
Employee Problems & Monitoring Needed



Guest Deleted_Account

To start off I would like to say that YES, our usage policy states all networking traffic is monitored, and all computers WILL and MUST be passed through a proxy (allowing us to capture everything). ***

Now one of our employees has been caught E-Mailing company secrets, but wait, there's a problem: They used OpenPGP to encrypt said emails. How do we know what they were doing?

What we know:

1) Said employee accessed a 'Level 4' (Tech) terminal without authorization (we log all logins and logouts on the networks and systems. While the employee has access to this terminal at all times, they are ONLY allowed to access it if me, my team, or Management says so)

2) Immediately after copying Financial documents, employee went back to their workstation and signed on (our system only allows employees to sign on to one computer at a time, and since no one besides IT knows the local accounts & passwords, this eliminates plausible deniability).

3) Employee connected to her personal email and sent an email using OpenPGP (E-mails are intercepted with SSLstrip, which is also in our usage policy, stating "Any personal email or "Secure Website" using protocols such as, but not limited to, SSL, TLS, etc. may be monitored through means of "Stripping" or "forging" of such protections or by means of redirecting traffic [SSL strip]...")

So what I would like to know is what can I do to get hold of that password used to secure the email. I checked for the PGP key but it's been removed. I am in the process of attempting recovery but not sure how the keys are stored or if normal recovery will work. Even so, without the password I cannot decrypt it. Also, I managed to get the public key (from the intercepted emails; the second email contained the public key), again need the password though.

What would my best bet be? Considering the employee knew what she was doing and circumvented our keylogger by using KeyScrambler to encrypt (encode?) the keystrokes. Is there any way to retrieve that password? Under the assumption that she will NOT enter it again on company computers (since she removed the private key, I mean).

Sorry about the long post :P Wanted to make it clear we are allowed to do this. Also, keyloggers are only installed when we suspect something, and said employee has been suspected for months, and now we may have evidence, but it may slip through our fingers if we can't decrypt these messages.

Thank you,

x942

Guest Deleted_Account
Get the lawyers involved.

Already are, but we need proof, and right now that proof is in the form of an encrypted email. And since in Canada there is no legal method of forcing someone to disclose a password, I need a different method of getting it.

Have you considered installing a screen viewer or something similar in order to see what he/she is doing. Then you could record it and use it as evidence or install a silent keylogger.

Edited by Infiltrator

Guest Deleted_Account
Have you considered installing a screen viewer or something similar in order to see what he/she is doing. Then you could record it and use it as evidence or install a silent keylogger.

Keylogger done. Screen viewer may work, though just worried it may be too late, as the data was already sent. Right now I am looking into passwords she has used and attempting to build a dictionary to bruteforce my way in. Also trying to see if OpenPGP has any known vulns, doubt it though.

Does she know that you're onto her?

If she doesn't, you could pose as an interested buyer and try to make her do it again.

She must know, she is obviously doing something wrong, and I am pretty sure she is smart too to realize that someone is watching her. Even though the damage has been done, the only thing to do right now is keep a close eye on her and record everything she does.


Guest Deleted_Account
Does she know that you're onto her?

If she doesn't, you could pose as an interested buyer and try to make her do it again.

Very good idea. She is on to us monitoring her (I know because she has since started bringing in a 3G stick). However, if I pose as a buyer she may use the same password for the key; even if she doesn't, I'll have proof she is sending the messages, as they will be digitally signed. As for the 3G stick, I may issue a 'temporary precaution' to the employees and block all USB devices, or just use the monitoring software and capture it without sniffing, which would work too. I'm worried that a new policy may throw her off from doing it.

She must know, she is obviously doing something wrong, and I am pretty sure she is smart too to realize that someone is watching her. Even though the damage has been done, the only thing to do right now is keep a close eye on her and record everything she does.

Exactly! And everything is being monitored with the exception of when she is browsing on her 3G stick, which, as I mentioned, I am worried if we introduce a new policy it may scare her away. So I am thinking of going ahead with a fake buyer and setup. I'll get the lawyers to make sure we don't cross the line into entrapment. Also, screen captures, key logs and received email will have to be enough, I guess; hope it is. OpenPGP, as predicted, has no useful vulns, only 1 vuln I could find, and that's if a 3 char pass is used, and I doubt that :P

I think you should use a bit of social engineering to get her to reveal the password.


Guest Deleted_Account
I think you should use a bit of social engineering to get her to reveal the password.

