's request. Other analyses were submitted, but folks asked not to be included. To everyone who submitted an analysis, I thank you! If I accidentally skipped someone, please let me know and I'll be happy to include you here. It was fun and I hope everyone learns from it. We'll have to play again sometime!
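As an added example (not part of the original diary or its submissions), here is a small Python analyzer over constructed ICMP error records that tallies the indicators discussed above. The key defender check is the backscatter test: the header quoted inside each ICMP error names one of our addresses as the source of a flow we never sent, which is exactly what spoofed pop-up spam rejects look like. Address ranges, the reporter hosts and the sample records are all constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IcmpError:
    """One ICMP error received by us; inner_* fields come from the quoted header."""
    reporter: str      # router/host that sent the ICMP error to us
    icmp_type: int
    icmp_code: int
    inner_src: str     # source address in the quoted header (spoofed to our range)
    inner_dst: str     # the spam target that the spammer really addressed
    inner_proto: str
    inner_sport: int
    inner_df: bool
    inner_ttl: int


OUR_RANGE = ip_network("203.0.113.0/24")  # constructed (documentation range)

ICMP_NAMES = {(11, 0): "time-exceeded", (3, 13): "admin-prohibited",
              (3, 3): "port-unreachable"}

# Constructed sample records modelled on the diary's observations: type 11
# errors repeat the same address, type 3/13 errors do not, source port is 0.
SAMPLES = [
    IcmpError("198.51.100.1", 11, 0, "203.0.113.5", "192.0.2.10", "udp", 0, False, 1),
    IcmpError("198.51.100.1", 11, 0, "203.0.113.5", "192.0.2.10", "udp", 0, False, 1),
    IcmpError("198.51.100.9", 3, 13, "203.0.113.7", "192.0.2.44", "udp", 0, True, 60),
    IcmpError("198.51.100.2", 3, 3, "203.0.113.5", "192.0.2.11", "udp", 0, True, 60),
    IcmpError("198.51.100.9", 3, 13, "203.0.113.8", "192.0.2.45", "udp", 0, True, 60),
]


def is_backscatter(rec, our_range, sent_flows):
    """True when the quoted packet claims our address for a flow we never sent."""
    flow = (rec.inner_src, rec.inner_dst, rec.inner_proto, rec.inner_sport)
    return ip_address(rec.inner_src) in our_range and flow not in sent_flows


def summarize(records, our_range=OUR_RANGE, sent_flows=frozenset()):
    """Tally the indicators: backscatter, source port 0, DF flag, low TTL,
    and per ICMP type/code how many quoted source IPs repeat."""
    per_type = defaultdict(Counter)
    for r in records:
        per_type[(r.icmp_type, r.icmp_code)][r.inner_src] += 1
    report = {
        "backscatter": sum(is_backscatter(r, our_range, sent_flows) for r in records),
        "source_port_zero": sum(r.inner_sport == 0 for r in records),
        "df_set": sum(r.inner_df for r in records),
        "low_ttl": sum(r.inner_ttl <= 1 for r in records),  # expires at next hop
        "by_type": {},
    }
    for key, ips in per_type.items():
        name = ICMP_NAMES.get(key, f"type{key[0]}-code{key[1]}")
        report["by_type"][name] = {"messages": sum(ips.values()),
                                   "distinct_ips": len(ips),
                                   "repeated_ips": sum(n > 1 for n in ips.values())}
    return report
```

Feeding `sent_flows` from your own outbound flow logs is what separates genuine errors for traffic you sent from backscatter caused by someone spoofing your range.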

Out of cycle oracle patch part II

Published: 2006-02-28
Last Updated: 2006-02-28 01:38:26 UTC
by Swa Frantzen (Version: 1)
A few days ago we reported on a possible out of cycle Oracle patch. Unfortunately, Oracle's details are hidden behind a login system, so the security officer's analysis takes much longer than strictly needed.

Integrigy published a report that might be of use to our readers.

Swa Frantzen


Security Awareness (from students point of view)

Published: 2006-02-28
Last Updated: 2006-02-28 00:43:46 UTC
by Scott Fendley (Version: 1)

Greetings everyone,
Sorry it has been so quiet the last 48 hours. It is rare that there isn't something to report in that time. Perhaps this is the long quiet before a storm?

As many of you realize, I work in academia, so a lot of my time is spent keeping your sons and daughters from doing stupid things on the nice brand new computers you bought them for graduation/birthday/Christmas. The rest of my spare time I usually spend trying to balance two seemingly opposite things: securing our network and anything connected to it, while at the same time respecting the need for our traditionally open network environment. So anytime something comes out to help me in the security awareness world, I am usually looking for ways to leverage it for the good of campus.

Last fall, the EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance had a video contest for students to come up with creative ways to raise awareness about security issues, and recently announced the winners. Their press release is located at  and the winners' videos are located at . It is very interesting to see security through the eyes of the younger generation. And to think that in a few short years, they will most likely be working for you or your company. Most of the videos are good and have my creative juices going on how to better educate the students and the faculty alike.

I hope that in the corporate environment some of these may spawn better or newer security awareness ideas for educating your staff. Perhaps some of your companies are large enough that you can create your own creative videos involving your specific security problems of the year. Maybe you aren't that large, but I do encourage you to think outside the box for creative ways to raise awareness.

For those not ready to develop their own awareness program, SANS offers awareness training over the Internet for the corporate environment. It comes complete with motivational posters and on-line exams.

NOTE: the security videos above do have terms of use associated with them. So, please do not steal them for your own commercial uses unless you have the permission of the owners. However, if there is one you really like, send the owners a scholarship or offer them a job at your company after graduation. You never know, they might let you use it directly in your security training or record one especially for you.
