Kerio Connect forum thread: Unauthorized access
greg_m

Messages: 65
Karma: 0
Today, a colleague claimed that whilst away from her computer, several unread messages had been read in her inbox, and that she thought someone had been snooping. Her screen was locked, and she says no one knows her password.

My manager then asked if I could check if anyone had accessed this person's account from another computer using web mail.

As this person had been in a meeting all afternoon, any access logs that recorded activity, authentication, etc. would have helped clear this up.

I can't see any such forensic data, but does anyone know better? This is the second time someone has claimed that their email account has been accessed without their knowledge or permission.
mbox

Messages: 25
Karma: 1
Kerio Connect Administration has a Log section with various logs you can view. The Debug log can provide even more information, but you need to enable those debug logs before-the-fact by (in 7.0) selecting the Debug log, right clicking in the right pane, selecting "Messages...", and enabling the types of logging you want.

If your Kerio server is accessed through a firewall, the firewall might have logs too, such as IP addresses connecting to the server. Depending on your operating system and its configuration, the operating system may have limited network and authentication logs of its own (Linux /var/log or Windows event viewer). An external authentication server may too if you use one.

Any computer used to access the mail server may also have leftover data on it. If the webmail client was used over SSL (https), you may be out of luck since the browser doesn't cache SSL traffic. If using Outlook (KOFF), then the data could be cached in an Outlook user profile. Also, make sure that the permissions on the mailbox folder do not have any sharing enabled.

Knowing the times that each e-mail was read (status changed from unread to read) may be useful. Maybe these times are recorded somewhere. It doesn't appear to be recorded in the .eml file.

Regardless, as part of your regular activities, I would suggest changing passwords on clients and servers, running virus scans on the clients and servers, checking operating system and network application (e.g. Adobe) patches, checking that security settings on firewalls/servers/desktops are locked down (a network scanner can help), etc. If you're really paranoid, you can reinstall systems from scratch.
greg_m

Messages: 65
Karma: 0
Thanks for your suggestions, unfortunately none of these is applicable or useful in this case.

I think the only way for me to prove to a user that it is not possible for anyone else to access their account is to employ directory services with password management. This way only they would know their password, and I would have to change their password to gain access.

At present I know everyone's password, and they know I do, so they can accuse me and/or management of snooping and I can't disprove it.
freakinvibe

Messages: 1529
Karma: 60
I am not sure that someone has read her mails. Wouldn't the reader be smart enough and mark them "unread" again after reading?

Does she have a smartphone where she reads the mails? That could sync them as "read".

A corrupt index.fld and the subsequent repair can mark all messages as "read" as well.

If you need some logs to prove, the debug log is definitely the way to go.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
greg_m

Messages: 65
Karma: 0
All good points, and I agree, I don't think anyone has either. But I can't prove this. The person concerned is claiming constructive dismissal, and things are getting messy, so I wanted to be able to say with no question of doubt that unless she has disclosed her password, there is no way anyone would have access to her emails without there being some evidence.

I don't know what everyone else does, but I only have the SMTP server messages filtered in my debug log usually, as the most common request is along the lines of 'did this email get delivered/received?'. Occasionally, I might switch other messages on for debugging, strangely enough. But this log isn't really designed as an audit trail, is it?

We are currently working towards ISO27001 certification, and the standard is very tight on audit trails and forensic evidence. I'm curious how well Kerio Connect would perform in a more secure environment. Would it be capable enough for a government department for instance?
mbox

Messages: 25
Karma: 1
I'm not sure directory services would much limit a rogue administrator. Someone with OS administrative access to the mail server can easily bypass Kerio and directly view ".eml" files in your mail store folder, which doesn't alter read status or leave a trace in Kerio's logs. To monitor this type of thing, you could enable auditing on the OS level (like Windows file auditing), but maybe that won't trace OS administrators with disk sector level access. Even if the Kerio administrator is not an OS administrator, the Kerio administrator could still probably expose e-mail content when setting up certain types of debug logging, forwarding, archiving rules, or backups, so you may also want some way to audit changes to the Kerio configuration too.

Although it may be unlikely, it can be difficult to prove unequivocally "there is no way" because it's difficult to know whether some system was compromised at some point in time due to some administrative configuration error or zero-day attack. Logs help though. You also need to trust someone in an administrative position unless everything under control is somehow encrypted end-to-end.
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Each user has a statistic of last login (by protocol). You can find there what protocol was used for recent access to the mailbox. And then enable the debug log for the protocol to trace details (if it happens again).
mbox

Messages: 25
Karma: 1
Kerio_pdobry wrote on Fri, 11 June 2010 19:46
Each user has a statistic of last login (by protocol). You can find there what protocol was used for recent access to the mailbox. And then enable the debug log for the protocol to trace details (if it happens again).


Nice. It took me some time to find that: in the web interface it was under Account/Users/Status/User-Statistics rather than being under the main Statistics section. Highlight all users before using that function to get a complete table for all users. The older (non-web interface) allows this to be added to the Users columns, but it appears no longer an option in the web interface.

I'd like to see an IP address (or list of recent addresses) too. Gmail does that as a security measure, and it may be what greg_m would have needed. Status/Mobile-Devices shows an IP address, but I don't see that for non-mobile devices, and it's not clear that it's preserved in stats.usr.

[Updated on: Sat, 12 June 2010 01:08]
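The per-user address history mbox asks for, as an added example that is not part of this thread or of Kerio Connect: it parses constructed login lines in an assumed layout (Kerio's real log format is not shown in the thread), rebuilds the "last login by protocol" view Pavel describes, and flags logins from outside the networks you trust. The line layout, the sample users and the addresses are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an ASSUMED layout (not Kerio's real log format):
# "[dd/Mon/YYYY HH:MM:SS] <protocol>: User <user> logged in from <ip>"
SAMPLE_LOG = """\
[11/Jun/2010 13:02:11] HTTP/WebMail: User alice@example.com logged in from 10.0.0.21
[11/Jun/2010 13:05:40] ActiveSync: User alice@example.com logged in from 10.0.0.77
[11/Jun/2010 14:31:02] IMAP: User alice@example.com logged in from 10.0.0.21
[11/Jun/2010 15:12:59] HTTP/WebMail: User alice@example.com logged in from 192.0.2.45
[11/Jun/2010 15:20:00] IMAP: User bob@example.com logged in from 10.0.0.30
this line is noise and must be skipped
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<proto>[^:]+): User (?P<user>\S+) logged in from (?P<ip>\S+)$"
)

def parse_logins(text):
    """Yield (timestamp, protocol, user, ip) for each matching line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        yield ts, m["proto"], m["user"], m["ip"]

def last_login_by_protocol(text):
    """Per user, the most recent (timestamp, ip) for each protocol, rebuilt from
    the log rather than read from stats.usr."""
    result = defaultdict(dict)
    for ts, proto, user, ip in parse_logins(text):
        prev = result[user].get(proto)
        if prev is None or ts > prev[0]:
            result[user][proto] = (ts, ip)
    return result

def address_history(text):
    """Per user, every distinct source address with its first and last sighting."""
    history = defaultdict(dict)
    for ts, _proto, user, ip in parse_logins(text):
        first, last = history[user].get(ip, (ts, ts))
        history[user][ip] = (min(first, ts), max(last, ts))
    return history

def unexpected_logins(text, trusted_networks):
    """Logins whose source address lies outside every trusted network (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [(ts, proto, user, ip) for ts, proto, user, ip in parse_logins(text)
            if not any(ipaddress.ip_address(ip) in n for n in nets)]
```

Run against the Kerio security/debug log export of the period in question, with the office and VPN ranges as the trusted networks; a first-seen address that is also outside those ranges is the event worth explaining.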

greg_m

Messages: 65
Karma: 0
Quote:
Each user has a statistic of last login (by protocol). You can find there what protocol was used for recent access to the mailbox. And then enable the debug log for the protocol to trace details (if it happens again).

Thanks, although the user in this case had both an Activesync phone and her email client running the entire time she was away from her desk, so that would have shown in the last known access.

Quote:
I'd like to see an IP address (or list of recent addresses) too. Gmail does that as a security measure, and it may be what greg_m would have needed. Status/Mobile-Devices shows an IP address, but I don't see that for non-mobile devices, and it's not clear that it's preserved in stats.usr.

Yes, a simple way of showing that there had not been any access made from an unexpected location. So a historical log of IP addresses would have been very useful in this case.