Inappropriate Use of IT Resources and How to Monitor Kevin Savoy, CPA, CISA, CISSP Director of Information Technology Audits Brian Daniels, CISA, GCFA Senior IT Auditor
Agenda • Current Status • Law • Policy • Technical Aspects • Procedures • Monitoring
Pornography Investigations • Commonwealth law and UVA Policy prohibit state employees viewing and downloading of sexually explicit material via state resources. • The Audit Department does not go out of its way to look for this activity. We act when it is reported to us. • Must have permission from the President or Vice President of the area to review someone’s computer activities.
Morality Police? • I and my staff are not here to enforce morality. • What employees do at home (unless criminal) that does not effect UVA is none of my business.
Past 14 months • Ten investigations of staff / faculty. • Nine (9) employees have left the institution. • Egregious cases where employees were downloading thousands of pictures/movies. • Some using peer-to-peer file sharing with users around the world. • Some using “pagesucker” software to download whole websites.
What are the risks? • Potential for Hostile Workplace lawsuits. • Drain on IT resources (bandwidth, drive space). • Pornography is infamous as a means to entice users to sites that are ripe with security risks such as viruses, Trojan horse backdoor software etc. • Criminal activity such as child pornography.
It’s a problem…. • SexTracker, a porn industry consultancy states that about 70% of all Web traffic to Internet pornography sites occurs between 9 a.m. and 5 p.m. • The number of porn sites has vaulted eighteen fold, to 1.3 million, since 1998, says the National Research Council.
CODE OF VIRGINIA 2.2-2827. Restrictions on state employee access to information infrastructure. • Except to the extent required in conjunction with a bona fide, agency-approved research project or other agency-approved undertaking, • no agency employee shall utilize agency-owned or agency-leased computer equipment to access, download, print or store any information infrastructure files or services having sexually explicit content. • Agency approvals shall be given in writing by agency heads, and any such approvals shall be available to the public under the provisions of the Virginia Freedom of Information Act (§ 2.2-3700).
Definition of sexually explicit • We adhere to the law’s definition of sexually explicit. (2.2-2827 and 18.2-390) • This definition can be found at: http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+18.2-390
UVA Policy • Mirrors the Commonwealth’s Code of Virginia: http://www.itc.virginia.edu/policy/moreobscene.html
Degrees of Pornography • Audit Department realizes that evidence of sexually explicit material can be left behind from accidental hit of a sexually explicit web site or received unsolicited via e-mail. • We factor that into our investigations.
Technical Issues – Peer to Peer File Sharing (P2P) • University environment is a sharing environment. We do NO content filtering. • P2P allows users to download parts of files from one another. • Your computer may have 10 percent of a file the rest of the world is looking for. Thus you become a server for those users.
P2P continued • It works great and was designed so everyone would not have to hit just one site to download a movie or whatever and thus overwhelm it. • Two individuals were using it to collect and distribute adult pornography from UVA. • It can be made into an automated process where you type the fetish that you are interested in and you begin to download and trade files with other Internet users.
P2P risks • Potential is there to download and trade movies and pictures that you are unaware of. • In essence, UVA or any business could become a server for child pornography if not careful.
Page Sucker and Vampire • Examples of software that allow one to download the majority of the contents of a web site so that it is stored and viewed off line. • One individual found to be doing this. • The user assumption is that they will not be caught through Internet logs.
Generic log ins • Many computers have generic logins so that it becomes hard to track offending parties. • However, wherever possible it is best to institute individualized logins for accountably. (No one likes to be blamed en masse for another user’s indiscretions).
Procedures • Allegations of abuse should be made to Internal Audit or UVA Police (if it appears criminal). • IT Audit and UVA Police are working closely together when criminal activities may be present. • Departments: DO NOT ATTEMPT to investigate on your own as this may step on evidence and in a worst case scenario make it invalid for HR and/or criminal court proceedings.
Local Support Partner (LSP’s role) • A few cases were brought to our attention when an LSP went to his manager to state that a user’s system had sexually explicit material on it. • In those case’s the employee complained that his system was slow. (That will happen when you store 1000’s of porn movies and pictures on your system!!)
LSP’s role • According to the UVA General Counsel's office, employees of the University generally are not at risk of personal liability for reporting potential legal and policy violations, if following set policy in good faith.
Warning signs… • Monitor positioned so that no casual observer can see what is on the screen. • Users who want to control all lab machines. Booting up in the morning and checking “things out” before letting others on the machine etc. • Frequent corruption of the user’s machine. ***Disclaimer : not all users with the above attributes are viewing pornography!
We don’t just do Porn! • We are an equal opportunity shop. So pornography is just one area that this presentation applies. • Often called in to verify harassment charges, running private businesses, making fraudulent transactions etc.
One last warning to anyone.. • The Internet is not anonymous. • Trails of where you have been are all over the place. • Your own computer • Web site computer • Search engine computer • Internet Service Provider computer • Firewall server • E-mail server • Even router syslogs if implemented
Our Approach • We have a checklist we have devised for these investigations • DOS search for key words such as sex, porn, girl, boy, etc… • Turn on Windows search to include hidden files – review Internet Cache and history • If criminal activity is suspected make a forensic copy of the hard drive first!! • We have utilities to restore deleted files such as deleted JPEGs • We have utilities to change password to get into Window system • We have utilities to review Apple Internet Cache • Use hex editors to review at the byte level • Use keylogger or monitoring software for stealth investigations • DOCUMENT, DOCUMENT, DOCUMENT • Create report
To go Stealthy or not • Each case is different • If the individual knows of the allegation we may review systems on site. • More often we go in after hours to review or make a binary copy unbeknownst to the user. • If we want to review on going behavior we go to key logging/monitoring.
