Thread: look now

  1. #1
    Junior Member
    Join Date
    Aug 2002
    Posts
    11

    look now

    Hello, I'm a new member and I need help. A larger corporation has recently acquired my company. (Both should remain nameless but they are big name companies, trust me). Computer use policies have been pretty lax, until now! I've recently discovered that there have been subtle changes in our network (installation of firewalls and proxies; changes in IP addresses and shares <It's NT/2000 network.. Ugh, ufff, achhh>) and heard in the office gossip echoes that computer use is being monitored very closely. One of our cleaning people, Hispanic boy of 19, has been fired because apparently the IT department discovered that someone has been accessing XXX sites at around 9pm. Now, my problem! Throughout my work on a computer I switch among many windows and access hacking, freaking, security, Unix, Linux, BSD sites as well as IRC on openprojects. (Please save any morality lectures) Because I switch machines I did this on 2 different machines. (NT4 w/service pack6 & 2000 vanilla install) The problem is that I don't really know NT/2000 logging and caching capabilities. What I want to do is flush all the logs and any traces of my activities on local machines. I know I won't be able to crack the domain servers and clean the traces there, but at least locally. I have been logged in under different accounts, (l0pht crack) so I will need to reboot the machines under ntfs capable *nix (Trinux) and erase all the appropriate folders. Help me to identify which ones they are. I have no clue and Microsoft is notorious for changing all their **** around to confuse and profit. Any advice appreciated. New York can be a cruel place for a 22 year old who got fired 'cause the IT department felt threatened because he was looking at www.astalavista.com

    sorry for misspellings = Microsoft Word 97

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    If they are a large company I guess they are not looking at the logs. They will have an Intrusion Detection system in place. This is able to monitor the network traffic, and looks at what is being sent. It will be looking for certain things, e.g. any http request with XXX in it.

    However, you won't even know the machine is there; when set up correctly they don't even have an IP address. But as they need to report to someone they will have a second network running off the back of them. Your best bet would be to gain physical access to the box and change the logs from there, but that will be noticed as well.

    In other words if they do have even a half decent IDS system in place, there is nothing you can do.

    Sorry for the bad news

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  3. #3
    Junior Member
    Join Date
    Aug 2002
    Posts
    11
    There are no IDSs, I know this for a fact.... remember they are restructuring now... I need to know what to look for in a local machine... (by the way I don't look at porn <at least not at work >)

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    233
    they are probably looking at firewall and proxy logs and nothing on the local machines.

    my only suggestion is to curb your at work surfing habits until the IT department slows down the monitoring.



    El Diablo

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    There are two types of IDS:

    1) Host based - these are programs on local machines, but are normally placed on servers, e.g. web, ftp, file etc. etc. This program looks for changes in the state of the OS.

    They are not normally placed on workstations.

    2) Network based - these are machines connected to the network, whose sole job is to sniff all the network traffic going past. These will be placed at various points on your network, e.g. by the gateway, in front of the external firewall and behind the internal firewall.


    As most of the logging is done by network based, there is nothing you can do about it. Just hope they don't spot what you have been up to in the IDS logs. Or you might have been lucky if the IDS is not set up to look for what you were doing.

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  6. #6
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670

    Re: look now

    Originally posted here by zero_g_rubika
    Throughout my work on a computer I switch among many windows and access hacking, freaking, security, Unix, Linux, BSD sites as well as IRC on openprojects. (Please save any morality lectures) Because I switch machines I did this on 2 different machines. (NT4 w/service pack6 & 2000 vanilla install) The problem is that I don't really know NT/2000 logging and caching capabilities. What I want to do is flush all the logs and any traces of my activities on local machines. I know I won't be able to crack the domain servers and clean the traces there, but at least locally. I have been logged in under different accounts, (l0pht crack) so I will need to reboot the machines under ntfs capable *nix (Trinux) and erase all the appropriate folders. Help me to identify which ones they are. I have no clue and Microsoft is notorious for changing all their **** around to confuse and profit. Any advice appreciated. New York can be a cruel place for a 22 year old who got fired 'cause the IT department felt threatened because he was looking at www.astalavista.com

    sorry for misspellings = Microsoft Word 97
    Hmm...as far as I know, most large companies don't do too much monitoring on local systems. Too many to deal with. The problem is, most of them use proxies for web activity, and if you ever even visit those sites, they've already got you. Many companies also use monitoring software that searches for keywords on each page in the proxy cache. If any keywords pop up, you're toast. My company uses this method, for example. It does you no good to clean all traces of activity on the local machine, because the IP address and timestamp are still connected to the words "HACK" "PHREAK" and "L0PHT" in the logs. My recommendation would be to curb your surfing activities at work until you are more familiar with the new company's capabilities and policies.
    /* You are not expected to understand this. */
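
The proxy-side keyword screening that #5 and #6 describe, as an added example (this is not code from the thread or from any product it mentions): it parses a Squid-style native access.log, whose layout is assumed here, flags requests whose URL contains a watch-list word, and groups the hits by client IP with their timestamps. The log lines are constructed for the example; the watch list is the words #6 names plus the "XXX" string from #2.

```python
"""Keyword screening over a web-proxy access log.

Added example, not code from the thread or from any product it mentions.
Assumes the Squid "native" access.log layout: unix time, elapsed ms, client
IP, result/status, bytes, method, URL, user, hierarchy/peer, content type.
The sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not a real capture). Times are 2002-10-01 ~21:00 UTC.
SAMPLE_LOG = """\
1033506001.123   250 10.1.2.3 TCP_MISS/200 5120 GET http://www.example-news.com/index.html - DIRECT/203.0.113.5 text/html
1033506042.456   310 10.1.2.3 TCP_MISS/200 8123 GET http://www.astalavista.example/search?q=l0pht+crack - DIRECT/203.0.113.9 text/html
1033506080.789   120 10.1.2.7 TCP_HIT/200 2048 GET http://intranet.example/recipes/soup.html - NONE/- text/html
1033506101.000   410 10.1.2.3 TCP_MISS/200 9001 GET http://phreak.example/boxes.html - DIRECT/203.0.113.11 text/html
1033506333.500   180 10.1.2.7 TCP_MISS/200 3300 GET http://www.shack-furniture.example/sale.html - DIRECT/203.0.113.20 text/html
1033506777.321   200 10.1.2.9 TCP_MISS/403 512 GET http://xxx.example/ - DIRECT/203.0.113.12 text/html
"""

# Watch list: the words #6 says the monitoring keys on, plus the "XXX" string
# from #2. Matched on word boundaries so "shack" does not trip on "hack".
KEYWORDS = ("hack", "phreak", "l0pht", "xxx")
KEYWORD_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b", re.IGNORECASE
)

# One native-format record per line; field layout is an assumption (see docstring).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    return rec


def flag_requests(log_text, keyword_re=KEYWORD_RE):
    """Return hits in file order: client IP, UTC timestamp, URL, matched words."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort on a large log
        words = sorted({w.lower() for w in keyword_re.findall(rec["url"])})
        if words:
            hits.append({
                "client": rec["client"],
                "when": rec["when"].strftime("%Y-%m-%d %H:%M:%S"),
                "url": rec["url"],
                "keywords": words,
            })
    return hits


def hits_by_client(hits):
    """Group hits by client IP: this is what ties a workstation to a timeline."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h["client"]].append(h)
    return dict(grouped)


if __name__ == "__main__":
    for client, items in hits_by_client(flag_requests(SAMPLE_LOG)).items():
        print(client)
        for h in items:
            print(f"  {h['when']}  {h['url']}  {h['keywords']}")
```

The point the example makes is the one #6 makes in prose: every hit carries the client IP, a timestamp and the URL, and all three live on the proxy, so nothing done on the workstation changes them. The word-boundary match is a trade-off: it keeps "shack" from flagging "hack", but it also misses "hacking" and "hackers"; a real filter would pick its own tolerance for false positives versus misses.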

  7. #7
    Senior Member SodaMoca5's Avatar
    Join Date
    Mar 2002
    Posts
    236
    Let me ask a few questions for you to consider and then give some recommendations.

    From your concern I must assume that the visiting of these sites is not part of you job. If it is then why be concerned. I too visit many "Hacker", "Phreaker", and "Cracker" sites including this one. It is part of my job to learn and keep current on how our systems may be attacked and what we can do to protect our data.

    Who would you trust more, someone who pushed the edge and admitted it or someone who did it, tried to hide it but was caught? Who would you trust, someone who crossed the line and lied about it or someone who stepped forward and admitted their error? This illustrates a general statement which will underlie each of the scenarios I will try to cover. As a security officer and having held clearance with the government (as well as being friends with an NIS agent) I can tell you that if someone breaches policy and tries to hide it they are 100 times more likely to be seen as suspicious than if they did it and came clean. The very act of trying to cover what you did, if you are caught, would negate any defense you had in the matter.

    Scenarios:

    A) Part of your job or could be construed as part of your job even if from a loose context. Response: Document what you have been doing clearly and concisely. Mention your motives for doing it and any data you have found that has been useful to you in your work. Submit this to your supervisor. He may tell you to stop, it may even get you a reprimand but your chances of keeping your job are excellent. Also, if you are terminated you can tell prospective employers your story and have a reasonable response and can show you were upfront and honest about your activities.

    B) Not part of your job but not really illegal. Response: Check the Acceptable Use Policy of your company. Most of these are very poorly written and do not include visiting the types of sites you mentioned. They often mention porn sites or use of the network for illegal activities. The one for my company has tremendous holes since it deals with porn, illegal activities or giving out sensitive information. Nothing about surfing for recipes, e-mailing friends, or looking up ways to defeat 128 bit encryption. You know - normal stuff. If your usage is not covered in the AUP then your company will not be able to terminate you on that basis. This means they may terminate you but you can ensure that the reason is something far more mild and not likely to cause other companies concern. If they use computer use as the determining factor you could take the AUP to a lawyer and see what recourse you have.

    C) Not part of your job, not strictly legal. Response: Come clean. Honesty, even late honesty will do better to set you in good standing for either keeping this job or finding another. If worst comes to worst move to Washington D.C. as a congressman or senator like most crooks.

    Trying to hide it is not only unwise it is irresponsible and short sighted. You will, of course, have to determine the position your supervisor etc. would take and you may want to seek out someone in your chain of authority who will be most sympathetic to your interpretation and presentation of the events. You could then approach them first and follow up with your other (lower) supervisors by e-mail. A written trail is imperative, handshake deals aren't worth the paper they are written on.

    Hope this Helps.
    SodaMoca5
    \"We are pressing through the sphincter of assholiness\"
