SUMMARY

This chapter sets the groundwork for the technical component of this course. System administrators perform most of the technical activities related to information security. This chapter therefore defined system administration and introduced the role played by system administrators in organizations. It also introduced the common information security tasks performed by system administrators. Finally, it provided an overview of the common utilities used to simplify these tasks in large organizations.

The hands-on activity in this chapter will lay the stage for the hands-on activities you will perform in all the remaining chapters of this book.

EXAMPLE CASE–T.J. MAXX

Corporate interest in information security was dramatically raised in 2007 following the revelations of embarrassing information security breaches at several well-known companies. Hackers had complete access to credit-card databases at many of the leading retailers in the country including T.J. Maxx, Barnes and Noble, and Office Max (Figure 2.5).

Hackers know that it is safe to be outside the target country to avoid prosecution. It was therefore initially believed that the attacks were caused by hackers outside the country. However, investigations revealed that the attacks were mostly from domestic sources and led to the prosecution of 11 men in 5 countries, including the United States. Most interestingly, the ringleader turned out to have been an informer for the US Secret Service.

Outcome

On August 5, 2008, the US government charged 11 individuals with wire fraud, damage to computer systems, conspiracy, criminal forfeiture, and other related charges for stealing credit-card information from prominent retailers such as T.J. Maxx, BJ's Wholesale Club, Office Max, and Barnes and Noble.

In August 2009, many members of the same gang were again charged with compromising Heartland Payment Systems, a credit-card processing company, and stealing approximately 130 million credit-card numbers. With approximately 100 million families in the United States, this translates to almost 1 credit card stolen from every American family. 5 members of the gang were indicted on July 25, 2013.^23,24

Background

The gang involved in all these incidents had been in operation since 2003. Between 2003 and 2007, the gang used simple methods to exploit weaknesses in wireless security at retail stores. At T.J. Maxx, they had found that many stores did not use any security measures in their store wireless networks. As a result, obtaining employee user names and passwords was as simple as waiting outside the stores in the morning with laptops and listening to the network traffic as employees and managers logged into their accounts.

Worse, these user accounts had access to the corporate IT systems at T.J. Maxx, including those that stored credit-card information. Using this information, the hackers had a free run of the company's credit-card information. For almost a year, the gang members extracted the data, stored it on the company's own servers, and retrieved it at their own convenience. Their goal was to use this information to sell fake credit cards at pennies on the dollar.

This was the method used by the gang in the attacks that formed the basis of the 2008 indictment. Beginning in August 2007, the gang refined its skill set and began to use SQL injection attacks to place malware on web applications and gain access to corporate databases. The gang used this method in the attacks for which it was indicted in 2009.

The ring leader and his activities

Albert Gonzalez, the ringleader of the gang, was a resident of Miami, Florida. Beginning around 2003, he is believed to have driven around Miami, using his laptop computer to locate insecure wireless access points at retail stores. Stores typically use these networks to transfer credit-card information from cash registers to store servers. When an open network was located, the gang would use a custom-written “sniffer” program to collect credit-card account numbers (one of the most popular sniffers is Wireshark, an easy to use program that is available for free use²⁵). Fake cards using these numbers were then sold in the gray market. The biggest victim was T.J. Maxx, which lost information on over 40 million credit cards.

Later, when the gang graduated to SQL injection attacks, it would visit stores to identify the transaction processing systems these companies used. The gang used this information to determine suitable attack strategies to target the specific systems used by these companies. The gang also studied the companies' websites to identify their web applications and to develop appropriate attack strategies for these websites.

The ringleader, Albert Gonzalez, earned over $1 million in profits by selling this card information. Apparently, at one time, his counting machine broke and he had to manually count $340,000 in $20 bills. In August 2009, Albert Gonzalez agreed to plead guilty to charges in the T.J. Maxx case, which had been filed in 2008.

Gonzalez became an informant for the Secret Service in 2003 after being arrested for various crimes. As an informant for the Secret Service, in October 2004, he helped the Secret Service indict 28 members of a website Shadowcrew.com. Shadowcrew stole credit-card information and sold it for profit. While in operation, Shadowcrew members stole tens of thousands of credit-card numbers. After the Shadowcrew operation was completed, however, Albert began his own exploits.

