

Forensics on an email server

security hacking email


#1 Jeber

    Still Version 1.0 beta

  • Forum Moderators
  • 4,635 posts

Posted 08 August 2015 - 06:28 PM

I have a friend (no, really) who has found out that a third party has access to his work emails. This man's a lawyer, so this is a fairly serious issue.

The emails were sent from his work server to another attorney. His server is on a privately owned domain and maintained by a friend of his. We don't know what setup the other attorney has for her email.

I told him, and I hope I was correct in my advice, that the maintainer of the server should be able to look at the logs for that domain and see which IP addresses logged in during the month in question. Eliminating the IPs that are known should expose the unknown. Turns out the server logs are only kept for 60 days, and these emails were from December of last year. Of course they could have been accessed any time since then, but we'd only be able to find the culprit if the access was within the last 60 days.

So without discussing hacking techniques, what advice can I give him on how best to determine how those emails were obtained? I suspect if the hacks were made more than two months ago he may never find out who did it or how. What are your suggestions for methods to harden their server against future attacks? Obviously, being lawyers, their emails are frequently very sensitive and I believe they would spare no expense to make sure this doesn't happen again.

He was a dreamer, a thinker, a speculative philosopher, an idiot…
(Douglas Adams)




#2 securitybreach

    CLI Phreak

  • Forum Admins
  • 23,667 posts

Posted 08 August 2015 - 07:09 PM

First off, your advice was spot on. That said, if the logs are cleared every 60 days then it would be basically impossible to know who logged in without them.

Next he needs to change all his passwords and treat all of his accounts as if they were compromised (they probably are). Since he knows who maintains the server, he needs to have it set up with either two-factor authentication or to only allow certain IPs to access the account.

Remember if they were accessed then, the cracker has had access since then.

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984
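The log review both posters describe (list every login in the window, strike out the IPs you recognise, look at what is left) as an added example that is not part of either post. It parses constructed Dovecot-style imap-login lines; the log text, the user names, the documentation-range IPs and the "known" office network are all assumptions, and it can only cover whatever the server's retention window still holds.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Dovecot's imap-login format (not a real server's log).
SAMPLE_LOG = """\
Aug 01 08:02:11 mail dovecot: imap-login: Login: user=<bob@example.invalid>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Aug 01 08:15:40 mail dovecot: imap-login: Login: user=<bob@example.invalid>, method=PLAIN, rip=203.0.113.11, lip=192.0.2.5, TLS
Aug 02 23:47:03 mail dovecot: imap-login: Login: user=<bob@example.invalid>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.5, TLS
Aug 03 09:00:05 mail dovecot: imap-login: Login: user=<carol@example.invalid>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
Aug 03 09:01:22 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob@example.invalid>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.5, TLS
"""

# Only successful logins ("Login:") are matched; failed attempts are skipped.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?imap-login: Login: "
    r"user=<(?P<user>[^>]+)>.*?rip=(?P<ip>[\d.]+)"
)


def parse_logins(text):
    """Yield (timestamp, user, remote_ip) for every successful IMAP login."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def unknown_logins(text, known_networks):
    """Map each mailbox to the set of source IPs that fall outside the known networks."""
    nets = [ip_network(n) for n in known_networks]
    suspect = defaultdict(set)
    for _ts, user, ip in parse_logins(text):
        if not any(ip_address(ip) in n for n in nets):
            suspect[user].add(ip)
    return dict(suspect)


if __name__ == "__main__":
    # The office range is the only "known" source here (constructed allowlist).
    for user, ips in unknown_logins(SAMPLE_LOG, ["203.0.113.0/24"]).items():
        print(f"{user}: logins from unrecognised addresses {sorted(ips)}")
```

Whatever this surfaces is a lead to check against the mailbox owner's travel and devices, not proof by itself; it also says nothing about logins older than the retention period, which is why the second post's password reset and 2FA/IP restriction advice still applies regardless of what the log shows.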




