Mystery Porn Surfer Becomes Phantom Menace

Determining that an employee has been surfing porn sites is one thing; proving it is another.

It's been a busy week. I'm trying to keep track of the number of extremely senior people that I'm annoying, but it's not easy - and it's only going to get harder next week.

The trouble all stems from my innocent discovery last week that someone was surfing inappropriate (read: pornographic) Web sites from the workstation of an extremely senior member of the company. I promptly passed my findings over to human resources. A staffer approached the problem with guns blazing and then had to backpedal quickly when I reminded her that the data I'd passed her wasn't totally reliable.

The reasons behind that are complex. At the moment, users don't have to authenticate themselves to our Web proxy server. This means that our Web proxy has no idea who requests a particular Web page but only records the IP address from which the request came.

So I take the IP address, resolve that to a machine name using our domain name server (DNS) and then find out who's using that machine from our inventory system. It's not an elegant solution, but it leaves me about 95% certain of the identity of the surfer. That, as far as I'm concerned, is enough proof to warrant a quiet request to management to deal with the user.

Insufficient Evidence

Of course, this information isn't really enough to support disciplinary action.

For one thing, we run Dynamic Host Configuration Protocol on some network segments. It dynamically allocates IP addresses, so the IP address reported in the logs may have been reassigned by the time I ran the scans and queried the DNS. It's also possible that our inventory system is incorrect, our cobbled-together log-scanning scripts have errors, my data manipulation in Excel introduced errors and so on.
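The IP-to-machine-to-user chain described above, with the DHCP caveat built in, as an added Python example (not code from the column; the proxy log layout, the lease history and the inventory are constructed): a request is attributed to a host only when a DHCP lease for that IP covers the request's own timestamp, otherwise the host and user are left unresolved rather than guessed.

```python
import re
from datetime import datetime

# Constructed proxy log lines. With no proxy authentication, only the client
# IP identifies a request: "timestamp ip url".
PROXY_LOG = """\
2001-07-09T13:02:11 10.1.4.23 http://example.net/inappropriate/page1
2001-07-09T13:05:40 10.1.4.23 http://example.net/inappropriate/page2
2001-07-09T22:30:00 10.1.4.23 http://example.net/inappropriate/page3
2001-07-10T09:15:03 10.1.4.23 http://intranet.example.com/news
"""

# Constructed DHCP lease history: (ip, hostname, lease_start, lease_end).
# The same IP is held by two different machines on two different days.
DHCP_LEASES = [
    ("10.1.4.23", "ws-finance-07", "2001-07-09T08:00:00", "2001-07-09T20:00:00"),
    ("10.1.4.23", "ws-intern-02",  "2001-07-10T08:30:00", "2001-07-10T20:30:00"),
]

# Constructed asset inventory: hostname -> user the machine is issued to.
INVENTORY = {"ws-finance-07": "j.doe", "ws-intern-02": "summer.student"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def host_at(ip, when):
    """Hostname that held `ip` at `when`, or None if no single lease covers it."""
    matches = [
        host for (lease_ip, host, start, end) in DHCP_LEASES
        if lease_ip == ip
        and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)
    ]
    # Zero leases: cannot attribute. Two or more: the lease data is inconsistent.
    return matches[0] if len(matches) == 1 else None


def attribute(log_text):
    """Map each log line to (timestamp, url, host, user); unresolved fields are None."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of mis-attributing them
        ts, ip, url = m.groups()
        host = host_at(ip, datetime.fromisoformat(ts))
        user = INVENTORY.get(host) if host else None
        results.append((ts, url, host, user))
    return results
```

The third log line falls between the two leases, so it comes back unresolved even though resolving the IP at the time of the investigation would point at the intern's machine.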

Wednesday's tricky problem: While the great and the good are discussing exactly how to approach this issue from a management perspective, I find out that one of the "inappropriate Web surfers" is now using a different PC than he was last week. This must be due to a desk move. When I check his old PC, I find that it's now being used by a female summer student visiting from overseas.

Unless that Web surfer covered his tracks well - cleaning out his Web cache, deleting any download directories, wiping cookies and so on - he's bound to have left some trace of his former surfing activities on his PC. That means we may have a young female temporary employee from a famously litigious country using a company-issued PC that contains pornography.

One phone call later and the desktop support team finds an imaginary hardware failure on her machine; they swap it out for a new one without alarming anyone.

One way to confirm whether we have the right machine is to check for footprints in the system's history file. At the moment, I need to find a quick and easy way of remotely finding out what sites a particular user has visited. We use Netscape, but its history file isn't an easy format to read. I need a tool, so I turn to the Internet.

I find the Internet endlessly fascinating. It's not just the sheer amount of both useful and useless information that it holds, but also the untold stories that you can infer from the location and presentation of the information.

A search on Netscape Communications Corp.'s Web site for the file name netscape.hst gives page after page of links to sites in a wide variety of languages telling you how to find and delete this file.

The best of these sites, containing a good list of how to cover your surfing tracks (or what to look for if you're sleuthing), turns out to be on a Web page called Julia's Teen Crossdressing Page that's dedicated to helping teen-agers hide their online activity from their parents. Eventually, I do find the utility I need - a program that pulls Web addresses from netscape.hst and turns them into a text list. It works perfectly. It's available at www.rapca.org, the Web site of the Regional Air Pollution Control Agency in Dayton, Ohio. What a bizarre pairing of Web pages.

I run the utility on the suspect machine's netscape.hst files. Yes, I have the right machine, but I still don't know who was using it at the time.

However, I've got this situation almost under control now. The scanning and much of the reporting is now done automatically, and all I have to do is report upwards. This should leave me a bit more time to concentrate on more normal work.

Time for an Audit

I'm looking forward to getting our auditing and monitoring software working.

When I started working here, I was impressed to learn that we had a global enterprise license for what I think is the best software in this field, RealSecure security management software and the various SafeSuite scanner packages from Internet Security Systems Inc. (ISS) in Atlanta.

RealSecure acts almost like a burglar alarm. It has agent software sitting on key servers and key network segments constantly scanning all use of the system, in real time, for what it considers to be suspicious activity. When it finds evidence of a security breach in progress, it can take a range of actions, from alerting key personnel to automatically terminating user sessions.

ISS's Internet Scanner, System Scanner and Database Scanner act as technical audit packages. They find technical security vulnerabilities on target systems, report which vulnerabilities are present on which systems and what the associated risk is and then give detailed advice on how to fix the vulnerability.

I've heard a succession of good reports about these systems, seen numerous marketing presentations extolling their virtues and read many articles about them in the industry press. However, this is going to be the first time I've ever worked in a company that uses them in a production environment. Seeing that most of the rollout of the ISS system is already done, the budget's approved and we only need to arrange the training, things should be relatively simple. I can't wait.

And then, the last thing on a Friday afternoon, the guy who headed up the project to buy, implement and deploy the ISS software resigns. He leaves next Friday. Project documentation? Er . . . he's been meaning to get around to it for months now.

Why did I ever think things would be easy?
