
Pointsec & LAN ID Security Hack - is this possible?

  • 15-01-2011 12:35am
    #1
    Registered Users, Registered Users 2 Posts: 98 ✭✭


    Hi,

    Thanks for stopping by.

    I'm not a tech guy but really need the assistance of someone who has knowledge of these things.

    Long story short - I was recently accused of uploading porn to the network of the company that I work for using my company laptop.

    Fortunately for me, the date stamp on the upload happened to be at a time when I was able to verify that I was in hospital as a patient, hence I couldn't have been the one to carry out the uploading of the porn to the company network.

    A subsequent scan of my laptop also showed that there was no porn on my laptop.

    However, the original porn had been uploaded to the company network into my personal folder on the network - seemingly this folder is partitioned on the company network to my particular LAN ID.

    Therefore what I am being accused of now has been downgraded to allowing someone have access to my company laptop through the release of my passwords which to my actual knowledge I have never done.

    The laptop is protected by pointsec upon log on and subsequently by a LAN log in. I have confirmed with the IT dept that administrators on the network can override pointsec with their own administrators passwords.

    The first question I have is, is it possible for anyone else (other than IT dept) to get through pointsec?

    Secondly, if I had left my laptop logged on (past pointsec but still logged out of the LAN but not logging in with my LAN ID) is it possible for someone to log on to the LAN using their ID and then use my personal folder on the company network - i.e. would my personal folder on the network be configured into my laptop regardless of the LAN ID of the user logged on to the network?

    If you could help me out with this question, I would really appreciate it as I'm really trying to figure out how this happened as I'm facing quite a serious sanction at work.

    Also, if anyone else with better tech knowledge than me can maybe also figure out how someone may have gotten to my personal folder on the network that might be useful too!

    I really would appreciate any help anyone could give me on this.

    Thanks for reading!

    Count.


Comments

  • Closed Accounts Posts: 8 sean_crawford


    count66 wrote:
    > Fortunately for me, the date stamp on the upload happened to be at a time when I was able to verify that I was in hospital as a patient, hence I couldn't have been the one to carry out the uploading of the porn to the company network.

    Times on filesystems can be manipulated.

    > The first question I have is, is it possible for anyone else (other than IT dept) to get through pointsec?

    Yes, it can be circumvented by someone with the right knowledge, but that's an unlikely reason for porn being in your network folder.

    > Secondly, if I had left my laptop logged on (past pointsec but still logged out of the LAN but not logging in with my LAN ID) is it possible for someone to log on to the LAN using their ID and then use my personal folder on the company network - i.e. would my personal folder on the network be configured into my laptop regardless of the LAN ID of the user logged on to the network?

    If permissions on your network folder aren't configured properly, i.e. "Everyone" has full access - it could be demonstrated on other users. (not using porn, of course)

    Ask your administrator "what security permissions does my folder have?" and try to be in their presence as they check.

    If they become defensive at your presence, settle (in a friendly manner) with a list of users/groups that have access.

    > If you could help me out with this question, I would really appreciate it as I'm really trying to figure out how this happened as I'm facing quite a serious sanction at work.

    If you're sincere about this not being uploaded by you, then it sounds like someone is trying to smear you or have you dismissed.

    There could be any number of reasons but the scenario where pointsec was circumvented is highly unlikely.

    Here are some of the potential reasons I'd be more concerned about.
    1. LAN Id password was discovered. (how and when)
    2. Network folder wasn't secured properly with correct permissions.
    3. Local or domain administrator account for the company was compromised
    Of course, there are many possibilities but if the person who uploaded the porn didn't calculate the timestamp as a defence, they're probably not thinking of more complex ways they could be caught.

    If your operating system audits login events, you could potentially find your answer there and it's one of the first places I'd check.

    Using the dates of when you were out of office as a starting point and the timestamp of the files uploaded to your folder, check the domain controllers and see who logged in and from where.

    Each login event will have the name of computer it originated from.
    If it originated from your machine, you'll have to guess who it was.

    If all machines audit events locally, you'll be able to see who logged in on those dates too.
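
The log check described in the post above, as an added example that is not part of the original post. It assumes Windows Vista/Server 2008 or later (logon event IDs 4624 and 4625), logon auditing enabled and an elevated session; the date window and the account name `jdoe` are constructed placeholders.

```powershell
# Added example: who logged on as a given account, from which machine, in a time window.
# Run against a domain controller or against the laptop itself.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Start      = '2010-09-01',   # constructed placeholder window
    [datetime]$End        = '2010-09-30',
    [string]$Account      = 'jdoe'          # constructed placeholder account
)

# Logon types that matter here: at the keyboard, over the network, or from cached credentials.
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'
                 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

# 4624 = successful logon, 4625 = failed logon.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Start; EndTime = $End }

# SilentlyContinue: an empty result set is reported by Get-WinEvent as an error.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Named fields live in the event XML under EventData/Data.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            Account     = $data['TargetUserName']
            LogonType   = $logonTypes[[int]$data['LogonType']]
            Workstation = $data['WorkstationName']   # computer the logon originated from
            SourceIp    = $data['IpAddress']
        }
    } |
    Where-Object { $_.Account -eq $Account } |
    Sort-Object Time |
    Format-Table -AutoSize
```

An empty result for the window can mean either no logons or that the log has rolled over or been cleared, so compare the oldest event in the log with `$Start` before drawing conclusions.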


  • Registered Users, Registered Users 2 Posts: 98 ✭✭ count66


    Cheers Mate - thanks for the advice!

    I have obtained my network log in files for my computer and they are clean for the time I was in hospital and match perfectly with my sick days from work.

    The only issue is that they don't record when people log in through VPN and as such I cannot get a record of who logged into my network folder back in September - the record just shows blank.

    This is why they are saying that I had to be the one who let someone on to my laptop by giving them the access to my passwords.

    Although my laptop was in the office at the time I was in hospital, I cannot remember whether it was logged in past pointsec and just logged out at the LAN log in stage or whether it was fully logged out of both systems.

    I'm just trying to see what options were feasible for someone to either get access to my laptop, my network folder etc and you have been a great help that way so thanks!

    By the way, I have a fair idea who it was that tried to set me up but they have been sacked since for doing something dodgy - unrelated to my incident though.


  • Closed Accounts Posts: 8 sean_crawford


    count66 wrote:
    > I have obtained my network log in files for my computer and they are clean for the time I was in hospital and match perfectly with my sick days from work.

    So you have local administrator access? Or are you part of a domain group which has local administrator access? I don't know the specific details but I can imagine if someone has admin access to your laptop, it would be trivial to recover your password hash from cached logins, very easily in fact.

    Cached logins are necessary for that exact scenario - working remotely.

    > The only issue is that they don't record when people log in through VPN and as such I cannot get a record of who logged into my network folder back in September - the record just shows blank.
    >
    > This is why they are saying that I had to be the one who let someone on to my laptop by giving them the access to my passwords.

    I can't imagine those not being logged somewhere but I don't know the full details.

    As said before; if auditing is enabled, the login events would be stored in the security log.

    Assuming it wasn't cleared by someone with admin rights, you should be able to tell who logged in remotely over the LAN or locally at any time/date.

    And if it was cleared, the user id will still be there.

    In any situation, it would be difficult to cover your tracks if an expert was asked to investigate ;-]


  • Registered Users, Registered Users 2 Posts: 98 ✭✭ count66


    Thanks again mate!

    The nature of the job (internal audit) I do means that I can request access to all sorts of files and that's how I managed to get hold of my network log in file.

    The problem is the guy who I think set me up before he got fired, had the permission to get exactly the same access to security systems that I had and probably even more so as he was at manager level.

    That's maybe how he was able to get either the administrator access to the system or the access to my passwords since you're saying it's possible.

    As an internal auditor it wouldn't be unusual for the IT dept to receive such requests from us and they probably would not even have taken any notice of such a request as long as it was coming from an authorised source such as our internal audit department.

    Thanks very much again for all your help - it really is much appreciated. That advice as to how someone else could have accessed the system along with my hospital admission record showing that I could not have been the one who was viewing the adult material at the dates I was supposed to have been should, hopefully, be enough to put me in the clear.

    Have a great day!

    Count.


  • Registered Users, Registered Users 2 Posts: 2,761 ✭✭✭ Col_Loki


    I would check if a request was made to have access to your folder while you were in hospital. I.e. "he was working on something and we now need access to his folder to retrieve the files as it is critical for our work". He might have had access to it for quite a while.

    As Sean said this would show up in the Folder permissions (unless it was later removed). They should still have a reference of the request. They probably don't have auditing enabled on the folders which would let you know the username accessing the folder at the time.

    That would be the most logical IMO.


    I take it the porn has been removed? If not it might be worth checking who the owner is in the permissions (Properties -> Security -> Advanced -> Owner)
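
The permission and owner checks suggested in this thread, as an added example that is not part of the original posts. The share path is a hypothetical placeholder and the list of "broad" groups is an assumption about what counts as over-permissive on a personal folder.

```powershell
# Added example: report who can write to a home folder and who owns each file in it.
param(
    [string]$Path = '\\fileserver\home\jdoe'   # hypothetical placeholder path
)

$acl = Get-Acl -LiteralPath $Path
"Folder owner: $($acl.Owner)"

# Groups that should not normally hold write access to one person's folder (assumed list).
$broadPattern = 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users'
$writeRight   = [System.Security.AccessControl.FileSystemRights]::Write

# One row per access control entry, flagging Allow entries that give a broad group write access.
$acl.Access | ForEach-Object {
    $canWrite = ($_.FileSystemRights -band $writeRight) -ne 0
    [pscustomobject]@{
        Identity   = $_.IdentityReference.Value
        Type       = $_.AccessControlType
        Rights     = $_.FileSystemRights
        Inherited  = $_.IsInherited
        BroadWrite = ($_.AccessControlType -eq 'Allow') -and $canWrite -and
                     ($_.IdentityReference.Value -match $broadPattern)
    }
} | Format-Table -AutoSize

# Per-file owner: the same value as Properties -> Security -> Advanced -> Owner.
# Timestamps are listed for reference only, since they can be changed after the fact.
Get-ChildItem -LiteralPath $Path -Recurse -File |
    Select-Object FullName, CreationTime, LastWriteTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } } |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

Any row with `BroadWrite` set to True, or a named user other than the folder's owner holding write rights, is worth matching against the access requests on file with IT.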


  • Registered Users, Registered Users 2 Posts: 98 ✭✭ count66


    Thanks Col - Loki,

    Your advice has been very helpful.

    I checked with the porn file - it's been well deleted by IT.

    Also, they don't have auditing enabled on the folders as they are saying that it would take up far too much space.

    But one thing in my favour is, if I can prove enough doubt as to the legitimacy of accusing me, when there are not proper controls in place to track who has access to private folders and who doesn't, then that, plus the fact that I was in hospital on the dates concerned, along with the other issues that Sean has highlighted should be enough to clear me, - well here's hoping anyways.

    Thanks again - have a good day!

