Monday, May 12, 2008

My arch-nemesis

Over the weekend my honeynet got pwned. I mean that in every sense of the word. I'm looking at a 50% rate of compromise. I contained the honeynet and planned on dealing with it this morning. While performing some live response on what I'd targeted as patient zero, my screen went black and my room suddenly got quiet. My office usually hums at about 70 dB, so when my PowerEdge server, firewall, Precision workstation, switches, KVM, Mac mini, 2 workstations AND MY HONEYNET go quiet, it's pretty noticeable. I had been in the process of collecting physical memory and... poof.

At first I thought I had popped the breaker. Let's face it, I have quite a bit plugged in. Then my thought process started up again... wait, I've never popped the breaker. Why all of a sudden?

There was a bit of shouting and people started running down the hall to see if I'd broken something, which was kind of funny. I then remembered something: electricians had been sighted earlier in the day. My subordinate confirmed this.

"I just saw someone run from that office into the other room," he said, pointing further down the hall.

I walked to the next office and poked my head in...

ME: "Hey are the electricians screwing with stuff?"

COWORKER: "They shouldn't be."

ME: "Well my office just went dark, where are they?"

COWORKER: "Oh, they're next door, let's go talk to them."

ME: "Probably a good idea."

We both poke our heads into the next room, and I spot a power whip lying in the middle of the floor, as if to mock me and display the prowess of the master electrician, and 3 guys looking at prints. On the wall I spot an open single-gang box with wires mashed in a wire nut. That wall is the exact wall where I get power...

ME: "Are you guys messing with power in here?"

ELECTRICIAN: "We saw a few extra wires attached to that whip and had to disconnect it," he says, looking at me sheepishly.


ME: "You just took down my office."

ELECTRICIAN: "Yeah, sorry about that, that's my bad. I had to disconnect the leads on that whip."

I was lost for words. My arch-nemesis killed all reasonable hope of me collecting information. The VM on boot-up gave me some corrupted-filesystem errors, and the other virtual machines I had running had obviously lost power as well.

Why is the electrician my arch-nemesis you ask? Let's just say this isn't the first time they've struck.


Anonymous said...

I understand that you've moved to VirtualBox for your honeynet environment. Would you mind blogging a bit about that since the switch last January?

Is the solution still acceptable? What is your honeynet makeup, etc.?


Troy said...

Way back in my early days, I was imaging the laptop of a major big wig when all of a sudden the capacitors in several of the power strips we had equipment plugged into began to pop like firecrackers. It turns out some electricians working in the building shorted our whole floor when passing wires through conduit. Electricians and forensics really don't mix well.