
Thread: What would you do ?

  1. #1
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491

    Question What would you do ?

    Hi girls and boys,

    I have some questions for you...

    There's this bigshot CO from a big new firm who thinks he's being "hacked" from inside his firm and wants to find out who the culprit is. So I was called forward to formulate a plan for how I will deal with this.

    Now there's a catch.
    I don't know the OS, don't know anything about the network or any policies, and will probably only know it by the time I meet this bigshot and set foot in this new client's firm. For all I know the entire "I'm being hacked" thing might be paranoia.
    Now I hope this OS will be Windows 2000 or XP, or at least NT4 with the security event log enabled (but I think this hope is in vain), so I could plow through the logs and hope to find the "hacker".

    So most likely there's no security in this new client's firm and that will be the main goal... to sell security. But first I will need to catch this "hacker", and I want to catch him red-handed if possible (not necessary). Are there any tools that will monitor the PC and alert the user if unauthorized access is in progress? Now I know a firewall has this possibility and maybe even some AVs, but I don't want to install any of these tools yet. So what I'm looking for is a tool that will work on even Windows 98 or ME and can show me who is connected, or better yet, can show the client who is connected or tries to connect... does anyone know a good tool that can do this (free if possible)? I would use netstat to see the active connections or something similar depending on the OS, but I don't think this guy will be doing that.

    I will be investigating the PC and try to find any Trojans, backdoors or anything else that may be used by the "attacker", and I will also be checking the settings on the PC: is a firewall installed, is the AV up to date, who has local logon rights, who has domain rights (if it's a domain, that is) and so on... but I will be leaving everything as is on the PC to see who will be connecting.

    Now I know there’s not a lot of information but what would you do if faced with this task?
    Any advice from you specialists is appreciated.
    Back when I was a boy, we carved our own IC's out of wood.
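As an added illustration of the "who is connected" check the post asks about (this is example code, not a tool from the thread): a small Python script that parses saved Windows `netstat -an` output, diffs a current snapshot against a baseline, and reports new listening ports and new remote peers connected to those ports. The netstat text below is constructed, and the host addresses in it are made up.

```python
"""Baseline-and-diff monitor over Windows `netstat -an` text (added example).

Assumption: the baseline was captured when the machine was believed clean, so
any new listener or new inbound peer is worth a look. Save real snapshots with
`netstat -an > baseline.txt` and feed the file contents to new_inbound().
"""
import re

# Constructed sample output, not captured from any real host.
BASELINE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1043      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
CURRENT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1043      ESTABLISHED
  TCP    192.168.1.10:12345     192.168.1.77:2210      ESTABLISHED
  TCP    192.168.1.10:1055      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# proto, local ip, local port, remote ip, remote port, optional state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")

def parse(text):
    """Return (set of TCP listening ports, set of (lport, rip, rport) ESTABLISHED)."""
    listening, established = set(), set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # header line or anything that is not a socket row
        proto, _lip, lport, rip, rport, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listening.add(int(lport))
        elif proto == "TCP" and state == "ESTABLISHED":
            established.add((int(lport), rip, int(rport)))
    return listening, established

def new_inbound(baseline, current):
    """Inbound = a remote peer attached to a local listening port.
    Outbound connections (e.g. the user's own browsing) are ignored."""
    base_listen, base_est = parse(baseline)
    cur_listen, cur_est = parse(current)
    new_listeners = sorted(cur_listen - base_listen)
    new_peers = sorted(c for c in cur_est - base_est if c[0] in cur_listen)
    return new_listeners, new_peers

if __name__ == "__main__":
    listeners, peers = new_inbound(BASELINE, CURRENT)
    print("new listening ports:", listeners)
    for lport, rip, rport in peers:
        print(f"new inbound peer {rip}:{rport} -> local port {lport}")
```

Run against the constructed data it flags the new listener on 12345 and the peer 192.168.1.77 attached to it, while the outbound web connection on port 1055 is left out.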

  2. #2
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Why don't you ask him what his OS is? What is he seeing on his machine that makes him suspect he has been hacked?
    Can you speak to any IT bod in the company (if there is one) and find out if the machines are patched, if they have any firewalls, how they connect to the internet, if they have a router, and if so what it is?

    If you ask intelligent questions you will appear knowledgeable and experienced to the client and you will be better prepared when you finally go on site.

    Most likely the CO has been browsing pr0n and has picked up spyware.

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Well... snort and ethereal, along with any other packet sniffer, will serve your needs.

    I wouldn't worry about catching the hacker. Chances are it doesn't exist. Get them secure and clean up the thousands of adware/virii you are bound to find.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #4
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Alas... I wish it was that simple... this is an assignment where I don't get to call the guy or get the possibility to talk to any of the IT guys over there (if any are available).

    That's the whole point, I get no info but the basics; that's why I post it here... if I had all the info I would post different questions, if any.

    I'm just looking for different input... what would you do with such a task, a task where you hardly get any info...

    "A guy thinks he is being hacked... I don't know his OS, I don't know what the security or network is like in this firm and I can't ask because the guy isn't available (read: I don't wanna ask)... but I want this new client... help him catch the hacker"

    ...this is what my boss tells me... so hence my question.

    I have a fair idea of what can be done and what not... I'm just looking for nice ideas and things I wouldn't immediately think of.

    well...snort and ethereal along with any other packet sniffer will serve your needs.
    I see what you mean... but this idea will probably be too advanced to sell to the client; he'll probably like a simple solution.

    And yes, I too think most of the things found will be viruses and the like... many of them.

    Thanks for the input
    Back when I was a boy, we carved our own IC's out of wood.

  5. #5
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Strange that your boss keeps you from making contact.

    You should probably take a CD of the usual spyware tools: Ad-aware, spyware blaster, Spyware search and destroy, coolsearch shredder (CWS). A free antivirus such as Avast or AVG would probably be a good idea, but I'm not sure if the free licences cover commercial users. A free firewall might be an idea also.

    While you are there you may want to quickly audit the physical security around his machine: does he lock his door at night, etc.
    Find out if they have a password policy. If not, you can speak to him about strong passwords and why it's a good idea to change them regularly.
    Do employees share passwords?
    Do they have antivirus in place? Is it up to date?

    Do they have a desktop policy? Are employees installing their own software? Are they using the company bandwidth for downloading illegal material? You can talk to him about the consequences of having unlicensed software on his network.

    Do they have an acceptable use policy (AUP) for internet and email? Is employee internet/email monitored? Do they have internet filtering? Does he know he could get into trouble if his employees download offensive material?

    Check for wireless access points; if they have them, find out if they are secured or just left open. Are they broadcasting SSIDs?

    What about information assets? Does the company have servers or is it a network of desktops with files stored locally? Do they have centralised backups? Is there a backup policy and is it being followed? How are the backups stored? Do they have offsite storage? Are backups tested?
    Disaster recovery plans (business continuity plans)?

    I see you are in Belgium; the company could well have information covered under the data protection act. Principle 7 of the DPA is concerned with the security of information covered by the DPA; he could get strung up for breaching that.

    If they really have little or no idea about the security of their network, there is a lot you can do for them that has little to do with the specifics of the operating systems.

  6. #6
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Aspman,

    Many thanks for your input... I will definitely be looking at this: Principle 7 of the DPA

    And of course if I get to the location I will be looking into everything you mentioned...

    I just hope I get the possibility to check it all out... there's a lot of mystery hanging round this new client

    Anyway thanks again for your input,

    C.
    Back when I was a boy, we carved our own IC's out of wood.

  7. #7
    Junior Member
    Join Date
    Aug 2004
    Posts
    7
    Maybe you can try this tool: WhoIsConnected
    http://www.nativecs.com/index.en.php
    I know that it is not the most "sophisticated" but it will do the following, according to the home page.

    The brief description of opportunities:

    Monitoring of network connections and open resources.
    Disconnect any selected connection and close any open resource.
    Monitoring your network connections.
    Process control.
    Show open IP ports (Windows XP/2003).
    Disable the newest connections to your computer (analogue of the command "disable login" in OS Novell NetWare).

    This program works on computers with the operating system Microsoft Windows 2000 and later.

  8. #8
    Senior Member
    Join Date
    May 2004
    Posts
    519
    Obviously take all your tools with you: scanners, sniffers, virus software, the lot.

    Fully update and patch all their systems, scan for trojans, and ensure that once you have patched and cleaned the systems all passwords are changed. If it is being attacked from within the company then ensure the physical security of everything: no passwords lying around, rooms unlocked, etc.

    People should not have access to anything they don't need, so check groups etc.

    You can sit a sniffer on the network and listen for anything abnormal, check all logs, and if not already done ensure logging is set up correctly. Make sure when you get there you get a full background on everything (the network setup, the reasons why they think they are being attacked, the proof, full OS and software details... the lot).

    You can never have too much information.

  9. #9
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    obviously take all your tools with you, scanners, sniffers, virus software the lot
    Yes, I will be taking an arsenal of tools... but the most important being some kind of Knoppix distro for checking the client's PC to the bone.

    I will also be looking into the physical security of the big man's office... it's probably wide open.

    I hate not knowing anything... but then again it is also fun finding out yourself, isn't it?

    Thanks for the input guys.
    Back when I was a boy, we carved our own IC's out of wood.

  10. #10
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I think I see this problem a little differently. You said he thinks he is being hacked, and you can't speak with IT people (guessing he doesn't trust them either).

    Before I did anything I would convince your boss that you need to sit down with the client (without your boss), maybe over lunch, and find out in a casual atmosphere why he thinks he is being hacked and from where. Then go about finding out how much he knows about the network, AUP, etc.

    Basically you want to Social Engineer your client.

    From there maybe you can get a better idea of what you will need.
    Remember, he puts his pants on the same way you do, even if he does have someone else to wipe his ass. As long as you are not doing it what do you care?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
