Checking personal mail at work

slicksilver

Can passwords be captured by network admins? I don't mean to do anything against company policies. Checking personal mail is very much allowed at our workplace. What I would like to know is if they will be able to sniff out my user IDs and passwords of personal accounts.

The company's network is on a workgroup and they soon plan to move to a domain. They have a Cyberoam firewall which they recently installed. We are about a 50 user workgroup.

Any info would be greatly appreciated

Thanks
 

NotquiteanooB

I would imagine that if they have installed any keystroke capturing apps ... anything you type would be seen ... including passwords. If you are a 50 user group, and there is a lot of keyboard activity from all 50 ... they would need lots of storage to capture and log everyone's output. Doubtful a company would go that far. (I wonder !!)
 

WobbleWobble

Key loggers would normally be deployed if they're targeting you specifically. It would be way too much data to sift through and retain.

On the network side, if your webmail logon page is encrypted with SSL, then they probably will not be able to decrypt your webmail logon information. If it is not encrypted with SSL, then your username and password are sent out in cleartext and can easily be read if captured with a packet sniffer.

Note some organizations implement SSL interception, in which it may be possible for their proxy to decrypt your webmail login information.
 

spikespiegal

The short answer is they can. The practical answer is I doubt they have the resources to bother. Unless the company you work for actually has this kind of expertise in house it's doubtful they would waste the time. Basically, if they have a policy against you wasting time on the clock then they are wasting more resources hiring somebody to packet snoop. It's more efficient/cheaper for the company to simply track the sites you aren't supposed to be on.

The only exception is if they suspect your communications involve trade secrets, passing on sensitive account info to a competitor, or that jazz. I've seen in those instances outside consultants pulled in to decrypt info you are passing to build breach of contract cases, etc.
 

SecPro

> Can passwords be captured by network admins? I don't mean to do anything against company policies. Checking personal mail is very much allowed at our workplace. What I would like to know is if they will be able to sniff out my user IDs and passwords of personal accounts.
>
> The company's network is on a workgroup and they soon plan to move to a domain. They have a Cyberoam firewall which they recently installed. We are about a 50 user workgroup.
>
> Any info would be greatly appreciated
>
> Thanks

Not only is it doubtful that your company would expend resources to capture your password, it is very possible that if they do so and read your personal e-mail they would run afoul of the law.

You probably have policies and/or login banners that say that you have no expectation of privacy on the company network, you can be monitored anytime, etc., etc. Those policies, although powerful and wide reaching, do not give the company carte blanche to do whatever they want. When you start involving encryption and passwords and other additional protection to information it usually takes a search warrant or some sort of discovery order to have solid legal grounds for breaking into password protected or encrypted information especially when it isn't clear that the company "owns" the information.
 

Oakenfold

Yes, they can capture the information. The question is would they want to use the resources to do it (if they even have the resources- looks like you are fairly small). If you are not putting the company at risk, not breaking policy or procedure then the only reason would be for malicious intent.

If you are that concerned about your company monitoring your activity then don't do it on their network.
 

imported_NoGodForMe

For public companies, SOX requires all e-mails to be archived. I don't use the company e-mail system for any personal messages. I log into my e-mail using web mail.

Yes, companies use key loggers in case a system crashes and they want to see what the operators typed. No, they usually don't have someone watching everything you do. At my company, this is what they have.

Websense - Blocks streaming music, porn, and gambling sites.
Keylogger - If a directory gets blown away, they check logs to see what happened.
Web Timer - They track time logged onto the web. If the browser is sitting idle on a page, it still counts as time. For a while, the VP of IT was getting a report of web time. Anyone near the top of the list was warned. One person I knew had a weather widget from Yahoo running. Get this, it was polling the weather site all day, the person was logged into the web and was at the top of the list, ooops.

Smart phone or a netbook tethered to a smart phone is the best idea. Companies don't seem to care if you have a netbook in your cube.

Like others have said, they're not reading a log of every person, that would be a full time job, but if something weird happens, then they'll look at your log.
 

LS8

Yes, if they wanted to. A general rule to consider is that IT can see ALL traffic on the network - ALL of it - encrypted, unencrypted, doesn't matter, they can see it. Now, they might not know what it is. If you have dopes running your IT department chances are they don't know what the traffic is and probably aren't even looking but don't assume this - assume they are looking at everything you're doing - this is how you stay out of trouble! The corporate network is for work, if you reserve it for work you stay out of trouble.

Netbook + mobile broadband is the best option.

Just because your friend got away with something at his last company doesn't mean you will! Don't risk your job in this shitty economy!
 

Red Squirrel

If it uses SSL you should be safe unless there's a keylogger, though I heard some workplaces can actually crack SSL somehow, think it captures the certificate info and decrypts the session on the fly.

Just set up a web based email system on a home server and run it on SSL. That's what I do for home, I also have openvpn for remoting into my machines.
 

Rainsford

> If it uses SSL you should be safe unless there's a keylogger, though I heard some workplaces can actually crack SSL somehow, think it captures the certificate info and decrypts the session on the fly.
>
> Just set up a web based email system on a home server and run it on SSL. That's what I do for home, I also have openvpn for remoting into my machines.

They don't crack SSL, at least not the way you're suggesting. If that was possible, SSL would be useless.

Your browser has a number of certificate authorities installed in it, and corporate computers can have special ones installed by the company either through domain policy or some other method. When you try to connect to an SSL encrypted website, the corporate proxy gives you a certificate the proxy created (signed with the company's certificate authority) and talks to you with that, then uses the real website certificate to proxy your connection to the actual website. Your traffic is just as secure outside the company as normal, but the proxy can still see what you're doing.

SSL is built on trust, and since your company owns your computer, they can make it trust whatever they like. There are ways to try to get around THIS particular method of course, but it's a constant arms race, and the user is violating the first law of computer security...if your adversary owns your hardware, you might as well just give up now.

Technology is not the answer here, just ask your IT department if you're concerned. If checking personal email is within policy, chances seem good that they won't actually log your password (they're probably more interested in what sites you're visiting).
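
Added example, not part of the original thread: a proxy that re-signs traffic with a company CA, as described in the post above, changes the certificate issuer a client sees, so comparing the leaf certificate observed on the work network with one recorded on a trusted network makes that visible. The function names, host name, CA names and byte strings below are hypothetical or constructed sample data; `fetch_leaf` is the live helper, and the comparison runs offline on the samples.

```python
import hashlib
import socket
import ssl

def fetch_leaf(host, port=443, timeout=5.0):
    """Live helper: return (getpeercert() dict, DER bytes) for the leaf certificate."""
    ctx = ssl.create_default_context()  # trusts whatever CAs this machine trusts
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def issuer_field(cert, field="organizationName"):
    """getpeercert() gives 'issuer' as a tuple of RDNs, each a tuple of (key, value)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def compare(baseline, observed):
    """Each argument is (cert_dict, der_bytes). Returns a list of findings."""
    (b_cert, b_der), (o_cert, o_der) = baseline, observed
    if hashlib.sha256(b_der).digest() == hashlib.sha256(o_der).digest():
        return []  # identical leaf certificate: nothing re-signed it in transit
    b_org, o_org = issuer_field(b_cert), issuer_field(o_cert)
    if b_org != o_org:
        return [f"issuer changed: {b_org!r} -> {o_org!r}"]
    return ["leaf differs but issuer matches (rotation or load balancing is common)"]

# Constructed sample data in getpeercert() shape; the byte strings stand in for DER.
HOME = ({"subject": ((("commonName", "mail.example.com"),),),
         "issuer": ((("organizationName", "Example Public CA"),),
                    (("commonName", "Example Public CA R1"),))},
        b"constructed-leaf-seen-from-home")
WORK = ({"subject": ((("commonName", "mail.example.com"),),),
         "issuer": ((("organizationName", "Example Corp Internal CA"),),
                    (("commonName", "Example Corp Proxy CA"),))},
        b"constructed-leaf-seen-from-work")

if __name__ == "__main__":
    print(compare(HOME, HOME))
    print(compare(HOME, WORK))
```

On a machine that trusts the company CA the handshake in `fetch_leaf` completes without any warning, so the issuer comparison, not a browser error, is what shows the re-signing.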
 

gsellis

Rainsford's post is the complete answer.

Yes, they could log it locally. Except in Sales environments, a lot of companies would not even bother. Corporate policy that allows private email may even state that it is private.

SSL, while potentially hackable, is basically secure, so your https email would be safe.

It really is easier to monitor your console anyway, so I would just read your email over your shoulder on my workstation if I were some misguided system admin at where you work...
 

DrPizza

As has been said several times, yes they can. However, a few said it would take a lot of resources to log keystrokes. With this, I disagree. It's been years; probably close to a decade since I ran a keylogger on my computer at home. It took an insignificant amount of resources back then to do so. Since then, memory, bandwidth, processor speed, etc., have all vastly increased. The number of keystrokes recorded in a day remains relatively constant.
 

Oakenfold

> As has been said several times, yes they can. However, a few said it would take a lot of resources to log keystrokes. With this, I disagree. It's been years; probably close to a decade since I ran a keylogger on my computer at home. It took an insignificant amount of resources back then to do so. Since then, memory, bandwidth, processor speed, etc., have all vastly increased. The number of keystrokes recorded in a day remains relatively constant.

Assuming that logging the data would be insignificant resource wise (I have no clue, depends on the size of the organization) it is more of a question of devoting the people to review that data. That's assuming they have the talent to even review the data to begin with and for what gain?
 

gsellis

At BlackHat this year, a guy did a demonstration on updating the microcode in a keyboard to work as a keylogger that could send its capture. Yep, minimal resources. Oh, and he did it using a Mac keyboard.
 

DrPizza

> Assuming that logging the data would be insignificant resource wise (I have no clue, depends on the size of the organization) it is more of a question of devoting the people to review that data. That's assuming they have the talent to even review the data to begin with and for what gain?

That's quite true - there's probably no compelling reason to waste manpower to physically pore over the data. However, such data could be routinely scanned for certain words or phrases.

Also, in our high school, we have software installed on all 50ish of the computers that are located in our library. From the librarian's desk, she can view the desktops of all those computers simultaneously, or zoom in and see the contents of any particular screen at its full resolution - this without using many resources. i.e. it's pretty simple for big brother to watch. However, in such a work climate, I don't think employees would be comfortable - I think the overall effect would be negative, especially towards morale.
 

Red Squirrel

> They don't crack SSL, at least not the way you're suggesting. If that was possible, SSL would be useless.
>
> Your browser has a number of certificate authorities installed in it, and corporate computers can have special ones installed by the company either through domain policy or some other method. When you try to connect to an SSL encrypted website, the corporate proxy gives you a certificate the proxy created (signed with the company's certificate authority) and talks to you with that, then uses the real website certificate to proxy your connection to the actual website. Your traffic is just as secure outside the company as normal, but the proxy can still see what you're doing.
>
> SSL is built on trust, and since your company owns your computer, they can make it trust whatever they like. There are ways to try to get around THIS particular method of course, but it's a constant arms race, and the user is violating the first law of computer security...if your adversary owns your hardware, you might as well just give up now.
>
> Technology is not the answer here, just ask your IT department if you're concerned. If checking personal email is within policy, chances seem good that they won't actually log your password (they're probably more interested in what sites you're visiting).

That's still cracking imo. If a corporation can do it, what stops a hacker? That sounds like a huge weakness in SSL. There was also another exploit that came out a while back. I forget exactly how it went, had to do with some network called thor or something, and forcing people to connect through a "man in the middle".
 

KeithP

I am no security expert but I wonder how secure the following scenario would be?

Install the free version of logmein remote access software on a home computer. Access that computer from work and use it to check the email.

One nice option logmein has is to enable the use of security codes that are only good for one sign in. If you enable this feature, you can print out a list of codes that are good for one time only so after you use the code once, it can't be used again. Next time you sign in, you have to enter a different code.

In that scenario, even if someone was using a key logger, it wouldn't matter because a different code is required at the next sign in. This would secure logmein access. Once in logmein, SSL takes over to secure email access.

Am I understanding that right? Anyone care to comment?

-KeithP
 