Solved

How to prevent internal intruder

Posted on 2004-03-24
474 Views
Last Modified: 2013-12-04
I am a network administrator at a company in Malaysia, and a novice in IT security.
Lately, an internal intruder who is able to sniff the packets on my network sends me an email every day telling me all the activities that I did. For example, the content of emails that I sent out using my Hotmail account, attachment files sent, and the files that I transferred over my internal network.
I feel so insecure now. I am keen to know what tools are available that enable the internal intruder to do so, and any tools available to overcome this problem. Please help............
I am using a PIX firewall and an ISS RealSecure IDS in my network, and all kinds of Cisco routers and switches.
Question by:belim
6 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 100 total points
To combat the "sniffing" you need to get on a separate VLAN; if you are on your own VLAN then no one should be able to sniff your connection physically. If they are spanning your port... then you need to log who is logging on to your switch to set that up. To see if your port is being spanned, "show span" will do the job. With luck the intruder is in your company or using a box on your LAN to do all this activity. If they are sending you an email from an account outside the company, but using a server or workstation at your company to do so... then set up a rule in ISS to find them. For example, if the threats are coming from MR-X@1234.com, set up a rule in ISS to look for people visiting 1234.com. That should narrow the search down with a bit of luck. I don't use ISS so I can't tell you what the rule would look like really...

To sniff out sniffers... use a program like: http://www.securiteam.com/tools/2GUQ8QAQOU.html
http://sniffdet.sourceforge.net/ http://webteca.altervista.org/PDM.htm http://www.workingwireless.net/wireless/Installers/l0pht%20antisniff/ (as-1021.exe is AntiSniff from L0pht) can also be found here http://www.securityfocus.com/tools?platid=-1&cat=1&offset=20

A Snort rule to detect the intruder using a workstation on your network to send the email (which would be sloppy/amateur) would look like this (both address variables need a port field, and Snort requires a sid; 1000001 is in the local-rule range):
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"would-be attacker?"; content:"1234.com"; sid:1000001; rev:1;)
GL!
-rich
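The sniffer detectors linked above rely on an ARP test: send an ARP request for a host's IP inside an Ethernet frame addressed to a MAC nobody owns; a NIC in normal mode drops it in hardware, while a NIC in promiscuous mode passes it up and the host answers. The code below is an added illustration of that test, not code from this post or from any of those tools; the MAC and IP addresses are constructed.

```python
import socket
import struct

ETH_P_ARP = 0x0806
# Constructed value: a MAC no real host owns and that is not the broadcast address.
# Switches flood frames to unknown MACs, so every host on the VLAN receives the probe.
BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def arp_frame(dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Raw Ethernet + ARP frame (Ethernet hw type, IPv4 proto, opcode 1=request 2=reply)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_to_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def build_probe(src_mac, src_ip, target_ip):
    """ARP who-has for target_ip, sent to the bogus MAC instead of the broadcast address."""
    return arp_frame(BOGUS_DST_MAC, 1, src_mac, src_ip, "00:00:00:00:00:00", target_ip)

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) if frame is an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return bytes_to_mac(frame[22:28]), socket.inet_ntoa(frame[28:32])

def promiscuous_suspects(captured_frames):
    """IPs that answered the bogus-MAC probe; a NIC in normal mode never sees it."""
    suspects = set()
    for frame in captured_frames:
        reply = parse_arp_reply(frame)
        if reply:
            suspects.add(reply[1])
    return sorted(suspects)

# Constructed sample capture: one host answered the probe, one frame is unrelated noise.
SAMPLE_CAPTURE = [
    arp_frame("00:aa:bb:cc:dd:ee", 2, "00:11:22:33:44:55", "192.168.1.50",
              "00:aa:bb:cc:dd:ee", "192.168.1.10"),
    b"\x00" * 60,
]
```

On Linux the probe bytes can be sent and the replies read back on an interface with a raw AF_PACKET socket (root required); the probe only reaches hosts on the same VLAN, which is why the VLAN advice above matters. Some operating systems filter bogus-MAC frames in software, so a silent host is not proof that it is clean.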
 
LVL 12

Assisted Solution

by:trywaredk
trywaredk earned 100 total points
Encrypt your email ...

An Introduction to the Windows 2000 Public-Key Infrastructure - Official white paper from Microsoft that introduces PKI on Windows 2000. Focus is on the design of PKI and the differences between Enterprise Certificate Authorities and stand-alone Certificate Authorities. 20 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/pkiintro.asp
 
Certificate Autoenrollment in Windows XP - With Windows XP it is now possible to autoenroll certificates to users. This reduces the normally high costs of building and maintaining a PKI infrastructure. The entire life cycle of the certificates can be managed including enrollment, renewal and deletion of expired and revoked certificates. To gain this new feature you need a .Net Schema, updates to your Group Policies and a Windows .Net Server 2003 Enterprise Edition as an Enterprise Certificate Authority. 46 pages.
http://www.microsoft.com/windowsxp/pro/techinfo/administration/autoenroll/default.asp
 
Microsoft Windows 2000 Public Key Infrastructure - White paper from Microsoft concerning the basic functionality in PKI, and what technologies in Windows 2000 that are able to use PKI. 27 pages.
http://www.microsoft.com/windows2000/techinfo/planning/security/pki.asp
 
Step-by-Step Guide to Administering Certificate Services - Nice introduction from Microsoft on Certificate Authorities. In this document you find simple practices where you install a stand-alone CA, do a backup and restore of it, issue certificates, revoke certificates and publish CRLs (Certificate Revocation Lists). 10 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/pubkeyox.asp
 
Step-by-Step Guide to Public Key Features in Outlook Express 5.0 and Above - Short white paper from Microsoft on configuration of Outlook Express 5.0 with regards to the use of certificates and encryption/signing of mails. 2 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/pubkeyox.asp
 
Step-by-Step Guide to Public Key Features of Outlook 2000 - If you want to send encrypted/signed mail with Outlook 2000 here's an explanation of the client side setup. 3 pages.
http://www.microsoft.com/windows2000/techinfo/planning/security/pubkeyol2000.asp
 
Step-by-Step Guide to Public Key-Based Client Authentication in Internet Explorer - Nice little overview from Microsoft going through the configuration of IE when you want certificate based authentication using TLS/SSL. Only the client side is described here. 2 pages.
http://www.microsoft.com/windows2000/techinfo/planning/security/pubkeyie.asp
 
Windows 2000 Server and Key Management Server Interoperability - White paper from Microsoft on the integration of PKI and Exchange 5.5 / Exchange 2000. Thorough description of using the Key Management component on exchange to enable encryption and signing of emails. 40 pages.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/maintain/optimize/win2kms.asp
 
Windows XP Wireless Deployment Technology and Component Overview - This official Microsoft paper addresses Wireless technologies. It sums up the processes of connecting, authenticating and encrypting, and goes into different technologies such as RADIUS/IAS, EAP and certificates. 41 pages.
http://www.microsoft.com/windowsxp/pro/techinfo/administration/networking/default.asp

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

Author Comment

by:belim
Taking email as an example, is there any network IDS available on the market that can sniff the packets and re-arrange them back into the original content and attachment? My understanding is that an IDS is just a piece of software which provides log details?????
LVL 38

Expert Comment

by:Rich Rumble
IDSs detect packets that meet certain goals or criteria. Packet-inspecting firewalls are capable of redirecting packets, overwriting them, and various other manipulation. We use our IDS to detect exploits and various other unwanted network traffic, viruses being the main target for detection. IDS stands for Intrusion Detection System; they are intended for the most part to find "hacker" activity and policy violations on your network.

I offered a way to catch, or attempt to catch the person sniffing on your network- trywaredk is telling you how to encrypt your email. The intruder could be using any number of sniffers, the most popular are Ethereal and TcpDump.
If you put your PC on a separate VLAN and you still get an email about your activity, then you've got one of two things going on.
1) your PC is compromised with a key logger, remote view, or some sort of activity logging program
2) your "hacker" has the ability to span your port on the Cisco switch... which means you need to change the passwords on the switch, with a laptop or PC NOT plugged into the network and using the Cisco console cable (there is no way to sniff the console cable), then reboot the switch, because if he still has a session to your switch, that will knock him off.

Scan your PC with McAfee or some other anti-virus to be sure you're not compromised. Ad-Aware will also detect bunches of trojan programs. The scanners I linked to can catch NICs sniffing the network; give them a try.
GL!
-rich