An email list my boss and I are subscribed to (membership comes with the job, not optional) has a very heavy topic over the security of wireless networks. So, my boss wanted me to do a security audit on our network and write a report on it, ugh, grrrreeeaaaattttt.
Surprisingly it's been fun, but rather scary. It took about 30 minutes to break our WEP key (mainly because I had to learn to use aircrack) and about 10 minutes to gain administrator rights on our network (Windows 2003 server / XP machine environment), and 5 hours to brute force the 79 passwords on all of our employees logins from ms-cache hashes. My password took 4 hours itself, but my bosses who has administrator rights took 7 minutes. In fact, 52% of all passwords broke took under 10 seconds and were in the dictionary. Average password crack time was 4 minutes per password. So now I can login remotely through our VPN and do whatever I want, no need to sit in the parking lot anymore. Fun stuff, and no I wont tell you where I work.
So I'm at the point to where I need to start gathering sensitive information. So I figured I'd put a key logger on a few machines that handle a lot of sensitive data, the credit card numbers and social security numbers of our 30,000+ members. I figured I'd print off a list of whatever names, credit card numbers, and social security numbers it caught. And just for good measure I've already decided to print off a copy of our executive director's, president's, vice president's, and head attorney's pay check to make sure the threat really sinks in.
Which brings me to a key logger. Considering the information that it will be handling I don't want to use just anyone's key logger, I know they're a lot of programing folks here and it's nothing against you personally, I'm just not willing to take that security risk. And also I don't want to use a lot my money or company money to buy an expensive one. I found keylogger.org - but websites like that typically get paid to say "This one is the best..." I don't really need one with a ton of features like web surfing monitoring, network traffic, or email monitoring. I just want something that records key strokes to a *.txt so I can access it easily remotely and stays somewhat hidden.
So, any recommendations?
IP: Logged
12:44 PM
PFF
System Bot
SonataInFSharp Member
Posts: 882 From: Minneapolis, MN Registered: Aug 2003
Why do so many people still use WEP? Is it to accommodate older hardware?
I can't believe people in this current age still use passwords found in the dictionary. My passwords never have any meaning whatsoever. I finally convinced my wife to switch all of her passwords, too.
IP: Logged
12:53 PM
Pyrthian Member
Posts: 29569 From: Detroit, MI Registered: Jul 2002
the joys of network security. as you are now well aware - no such thing as 100% secure. 1st is to enforce secure passwords, which include numbers & such 2nd is to lock out bad logins after 2-3 tries 3rd is scripts. there are a few nifty ones, which like account lock-outs monitor login attempts, and ban an IP address based on bad login attempts. 4th is force new passwords on a regular basis 5th is login cards instead of passwords.
anyways - much is up to how secure you actually need to be. and, yes - wireless is a very unsecure. most wireless access points dont have "lockout" capability for bad login attempts.
Well banning by bad login attempts are useless. The method I used is capturing a few WEP packets and brute forcing the hash on the laptop. I took this approach this it is less likely to create suspicious network traffic. I also didn't brute force the server directly, I sniffed the network for login hashes as people logged in to start their morning work. Once again, I never touched the server for it.
... I figured I'd put a key logger on a few machines that handle a lot of sensitive data, the credit card numbers and social security numbers of our 30,000+ members. I figured I'd print off a list of whatever names, credit card numbers, and social security numbers it caught. And just for good measure I've already decided to print off a copy of our executive director's, president's, vice president's, and head attorney's pay check to make sure the threat really sinks in.
STOP!!! until you have written authorization to do this from somebody in the organization with the power to grant that authorization. Even if your motives are good, this is the kind of activity that can possibly get you (and your boss) fired. Working through your boss, I would discuss your plans with your Corporate Counsel before going any further.
[This message has been edited by Marvin McInnis (edited 09-17-2007).]
IP: Logged
02:07 PM
Synthesis Member
Posts: 12207 From: Jordan, MN Registered: Feb 2002
STOP!!! until you have written authorization to do this from somebody in the organization with the power to grant that authorization. Even if your motives are good, this is the kind of activity that can possibly get you (and your boss) fired. Working through your boss, I would discuss your plans with your Corporate Counsel before going any further.
Definitely!
Just because you were asked to review the security, write a quick report and ask for permission from higher up to go that far. If you gain access to sensitive data and then flash it at them, there is going to be a kneejerk reaction that will most likely involve your loss of job.
