Column: Test Center Rx
- 08 October, 1999 12:01
I believe that my workstation has been hacked. My workstation is connected to an internal LAN and has an assigned IP address. All the workstations are connected to individual floor-port numbers and are somehow connected in the data center to similar numbers and to the servers and operating systems. My problem is that I believe my PC or my IP address was used to access the Internet without my knowledge. I cannot believe this is impossible, as I have been told. I am being held accountable for the Internet accesses that I never accessed. Please assist me in determining whether it is possible to hijack a workstation or IP address on an internal LAN, whether my workstation or IP address could be used by the system administrator or other person without my knowledge, and how any evidence (that my PC was used by someone else) could be traceable.
-- Haroun Dharsey
Brooks: Well, there are two issues here: The first is security on your particular PC, and the second is the nature of IP addresses.
The first thing is the physical security of the PC. Never mind the technical approaches to hijacking; could someone just walk up to your computer while you're away and use it? A screen saver with the password enabled is probably the place to start. This isn't very secure in Windows 9x, but in Windows NT it's actually pretty good.
Of course, if you're using a network login against either a Novell Directory Services tree or a Windows NT Server domain, any administrator can log into your PC. There's not much you can do about that, but, again, if you leave yourself logged in with a password-protected screen saver, you should at least be suspicious if you find yourself logged out when you return to your PC.
The next possibility is that someone else is using the same IP address. This almost can't happen while your machine is on, but if your PC is off at night, there's nothing to keep someone from using that same address. There's really nothing you can do about that -- it's the nature of IP. But it is possible.
As for getting evidence of that kind of thing, you're probably out of luck. There's very little you can do, especially in the case of another machine using your same IP address.
Pace: I have to disagree with Brooks about gathering evidence and protecting your IP address; there are a number of things you can do. However, you'll need to enlist the help of the IT department, who, with any luck, has nothing to do with this. The politics at this stage can be touchy, so tread lightly.
The first thing to have them do is disable your computer's access to the network at certain times of day. Though it might be fun to have your workstation locked while you're at your desk, you'll probably find it impractical. Work out a schedule with IT that will fit easily into the hours you work, so you don't end up staying at work too late -- only to find that your system can no longer access anything.
Once that is done and you're confident that no one is using your machine, have the IT department statically map your MAC address to your IP address in your upstream router's ARP table. Also, have them map the MAC address to your port in the switch. This will prevent anyone else on your subnet from being able to use your IP address from anywhere but your system. Then have the IT staff monitor things again to see if there is any more undesirable traffic coming from your PC.
If they do find traffic, you may have multiple personalities, or someone may be spoofing your IP address. Again, you'll need to work with the IT department to make sure that they have anti-spoofing access lists configured on all their routers. And then it's time to go back to monitoring.
At this point, if the traffic is still showing up, the IT department will need to monitor the network to see where your IP address is coming from. To do so they will need to monitor from a number of different points on the network to be certain of the location of the traffic. Once this is done, and the traffic re-appears, there should be no real questions left in their minds about who, or at least which, machine is responsible. They'll be left with the MAC address and switch port number of the perpetrator who will, no doubt, have a surprise waiting the next day.
(Brooks Talley is the Test Center's test manager and a consultant for InfoWorld Consulting Services. Mark Pace is a senior analyst in the Test Center. Send them your questions at firstname.lastname@example.org.)Desk edit by: