Surfing at Work

Discussion in 'Computer Security' started by HB2, Sep 28, 2004.

    HB2 Guest

    Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    have Windows 2000. Is it safe to assume that my e-mails are kept private
    from my employer since they are sent using SSL? Does Windows 2000 Server
    have monitoring tools built in or would our employer have to purchase such
    monitoring tools separately?

    Also, it's my understanding that using a keyboard log program is illegal.
    Is this correct?

    Thanks
     
    HB2, Sep 28, 2004
    #1

    Mr. Babco Guest

    Let me start with your last question. I'm not 100% sure of the legalities of
    using a keystroke logger but it is definitely an unethical practice. Your
    best bet is to assume that your computer and its data transmissions are being
    watched. Using a web mail like yahoo etc. is certainly within bounds of
    most employers and the preferred method by many admins./company execs. Of
    course there is always a darker side of things, such as very curious admins
    that have no business in your personal email - but are still looking at it.
    SSL will prevent much of this sort of thing and is always a sure bet.
    Generally employers will need to buy third party software in order to get a
    clear view of your internet activities, but there is always open source
    software that can be used for this as well. Windows 2000 doesn't have
    anything that will track your activities - not known publicly at least!
     
    Mr. Babco, Sep 28, 2004
    #2

    Leythos Guest

    The simple answer is that your employer owns everything that crosses
    its network and has a right to inspect anything on the network. Your
    employer also has the right to fire you for theft of company resources
    and turning in false time reports.

    Actually, in addition to the above, it's very easy to SEE you connected
    to the proxy service through the firewall. Since there is little reason
    for you to have an outbound SSL connection, your abuse of company policy
    will stand out like a red beacon in the night.

    All versions of Server have monitoring tools, but it's a lot easier to
    monitor the firewall to catch abuses like yours.
     
    Leythos, Sep 29, 2004
    #3

    Leythos Guest

    Almost forgot to address this - it's their computers, their network,
    their company, they can do anything they want with it and don't have to
    tell you squat (at least in the US).
     
    Leythos, Sep 29, 2004
    #4

    andy smart Guest

    HB2 wrote:
    | Sometimes I write e-mails using a web based format (yahoo). When the e-mail
    | is of a personal issue I use megaproxy because it is SSL. Our PCs at work
    | have Windows 2000. Is it safe to assume that my e-mails are kept private
    | from my employer since they are sent using SSL? Does Windows 2000 Server
    | have monitoring tools built in or would our employer have to purchase such
    | monitoring tools separately?
    |
    | Also, it's my understanding that using a keyboard log program is illegal.
    | Is this correct?
    |
    | Thanks

    Actually, there is a good reason for them to be even more suspicious if
    they find you doing it - how do they know you're not using it to send
    confidential company data off site? Rather than try to be underhand
    about it, why not just ask them what their policy is?
     
    andy smart, Sep 29, 2004
    #5

    Mike Guest

    If you are doing something that you feel your employer would rather you
    didn't then you shouldn't be doing it. Do you walk into friends' houses
    and take over their TV and video recorders for your own purposes? Of
    course you don't, so why take liberties with your employer's time, money
    and equipment?

    If you are writing emails that you would not like your employer to read,
    don't do it at work, dummy!

    There are monitoring tools that can record an entire data stream, however
    fragmented, reassemble it and play it back. You wouldn't know whether
    your employer had these tools until it was too late (probably at the
    point you are sacked).
     
    Mike, Sep 29, 2004
    #6

    Moe Trin Guest

    http://groups.google.com

    and search for "Surfing at Work". You'll find this covered very
    well - and even find postings from wankers who have been fired for
    this, whining that the employer had no right to do that to them.

    Do you honestly think that because your SSL session (trivial to detect)
    can't be decoded, the employer is going to ignore it? You are either
    extremely stupid (and should be fired as unsuitable for the job) or are
    on drugs. If they are prescription drugs, contact your doctor immediately.

    You're joking, right? And you haven't seen ANY posting in this group
    about stuff that runs on the firewall.

    Don't ask for "legal" opinions on Usenet - they're worth less than what
    you paid for them. Consult your own lawyer. And this has also been
    covered many times on Usenet.

    You're posting from an IP address allocated to Illinois. IF you can prove
    to a judge that you were never warned that your use of the computer may
    be monitored, you might get a finding in a "Wrongful dismissal" case. Do
    let us know.

    Old guy
     
    Moe Trin, Sep 29, 2004
    #7

    Jim Watt Guest

    Whose laws are we talking about?

    Who owns the computer?

    Who is paying you to surf the net?

    Does your company have a policy? Some might
    terminate you for doing these things.
     
    Jim Watt, Sep 29, 2004
    #8

    David Q F Guest

    My $.02 worth. I am in Australia. Our corporate security policy disallows:
    - Web based email. Reason: The mail and its attachments do not pass through
    our firewall (as email) or antivirus.
    - Unauthorised encryption of email including S/MIME and PGP. Reason: Again
    the difficulty is with checking content for fraud, theft or malware.
    - Unauthorised inspection of email by IT admins. Reason: It's a people
    problem and only HR can authorise inspection.

    It does allow reasonable personal use of email - this discourages (but
    doesn't cut out) abuse.

    One other thought I've had is that the use of Bayesian inference for spam
    filtering could be extended for other purposes like automated checking for
    commercial espionage, fraud and other abuses without human inspection. Once
    alerted an admin/HR person could manually check.

    Last thought, "Do you have an Internet connection at home?"

    David Fosdike
    dfosdike at nospam(leave this out and change 'dots' and 'at') dot elders dot
    com dot au
     
    David Q F, Sep 30, 2004
    #9

    Mark Landin Guest

    You make some false assumptions. First, privacy laws and employee
    rights vary by country. The EU, for instance, is much more protective
    of employee privacy than the US, even when the employee is using
    company resources on company time.

    Second, I for instance do not fill out a time report as I am a
    salaried employee. The OP may not do a time report either.

    As far as theft of company resources, what is "stolen"? It may be more
    accurate to say "unauthorized use" of company resources, which is
    certainly a different concept than theft. While unauthorized use can
    be grounds for discipline or termination based on violation of company
    property, it is not a criminal act like thievery.
     
    Mark Landin, Sep 30, 2004
    #10

    Mark Landin Guest

    You don't have desktop anti-virus protection?

    Very valid.

    Also very valid. IT should not abuse their authorized access.
    Similar to the phone on your desk.

    The problem is that a legitimate business email and an illicit one have
    basically the same content. What makes one legit and one illicit is
    mainly the recipient, not what it says. That would be hard to
    automate, I would think.

    Likely the best one could do is say "the following emails sent this
    week referenced the Secret Omega Project" and some person would have
    to vet that whole list, checking senders and recipients against a
    known-good-list, for possible improper activity. That would be pretty
    labor-intensive.
     
    Mark Landin, Sep 30, 2004
    #11

    Leythos Guest

    The op was posting from a ComCast account, so he's in the US, so it does
    apply - nothing false about the assumption there.

    The time sheet may not be filled out, but you are expected to put in a
    certain amount of hours and you are paid for them - screwing off during
    business hours, unless you make up the time, is theft.

    As for company resources, they pay for the service, to maintain a
    certain level of performance. When you utilize the network for non-
    company reasons you decrease the performance that is available for
    company benefit. Since the company PAYS for the connection you are
    utilizing for your own personal reasons, against company policy, you are
    stealing company resources - much like taking paper, pens, etc..

    You may not like it, but sooner or later it's going to end up in court.
    Just like an idiot that violates company policy, takes down the network
    due to a virus they brought into the company while using GoToMyPC or a
    personal email web client. If it can be traced back to the individual it
    will get into court.
     
    Leythos, Sep 30, 2004
    #12

    HB2 Guest

    First of all, who said anything about abuses? Second of all, have you ever
    made a personal phone call from work?
     
    HB2, Sep 30, 2004
    #13

    HB2 Guest

    I know the policy of internet use in my company and I do not violate it. My
    questions here are related to privacy.
     
    HB2, Sep 30, 2004
    #14

    Leythos Guest

    Yes, I have - after asking for permission. I'm of the impression that
    anything at the office belongs to the company, that they provided, and I
    "may" use it to do my work, but I have to ask permission if I want to do
    something personal at work.

    Use of the phone, even for local calls, when not permitted, can be
    theft; some phone systems utilize metered rates or other plans that
    charge for all outbound traffic.

    If it's not your personal material, service, etc... and you don't have
    express permission to take or use it, it could be considered theft.
     
    Leythos, Sep 30, 2004
    #15

    Leythos Guest

    To answer your question, now that all the other stuff is out of the way:

    1) Any traffic, even encrypted, belongs to the owner of the network.

    2) It's easy to see where a SSL tunnel is connected - in fact, they
    stand out like a red beacon on a dark night. There are few reasons for
    employees to have external SSL connections from their desktop.

    3) Use of a proxy, even without the SSL connection (or with it) is going
    to be detected if the IT department is worth their salt.

    4) Sustained or repeated traffic patterns are easy to catch.
     
    Leythos, Sep 30, 2004
    #16

    KG6VQE Guest

    To reiterate what was said....As a Sys Admin, I (the company) own all
    material on company equipment, and any data coming across the line is
    considered "Company Data". If someone is using encryption, or SSL to
    encrypt data, it is my job to question "why". We have a lax security
    program, usually based upon management's discretion. When we suspect
    someone, I am usually tasked to get all pertinent data. We seize (copy) all
    data on the server, copy or clone the data on the workstation, redirect and
    read email, and monitor the activity on the line.
    The net sniffing programs available will allow us to see raw data going
    across the line, but usually we can, by monitoring SYSLOG info at the Proxy
    server (and/or firewall), then do a reverse IP lookup for what sites are
    being used by the employee.
    Privacy is a fleeting premise. At work, there is no privacy. People at
    first are shocked when they find out we can read email and personal files,
    then they learn there is little they can do about it.
    As for whether we can see raw, encrypted SSL traffic, probably not....but we
    would question what you are using on port 445. That is a beacon that says
    this person is doing something they "PROBABLY" should not be doing, on
    company time.
    We had one case where the employee copied personal files from home on to
    a company laptop, after their personal laptop broke....in there, there were
    NUDE pictures of the employee, and another of a friend of the employee.
    When the laptop was turned in, she requested files that belonged to her then
    DEAD brother, be sent to her...The company, not wanting to hurt the
    employee's feelings, asked me to copy the files from the laptop, pertaining
    to the employee and the brother. That was when the files were discovered.
    The employee, believing they were safe because they did not divulge the
    password, were wrong.
    There was no privacy at that time....We turned the case over to an attorney,
    who told us to give her only files pertaining to her brother, and erase the
    hard drive...which we did.

    Moral of story, there is NO Privacy working for a private company. So think
    bank records, SSN's, private messages, photos...up to the discretion of the
    Technical department. Bottom line...BEWARE!!!
     
    KG6VQE, Oct 1, 2004
    #17
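    The detection Leythos (#16) and KG6VQE (#17) describe, picking outbound SSL
    tunnels to unsanctioned hosts and repeated or sustained sessions out of the
    proxy/firewall logs, as an added worked example that is not from either post.
    It is written in Go against a few constructed lines in Squid's native
    access.log layout; the client addresses, the destination hosts, the business
    allowlist and the thresholds are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample lines in Squid's native access.log layout:
// timestamp elapsed-ms client status/code bytes method url ident hierarchy/peer type.
// Every address and host below is made up for this example.
const sampleLog = `1096416000.104    120 10.1.2.34 TCP_MISS/200 5120 GET http://www.example.com/news - DIRECT/192.0.2.10 text/html
1096416010.331 300452 10.1.2.34 TCP_TUNNEL/200 48211 CONNECT proxy.example.net:443 - DIRECT/198.51.100.7 -
1096416330.902 299118 10.1.2.34 TCP_TUNNEL/200 51090 CONNECT proxy.example.net:443 - DIRECT/198.51.100.7 -
1096416640.115 301204 10.1.2.34 TCP_TUNNEL/200 47703 CONNECT proxy.example.net:443 - DIRECT/198.51.100.7 -
1096416700.418  40211 10.1.2.57 TCP_TUNNEL/200 9011 CONNECT online.bank.example:443 - DIRECT/203.0.113.9 -
1096416720.003    210 10.1.2.57 TCP_MISS/200 2048 GET http://intranet.example/timesheet - DIRECT/10.0.0.5 text/html`

// businessAllowlist holds the SSL destinations the company has sanctioned (assumed).
var businessAllowlist = map[string]bool{"online.bank.example": true}

// Tunnel aggregates every CONNECT (SSL tunnel) one client opened to one host.
type Tunnel struct {
	Client, Host string
	Sessions     int
	Seconds      float64
	Bytes        int64
}

// parseTunnels keeps only CONNECT requests and sums them per (client, host).
func parseTunnels(log string) map[string]*Tunnel {
	out := map[string]*Tunnel{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 7 || f[5] != "CONNECT" {
			continue
		}
		host := f[6]
		if i := strings.LastIndex(host, ":"); i >= 0 {
			host = host[:i] // strip the :443
		}
		key := f[2] + " " + host
		t, ok := out[key]
		if !ok {
			t = &Tunnel{Client: f[2], Host: host}
			out[key] = t
		}
		ms, _ := strconv.ParseFloat(f[1], 64)
		b, _ := strconv.ParseInt(f[4], 10, 64)
		t.Sessions++
		t.Seconds += ms / 1000
		t.Bytes += b
	}
	return out
}

// Finding is one (client, destination) pair worth a closer look, with the reasons.
type Finding struct {
	Tunnel
	Reasons []string
}

// Flag applies the two rules from the thread: an SSL tunnel to a destination with
// no business justification, and sustained or repeated tunnelling by one client.
func Flag(log string, minSessions int, minSeconds float64) []Finding {
	var findings []Finding
	for _, t := range parseTunnels(log) {
		var why []string
		if !businessAllowlist[t.Host] {
			why = append(why, "destination not on business allowlist")
		}
		if t.Sessions >= minSessions || t.Seconds >= minSeconds {
			why = append(why, fmt.Sprintf("sustained: %d sessions, %.0f s", t.Sessions, t.Seconds))
		}
		if len(why) > 0 {
			findings = append(findings, Finding{Tunnel: *t, Reasons: why})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Client < findings[j].Client })
	return findings
}

func main() {
	for _, f := range Flag(sampleLog, 3, 600) {
		fmt.Printf("%s -> %s: %s\n", f.Client, f.Host, strings.Join(f.Reasons, "; "))
	}
}
```

    The banking tunnel from 10.1.2.57 is short and on the allowlist, so it is
    left alone; 10.1.2.34's three back-to-back five-minute tunnels to an
    unsanctioned host trip both rules. On a real proxy the same aggregation
    would run over the day's log and the allowlist would come from the policy
    the IT department actually publishes.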

    Leythos Guest

    [snip]

    This is such a great example of what is expected of the network security
    people. I can't tell you how many times we've been called in to a
    company to determine "if" something is happening, and then find that a
    lot is happening.

    We had one case where we installed a firewall and call logging software;
    an employee was seen using his cell phone and a pay phone frequently
    after that. Combining his actions and his network logs we were able to
    determine that something was amiss with this person - we seized his
    computer and managed to recover a massive amount of deleted files/folders
    that contained project bids for a competitor of the company he was
    working for - he had been working for the competitor during company
    hours and using the company resources to bid on projects for the other
    company (he signed the documents with his real name)....

    Then there was firewall monitoring that indicated someone (we knew
    who) was arriving early to visit porn sites - we mentioned that ALL
    network activity (including sites visited and what workstation) was
    logged and reviewed on a random basis - the new acceptable use policy
    specifically forbids use of the network for non-company reasons. The
    user never visited a porn site again, but he was just one of a dozen
    doing it. People were actually fired over that.

    What most workers don't seem to understand is that the network is
    company property, and they pay for it, and the company is responsible
    for anything the employees do on the network - including abusive things
    they consider personal. Not to mention the waste of network bandwidth
    when running streaming audio, playing Quake, etc....

    If users looked at the network as a tool, or as a copier, and they're
    using it for their own personal needs, they would understand that what
    they are doing is stealing company resources.

    If they have never run their own company, never managed a group of
    people, or if they have no proper business (or personal) ethics, then
    this may not bother them, but it should.

    I'm always amazed at how people think the network isn't monitored - in
    today's times, when we can put video cameras inside a pack of candy,
    people should just assume that everything they do is monitored. You
    never know who is monitoring things in your home (spouse, kids, etc..)
     
    Leythos, Oct 1, 2004
    #18

    David Q F Guest

    Mark,

    Thanks for your comments,

    Yes we do.
    The main problem here is organisations that have a large number of desktop
    clients. A new virus entering from the Internet via email has a window of
    opportunity until its signature is deployed to every one of them - this can
    take days, even weeks. Disallowing web-based email, and for SMTP blocking every
    executable, or anything known to carry an executable including .zips, and
    'whitelisting' what you want to get through also helps - users soon fall into
    line.
    I think you underestimate the power of Bayesian inference. Time will tell -
    at present I don't have time to test it.

    David
     
    David Q F, Oct 2, 2004
    #19
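    David's idea in #9 and #19 of pointing a Bayesian spam filter at outbound
    mail, together with Mark's objection in #11 that the recipient matters more
    than the words, as an added example that is not David's code and was not
    tested by him: a small multinomial naive Bayes in Go in which the
    recipient's domain is folded in as just another token, so the filter can
    weigh "who it went to" alongside "what it says". The training messages, the
    addresses and the Omega project name (borrowed from Mark's post) are all
    constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Message is an outbound e-mail reduced to what the filter gets to see.
type Message struct {
	To   string // recipient address
	Body string
}

// Classifier is a multinomial naive Bayes model over body words plus one synthetic
// "to:<domain>" token, so the recipient counts as evidence alongside the content.
type Classifier struct {
	docs       int                       // training messages seen
	classDocs  map[string]int            // class -> training messages
	tokenCount map[string]map[string]int // class -> token -> occurrences
	classTotal map[string]int            // class -> total tokens
	vocab      map[string]bool           // every token seen in training
}

var wordRe = regexp.MustCompile(`[a-z0-9]+`)

// tokens lower-cases and splits the body, then appends the recipient's domain.
func tokens(m Message) []string {
	toks := wordRe.FindAllString(strings.ToLower(m.Body), -1)
	if i := strings.LastIndex(m.To, "@"); i >= 0 {
		toks = append(toks, "to:"+strings.ToLower(m.To[i+1:]))
	}
	return toks
}

// Train adds one labelled message to the model.
func (c *Classifier) Train(m Message, class string) {
	c.docs++
	c.classDocs[class]++
	if c.tokenCount[class] == nil {
		c.tokenCount[class] = map[string]int{}
	}
	for _, t := range tokens(m) {
		c.tokenCount[class][t]++
		c.classTotal[class]++
		c.vocab[t] = true
	}
}

// Score is log P(class) + sum of log P(token|class), with add-one smoothing so a
// token never seen in a class does not zero the whole product.
func (c *Classifier) Score(m Message, class string) float64 {
	s := math.Log(float64(c.classDocs[class]) / float64(c.docs))
	v := float64(len(c.vocab))
	for _, t := range tokens(m) {
		s += math.Log(float64(c.tokenCount[class][t]+1) / (float64(c.classTotal[class]) + v))
	}
	return s
}

// Classify returns the highest-scoring class; ties go to "ok".
func (c *Classifier) Classify(m Message) string {
	best, bestScore := "ok", math.Inf(-1)
	for class := range c.classDocs {
		if s := c.Score(m, class); s > bestScore || (s == bestScore && class == "ok") {
			best, bestScore = class, s
		}
	}
	return best
}

// TrainedModel fits the model to a constructed training set: ordinary internal,
// customer and personal mail versus mail leaking the made-up Omega bid to a
// competitor domain. Every address and body here is invented for the example.
func TrainedModel() *Classifier {
	c := &Classifier{classDocs: map[string]int{}, tokenCount: map[string]map[string]int{},
		classTotal: map[string]int{}, vocab: map[string]bool{}}
	for _, m := range []Message{
		{"sales@customer.example", "Attached is the quote for the Omega project as discussed"},
		{"alice@corp.example", "Omega project status meeting moved to Thursday"},
		{"bob@corp.example", "Please review the bid pricing sheet before Friday"},
		{"mum@home.example", "Running late tonight, start dinner without me"},
	} {
		c.Train(m, "ok")
	}
	for _, m := range []Message{
		{"procurement@rival.example", "Omega bid pricing sheet attached, keep this between us"},
		{"jsmith@rival.example", "Our margin on the Omega quote is 12 percent, undercut it"},
		{"jsmith@rival.example", "Customer list and pricing for Q4 attached"},
	} {
		c.Train(m, "suspect")
	}
	return c
}

func main() {
	c := TrainedModel()
	// Same body, two recipients: only the "to:" token differs, and it decides the verdict.
	for _, to := range []string{"alice@corp.example", "tenders@rival.example"} {
		fmt.Printf("%-24s -> %s\n", to, c.Classify(Message{To: to, Body: "Omega pricing attached"}))
	}
}
```

    With the same three-word body, the copy to a colleague scores "ok" and the
    copy to the competitor's domain scores "suspect", which is exactly the
    recipient signal Mark said would be hard to capture; as he also says, the
    output is a shortlist for a human (HR, not the admin) to vet, not a verdict.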

    Wimbo Guest

    The use of SSL isn't always as secure as you might think. There are
    numerous appliances and software packages available which do an SSL
    man-in-the-middle attack. Examples are WebProxy from @stake and SSL 1Box
    from Finjan.

    [QUOTE FROM FINJAN WEBSITE]
    Finjan SSL 1Box™
    This solution enables threat analysis of encrypted SSL/HTTPS traffic and
    enforces SSL certification.
    SSL 1Box™ decrypts SSL/HTTPS traffic and reveals the original data,
    allowing Internet 1Box™ or another security proxy to perform security
    analysis and defend against hidden attacks. Furthermore, the device
    maintains role based policies to allow/block access of SSL traffic carrying
    an invalid certificate. SSL 1Box™ maintains confidentiality and preserves
    user privacy.
    [/END_QUOTE]

    The only way to find out if your company has such a device is to examine
    the SSL certificate and find out who issued it.

    In companies where SSL traffic is used a lot for (actual) work (for
    banking, extranet access etc.) these devices are more and more common.
    Viruses, malware etc. received by webmail or downloaded via https websites
    are discovered and acted upon accordingly with these appliances / software
    packages.

    Wimbo
     
    Wimbo, Oct 6, 2004
    #20
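    The check Wimbo suggests, looking at who issued the certificate, as an added
    example that is not from the post and has nothing to do with the Finjan or
    @stake products it mentions. It is Go using only the standard library: it
    mints a public root CA and a corporate inspection CA, installs both in the
    workstation's trust store (the corporate one being what the IT department
    would push out so that browsers stop complaining), issues a certificate for
    the same hostname under each, and shows that both chains validate, so the
    issuer name is the only thing that gives the proxy away. The CA names and
    the hostname webmail.example are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial number for the demo CAs

// issue mints a certificate for cn. With parent == nil it is a self-signed CA;
// otherwise it is a server certificate for cn signed by parent's key.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Verdict is what a client can learn by looking at the certificate it was handed.
type Verdict struct {
	Trusted     bool   // chain validates against the machine's trust store
	Issuer      string // CN of whoever signed the server certificate
	Intercepted bool   // issuer is not the CA the site is known to use
}

// Inspect validates the chain and then applies the check from the post: look at
// who issued the certificate, not just whether it validates.
func Inspect(leaf *x509.Certificate, trust *x509.CertPool, host, knownIssuer string) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trust, DNSName: host})
	issuer := leaf.Issuer.CommonName
	return Verdict{Trusted: err == nil, Issuer: issuer, Intercepted: issuer != knownIssuer}
}

// Scenario builds a public CA and a corporate inspection CA, installs both in the
// workstation's trust store, and returns the verdicts for a direct connection and
// for one that went through the inspecting proxy. Names are assumptions.
func Scenario() (direct, proxied Verdict) {
	const host, publicCA, corpCA = "webmail.example", "Public Root CA", "Corp SSL Inspection CA"
	publicRoot, publicKey := issue(publicCA, nil, nil)
	corpRoot, corpKey := issue(corpCA, nil, nil)
	trust := x509.NewCertPool()
	trust.AddCert(publicRoot)
	trust.AddCert(corpRoot) // pushed to every desktop by IT

	realLeaf, _ := issue(host, publicRoot, publicKey) // the site's real certificate
	proxyLeaf, _ := issue(host, corpRoot, corpKey)    // re-signed on the fly by the proxy
	return Inspect(realLeaf, trust, host, publicCA), Inspect(proxyLeaf, trust, host, publicCA)
}

func main() {
	direct, proxied := Scenario()
	fmt.Printf("direct:  %+v\n", direct)
	fmt.Printf("proxied: %+v\n", proxied)
}
```

    The point is the second line of output: Trusted is true for the proxied
    chain as well, because the inspection CA sits in the trust store, so "no
    browser warning" tells you nothing. Only the issuer comparison flags it. A
    real client would remember the issuer (or the whole chain) it last saw for
    the site rather than hard-code a name, and an SSL tunnel that hides a
    proxy on the far end does not change any of this when the interception
    happens on the near side.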