
    Sunday, February 2, 2020

    His first words were "Uhh...hey" Tech Support

    His first words were "Uhh...hey"

    Posted: 01 Feb 2020 07:08 AM PST

    Backstory: So I work the help desk for a robotics company that specializes in autonomous robots that deliver supplies and equipment to certain departments/facilities in the healthcare industry. So, the pharmacy at a hospital will have their supplies for the day delivered from someone in the arrivals department of a hospital. Or there might be garbage that needs to be dropped off and the robot will take an elevator down to the basement and drop it off and wait for its next job. Stuff like that.

    Well last night, I get a call from one of our hospitals. "[Company name] help desk, this is [my name], how can I help you?" The guy on the other end starts off with "Uhh... hey" and then tells me that one of the robots is stopped in a hallway. I log into it through our software to see him on the map and see that he was stopped near the pharmacy because a fire alarm had apparently gone off earlier and he's supposed to pull off to the side to give people enough space to go up and down the hallway.

    "Well I'm right near the pharmacy. Can I just take what I need from it to the pharmacy?". Usually I'd say yes, but I'd never heard this person call before. He also has yet to give his name. AND his sentences took forever to complete. I then check out our database of specific users in certain departments we're supposed to talk with and call the pharmacy.

    "Hey, this is [my name] from the [company name] help desk. I'm calling because it looks like the robot that's on the way to make a delivery to you guys is stopped because of a fire alarm. And there's someone asking if they can just bring the supplies over to you guys. Did you send him?" (three-second pause) "Uhh...no we didn't. Hold on." The lady on the other end leaves and puts me on hold. She comes back a few minutes later. "Yeah, I had no idea who that was. He looked like he was completely out in space somewhere. Probably a junkie."

    And she's probably right. That robot was probably carrying hypodermic needles and drugs that could sell for a pretty penny. I feel bad for the dude and his addiction, but people need that stuff. I asked if he was violent or anything and she said he just ran away when he saw her coming so I guess it's good no one got hurt.

    submitted by /u/SuspiciouslyLinear

    Engineers VS Technicians

    Posted: 01 Feb 2020 05:24 PM PST

    In what seems like a lifetime ago, when I first got out of the Military, I started a job with a thermocouple manufacturer, working in the service department on instruments sold to companies that needed to monitor the temperature of equipment ranging from industrial machinery to fast food grills and deep fryers. On my first day of work the head of the engineering department, who would be my manager, took me on a tour to meet the engineering folk and the manufacturing people.

    Our cast is the bright eyed technician (me), Chuck the head of engineering and Dick an all too full of himself engineer.

    Dick was troubleshooting units of a brand new design (his creation) that failed right off the assembly line. As Chuck and I walked up I could see Dick scratching his head. He had 3 oscilloscopes hooked up checking different points on the units motherboard.

    Chuck introduced me to Dick who clearly looked down on me from the start. He didn't care much for military folk. Anyway here is how the conversation went.

    Chuck: Hi Dick, I want to introduce you to Me, he is coming to us fresh out of the Air Force.

    Me: extending my hand "Nice to meet you"

    Dick: ignoring the extended hand..."I can't figure this out, been trying to fix this one unit for three hours."

    Chuck: Well I am sure you will figure it out, after all it is your design.

    Me: feeling slighted over the rude welcome..."Dick, that resistor is burned out."

    Dick: silence...blinks a few times then looks down to see I am right.

    Chuck: let's move on to the manufacturing floor.

    Dick the dickish engineer never learned to do a physical examination before breaking out the o-scope.

    TL/DR: first day on the job I diagnosed an issue that the designer failed to troubleshoot after 3 hours. Technicians look before acting, engineers over think things.

    submitted by /u/markdmac

    A spot of technical support has unexpected side-effects

    Posted: 01 Feb 2020 05:55 AM PST

    This is a tale about a relative of mine - let's call her Susan. In her mid-twenties, but never really got around to leaving her teens behind, and never achieved much at school. In a dead-end job as a small cog in the large machine of an out-of-town supermarket. Red-headed, both literally and figuratively. No known technical intuition. In summary: not exactly the sort of person you'd trust with a screwdriver.

    Susan is a cashier, and consequently has to deal with POS terminals. And, as the regulars here will know, both of the traditional meanings of that acronym are applicable. One particular terminal had been especially flaky for weeks, and the penny-pinching management were finally persuaded to replace it. Out came a man from this year's lowest-bidding support contractor and he replaced the terminal.

    Well, at least he fixed the flakiness. When he'd gone, they found that the new terminal did not work at all.

    Susan was supposed to report things like this to her supervisor, who would have gone to a manager, who would ... you get the idea. But Susan's red-headed traits came to the fore - she questioned the installer's parentage, grabbed a screwdriver and started taking things apart.

    Removing a cover-plate revealed the connection of the terminal to the supermarket wiring. There were four coloured wires on each side of the connector block. The black wire connected to the black wire, the blue wire connected to the blue wire, the red wire connected to the ... yellow wire?

    Muttering imprecations, Susan unscrewed the mismatched wires and swapped them around. And, hey presto - the terminal worked perfectly. (OK, that last bit isn't strictly true. But it worked as well as any of the other terminals.)

    News of Susan's little success spread quickly, with the result that, as far as her colleagues were concerned, she was now local technical support for anything electrical. And Susan discovered, as many of us here have, that you can actually get surprisingly far by (a) pushing the power cable all the way in, (b) switching it off and back on again, or (c) reading the instructions.

    Now, few good deeds go unpunished, and she could have received a ticking-off for going outside her job description. But Susan got lucky. Her manager not only thanked her for showing initiative but even invited her to take management training.

    If you suspect that supermarket management courses are not exactly a short-cut to riches, you would be correct. But it did mean that Susan got a bit more responsibility, a bit more recognition, and above all quite a bit more variety. She felt less like a cog and more like an employee.

    This happened last spring/summer, and bits of the story were passed to me by other relatives. Recently I met Susan for the first time in a year, and she confirmed the story. But what struck me was that she's matured noticeably in that year, lost a bit of weight, looked better and generally seemed happier with life.

    And all because she spotted that two red wires should be connected to each other.

    submitted by /u/monedula

    The AV Saga Part 10: Occam’s Razor

    Posted: 01 Feb 2020 07:28 AM PST


    Previously: https://redd.it/akrqz8


    A little while after we finished getting our AV house in order, I was in a different office in a different town working on a project. Early in the afternoon I got a quick message from my Boss.

    Boss: Security got an alert there's a machine with emotet on it in that office. IP coming ASAP. Identify and remove.

    Giving me an IP address isn't completely useless, but I'm not sure why I have to do the work to identify the infected PC.

    Boss: 10.10.1.100.

    I plug the IP into our PC management console and it spits out the laptop name of one of the department team leads in the office. I walk over to TeamLead's desk.

    Me: Hey TeamLead, your laptop just popped up as having a virus. I gotta take it.

    TeamLead: Oh. I know what did it…

    Me: You do?

    TeamLead: Yeah, I just got this email from a co-worker with what I thought was a document link in it. I clicked on it and it opened a website and a thing popped up but then I closed out of it.

    Me: Yeah, that email looks wrong. But this is actually a great help because we can use this to hopefully find out where it's coming from. Thanks. Do you have another PC you can work on?

    TeamLead: I can work on one of the PCs in the training room.

    Me: Great. I'll make sure $MainOffice is working on a replacement for you ASAP.

    I take it back to the conference room I'm working out of when I get another message from my boss.

    Boss: Another infected PC at that site. IP coming. Also, meeting invite to discuss infection in 15 minutes. Invite should pop into your inbox in a sec.

    Me: I've got the infected laptop, it's off the network. And I'm sure this will only be a slight distraction from what I'm supposed to be working on here.

    Boss: 10.10.2.59.

    I can already tell by looking at it that it's an IP for this office's wifi network. Management console spits out the same laptop name. So it looks like we only have one infection. I form my own opinions on how TeamLead got an infected email while waiting for the meeting to start. 15 minutes later…

    Chief Information Security Officer (CISO): Ok. Thanks for joining. $Boss told me first device is secure. Do we have the second infected machine?

    Me: It's the same machine. Laptop. It was caught via both its hardwired IP and its wifi IP.

    CISO: Are we sure? That second IP triggered after the first one.

    Me: Yes, I can confirm, based on IP, they are the same device. I can also confirm the device is in my possession. Wifi switch is off, it currently has no network connection.

    CISO: Great. Team, do we have any idea where this came from? This a completely different department and user subset from the original and secondary infections.

    Me: It came from a link in an email he received. It's from OGUser. It's clearly spoofed since the email address doesn't match the user.

    CISO: An email from an internal user? How did our filters not catch it?

    Me: I can tell you it kinda did? Our filtering did redirect the IP to our filtering site, but then still allowed it to be accessed after "checking" it. I can see the link is modified with our filtering.

    CISO: $ServerTech: Do you see any messages getting blocked at the rough time it was identified?

    ServerTech: I do not. RubiksDude, can you send me the header info from the email?

    Me: Sure. But I assume we don't want to put this device back online? I'll email you pictures with my phone.

    Click. Click. Send.

    Me: Sent. Btw, this email was from a legit internal email chain.

    CISO: WHAT?!

    Me: It's in reply to an email chain from like two months ago. It had 6 users on it. OGUser was the only one to reply to the original email. And looking through TeamLead's email I see those two emails.

    CISO: Did they get into our Office 365 system? Do we know which of these users are on an on-prem exchange and which are on Office 365? RubiksDude, send an email to everyone on the call with the list of users from the email. ServerTech, see where their email accounts live.

    Me: Ok. But I can tell you from a quick glance OGUser is the only one whose mail is in the cloud. Everyone else is on-prem. Email sent.

    CISO: ServerTech, how many IT people have admin access to the Office 365 portal?

    ServerTech: Unsure? Probably 20 or more.

    CISO: Get a list. Start checking and see if you can find any evidence any of those accounts have been compromised.

    Me: I would also like to point out that OGUser is one of the original users who was infected with emotet when this all started a few months ago.

    CISO: I think our Office 365 portal has been hacked. Boss, have someone scan OGUser's PC.

    Boss: Ok. Our current AV software still can't detect this virus. We'll scan with $OtherAV.

    CISO: Great. Let's reconvene in the morning and see where we stand. If needed email. ServerTech, I want that admin list ASAP.

    Seems like a bit of a stretch to immediately assume "we've been hacked!" but whatever. An hour later I got another message from my boss.

    Boss: You have an admin account to the O365 portal. Change your password for it and let me know when it's done.

    Me: Seriously? We're just going with that? I changed my password to that 3 weeks ago.

    Boss: Just do it.

    Me: Fine...It's done.

    On my way back to the hotel I see a meeting invite for the next morning, 6:30am local time. Great.


    The next morning, I jump on the call while still lying in bed.

    CISO: Ok. ServerTech identified 22 users with admin access to Office 365. 21 have reset their passwords. The last guy is on vacation. We're going to fast track MFA for the portal. ServerTech, what do you have?

    ServerTech: RubiksDude was correct, only OGUser's email is in Office 365. That user's email address was clearly spoofed to send the email. It did not come from that user. I also saw that reply was sent to the other users from the original chain. I deleted those emails from the server. If some of them use cached mode we might need to double check it's deleted from their Outlook.

    CISO: Boss, get someone on that. We're gonna bring in $ExpensiveITSecurityFirm to run forensics on our Office 365 environment. We need to find evidence of how they got access to our system. I'm also pushing $AVSoftware company again to tell us why their scans can't pick up emotet. Also asking why their email filtering can let that link through.

    Me: Seriously? Is this what we think happened?

    CISO: What do you mean?

    Me: OGUser was one of the original infected. We know they got a replacement PC. Do we know if the tech who replaced it copied over their data? If AVSoftware can't detect the infection, isn't there a good chance it was transferred over?

    CISO: So what do you think happened?

    Me: Emotet probably intercepted outgoing messages from OGUser. It got sent to whoever is running this variant, they sat on it and now sent an infected email as a reply.

    It makes a lot more sense than someone hacking our Office 365 portal, having access to hundreds of thousands of emails and email addresses and user accounts, and then just picking one user to spoof with a copy of a real email and then send it to only 6 users.

    I would think if someone got access to our email system, they'd keep it quiet as long as possible trying to siphon as much information as possible. And if they decided to try to infect the wider environment they'd try and catch many more users to try and guarantee an infection. There's also no need to spoof the email as being from a user, they could have just sent the email from any user's account, no?

    One small infection attempt potentially blows their cover if discovered, like this, if we think that's what happened.

    CISO: Exactly! We don't know how long they may have had access to our system. Along with MFA I'm also fast tracking conditional access to the portal and webmail. If you're not on an approved network or coming from an IP address we approve, you can't access those sites.

    Boss: I'll add that scans yesterday on OGUser's PC found no infections, but we're going to replace that PC anyways.

    CISO: Sure. ServerTech, you'll be the contact point for $ExpensiveITSecurityFirm. If we find any important information email it to this group.


    And thus we spent thousands of dollars for $ExpensiveITSecurityFirm to tell us they could find no evidence of intrusion. We also spent the next month fast tracking conditional access, and ended up breaking a lot of users' email access as we identified all the different ways and places users connect to email, since like everything else in our environment, we have no idea about a lot of stuff until it breaks.

    We also turned on banners in emails for Office 365 users warning if an email was from an external sender. That was done with no notice to anyone, not even IT. And due to our environment configuration, any email sent from a user with their email account still on-prem, O365 considered external and added a banner. Most users immediately ignored those banners since a lot of the emails they were getting from internal employees was marked as external. That could be a tale by itself.

    MFA was enabled haphazardly at best, and many IT folk struggled for a week or so to regain access to the Office 365 tools they needed.

    I'm not suggesting that we shouldn't improve security where we can, but CISO's tenure was filled with policies derived from poor decision making and just wild jumps in troubleshooting issues.

    submitted by /u/TheRubiksDude
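    The header check ServerTech asked for in the post above, as an added example that is not part of the original post or the poster's environment. It distinguishes the two hypotheses on the call: a message whose From: claims an internal user but whose earliest trusted Received hop is an outside host (and whose SPF fails) was spoofed, not sent from a compromised Office 365 mailbox; if it also carries In-Reply-To/References, it fits the Emotet reply-chain pattern RubiksDude describes rather than a portal breach. The internal domain (example.com) and the three sample messages are constructed for the example and are assumptions, not data from the page.

```python
"""Header-based triage of an e-mail that claims to come from an internal user.

Added example, not code from the original post. Assumes a hypothetical
internal mail domain (example.com); the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's mail domain


def _is_internal_host(host: str) -> bool:
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def _auth_results(msg) -> dict:
    """Reduce Authentication-Results headers to {method: result}, e.g. {'spf': 'fail'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # First clause is the authserv-id; the rest are "method=result ..." clauses.
        for clause in hdr.split(";")[1:]:
            clause = clause.strip()
            if "=" in clause:
                method, rest = clause.split("=", 1)
                results[method.strip().lower()] = rest.split()[0].lower()
    return results


def _first_external_hop(msg):
    """Return the earliest 'from' host in the Received chain that is not ours.

    Relays prepend Received headers, so the last one is the earliest hop.
    Only hops written by our own relays ("by <our host>") are trusted; the
    sender controls anything that appears before that point.
    """
    for hdr in reversed(msg.get_all("Received", [])):
        tokens = hdr.split()
        if len(tokens) < 4 or tokens[0].lower() != "from" or "by" not in tokens:
            continue
        by_host = tokens[tokens.index("by") + 1].rstrip(";")
        if not _is_internal_host(by_host):
            continue  # recorded by a host we do not control; ignore it
        from_host = tokens[1].strip("()[]")
        if not _is_internal_host(from_host):
            return from_host
    return None


def classify(raw: str) -> dict:
    """Classify a raw RFC 5322 message as internal, external or spoofed-internal."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    claims_internal = from_addr.rpartition("@")[2].lower() == INTERNAL_DOMAIN
    auth = _auth_results(msg)
    external_hop = _first_external_hop(msg)
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))

    reasons = []
    if claims_internal:
        if auth.get("spf") in ("fail", "softfail", "none"):
            reasons.append(f"SPF {auth.get('spf')} for an internal sender")
        if external_hop:
            reasons.append(f"first hop was {external_hop}, outside our relays")
        verdict = "spoofed-internal" if reasons else "internal"
        if verdict == "spoofed-internal" and is_reply:
            reasons.append("reply to an existing thread (reply-chain hijack pattern)")
    else:
        verdict = "external"
    return {"verdict": verdict, "from": from_addr, "reasons": reasons}


# Constructed sample: outside host injects a reply into an old internal thread.
SPOOFED_SAMPLE = """\
Received: from mail.example.com (mail.example.com [10.0.0.5]) by mbx.example.com; Sat, 1 Feb 2020 10:00:00 -0500
Received: from edge.example.com (edge.example.com [10.0.0.2]) by mail.example.com; Sat, 1 Feb 2020 09:59:58 -0500
Received: from vps-203-0-113-7.example.net ([203.0.113.7]) by edge.example.com; Sat, 1 Feb 2020 09:59:55 -0500
Authentication-Results: edge.example.com; spf=fail smtp.mailfrom=oguser@example.com; dkim=none
From: OGUser <oguser@example.com>
To: teamlead@example.com
Subject: RE: Q4 vendor contract
In-Reply-To: <20191203.abc@example.com>
References: <20191203.abc@example.com>
Message-ID: <zz1@vps-203-0-113-7.example.net>

Hi, please open the updated document at the link.
"""

# Constructed sample: genuine message between two internal mailbox servers.
GENUINE_SAMPLE = """\
Received: from mbx2.example.com (mbx2.example.com [10.0.0.6]) by mbx.example.com; Sat, 1 Feb 2020 11:00:00 -0500
Authentication-Results: mbx.example.com; spf=pass smtp.mailfrom=oguser@example.com; dkim=pass header.d=example.com
From: OGUser <oguser@example.com>
To: teamlead@example.com
Subject: Lunch?
Message-ID: <aa1@mbx2.example.com>

Lunch at noon?
"""

# Constructed sample: ordinary external mail that should simply get a banner.
EXTERNAL_SAMPLE = """\
Received: from mx.partner.example.org (mx.partner.example.org [198.51.100.4]) by edge.example.com; Sat, 1 Feb 2020 12:00:00 -0500
Authentication-Results: edge.example.com; spf=pass smtp.mailfrom=ap@partner.example.org; dkim=pass header.d=partner.example.org
From: Accounts Payable <ap@partner.example.org>
To: teamlead@example.com
Subject: Invoice 4471

Attached is this month's invoice.
"""

if __name__ == "__main__":
    for sample in (SPOOFED_SAMPLE, GENUINE_SAMPLE, EXTERNAL_SAMPLE):
        print(classify(sample))
```

    The trust rule matters more than the SPF result: the sender can write any Received: lines it likes before the message reaches the organisation's edge relay, so only hops recorded "by" a host the organisation controls are consulted. A Received chain that never leaves internal hosts, with SPF and DKIM passing, is what a message sent from a genuinely compromised cloud mailbox would look like; the constructed spoofed sample looks nothing like that, which is the point RubiksDude makes on the call.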
