Illicit remote access
November 2, 2006 5:51 PM   Subscribe

Mac OS X security question: it may be that one of our employees is illicitly logging in remotely to one of our computers.

The evidence: an email with attached document received on one of our work computers was, within a couple of hours of receipt, forwarded to the private email of one of our employees. This much is evident from the MS Entourage inbox.

The forwarding apparently took place on a Saturday when, as far as I know, the employee was not on the work premises. It goes without saying that the forwarding of this confidential information was, in our view, a breach of the employee's contract, and we'll have to deal with that.

What I would like to know from mefites is: what are the various means by which he might have gained access remotely to the work computer? It's running Mac OSX 10.4.4. We don't have any particular security measures in place; it's a small business and I myself login remotely to the same computer sometimes using Timbuktu; as far as I know, the employee does not have access to the Timbuktu password. I suspect he is using another method.

BTW the computer in question shares its internet connection with a second computer via IP over Firewire. The employee didn't have access to this second computer either on the Saturday when the email was forwarded.

Won't be able to respond to technical queries for the next few hours: here it's 01.45 and I'm going to bed; but any and all feedback very much appreciated.
posted by londongeezer to Computers & Internet (13 answers total)
I'm not an expert on computers, but I know a lot about employee investigations. Look to see if he was given the password by another employee, or someone else helped him with access to the second computer. In other words, look for a brick and mortar connection to your click question.
posted by Ironmouth at 6:02 PM on November 2, 2006

Can you provide the e-mail headers? Illicit remote access may or may not have been involved. If I understand you correctly, the order of events are as follows:
  1. An e-mail account Aa to which employee A has legitimate access received an email E with an attached document .
  2. Someone retrieved message E from Aa and forwarded it to a private e-mail account Ab owned by employee B.
  3. You examined B's MS Entourage inbox for their private e-mail account Ab and saw message E.
Where is the mail server that hosts e-mail account Aa located? If you don't have any access controls for your mail server, why couldn't employee A have retrieved the mail for account Aa from home using POP3 or IMAP and forwarded it to B's private e-mail account Ab without having to be inside your network at all?
posted by RichardP at 6:16 PM on November 2, 2006

Can you look at the logs on the possibly comprised machine? They should be able to tell you if and when anyone connected to the box. You've got an advantage because you have some specific times when you can start looking.

Now, of course if the person in question is a real hacker then he/she can hide the traces of the connection, but it's the easiest place to start.
posted by mpemulis at 6:18 PM on November 2, 2006

I'm not an entourage user, but could it have been forwarded automatically via a mail rule?

Another method would be via VNC, which is built into OS X. It would be enabled under System Preferences: Sharing: Apple Remote Desktop.
posted by Steve3 at 6:18 PM on November 2, 2006

He might have installed a VNC server (i.e. OSXVNC) or another remote access program besides Timbuktu.

You can technically log in via ssh and script Entourage through AppleScript, but if you want to send mail from a terminal, that's much easier with a command-line mail tool. If you're sure it was sent via Entourage, I'd vote for VNC. It could have been sent from a shell if Entourage wasn't used.

Or of course, the mail may not have gone through that particular machine at all, as RichardP notes. It could even have been sent by another employee pretending to be the employee you're investigating, for the express purpose of getting that employee in trouble -- assuming someone else had access to that document. You can check the e-mail headers on the received message to at least see if it was sent from the suspect's machine's IP address. (Note that since your mail server has to accept e-mail for your company's employees, it could actually be sent from outside your network by anyone on the Internet, and so the From address could be completely spoofed.)
posted by kindall at 6:23 PM on November 2, 2006

Oh yeah, Apple Remote Desktop will work with VNC clients too, forgot about that (its compression is lame, so I always use OSXVNC). That's probably the culprit right there.
posted by kindall at 6:25 PM on November 2, 2006

Here are some simple things I would do immediately after firing anyone:

- Change all passwords on all systems you use, including remote log in, database access, email, and other services. This is crucial.

- Open up the sharing icon in preferences and check what you are sharing and reduce it to a minimal set. and check that the firewall is on and allowing only what you need minimally to get by.
posted by about_time at 6:35 PM on November 2, 2006

So, who was on the premises on Saturday? Who else apart from you knows how Timbuktu is set up? Could this mail not have been forwarded to this employee's private mailbox by somebody else?
posted by flabdablet at 6:42 PM on November 2, 2006

Under the Timbuktu menu is an option to open the Activity Log. I would be sure to look there.
posted by Remy at 7:33 PM on November 2, 2006

Yeah, start with System Preferences:Sharing and see what's enabled under Services and Firewall.

In Applications/Utilities, you'll find a program named Console that lets you browse a lot of logs. Many logs are archived automagically; poke around until you find the system.log from that Saturday and you'll probably get a lot of information from looking at what the computer was logging at that time.
posted by ikkyu2 at 7:41 PM on November 2, 2006

One of the handiest ways to poke around, by the way, is to go to Console/File/Open Quickly and look at the menu listing the contents of /var/log; old system.log files are archived there.
posted by ikkyu2 at 7:43 PM on November 2, 2006

Thanks everybody. This is all very useful info & advice.

Btw, I know the email was forwarded from the inbox of trusted employee (A) not because i have access to the private mail account of the suspect employee (B), but because that email is marked within Entourage as having been forwarded from employee A's work inbox to employee B's private (non-work) email address.
posted by londongeezer at 12:32 AM on November 3, 2006

It couldn't be an automated e-mail forwarding rule that's been set up, could it? Seems pretty daft from a hacking point of view (i.e. it's dead easy to track and disable) but perhaps the employee thought it was OK?
posted by Chunder at 1:27 AM on November 3, 2006

« Older Calling all passive-aggressives   |   Is "marionetting" real? Newer »
This thread is closed to new comments.