Impact

The direct damage from the attacks in terms of fraudulent charges on customer credit cards was limited. In March 2007, one gang in Florida was caught using cards stolen from T.J. Maxx (TJX) to buy approximately $8 million in goods at various Wal-Marts and Sam's Club stores in Florida. However, the collateral damage from the incident has been colossal. TJX Companies, Inc. (TJX) (T.J. Maxx Stores is one of the companies owned by the group, Marshalls is another) settled with Visa for $40 million in November 2007 and with MasterCard in April 2008 for $24 million.

The impact was nationwide. Tens of millions of customers had to be reissued credit cards. Customers who had set up automated payments on the stolen cards received collection notices from service providers when charges did not go through because the cards had been canceled and new ones had been issued in their place.

Surprisingly, sales at T.J. Maxx do not seem to have been significantly affected by the intrusion (Figure 2.6). Fraudulent expenses were refunded to customers by the credit-card companies through the automatic protection programs offered by credit cards. Customers do not seem to mind their cards information stolen so long as they are not held liable for fraudulent transactions.

Significance

The T.J. Maxx case is significant for the study of information security and its relationship with other professions because the case has been extensively documented in the press. In addition, details are also available from the indictments made in the case. These readings provide a rich account of the actors involved in information security, their motivations. and the legal processes that follow major information security incidents.

REFERENCES

Pereira, J. “How credit-card data went out wireless door,” Wall Street Journal, May 4, 2007.

Pereira, J., Levitz, J. and Singer-Vine, J. “U.S. indicts 11 in global credit-card scheme,” Wall Street Journal, August 6, 2008: A1.

United States of America vs. Albert Gonzalez, Criminal indictment in US District Court, Massachusetts, August 5, 2008 (the T.J. Maxxcase).

United States of America vs. Albert Gonzalez, Criminal indictment in US District Court, New Jersey, August 17, 2009 (the Heartland case).

Zetter, K. “TJX Hacker was awash in cash; his penniless coder faces prison,” Wired, June 18, 2009.

Gorman, S. “Arrest in Epic Cyber Swindle,” Wall Street Journal, August 18, 2009.

Gorman, S. “Hacker sentenced to 20 years in massive data theft,” Wall Street Journal, 2010: A1.

“Albert Gonzalez,” Wikipedia, http://en.wikipedia.org/wiki/Albert_Gonzalez.

T.J. Maxx, 10-K reports, 2006–2010.

T.J. Maxx, 8-K filing, January 18, 2007; April 2, 2008; November 30, 2007.

CHAPTER REVIEW QUESTIONS

1. What is system administration?
2. Why is system administration important?
3. Who is a system administrator?
4. What are some of the important day-to-day activities performed by system administrators?
5. Define Infrastructure as a Service (IaaS).
6. What are some of the benefits of using an IaaS provider?
7. What is a virtual server?
8. What are some benefits of virtualization?
9. What is the role of a system administrator in maintaining information security in an organization?
10. What is software configuration?
11. How does software configuration impact information security?
12. Define access control. How can weak access controls impact information security?
13. Define user management. How does user management impact information security?
14. What is monitoring? How does it help information security?
15. What is reactive monitoring? What are some common reactive monitoring methods?
16. What is proactive testing? What are some common proactive testing methods?
17. What is a system update? What are the challenges in keeping systems updated? Why is it important for information security?
18. What is a single point of failure? How do system administrators typically deal with single points of failure?
19. What is the difference between cold spares and hot spares?
20. What is Active Directory? What role does it play in maintaining information security on Windows computers?
21. What are group policies? How do group policies assist system administrators in maintaining information security?
22. What is a domain controller?
23. Provide a brief description (two to three sentences maximum) of the information security features of the latest version of Microsoft's System Center or comparable product.
24. What is Linux? Why is it popular? What are some of the most popular distributions of Linux?
25. Provide a brief overview (two to three sentences maximum) of the capabilities of Puppet, the IT automation software used by many system administrators.

EXAMPLE CASE QUESTIONS

1. Based on the information provided above, list as many example of violation of confidentiality, integrity, and availability identified in the case.
2. Based on the case, identify the failures in execution of the common system administration tasks at T.J. Maxx at the time of the case.
3. If you were responsible for system administration at T.J. Maxx, what are the things you would have done to prevent the occurrence of the incidents reported in the case?