They will most likely then hire a security firm to secure everything and then have someone else come in. I have seen it happen.
Originally posted by FieroRumor: My favorite is the hardware type that fits between the keyboard and PC...looks like a tiny dongle...
Those are pretty cool but in order for it to work it would require an "attacker" to be inside our building, not just sitting out in the parking lot or down the street.
quote
Originally posted by Marvin McInnis: STOP!!! until you have written authorization to do this from somebody in the organization with the power to grant that authorization. Even if your motives are good, this is the kind of activity that can possibly get you (and your boss) fired. Working through your boss, I would discuss your plans with your Corporate Counsel before going any further.
quote
Originally posted by Synthesis: Definitely! Just because you were asked to review the security, write a quick report and ask for permission from higher up to go that far. If you gain access to sensitive data and then flash it at them, there is going to be a kneejerk reaction that will most likely involve your loss of job. They will most likely then hire a security firm to secure everything and then have someone else come in. I have seen it happen.
I got a PM from a forum member about this already, although I highly doubt I would be terminated over something like this, I went ahead and took his advice. I now have written permission to gain access to anything for the purpose of the audit as long as it doesn't "bring the network down" and I cannot expose the information to anyone who would be consider "unauthorized." I appreciate everyones concern though.
And my boss wasn't expecting a quick report, he is expecting a fully written, step by step of how I did it, what I used, where I got it, how long it took, and it's going to end up being several pages long, not including what I print off. He is expecting a real security audit, not an email along the lines of "ya i broke in and we are vulnerable." It's my understanding that my report is going to be given to our executive staff and board members.
So, back on topic. Suggestions?
IP: Logged
02:39 PM
Synthesis Member
Posts: 12207 From: Jordan, MN Registered: Feb 2002
Ghost Keylogger. Will email all key presses to you in a log file, as well as the windows they were in and any dialog boxes. You may want to review them for anything that may be work inappropriate and get someone fired before you submit them.
downloaded ghost key logger, only thing I don't like about it is when the user starts up their computer it doesn't start silently, you have to hit "hide."
IP: Logged
03:37 PM
PFF
System Bot
darkhorizon Member
Posts: 12279 From: Flint Michigan Registered: Jan 2006
... I figured I'd put a key logger on a few machines that handle a lot of sensitive data, the credit card numbers and social security numbers of our 30,000+ members.
quote
[I'm more concerned about] ... an "attacker" ... sitting out in the parking lot or down the street.
quote
I now have written permission to gain access to anything for the purpose of the audit as long as it doesn't "bring the network down" and I cannot expose the information to anyone who would be consider "unauthorized."
I don't want to beat a dead horse ... but ... You probably do now have permission to install a key logger on any computer owned by your company, but installing one (or any other software) on a computer not owned by the company, without the owner's knowledge and permission, may be a felony. I don't know Oklahoma law in this regard, but your Corporate Counsel should. Better to ask now than later.
[This message has been edited by Marvin McInnis (edited 09-17-2007).]
Originally posted by Marvin McInnis: I don't want to beat a dead horse ... but ... You probably do now have permission to install a key logger on any computer owned by your company, but installing one (or any other software) on a computer not owned by the company, without the owner's knowledge and permission, may be a felony.
I really appreciate your concern but I assure you that all of the computers I have accessed I have been given written permission and are owned by our company.
quote
Originally posted by FierociousGT: besides WEP why don't you use the MAC address?
Because MAC can be spoofed just as easily as WEP can be cracked.
OmniQuad used to have a real nice security suite, which included a keylogger. I used to use an earlier version which also included taking screen shots if particular words or applications were launched.
I hated to do it, but it was under direction of HR to do particular 'monitoring'.
Ghost keylogger worked pretty well. I figured out it has a "deploy" option and doesn't even need to install. So it worked pretty well. Thanks everyone. Now I get to write a report on what we need to do to secure it!
Ghost keylogger worked pretty well. I figured out it has a "deploy" option and doesn't even need to install. So it worked pretty well. Thanks everyone. Now I get to write a report on what we need to do to secure it!
When someone locks an account 3 things happen. Its written to a log, I get an e-mail and the user calls the help desk because that is the only way to unlock the account. Virus protection is a must, something you can report on and one that will alert you. Give the users just enough to do their job and no more.
