
Porn browsing at work leads to corporate security breaches

Users accessing porn at work is a gateway for malware and ransomware that IT pros have to clean up. And if the content is also illegal, it's an even bigger problem. Bob Eisenhardt shares some tips for dealing with this issue.

Fact: Porn sites are bad places to visit in the workplace. And yet I have seen executives in major corporations sit at their desk with the monitor facing the hallway watching porn. I have seen my IT colleagues yank Internet privilege for users who download and store movies on servers. I have seen malware by the ton come in through porn sites. "Would you like to run AKSDKLLS.EXE?" is usually a bad thing indeed, and users religiously hit the NO button which is probably encoded to read NO on the screen but installs the keyboard logger in the background anyway.

A troublesome client call last week provoked a darker trend in security. This client has one system (of three) that always has malware. At one time it was infected by malware that set the HIDE attribute on every single file on his computer, so it took me two hours to clean it out. In the process, I was advised by the user that the business owner tends to open up every single email link he receives, which is asking for continual hell.

When the client call came in, the system was again locked up. Only this time his system was locked on boot to an FBI website page indicating his IP was blacklisted and for $200 he could get it cleaned up -- on a credit card! Knowing that the FBI does not do that -- they show up at the front door with guns -- this was yet another malware infestation. So I began cleaning it out with good old RKILL, ComboFix, and then MALWAREBYTES scanning. Bored, I also noticed something odd in the My Documents folder.

A great many files (not temp) were marked as HIDDEN once again, so I presumed that virus as mentioned above was still resident, possibly as a rootkit. Joy! More hours of work. But as I examined the hidden files, I saw that many were PowerPoint files with names such as SHERRI IN SPAIN or some such thing. Now we are entering a whole new land as there were about 100 of these things, and also compressed in ZIP files, all individually hidden with odd creation dates. As Sherlock Holmes would say, "Elementary, dear Watson: we have a porn browser here." This user, not the business owner, is the Moriarty who consciously downloads tripe and then marks it hidden. It takes time to do this and some smarts as most people do not know that old feature from DOS. I opened one and saw that Sherri is, indeed, quite happy, and closed it fast.

I showed the owner and documented to his eyes what his fine fellow was doing. I was ordered to clean it out, which I did, and also advised the owner to talk with his employee. I advised the owner that this was putting his entire business at risk as he sells medical insurance policies. We are talking HIPAA security rules here too. Management of staff is his business, not mine, so I left with a check and an embarrassed owner.

Darker thoughts intruded on my drive home. The ladies being displayed were of age, but what if instead of being 26 they were 16 or 6! I almost drove off the road at that one. The security aspect alone being set aside, my role as a consultant also comes into play. What are our responsibilities for security and consulting if we EVER find child porn on a user's system? I was stunned to even consider the idea and very shaken up. Reading the newspaper, we all know it happens but to other people, right?

Perhaps the computer gods were on my side, for the next day I found a newly released piece of ransomware called "ANTI-CHILD PORN SPAM PROTECTION." It pretends to be from a legitimate government source stating that your computer is sending out child porn spam links by email. It tells you that it has encrypted your data to protect you (yeah, right) and that for $500 to $1000 on a MoneyPak or PaySafe card you can get the password for your files. The program is launched IMMEDIATELY on boot. IF you can boot from CD-ROM, look for C:\DVSDLK\SVCHOST.EXE and delete it to regain your desktop.

The files that this infection creates when it is installed are:

c:\Documents and Settings\All Users\Desktop\fvd31234.bat
C:\Documents and Settings\All Users\Desktop\fvd31234.txt
c:\dvsdlk\svchost.exe
c:\ProgramData\rbnedwdels\svchost.exe
c:\ProgramData\sgcvsap\svchost.exe
c:\ProgramData\tcvedwdcv\ghzsrwhbfg.dlls
c:\ProgramData\tcvedwdcv\udsjaqsksw.dlls
c:\ProgramData\thcgds\dkpslqhnsoa.dll
c:\ultimatedecrypter\dc.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe

The Anti-Child Porn Spam Protection ransomware will also create a Windows service with a service name of fdPHosts, a display name of Function Discovery Provider Host Records, and an ImagePath of C:\WINDOWS\system32\svschost.exe. This service runs in the background creating password-protected copies of new data files created on the computer and then deleting the originals. Therefore, once you regain access to your computer, you should immediately disable this service.
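As an added example (my own code, not the article's or the ransomware write-up's), the following Python script turns the file list and service description above into an offline triage check. It assumes you can export a file listing and a service inventory (service name, display name, ImagePath) from the affected volume, for instance while booted from CD-ROM, and feed them in as plain lists; the sample entries are constructed. It goes beyond the listed paths by also flagging the pattern behind them: an svchost.exe outside System32/SysWOW64, a one-character lookalike such as svschost.exe, and the fdPHosts service name, which differs by one letter from the genuine Windows service fdPHost (Function Discovery Provider Host).

```python
# Added example, not from the article: offline triage of a file listing and a
# service inventory against the indicators the article lists. Samples constructed.
from dataclasses import dataclass
import ntpath

# Files the article lists as created by the infection (copied verbatim).
KNOWN_FILES = {
    r"c:\Documents and Settings\All Users\Desktop\fvd31234.bat",
    r"C:\Documents and Settings\All Users\Desktop\fvd31234.txt",
    r"c:\dvsdlk\svchost.exe",
    r"c:\ProgramData\rbnedwdels\svchost.exe",
    r"c:\ProgramData\sgcvsap\svchost.exe",
    r"c:\ProgramData\tcvedwdcv\ghzsrwhbfg.dlls",
    r"c:\ProgramData\tcvedwdcv\udsjaqsksw.dlls",
    r"c:\ProgramData\thcgds\dkpslqhnsoa.dll",
    r"c:\ultimatedecrypter\dc.exe",
    r"c:\WINDOWS\system32\cfwin32.dll",
    r"c:\WINDOWS\system32\csrss32.dll",
    r"c:\WINDOWS\system32\csrss64.dll",
    r"c:\WINDOWS\system32\default2.sfx",
    r"c:\WINDOWS\system32\NoSafeMode.dll",
    r"c:\WINDOWS\system32\nsf.exe",
    r"c:\WINDOWS\system32\sdelete.dll",
    r"c:\WINDOWS\system32\svschost.exe",
}
KNOWN_SERVICE_NAME = "fdphosts"  # service name the article reports
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # genuine svchost homes

def norm(path):
    """Case-fold and normalise a Windows path so comparisons are exact."""
    return ntpath.normpath(path).lower()

KNOWN_FILES_NORM = {norm(p) for p in KNOWN_FILES}

def is_svchost_lookalike(basename):
    """True if deleting one character from basename yields svchost.exe (e.g. svschost.exe)."""
    b = basename.lower()
    return any(b[:i] + b[i + 1:] == "svchost.exe" for i in range(len(b)))

def classify_file(path):
    """Return why a path is suspicious, or None. Generalises beyond the listed paths."""
    n = norm(path)
    if n in KNOWN_FILES_NORM:
        return "matches a path from the published indicator list"
    base, directory = ntpath.basename(n), ntpath.dirname(n)
    if base == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        return "svchost.exe outside System32/SysWOW64"
    if is_svchost_lookalike(base):
        return "one-character lookalike of svchost.exe"
    return None

def suspicious_files(paths):
    return [(p, r) for p in paths if (r := classify_file(p))]

@dataclass
class Service:
    name: str
    display_name: str
    image_path: str  # as stored in the registry; may carry arguments

def image_file(image_path):
    """Strip quotes and arguments ('svchost.exe -k netsvcs') from an ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" -", 1)[0]

def classify_service(svc):
    """Flag the article's fdPHosts name (genuine service is fdPHost) and a bad ImagePath."""
    reasons = []
    if svc.name.lower() == KNOWN_SERVICE_NAME:
        reasons.append("service name is fdPHosts (note the trailing s)")
    file_reason = classify_file(image_file(svc.image_path))
    if file_reason:
        reasons.append("ImagePath " + file_reason)
    return "; ".join(reasons) or None

def suspicious_services(services):
    return [(s, r) for s in services if (r := classify_service(s))]

# Constructed sample inputs mixing genuine and infected entries.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svchost.exe",             # genuine
    r"C:\WINDOWS\system32\svschost.exe",            # listed indicator
    r"C:\ProgramData\sgcvsap\svchost.exe",          # listed indicator
    r"C:\dvsdlk\svchost.exe",                       # listed indicator
    r"C:\Users\owner\AppData\Roaming\svchost.exe",  # not listed, but misplaced
    r"C:\Users\owner\Documents\quote.docx",         # benign
]
SAMPLE_SERVICES = [
    Service("fdPHost", "Function Discovery Provider Host",
            r"C:\WINDOWS\system32\svchost.exe -k LocalService"),  # genuine
    Service("fdPHosts", "Function Discovery Provider Host Records",
            r"C:\WINDOWS\system32\svschost.exe"),  # the article's service
]

if __name__ == "__main__":
    for path, reason in suspicious_files(SAMPLE_FILES):
        print(f"FILE    {path}: {reason}")
    for svc, reason in suspicious_services(SAMPLE_SERVICES):
        print(f"SERVICE {svc.name} ({svc.display_name}): {reason}")
```

To use it on a real case, replace SAMPLE_FILES and SAMPLE_SERVICES with the exported listings. A flagged service should be disabled as soon as the desktop is back (for example `sc config fdPHosts start= disabled`), before it resumes replacing new files, which is the step the text above insists on.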

This type of ransomware was very close to what my client had.

The issue of finding disturbing, possibly even criminal, data on client computers is something that a consultant may have to confront when investigating security issues such as malware infestations. It carries additional security risks and severe legal implications, both for the client and for the individual consultant. Handled correctly, the damage stays on the client's side and does not land on the IT professional.

The following are my suggested take-away points.

  • First, there must be a disclosure statement signed by the client in ADVANCE of any work. A colleague involved with a consulting franchise uses a work order signed by the client per visit. It must state that the consultant will only BROWSE data and will only install software approved by the client. This ensures that the consultant cannot be blamed for dumping porn or anything else onto the system.
  • Secondly, document your findings if you find "porn" of any nature. If adult-themed, immediately advise your client in detail, as I did for my client. Open no more than one file, and only to verify that the data exists. Show the client what you are doing. Stress that the data was present BEFORE you even walked in the door. My client did ask me if this stuff just "comes in" over the web, and while it can, the protocols in my case worked against that. Be clear and precise.
  • Third, educate the client on malware and the security risks that are associated with such data. HIPAA alone qualifies as a major red flag. It must be made clear that his or her business is at legal risk!! (Is your lawyer on your rolodex?) They may not know what a keylogger does, so educate them!

In my case, the situation stopped there when the client ordered me to remove everything I could find, which I did, and I pronounced the system clean of obviously questionable data. This qualifies as "best effort", which is about a 95% guarantee. Advise the client that all obvious data candidates have been deleted and, if possible, sign your work order to that effect.

Worst-case scenario

If child pornography (or anything of a criminal nature) is found, my colleague's consulting franchise has specific instructions: DO NOTHING, stop all work. Get up from the computer then and there. You have to be careful here. Although this franchise's rules say to inform the client what you have found and then call the police, also consider stepping into a side room to call the police before informing the client, especially if you suspect that it is the client who is culpable. The risk of physical injury is very, very real. Tell the client when your own safety allows it, but do not leave the client's office. Stay present. When the police arrive, detail your discovery and tell the truth to the authorities. This is a criminal act and should be treated as such. You have just become part of the legal process too. There will be a court action, so document your work and keep it in detail. You may need to testify.

Tough situation isn't it? I hope we never find such data on our client's computers. As an IT security pro or consultant, have you ever had to face a situation like this? Do you have clear guidelines about what to do and what not to do from your organization? Share your thoughts in the comments.


18 comments
HAL 9000

An Old People's Home that I do a bit of work for is an interesting place. The Old Dears live for the Porn and take a great deal of time and effort looking for the best available on the Company Provided Computers to keep them in their place. Now as these are Company Provided Systems on a Company Provided Network, is not the company charged with looking after these Old People leaving themselves open just like any other company is? Besides, Porn is way too subjective for my liking. There are some that are obviously Hard Porn Sites, but by the same token I've seen some pictures that leave a lot to be desired, but in the circumstances that they are in they are all OK because they are Medical Pictures used for teaching and writing. If they were in a different location they may very well be a problem, but where they were they were perfectly OK and necessary. Though that didn't stop some Do Gooders from complaining who would have complained just as much when told that the problem that they were seeking Professional Advice about could not be treated because the Doctors had no idea of what they were being asked to look at. :^0 Col

Tony Hopkinson

That's not one step away from child molester though! Even if porn was delivered in a safe and system friendly way, unless you happen to be in the porn business, you should probably be doing something else while at work. Like Facebook, warez, filesharing, downloading ringtones, artwork, mp3s.... All curiously not mentioned, which, along with clouding an important issue with your bombastic morality, makes me wonder what concerns you more. Porn, or threat vectors.

jkameleon

Besides eliminating the need for browsing the malware infested porn sites outside of the company, it has other benefits as well: - It keeps managers busy, and workers productive - By means of sexist advertising, it offers a very effective way of delivering the corporate spin, thus boosting employee engagement, and strengthening company culture, values, and vision. Naturally, an internal company porn site has to offer sexist advertising tailored to all sexual minorities in order to avoid discrimination lawsuits, and such.

info

I once was contracted to a place (that I shall not name) that had just hired a dedicated IT security manager. He immediately identified several 'upper-level' personnel that were partaking in frequent porn browsing, cut off access to those sites, and sent them formal letters informing them of the policy, repercussions, yadda yadda yadda... A week or so later he was called into the office by the CIO. Apparently these people had held a meeting with the head of their department, informing them they would leave the company if access wasn't restored. This went to the CEO, and consequently his orders to the CIO were to restore access immediately, and ignore all further activity by these people... Gotta love unenforceable policies!

franciscojanes

How would the author recommend protecting an organization (regardless of size) against the threat posed by dangerous websites, without limiting productivity? Thanks.

Snak

A departmental manager had been informed that one of her staff, a female secretary whom I had not met and whom we shall call Carol, had been seen accessing porn on her machine, so she asked me to investigate in Carol's absence. It only took a few minutes and I found several pictures of a woman scantily-clad in very revealing, black, lacy underwear. But nothing else. It was not 'porn' as I would recognise it; maybe at best it could be described as 'glamour'. I showed this to the manager, who was visibly shocked. The woman was not attractive, rather overweight and, to be honest, the pictures were not at all scintillating. "That's Carol", spluttered the manager. We had to conclude that however unattractive the pictures were, they did not constitute porn. I'm not sure what conversations were held subsequently, but Carol left soon after.

Deadly Ernest

a bare ankle was seen as pornography. I write stories, but most of the websites where you can put free stories up are very restrictive in what they allow; many limit the subject matter - as long as you stay within the subject matter you can be very pornographic and they don't mind, but stray from their subject matter and it's yanked, no westerns on the sci-fi site etc. type thing. There are even sites that won't allow stories unless they have a heavy sexual content, i.e. porn only sites. There is one site that has no real subject restrictions, but since it allows pornographic stories it's a listed porn site, despite huge numbers of the stories having no sex in them. So all of my free stories go up at Stories on Line because I can put them up on the one site, regardless of whether they have any sexual content or no sexual content. Because they're on a listed porn site, many people assume ALL the stories there are porn stories, and they aren't.

Tony Hopkinson

This is the most refreshing and creative solution to the issue I've seen since Big Ug took Little Ug's charcoal away.

JCitizen

that some "upper level' personnel need their 'perks'. ;\

tech

For a start, use a DNS service such as OpenDNS to block the casual user from non work related sites. You get to choose what types of sites are OK. This goes a long way to preventing, especially, accidental or casual visits to potentially dangerous sites. With a little work you can even redirect DNS requests at the router in case someone tries to get fancy and bypass the DNS. Lock down the systems as much as the client will allow. This can be easy or hard depending on the environment. Make sure good Antivirus software is installed and kept up to date. Install and maintain a good Network Firewall that will block rogue access attempts.

Deadly Ernest

available that allow you to filter the content of Internet activity at the gateway, and even log the sites visited by user. Such devices and software have been around for over a decade and are heavily used by many government agencies and companies. The devices and software also allow you to place sites on a blacklist that will then refuse to pass any content from those sites or domains, thus the stuff doesn't get looked at or reach the computer concerned.

roleat

I'm sure this 'Carol' was very offended that you did not find her attractive. Now back to the actual topic itself, which is viewing explicit and risky materials on work time and on work property. Businesses should disclose their privacy policy with their employees and state that their office machines are not personal property and must not be used to engage in work inappropriate activities. One just assumes this, but if it were made clear then it could put the fear into those with less of a technical ability, i.e. the ones who can't hide their activities. I would expect anyone caught engaging in this type of behaviour to be reprimanded immediately. It's beyond unacceptable in a public space, let alone an office environment; wait until you get home to enjoy your scandalous content.

Tony Hopkinson

Thought you were going to plug your latest bodice ripper; never been into the Barbara Cartland stuff myself. :p

jkameleon

And moral too, but that should go without saying.

Tony Hopkinson

instead of complete f'ing idiots. That would probably work out cheaper as well.

HENpp

"When the police arrive, detail your discovery, and tell the truth to the authorities." Do not call the police before contacting your own attorney. You may be advised not to speak to the police at all. Your attorney should probably handle talking to the authorities on your behalf. This is indeed a very difficult situation to handle. Regarding the privacy policy as it relates to office machines, accessing questionable or illegal material using a personal device through the organizational infrastructure would have to be addressed as well.

Deadly Ernest

and some sci-fi as well. If you want a list of the sites to find them, just ask and I'll send them. Heck send me an email with what you like and I'll even send you a free novel in pdf format. If you want a bodice ripper, I can organise that too, but prefer to do the other stuff.

Deadly Ernest

to what extent has management the right to get someone in to work on a BYOD - I suspect anything found on a BYOD would come under the heading of an unlawful search as it was NOT approved by the owner.