HANDS-ON ACTIVITY–LINUX SYSTEM INSTALLATION

In order to get practical hands-on experience on essential information security and system administration skills, the book includes a series of hands-on activities, which use the Linux operating system. You will create the required environment as the hands-on activities in this chapter. When you complete the activity, you will have your own working copy of CentOS Linux (http://centos.org) that we have configured for use with this course. In our experience, at the end of the course, students find these hands-on activities to be the most useful component of this course, and in fact, one of the most interesting activities in their college studies. The specific configuration used here has been chosen because it allows you to create the required infrastructure on almost any computer you may own. We have taken considerable effort to make this resource available for you because these are skills that are highly sought after by employers and which differentiate you from competitors in the marketplace. We hope you find these activities as exciting as we are excited about creating them (Figure 2.7).

The activity for this chapter is completed in two steps. In the first step, you will install VirtualBox, a virtualization environment. In the second step, you will use VirtualBox to create a virtual machine containing a preconfigured Linux operating system.

Step 1 – Installing VirtualBox

Before you begin, note the minimum system requirements:

• Windows XP, Windows 7, Windows Server 2003, or Windows Server 2008
• Macintosh OSX 10.5 or greater
• 2 GB of RAM
• 10 GB free hard drive space

VirtualBox is an open source computer application that can be installed on any computer running an Intel or AMD processor to create virtual machines on the computer. Guest operating systems can be installed on these virtual machines so that a Windows computer with adequate storage and processing power can run multiple operating systems. Follow these steps to install VirtualBox on your personal computer. At the time of this writing, the product is being updated very rapidly, so your version numbers may differ from those shown here. It should be safe to follow the configuration management rule for consumers, “when in doubt, install the latest version.” For more details on VirtualBox, check the VirtualBox manual,²⁶ particularly Chapter 1 of the manual.

1. Visit the VirtualBox download page (Figure 2.8) to obtain the installer. This URL changes often; it is best to search for “Download VirtualBox” to locate this link. The page looks as below. Download the appropriate installer for your system. The instructions below are for Windows. The procedure for other systems will be similar.
2. Double-click the downloaded file to start the installation. Click “Next” on the welcome screen (Figure 2.9) to begin the installation.
3. You are now asked to select the location where you would like to install VirtualBox. The default location is your Program Files folder. Click “next” if the default install location is OK (Figure 2.10).

   

   FIGURE 2.8 VirtualBox download page

4. The installation now proceeds like any normal application. You may receive an alert from the UAC (user acceptance control). Allow the installation and proceed through the screens by clicking “Next.”
5. You may receive a warning that your network connections will be restarted. If you have any network traffic (file downloads, music streaming, etc), you may want to wait until those transfers are complete before proceeding.
6. If you are asked whether you would like to install USB support, it is recommended that you elect to do so.

   

   FIGURE 2.9 VirtualBox installer welcome screen

   

   FIGURE 2.10 Default install Location

7. Click “Finish” to complete the installation. When installation is complete, you will see the confirmation (Figure 2.11). If you enable the checkbox to start VirtualBox, you will see the VirtualBox manager (Figure 2.12). It is currently empty. You will populate it with your own customized Linux operating system in the next step of this exercise.

Step 2 – Install the OS

As you may have read in the VirtualBox documentation, you can install almost any modern desktop operating system as a guest OS. For this book, we have customized a distribution of Linux. Using Linux in allows us to circumvent commercial licensing limitations. Fortunately, most security concepts are generalizable across operating systems and most of the general concepts you will learn here also apply to Windows. Follow the instructions below to install the customized Linux distribution in a new virtual machine on your computer:

1. Download the CentOS Linux virtual image from the companion website for the text. The .ova file extension stands for “Open Virtual Appliance,” an industry standard for operating systems packaged for installation into a virtual machine.²⁷ The format was created by VMWare, a leading firm in the virtualization industry. Note that this is a VERY large (over 2.5 GB) file and can take several hours to download, even over broadband.

   

   FIGURE 2.11 VirtualBox install confirmation

   

   FIGURE 2.12 VirtualBox manager

2. Double-click on the CentOS_6.ova file, the “Appliance Import Wizard” will start. The default values should be fine, and you can start the process of creating your virtual machine by clicking “import,” as shown in Figure 2.13. The import may take 10–20 minutes depending upon the speed of the computer and the location of the installation.
3. When the installation is complete, the VirtualBox manager shows the new VM in the list of VMs (Figure 2.14). You can now start VirtualBox at any time, select the VM and click on “start” to start up the VM. When the VM is running, you can click on “stop” to terminate the VM.
4. At this point, you are probably eager to see what all this leads to. After the virtual machine has been imported, click on “Start.” The Linux operating system will start. Common issues and their solutions are listed below. After any such issues are resolved, you will see the CentOS Linux login screen.

