Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


How to prevent internal intruder

Posted on 2004-03-24
Medium Priority
Last Modified: 2013-12-04
I am network administrator in one of the company in malaysia, and a novice in IT security.
Lately, an internal intruder who able to sniffer the packet in my network send an email to me everyday, and telling me all the activities that i did. For eg. The content of email that i sent out by using my hotmail account, attachment file sent, the files that i transfered over my internal network.
I felt so unsecure now, i am keen to know what are the tools available that enable the internal intruder to do so, and any tools avaiable to overcome this problem. Please help............
I am using PIX firewall and ISS realsecure IDS in my network, and all kinds of cisco router and switches.
Question by:belim
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 38

Accepted Solution

Rich Rumble earned 400 total points
ID: 10673571
To combat the "sniffing" you need to get on a seperate VLAN, if you are on your own vlan then no one should be able to sniff your connection-physically. If they are spanning your port... then you need to log who is logging on your switch to set that up- to see if your port is being spanned- "show span" will do the job. With luck the intruder is in your company or using a box on your lan to do all this activity. If they are sending you an email, from an account outside the company- but using a server or workstation at your company to do so... then set up a rule in iss to find them... for example, the threats are coming from MR-X@1234.com  set up a rule in ISS to look for people visiting 1234.com. That should narrow the search down with a bit of luck, I don't use ISS so I can't tell you what the rule would look like really...

To sniff out sniffers... use a program like: http://www.securiteam.com/tools/2GUQ8QAQOU.html
http://sniffdet.sourceforge.net/ http://webteca.altervista.org/PDM.htm http://www.workingwireless.net/wireless/Installers/l0pht%20antisniff/ (as-1021.exe is ant-sniff from l0pht industries) can also be found here http://www.securityfocus.com/tools?platid=-1&cat=1&offset=20

A snort rule to detect the intruder using a workstation on your network to send the email (which would be sloppy/ammature) would look like this:
alert tcp home_net any <> External_net (content:"1234.com"; msg:"would-be attacker?";)

LVL 12

Assisted Solution

trywaredk earned 400 total points
ID: 10675043
Ecnrypt your email ...

An Introduction to the Windows 2000 Public-Key Infrastructure - Official white paper from Microsoft that introduces PKI on Windows 2000. Focus is on the design of PKI and the differences between Enterprise Certificate Authorities and stand-alone Certificate Authorities. 20 pages.
Certificate Autoenrollment in Windows XP - With Windows XP it is now possible to autoenroll certificates to users. This reduces the normally high costs of building and maintaining a PKI infrastructure. The entire life cycle of the certificates can be managed including enrollment, renewal and deletion of expired and revoked certificates. To gain this new feature you need a .Net Schema, updates to your Group Policies and a Windows .Net Server 2003 Enterprise Edition as an Enterprise Certificate Authority. 46 pages.
Microsoft Windows 2000 Public Key Infrastructure - White paper from Microsoft concerning the basic functionality in PKI, and what technologies in Windows 2000 that are able to use PKI. 27 pages.
Step-by-Step Guide to Administering Certificate Services - Nice introduction from Microsoft on Certificate Authorities. In this document you find simple practises where you install a stand-alone CA, do a backup and restore of it, issue certificates, revoke certificates and publish CRLs (Certificate Revocation Lists). 10 pages.
Step-by-Step Guide to Public Key Features in Outlook Express 5.0 and Above - Short white paper from Microsoft on configuration ofOutlook Express 5.0 with regards to the use of certificates and encryption/signing of mails. 2 pages.
Step-by-Step Guide to Public Key Features of Outlook 2000 - If you want to send encrypted/signed mail with Outlook 2000 here's an explanation of the client side setup. 3 pages.
Step-by-Step Guide to Public Key-Based Client Authentication in Internet Explorer - Nice little overview from Microsoft going through the configuration of IE when you want certificate based authentication using TLS/SSL. Only the client side is described here. 2 pages.
Windows 2000 Server and Key Management Server Interoperability - White paper from Microsoft on the integration of PKI and Exchange 5.5 / Exchange 2000. Thorough description of using the Key Management component on exchange to enable encryption and signing of emails. 40 pages.
Windows XP Wireless Deployment Technology and Component Overview - This official Microsoft paper addresses Wireless technologies. It sums up the processes of connecting, authenticating and encrypting, and goes into different technologies such as RADIUS/IAS, EAP and certificates. 41 pages.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open


Author Comment

ID: 10675411
If talking about email as example, Any Network IDS that available in the market that can sniffer the packet and re-arrange it back to the original content and attachment. My understanding IDS is just a piece of software which provide log details?????
LVL 38

Expert Comment

by:Rich Rumble
ID: 10676205
IDS' detect packet's that meet certain goal or criteria. Packet Inspecting firewalls are capable of redirecting packets, overwritting them, and various other manipulation. We use our ids to detect exploits and various other unwanted network traffic- virus's being the main target for detection. IDS stands for Intrusion Detection System- they are inteded for the most part to find "hacker" activity and policy violations on your network.

I offered a way to catch, or attempt to catch the person sniffing on your network- trywaredk is telling you how to encrypt your email. The intruder could be using any number of sniffers, the most popular are Ethereal and TcpDump.
If you put your PC on a seperate Vlan- and you still get an email about your activity, then you've got 1 of 2 things going on.
1) your pc is compromised with a key logger, remote view, or some sort of activity logging program
2) your "hacker" has the ability to span your port on the cisco switch... which means you need to change the passwords on the switch, with a laptop or pc NOT plugged into the network- and using the cisco console cable- there is no way to sniff the console cable- then reboot the switch, because if he still has a session to your switch, that will knock him off.

Scan your PC with McAfee or some other anti-virus to be sure your not compromised. Ad-Aware will also detect bunches of trojan programs. The scanners I linked to can catch NIC's sniffing the network, give them a try.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question