Government Security
Network Security Resources


What Can Your Network Admin Access?


8 replies to this topic

#1 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,916 posts

Posted 19 April 2005 - 03:16 AM

I was PM'd this question on another site, and thought I'd share the exchange with you.
-------------------------
The question was:

I am a grad student at ASU in Educational Media/Technology. Unfortunately, the folks at my school assume I know way more than I really do. Our media specialist (who really isn't very technology savvy) has everyone scared out of their wits regarding their hotmail and yahoo email accounts.

Myth or reality?
If an employee logs into hotmail or yahoo email, what exactly does the network administrator have access to?

On another note, if an employee takes his/her personal laptop to school and logs on the server, what does the server administrator have access to on that computer?

---------------------------
My answer:

Well, as usual, it depends.

Unless your email login is encrypted (you login using a page beginning with https://), the admin can see your account and password if he is logging the traffic through the firewall or router or another device. So he can login as you if he wants. Note closely when you log out of your email, and when you login, note the last login time (it usually tells you somewhere). If they don't match, he may be logging in as you.

That goes for any traffic that's on the network. But anyone can run sniffer software on the network and capture the same traffic. Again, if it's encrypted, you won't have any luck, but little traffic is. It's pretty hard to detect sniffers on the network.

As for access to your PC, if you've joined the windows domain, the domain admin (which your admin most likely belongs to) is added to the local administrator's group on your PC. So he has access to everything on your PC.

If you have admin access to your PC, look in the user accounts and check the administrator's group. You can remove that access, but that may break some programs that the admins use (backup, SMS, or other things they run on your PC). Also, if you remove all admins and screw something up, they can't help you as they won't be able to get in.

If you own the PC, I'd clean out all admin access that isn't yours and make sure you know the admin account password. And use one of the free firewalls like zonelabs.

However, remember, there is no true security or privacy as there are so many ways to access a PC without a user knowing it. The best advice: either keep your PC clean and don't do things on it or store things on it you don't want others to find, or use encryption to hide the stuff from prying eyes. It's more work, but it's worth it.

An easy tool that I'd suggest is at http://www.cypherix.com/ The tool is cryptainer, which creates encrypted "folders" in which you can drag and drop files. The LE version is free and can make up to 10MB containers. Buy the PE if you want larger files. I've used it for about a year.

Just make sure you pick a good, long passphrase (at least 12 characters, but I'd do 16) that is hard to guess. But don't forget it, cuz if you do the data is gone gone gone.

Good luck.

#2 Guest_SilverSandStorm_*

Guest_SilverSandStorm_*
  • Guests

Posted 30 April 2005 - 12:45 AM

Nice post beardednose :)

I'd like to add a couple of points

1. Just as the admins can't log your username/password if you're using https/ssl to access your webmail, they can't read those mails either provided again the connection is over HTTPS/SSL

2. You *should* be using a firewall that only lets very specific IPs/mac addresses log on to your PC. If you have a problem with your PC, learn to solve it yourself. Admins are just human beings, give them the same level of trust as you give any normal human being. Which should be close to 0 if you don't know them well !

3. Listen to your admins. They do recommend smart things to do like patching your machine, keeping it up to date, etc. A user who makes their life difficult by not listening to their recommendations, and leaving his/her PC wide open, and then refusing to allow admins access - that's a combination that's going to lead to pain.

However, remember, there is no true security or privacy as there are so many ways to access a PC without a user knowing it. The best advice: either keep your PC clean and don't do things on it or store things on it you don't want others to find, or use encryption to hide the stuff from prying eyes. It's more work, but it's worth it

While this is true, I would say that as long as you're only worried about admins, that isn't a real issue. Keep your PC virus/spyware clean, firewall it, pick up some common sense while following the sundry fads/jokes/fun games/videos, and your PC really isn't likely to get compromised.

#3 MsMittens

MsMittens

    Staff Sergeant

  • Members
  • 258 posts

Posted 30 April 2005 - 12:57 AM

1. Just as the admins can't log your username/password if you're using https/ssl to access your webmail, they can't read those mails either provided again the connection is over HTTPS/SSL


Unless they are using ettercap or Cain'n'Abel. The question is how ethical is the admin?

#4 myth

myth

    Staff Sergeant

  • Members
  • 408 posts

Posted 30 April 2005 - 03:27 AM

Regarding the networks I admin:

If a user thinks he/she can get away with attempting hacking techniques, or other forms which violate the policies in place, I am willing to drop down to his level in order to kill his connections...

Speaking of ettercap, it's been used to kill connections with users who I have flagged for their activities on the network, and the list keeps getting bigger. I should get an assistant.

This also depends on how much time you have, no point spending a week tracking down a user who's just checking their hotmail once a week. I used to send myself school assignments from home.

#5 skydance

skydance

    Corporal

  • Members
  • 176 posts

Posted 30 April 2005 - 04:20 AM

Another thing a user can do is to tunnel their http and irc sessions through a friend's server.... I use Bitvise Tunnelier for that... anyway the admin can do pretty much anything if he really wants your data... monkey with mitm.... arp, dns spoofing....
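The ARP spoofing mentioned above leaves a trace on the victim's own machine: the spoofer's MAC address shows up in the ARP cache against more than one IP, typically the gateway's. The following is an added defender-side check, not code from this thread; it parses constructed sample output in the style of Windows "arp -a" and flags any dynamic entry whose MAC also claims another address.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "arp -a" output (not a real capture).
# 00-11-22-33-44-55 answers for both the gateway (.1) and a workstation (.77).
SAMPLE_ARP_TABLE = """\
Interface: 192.168.1.23 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.77          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"          # IPv4 address
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+"  # MAC, dash or colon separated
    r"(\w+)",                                      # dynamic / static
    re.MULTILINE)

def parse_arp_table(text):
    """Return (ip, mac, type) tuples; MAC normalised to lowercase colon form."""
    return [(ip, mac.lower().replace("-", ":"), kind.lower())
            for ip, mac, kind in ENTRY_RE.findall(text)]

def find_duplicate_macs(entries):
    """Map each MAC that claims more than one IP to the list of those IPs.
    Static entries and broadcast/multicast MACs (low bit of first byte set)
    are skipped, since those legitimately repeat."""
    by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        if kind != "dynamic" or int(mac[:2], 16) & 1:
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_is_suspect(entries, gateway_ip):
    """True when the gateway's IP shares its MAC with another dynamic entry,
    the classic symptom of someone poisoning the cache to sit in the middle."""
    return any(gateway_ip in ips for ips in find_duplicate_macs(entries).values())
```

A hit is an indicator, not proof: a router doing proxy ARP, or a host with several addresses on one interface, also produces one MAC for several IPs, so compare the gateway's MAC against the value recorded on a known-good day.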

#6 Guest_SilverSandStorm_*

Guest_SilverSandStorm_*
  • Guests

Posted 30 April 2005 - 07:06 AM

1. Just as the admins can't log your username/password if you're using https/ssl to access your webmail, they can't read those mails either provided again the connection is over HTTPS/SSL


Unless they are using ettercap or Cain'n'Abel. The question is how ethical is the admin?




If the user refuses to accept a certificate which doesn't belong to the target website, I don't really see how that is going to work (the attack). Might just be me being dizzy from all the theory I've been reading over the past few hours though.

#7 Guest_SilverSandStorm_*

Guest_SilverSandStorm_*
  • Guests

Posted 30 April 2005 - 07:07 AM

Regarding the networks I admin:

If a user thinks he/she can get away with attempting hacking techniques, or other forms which violate the policies in place, I am willing to drop down to his level in order to kill his connections...

Speaking of ettercap, Its been used to kill connections with users who I have flagged for their activities on the network, and the list keeps getting bigger. I should get an assistant.

This also depends on how much time you have, no point spending a week tracking down a user who's just checking their hotmail once a week, i use to to send myself school assignments from home.


Killing a user's connections is quite okay....I think most people are worried about invasion of privacy. Killing connections serves to show the user that you know what they're up to. Either they get smarter, or they stop messing around.

#8 MsMittens

MsMittens

    Staff Sergeant

  • Members
  • 258 posts

Posted 30 April 2005 - 08:52 AM

If the user refuses to accept a certificate which doesn't belong to the target website, I don't really see how that is going to work (the attack).


What if the attacker is just forwarding the certificate and acting as the go-between?

#9 Guest_SilverSandStorm_*

Guest_SilverSandStorm_*
  • Guests

Posted 30 April 2005 - 11:13 PM

If the user refuses to accept a certificate which doesn't belong to the target website, I don't really see how that is going to work (the attack).


What if the attacker is just forwarding the certificate and acting as the go-between?



Hmm, that would permit the connection to go ahead. The problem is that the certificate effectively carries the server's public key [digitally signed]. So by doing this, the attacker is effectively allowing the client (user) access to the server's public key. From now on the security of PKI takes over, without access to the server's private key, the attacker can't do anything further. (the client would simply encrypt her/his public key with the server's public key and send it over, as a very basic example).

The traditional MITM attack on PKI depends on the attacker substituting one (or more) side's public key with her/his own (and thereby impersonating that end). In this case the server's public key isn't substituted, so the attacker can't impersonate the server. The attacker could impersonate the client, but not act as a go between, since the client would see that the attacker *is not* the server.

The attacker can impersonate the client by encrypting her/his public key with the server's public key and sending it to the server (and dropping the client's public key transmission). That would however result in the client now being excluded from the communication, since the client would be unable to decrypt anything being sent by the server (which uses the attacker's public key), if the attacker just passes on the transmissions from the server. The other possibility - the attacker would also be unable to use the client's public key to re-encrypt data and pass it on to the client, since the attacker only has the *encrypted by server public key* form of the client's public key.

So impersonating the client wouldn't allow the attacker to get very far since she/he would need to do so from the initiation of key exchange, and hence she/he would lack the client's credentials (user/password, cc#, etc). Also, eavesdropping would not be possible since the client would be excluded from the transaction.



Of course, what with the plethora of users who simply click Yes when any certificate is produced, all of the above security falls to social engineering :)
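The whole exchange in posts #6 to #9 rests on one client-side decision: does the presented certificate actually belong to the site the user typed in? The block below is an added illustration, not code from this thread, of that name check as browsers and Python's ssl module (with check_hostname enabled) perform it: only dNSName entries in the subjectAltName are consulted, and a wildcard covers exactly one label. The certificate dicts are constructed and use the layout returned by ssl.SSLSocket.getpeercert().

```python
def _match_dns_pattern(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against the target host.
    Exact match, or a single leading '*.' that stands for one whole label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                     # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]           # the part the wildcard must cover
    # Wildcard may not be empty (bare "example.com") or span labels ("a.b").
    return left != "" and "." not in left

def cert_belongs_to_host(cert, hostname):
    """True when some dNSName SAN in the certificate matches hostname.
    The subject CN is deliberately ignored, as modern clients do."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_match_dns_pattern(p, hostname) for p in sans)

# Constructed certificates: the webmail site's own, and one an interloper
# could present (valid for his own name, but not for the webmail host).
WEBMAIL_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}
INTERLOPER_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),   # CN alone earns nothing
    "subjectAltName": (("DNS", "proxy.lab.test"),),
}

def should_proceed(cert, hostname):
    """The decision point the thread argues over: a client that refuses a
    mismatched certificate never sends credentials to the wrong party."""
    return cert_belongs_to_host(cert, hostname)
```

Forwarding the genuine certificate passes this check, as MsMittens notes, but the name check is only the first gate: the client then requires proof of the matching private key during the handshake, which the forwarder does not hold.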