Known issues

1. You may get a warning suggesting that you download and install the expansion pack since your computer had USB 2.0 enabled. You may ignore this message, or if you feel comfortable, you may download and install the extension pack available on the VirtualBox website.
2. You may get warning messages regarding mouse movements, window size, etc. These may be ignored.
3. If you get an error message that says that indicates a problem with the CPU, please select the VM, select “Settings” in the VM manager, then System →Processor and select the “enable PAE checkbox (Figures 2.15 and 2.16).”
4. If you are unable to connect to the network, go to settings → network and attach the network adapter 1 to the NAT as shown in Figure 2.17. You may also be able to just scroll down on the front page and select “Network.”

Starting the virtual machine

1. When the virtual machine boots up, you will see the login screen as shown in Figure 2.18.

   

   FIGURE 2.13 Default setting for OS import

   

   FIGURE 2.14 Virtual machine in Virtual machine manager

   

   FIGURE 2.15 CPU error

   

   FIGURE 2.16 Enabling PAE

   

   FIGURE 2.17 Attach the VM to NAT

   

   FIGURE 2.18 CentOS VM login screen

   

   FIGURE 2.19 CentOS Linux desktop

2. At the Login prompt enter the username alice and use the password aisforapple. This will bring up the CentOS desktop as shown in Figure 2.19.
   1. To stop the virtual machine, select Machine → Close (Virtual Box → Quit on OS X) from the running CentOS VM window.
   2. To start the machine again, use Start → Programs → Oracle VM VirtualBox → Oracle VM VirtualBox (Applications → Virtual Box in OS X).
   3. In the next chapter, you will learn some basic UNIX/Linux system administration, including folder navigation, using the vi editor, and creating user accounts.

Hands-on activity questions

1. Provide a brief description of VirtualBox and its uses.
2. Provide a brief description of the OVA file format.

   To demonstrate that you have successfully installed the VM, submit the following:

3. A screenshot of the CentOS desktop.
4. Start the browser using Applications → Internet → Firefox web browser. Submit a screenshot of the browser window showing the default home page of the browser.
5. Start the system monitor using Applications → System tools → System monitor. Submit a screenshot of the System monitor.
6. Start the terminal by selecting Applications → System Tools → Terminal. At the prompt, type in the command “whoami.” Submit a screenshot of the terminal window showing the command and its output. (Most of the hands-on activities in the book will make extensive use of this terminal window.)
7. Stop the VM by selecting Machine → Close → Poweroff the machine.

CRITICAL THINKING EXERCISE–GOOGLE EXECUTIVES SENTENCED TO PRISON OVER VIDEO

In September 2006, four classmates bullied a boy suffering from autism at their school in Turin, Italy, and uploaded the clip to Google video (the predecessor to YouTube). The video became popular and was viewed over 5,500 times over the next 2 months and even reached the top of the list of “most entertaining” videos at Google's Italian site.

When Google was notified about it by Italian Police, Google removed the video. However, the boy's father and Vivi Down, an organization representing people with Down's syndrome, sued four Google executives for defamation and illegal personal data handling. Google claims it was swift in removing the video upon being alerted.

On February 24, 2010, the Court of Milan acquitted all executives of the defamation charge, but held three executives guilty of illegal personal data handling and being slow to remove the video upon being informed about it by the police. They were senior vice president and chief legal officer David Drummond, former Google Italy board member George De Los Reyes, and global privacy counsel Peter Fleischer. Personal liability was assigned because corporate officers are held legally liable for a company's actions in Italian law. None of the executives was present in Italy for the hearing and since the sentence was suspended pending appeal, none were under immediate threat of imprisonment.

Google's stand, articulated by its communications manager, was that “They didn't upload it, they didn't film it, they didn't review it and yet they have been found guilty.” In his 111-page judgment, the judge Oscar Magi wrote “the Internet [is] not an unlimited prairie where everything is permitted and nothing can be prohibited…. Instead, there were laws regulating behavior and if those laws were not respected, ‘penal consequences’ could ensue.” According to Italian law, not stopping a fact is equivalent to causing it. The data protection law requires prior authorization before handling personal data and the posted video was personal data. Therefore, Google was responsible for ensuring that the user who posted the video had the consent of everyone involved in the video.

