email security - emails read by other people


luca brazzi

Original Poster:

Friday 4th July 2003
Just been asked to investigate potential email snooping in my company. The top people are concerned that other people may be signing into their account and reading their email, or from the unauthorised users' own account reading the director's email, using some kind of remote control tool.

Do you know of any software tools that might help me identify any such activity, whether by seeing which network point is used to sign on to a particular userid, or to notify me through some report or email when a particular email account is logged into.

PS Email is MS Outlook on Windows2000 desktop, NT4 network.
I'm asking about the event logs, but wonder what else is available to help me.

Any thoughts?

Steve

pdV6

Friday 4th July 2003
Assuming you're using Exchange Server, and the dodgy users are logging in to somebody else's mailbox from their own network logon, you can have a look in Exchange Administrator.

On the treeview, pick the appropriate site, drill down to Configuration-->Servers-->(server name)-->Private Information Store-->Logons
and look to see which users are logging in to which mailboxes.

luca brazzi

Original Poster:

Friday 4th July 2003
Thanks Pete... if the legitimate user was logged in at the time, would they notice anything, such as a lock up, or a difference in performance etc?

Steve

alunr

Friday 4th July 2003
Whatever system you're using there will be logs which will list the IP addresses of the client and the account they logged on with.

I've had to do this on a few sites. Very scary stuff sometimes and often ends up with people being sacked!

The other option is to reset the passwords on all the accounts and send out an interoffice email outlining the reasons for it and what the penalties would be if someone were to get caught.

Let us know which email server you are using and I'll see if I've got any notes handy.

pdV6

Friday 4th July 2003
luca brazzi said:
Thanks Pete... if the legitimate user was logged in at the time, would they notice anything, such as a lock up, or a difference in performance etc?

Steve


Pass I'm afraid!

Regarding the other option of reading mail via remote control, I assume you mean something like VNC, Netmeeting, PCAnywhere etc? If so, there wouldn't necessarily be any direct evidence, but AFAIK these types of tools need software to be running on the 'target' machine, which should be fairly easy to spot.

{edited for spellin'}

>> Edited by pdV6 on Friday 4th July 16:27

luca brazzi

Original Poster:

Friday 4th July 2003
alunr said:
I've had to do this on a few sites. Very scary stuff sometimes and often ends up with people being sacked!
Probably will do if this is the case.


alunr said:
Let us know which email server you are using and I'll see if I've got any notes handy.
I know it's MS Exchange but not sure which version yet... waiting for a phone call on that one.

Thanks Steve

>> Edited by luca brazzi on Friday 4th July 16:36

spivvy

Friday 4th July 2003
There is software that you can install on PCs that monitors keystrokes and can be set to raise alerts. This is totally unobtrusive and the user won't be aware it is on there. I had to use it once as we thought someone was doing this after hours.

If it is one particular machine and the user has no objection, you could echo that PC to another machine and watch what occurs on it.

boosted ls1

Friday 4th July 2003
Tell me please, can somebody at another address interrogate your PC when you go online and read your emails, or does your server prevent that? What about Norton, does that stop your machine being given the remote once over? I'd like to know my private chat stays private. Thanks.

CraigAlsop

Friday 4th July 2003
boosted ls1 said:
Tell me please, can somebody at another address interrogate your PC when you go online and read your emails, or does your server prevent that? What about Norton, does that stop your machine being given the remote once over? I'd like to know my private chat stays private. Thanks.
If you are on a network shared by other people (like a company network), or on the ISP's network, then it isn't too hard to "snoop" the traffic between your PC & your mail server, using something like ethereal.
It is then fairly easy to capture account names & passwords. The way to stop this is to use SSL, which encrypts things - but hardly anyone tends to bother, although this will no doubt change....

malman

Saturday 5th July 2003
If you have auditing turned on on your Exchange/NT box you should find entries in the Event Viewer security log showing who did what to whose Exchange mailbox.

As mentioned elsewhere you can use ethereal to track network traffic. This works best if you have a target to start with so you can filter out unwanted stuff as the amount of traffic on most networks makes your task tricky. This will show any remote control traffic or keylogger traffic.

The Exchange admin as mentioned previously will show last logon to a mailbox and current, I think. Be careful with this though as it is not 100% in my experience. I have seen it list mailbox logons 1 line out of step, i.e. showing a = no login, b = a logged in, c = b logged in. If it's not 100% you can't really accuse someone on that basis. So use as backup evidence only.

Make sure the permissions on the mailbox in question are set correctly. If they are, then they may know the password for the account. This should show up in the audit log.


Now the serious bit. There are various and currently conflicting laws governing the collection of data on employees without their knowledge. As usual there seems to be a grey area. I'm not an expert on these so hopefully someone else can provide a reference for you and me. I seem to remember that the employee has the right to privacy (you can't snoop on him/her) but the company (viewed as a person under UK law) has the right to use its property without interference (not sure if that's the right phrase). Basically the company owns the network and has the right to use it for business. If you suspect someone is abusing the network in some way and you came to this suspicion via non user identifying methods then you are allowed to perform more targeted checks.

Does your company have an AUP document that the users sign? In case they try the "nobody told me I wasn't allowed to read the boss's email!" ploy.

Disclaimer:
All of the above is for info purposes only. You should check all relevant laws before collecting data on employees without their knowledge.

Hope that helps

P.S.
This can be a real task in a small company where you (think you) know everyone. Hope this isn't the case for you.

ultimasimon

Saturday 5th July 2003
Just a note of the other side of the coin; when I was a System Admin in my last employment we were actively encouraged by senior management to snoop into everyone's mail. You would be surprised at the amazing topics people talk about when at work.

They were looking for all non work related mail, and we were then supposed to report it - I never did though. Had I done so it would have ruined my most entertaining task of all.

boosted ls1

Saturday 5th July 2003
CraigAlsop said:

boosted ls1 said:
Tell me please, can somebody at another address interrogate your PC when you go online and read your emails, or does your server prevent that? What about Norton, does that stop your machine being given the remote once over? I'd like to know my private chat stays private. Thanks.

If you are on a network shared by other people (like a company network), or on the ISP's network, then it isn't too hard to "snoop" the traffic between your PC & your mail server, using something like ethereal.
It is then fairly easy to capture account names & passwords. The way to stop this is to use SSL, which encrypts things - but hardly anyone tends to bother, although this will no doubt change....


Craig, that's a bit worrying. My PC is at home, I use NTL for my email. So, could anybody else log on to NTL and find me/my email by pretending to be me or some other method? If so how would I know about it or check it?

HarryW

Saturday 5th July 2003
I'm no IT bod, just a 'user', but is the 'person' sure that he has not got 'sharing' set on his Outlook account? I think it is set by the user so that, say, the secretary can have full control of his diary (I know I do with other people). I'm sure there's another option where they can view/share emails as well. Perhaps this has been set by himself or someone else.
Then again I may be wrong.........again

Harry

luca brazzi

Original Poster:

Saturday 5th July 2003
It's the Finance Director's email, which has his secretary as a delegate, and she also has his userid and password... no one else. Information is being leaked and this is one area I've got to look into.

Hopefully it'll show something.
LB

andyf007

Monday 7th July 2003
Don't overlook the obvious in search of a more technical answer. I would start with the monitors themselves. Does anyone have access to either the secretary or finance director's offices, even while they are present? Do either of them leave their PCs on and unlocked, whereby someone could read what's open on the screen? Do they print emails? Rubbish bins and cleaners shouldn't be overlooked, either.

By default, the hard drives on NT or 2K machines are shared for administration as C$ etc. You can switch the sharing off if you suspect someone with the administrator or a domain admin username and password is accessing the drives directly.

Get the Director and secretary to change their passwords, although I'm sure you will have done this anyway. You could also use file encryption for the storage of their documents on the local PC. Do they use home folders on the server? Make sure only the user and the administrator have access to their folders. If possible add all other users or groups to the security on the folders with deny permissions set. (ensure the director or secretary isn't in one of the groups that you deny)

Set the logon hours for the users in User manager for domains to restrict out of office hours logons and, if you can, set the logon to allow the secretary and director accounts to only logon to their own workstations. This should prevent anyone from using their ID at another PC.

Ensure that the director does not have an alternate recipient set in his mailbox properties on the exchange server.

There are plenty of freeware port scanners available that will tell you what ports are open on the PCs and allow you to try to attach to them. If you check all PCs then you may find its counterpart on the network with an identical port open.

This is all fairly basic stuff, but is it likely to be a more serious attack? Is the leaked stuff appearing as office gossip or from a competitor?

Andy

luca brazzi

Original Poster:

Monday 7th July 2003
Thanks Andy....I'm still trying to get hold of the right people to do some digging for me....based on what I've read on this thread.

Can't say much about the leaked information, apart from that it's price sensitive and highly accurate.

Will keep peeps informed on what happens with the investigation.

Keep your ideas coming...
LB

CraigAlsop

Monday 7th July 2003
boosted ls1 said:
Craig, that's a bit worrying. My pc is at home, I use NTL for my email. So, could anybody else log on to NTL and find me/my email by pretending to be me or some other method? If so how would I know about it or check it?
I wouldn't worry too much in your case - to be able to sniff the data, then they would need to be already on the network *between* you & the server. So an NTL employee could probably do this, for example, but an outsider would have to hack into NTL's network first. Nothing's impossible, but this is fairly low on the scale of risk.
Do you dial up, or do you have broadband? If you have broadband, then make sure you have some firewall SW like zonealarm to stop people trying to hack you.

CraigAlsop

Monday 7th July 2003
luca brazzi said:

Can't say much about the leaked information, apart from that it's price sensitive and highly accurate.
Why not place some inaccurate info via email that would discredit your spy....
Just a thought, the intelligence services do this sort of thing all the time.

Marshy

Wednesday 9th July 2003
Regarding sniffing passwords on corporate networks: should be relatively hard these days: any sensible company ought to be using switched networks, and while this doesn't render sniffing impossible, it makes it harder, or requires the attacker to have more of a clue.

Whatever e-mail server you use should maintain access logs - that'd be the first place I'd go looking to see if someone's snarfed a password and is being naughty.

And there *is* much law in the area of snooping employees' activities, although I've forgotten precisely which law applies. Suffice to say though that if you're going to monitor, in detail, their activities, you at least need to have reasonable suspicion that they're up to no good before doing so, and I think you need to make it clear in the AUP that you reserve the right to monitor activities given good reason.

I'll go look up my notes on this and post back when life calms down a bit...

(This topic is given a very good treatment in a course I used to be involved in teaching: the BCS's Certificate in Information Security Management Principles.)
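Several posters point at the same first step: the mail server's access logs (alunr's "IP addresses of the client and the account they logged on with", Marshy's "access logs - the first place I'd go looking") checked against who should be opening the mailbox, from which workstation, and during which hours (andyf007's logon-hours and own-workstation restrictions). The Python below is an added illustration of that check, not code from any poster; the log format, account names and IP addresses are constructed for the example, and a real Exchange or NT audit log would need its own parser.

```python
"""Flag mailbox logons from an unexpected network point, outside office
hours, or by an account that is neither the mailbox owner nor its delegate.
Added example; the log format below is constructed, not a real Exchange log."""
from datetime import datetime

# Constructed sample log: timestamp, mailbox opened, account used, client IP.
SAMPLE_LOG = """\
2003-07-04 09:02 mailbox=fdirector user=fdirector ip=10.0.3.10
2003-07-04 09:15 mailbox=fdirector user=secretary ip=10.0.3.11
2003-07-04 13:40 mailbox=fdirector user=secretary ip=10.0.7.88
2003-07-04 22:13 mailbox=fdirector user=fdirector ip=10.0.3.10
2003-07-04 10:05 mailbox=fdirector user=jbloggs ip=10.0.5.2
"""

# Hypothetical policy: each account's own workstation(s), the accounts
# allowed to open the director's mailbox (owner plus delegate), office hours.
EXPECTED_IP = {"fdirector": {"10.0.3.10"}, "secretary": {"10.0.3.11"}}
ALLOWED_USERS = {"fdirector": {"fdirector", "secretary"}}
OFFICE_HOURS = range(8, 19)  # 08:00 to 18:59

def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    date, time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["when"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
    return rec

def audit(log_text):
    """Return (line, reason) pairs for every logon that breaks the policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["user"] not in ALLOWED_USERS.get(rec["mailbox"], set()):
            findings.append((line, "account has no business opening this mailbox"))
        elif rec["ip"] not in EXPECTED_IP.get(rec["user"], set()):
            findings.append((line, "logon from an unexpected network point"))
        elif rec["when"].hour not in OFFICE_HOURS:
            findings.append((line, "logon outside office hours"))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

On the sample log this flags the delegate's logon from a foreign workstation, the owner's late-night logon, and a third account opening the mailbox; as malman notes, such output is a lead to corroborate with the audit log, not proof on its own.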

Mark.S

Wednesday 9th July 2003
luca brazzi said:
It's the Finance Director's email, which has his secretary as a delegate, and she also has his userid and password... no one else.


Why on earth does she have his userid and password? I can't see any need if the FD has delegated calendar/mail.

I put a beer on the secretary's password being easy to guess or written on a notepad/stuck to the monitor. Someone's taken this and used it to access the FD's email via delegation permissions assigned to the secretary!