That is another great idea. I have never social engineered before, however. Is it just like place a fake, yet realistic, phone call or email to her in order to build trust and then convince her to reveal her password? Hmmm... we have the recipient's email address; maybe if I forge it I could email her and then intercept the password when she sends it back? But that may be entrapment :P

  • 2 weeks later...

Employer monitoring of electronic mail constitutes an emerging area of the law that is clearly unsettled at this point in time. This iBrief demonstrates that the privacy rights of non public-sector employees are relatively unprotected by the federal and state constitutions, broad judicial interpretations of enacted privacy legislation favor legitimate employer-monitoring practices, and many of the elements of common law claims are difficult for employees to prove.

I would have to say +1 to gcninja. It could be under grounds of entrapment, however nobody really has to know that. Especially if you're in an environment with XP or Vista use, she would just think that it's a bug somewhere, and you need to get in. HOWEVER, I would make sure you have someone standing by to take care of 'the rest' as soon as you get that password, because I am certain she will freak out and change it as soon as you get off the phone with her.

Also, are you using Outlook? If so (and presuming she has not deleted the sent emails), you could just reset her pw, go into her computer, and check out her Outlook after hours.

@barry99705- They already have all the evidence needed to kick her ass out right now, however this is definitely something that x942's company needs to take to court with this woman. And in court, you gotta have everything proper or else it's a no go..

Edited by h3%5kr3w

Wait. You're allowing someone to just plug a 3G stick into a company computer?? How the fuck does that fly? She just completely bypassed your firewall. Throw her ass out on those grounds right there.

Barry is 100% right! If you have a stated policy against using 3rd party hardware on company systems then she is in clear violation and you have the right to enforce disciplinary actions against her. It won't recover the files that she stole, but it seems like the burden of proof is against her already.

If I was the employer I would've given her a written warning, informing her of the security breaches she violated and if that continued to happen she could find herself another job or have her prosecuted.

Edited by Infiltrator
But they might not want her to know so they can see what she has been sending etc.

Legality of this might be questionable but could you not, over the weekend, set up a button hole cam that points at her screen and keyboard. So you can see her typing in the password. If she doesn't know about the camera she hopefully won't cover it.

Also, why not question her why she accessed a level 4 computer w/o authorization. It might be late but just say "on our monthly audit, we noticed you had accessed this machine and copied certain files, why was this done?" She'll know she's in trouble, but if she thinks she can lie well enough she'll be good to go. Also, can you make a clone of her HD? It's YOUR computer, you can do what you want with it, i.e. hardware keylogger

Also, why not question her why she accessed a level 4 computer w/o authorization. It might be late but just say "on our monthly audit, we noticed you had accessed this machine and copied certain files, why was this done?" She'll know she's in trouble, but if she thinks she can lie well enough she'll be good to go. Also, can you make a clone of her HD? It's YOUR computer, you can do what you want with it, i.e. hardware keylogger

Good point!

Also, why not question her why she accessed a level 4 computer w/o authorization. It might be late but just say "on our monthly audit, we noticed you had accessed this machine and copied certain files, why was this done?" She'll know she's in trouble, but if she thinks she can lie well enough she'll be good to go. Also, can you make a clone of her HD? It's YOUR computer, you can do what you want with it, i.e. hardware keylogger

Screw that!......Fire that bitch....twice!!!

It's obvious that you have all the proof that you need to take whatever termination action that you need to. Why go through the whole Perry Mason act when you have her by the short hairs :angry:

Since we are all talking about Employee Monitoring needs, I have found a very interesting article on the subject. It's worth a read.

http://www.computerworld.com/s/article/917...is_asked_to_spy

Thanks

Infiltrator

This is instant dismissal in my opinion, and I am unsure as to how an end user should have the ability to log into a "level 4" system with permissions to even do anything bad. You let it go, you will set a precedent for other idiots who pull the same stuff. I have been physically threatened at work because I have deleted movies and music off PCs. I don't give a fuck. They sign the user agreement, they commit to the policy in a legal and binding way, they have no recourse. Companies just don't have the balls to enforce shit. Put a copy of the user agreement on her desk, with the rules that she broke highlighted and that they equate with dismissal. Give her notice, but disable her account till she comes face to face with management to face the music.

Mercy is for the weak.

Cobra Kai

1: Your security sucks. Why can anyone with an account log on to a Level 4 system if it's important that access is controlled?

2: Why is it possible for an employee to copy confidential material onto a flash drive from a Level 4 system?

3: Why can an employee get on to the internet and send emails?

As for firing her, IT doesn't do this, HR does. You pass the information you have to HR and the user's manager, and they decide on the firing.