On December 21, 2012, an Italian appeals court overturned the conviction and acquitted the executives.

REFERENCES

Manuela D’ Alessandro, “Google executives convicted for Italy autism video,” 02/24/2010, http://www.reuters.com/article/2010/02/24/us-italy-google-conviction-idUSTRE61N2G520100224 (accessed 07/16/2013).

Hooper, J. “Google executives convicted in Italy over abuse video,” The Guardian, 02/24/2010, http://www.guardian.co.uk/technology/2010/feb/24/google-video-italy-privacy-convictions (accessed 07/16/2013)

Povoledo, E. “Italian judge cites profit as justifying a Google conviction,” New York Times, April 12, 2010.

EDRi-gram, “First decision in the Italian criminal case against Google executives,” 02/24/2010, http://www.edri.org/edrigram/number8.4/decision-italy-vs-google-executives (accessed 07/16/2013).

Pfanner, E. “Italian appeals court acquits 3 Google executives in privacy case,” New York Times, December 21, 2012.

CRITICAL THINKING QUESTIONS

1. What is your opinion about the incident?
2. Should system administrators and companies be responsible for the content posted by users of a website?
3. Say you are the system administrator of a website and you receive a request from a user to delete a picture uploaded by a friend at a party that includes the user. Would you consider the request reasonable?
4. How would you respond to such a request?

DESIGN CASE

For this design case, we will use the Sunshine State University used on the first chapter. Like many other IT-related services at the University, email support is divided into two major systems:

1. Information technology, which reports to the VP of Business and Finance, supports email for all administrative personnel. For historical reasons, the Provost Office pays IT for support of faculty email as well.
2. Student email is supported by the technical staff reporting to the Dean of Students.

The current Student Email system runs on a single server purchased 6 years ago. The server has two internal drives. The internal drives contain the operating system and applications and an external JBOD holds all the data. The server has a single power supply and a single network port. The server runs Linux and the open source SMTP program Sendmail for email delivery.

A recent hardware issue brought the Student Email Servers crashing. The first time this happened, there was an outage of 13 hours. Unfortunately, the root cause of the initial outage was not determined and problem happened again but this time things were a bit more serious: a critical storage failure caused all of the emails to be lost. The System Administrator in charge of the server could not handle the pressure and resigned. You were the Student Assistant to the Sys Admin. The Dean of Students is in a bit of a bind and offers you a job with great pay, benefits, and tuition waiver program to help you finish your degree.²⁸

Two weeks later the server is back online and all email has been recovered from tape. The failure happened at 1:00 p.m. on a Wednesday. The last backup ran at 2:00 a.m. on Tuesday. Email delivered between those times was irrevocably lost.

The student population is up in arms and the Provost gets involved. Together with the Dean of Students, you are asked to recommend a choice for email service among the following options, along with your reasons for the same:

• Maintain email services locally
• Replace the entire email infrastructure with a SaaS email solution
• GoogleApps for Education (http://www.google.com/apps/intl/en/edu).

SECURITY DESIGN CASE QUESTIONS

1. What is a JBOD anyway?
2. As you research your options for Sunshine State University, you are advised to start with a common procedure – looking at what your closest peers are doing. Businesses call this benchmarking. In your context, this means what peer universities are doing in terms of email systems.
   1. List three universities or colleges in your area that you would consider the closest peers to Sunshine State. (Keep this list handy. You will find yourself returning to this list often to research what these schools are doing to address the challenges you face in this and later chapters.)
   2. Which of these options has each of the institutions selected for email service? Why did they select this choice? (You may find information regarding this on their websites. You can also call their technical support help line).
   3. If your own institution is not on the list in (a), what is your own institution doing for email service? Why?

   

   FIGURE 2.20 Sunshine State University email infrastructure

3. What problems can you anticipate from Sunshine State's current system as shown in Figure 2.20? What are the single points of failure? What would have to happen for the local system to be able to safely handle email service if any of these single points of failure were to fail?
4. What features (if any) do the cloud service models (IaaS and SaaS) offer that could not be currently provided locally?
5. During your research you find that one of the common queries fielded by technical support is restoration of accidentally deleted email. What facilities (if any) does each alternative provide in the restoration of accidentally deleted emails?
6. Another important feature request from the student body is email access from a wide variety of devices, especially non-web clients such as smart phones and traditional email clients such as Thunderbird and Eudora. What support does each of the choices provide for email access from these devices. What advantages or disadvantages does each system have for such access?