Other uses for monitoring • In one of our cases an investigation was non-conclusive. Some evidence pointed to validation of the anonymous allegation. • Due to the seriousness of the allegation, the employee was told that a condition of their continued employment would be the monitoring of their computer usage.
Legal Implications of Monitoring • Need to observe State Laws and Policies • Look for specific provision regarding monitoring of employee’s computers. • It should be officially stated that there is No Expectation of Privacy when using state machines
Legal Implications of Monitoring cont. • Clause about monitoring should be included in an acceptable use policy so that employees sign off on that they understand that monitoring may be done and there is no expectation of privacy. • Annual review of the acceptable use policy could be mandatory so that employees are aware.
Virginia DHRM Policy • No user should have any expectation of privacy in any message, file, image or data created, sent, retrieved or received by use of the Commonwealth’s equipment and/or access…
Virginia DHRM Policy continued • …Agencies have a right to monitor any and all aspects of their computer systems including, but not limited to, sites, instant messaging systems, chat groups, or news groups visited by agency users, material downloaded or uploaded by agency users, and e-mail sent or received by agency users. Such monitoring may occur at any time, without notice, and without the user’s permission...
Virginia DHRM Policy continued • …In addition, electronic records may be subject to the Freedom of Information Act (FOIA) and, therefore, available for public distribution.
Legal Implications of Monitoring cont. • Despite the policies, if you are monitoring, you should get approval from high ranking employee that can be trusted in advance. • This may protect you down the road.
Key Logging / Monitoring • Hardware Keyloggers still popular. • Literally record key strokes into flash memory from any USB keyboard, up to 2,000,000 keystrokes. http://www.keyghost.com/usb%20keylogger/KeyGhost-USB-Keylogger.jpg
Problems with physical keylogging • Can be detected by users if they snoop around their USB connections. • Must place on the system without arousing suspicion.
Keylogging / Monitoring Software • Generally undetectable software that hides deep in memory while running. • Combines key strokes with images. • Very Low resource overhead so that user does not notice degradation in performance. • Example that we use: • Spector Pro
Online Searches • Records searches conducted online through Google, MSN, Yahoo, etc. • Records: • Timestamp • Search Engine • Search Term • Frequency of Searches on each term • Date range of searches on that term
Online Searches http://www.spectorsoft.com/products/SpectorPro_Windows/index.html#screenSnapshots
Screen Snapshots • You can set it for: • Frequency of screen shots (every 5 seconds, 30 seconds, etc.) • Color recording, or disk-saving black and white
Screen Snapshots – VCR style http://www.spectorsoft.com/products/SpectorPro_Windows/index.html#screenSnapshots
Instant Messaging • Records all instant messenger activity • Timestamp • User Name • IM Program Used
Instant Messaging http://www.spectorsoft.com/products/SpectorPro_Windows/index.html#screenSnapshots
Email Activity • Monitors email activity on Applications such as Outlook, as well as web based clients such as Gmail, Yahoo, and Hotmail • Saves a copy of all attachments that can be opened
Email Activity http://www.spectorsoft.com/products/SpectorPro_Windows/index.html#screenSnapshots
Remotely or Locally • You can configure the software to send the results covertly and automatically to you. • Convenient, but transmission could be blocked on the network and this increases your risk.
Remotely or Locally cont. • You can also configure it to just store the results on the machine in question. • These results can be called up manually by you when you go based on a simultaneous 3-4 key punch. • Ex. Shift-Alt-Ctrl-S • You can then transfer these results onto any removable media or view it locally.
Risks of Monitoring Software • Need to be logged in as the user you want to monitor. • This user must have install privileges. • If they do not, then you must temporarily upgrade their privileges through the use of an administrator account. • Therefore you may have to enlist the help of the relevant system administrator http://www.diamondsourceva.com/ShoppingAdvice/images/caution-sign2.jpg
Risks of Monitoring Software Cont. • Before Install, you need to disable: • Symantec • Windows Defender • Spy sweeper • Ad-aware • Spybot • Etc. http://www.diamondsourceva.com/ShoppingAdvice/images/caution-sign2.jpg
Risks of Monitoring Software Cont. • During Install, ensure that the Monitoring software itself is upgraded • This will help prevent it from being detected by security software. • Don’t forget to re-enable security software, and then determine if any traces of the install show up. It is often possible to remove these traces. http://www.diamondsourceva.com/ShoppingAdvice/images/caution-sign2.jpg
Who should know? • We inform as few employees as possible when monitoring. This avoids rumors and innuendos from spreading. • Always executive management is told • Sometimes the user’s supervisor is told • Never are peers told
Confidentiality • Monitoring often encompasses aspects of an employee’s personal life that may or may not be pertinent to the investigation. • Confidentiality is a must. Only a select few in the Audit Department working on the case are allowed to read monitoring results. • In addition, all materials follow a chain of custody form. All materials are placed in a locked safe, behind the director’s locked office door, behind a pass key entrance of the audit department.