30 replies to this topic

#1 Amamba

Amamba

    Neowinian

  • Joined: 10-January 10

Posted 28 February 2014 - 01:00

Just curious... if I log in to my personal Google account to check my Calendar / tasks, what exactly will my corporate IT be able to see?

 

Will it just be stuff on screen ? 

 

While I don't really have anything to hide, I don't want to give my company (or some hack working for it) access to my private info, either.

 

Here's the overall idea and reason for this question.

 

I use Google for my personal calendar, tasks and email. My company uses Outlook Exchange. I have on average 3-6 meetings a day, and over a hundred active tasks. I also have quite a busy family schedule that I am trying to balance. I am not always in one spot and my start / end times fluctuate. So it's important to be able to see my work calendar (meetings and tasks that are due today) and personal calendar on the same screen so that I can plan my day ahead. Mail, not that important.

 

I could use the company provided software to sync my personal devices to Exchange. However, the rather vague Terms I would have to accept state that they may be able not only to remotely wipe my device (something I at least understand the reason for) but also go through the personal content, like location data and apps installed - no way I am letting a company I work for have that level of control over my life.

 

Another alternative would be to set up a Google account for just the work stuff, copy my meetings there, and maintain the master task list in it. Then I could share my personal calendar with it and have one place to look at.

 

So the question is - say I set it up this way, enable two way authentication via my personal cell phone, and while at work I log into this account via browser, turn off the display of my personal calendar, and switch from my personal task list to work task list. Now I only see work related info on the browser screen. Can someone from my IT department still get to my personal data ?

 

Thanks !




#2 Dot Matrix

Dot Matrix

    Way past cool.

  • Tech Issues Solved: 2
  • Joined: 14-November 11
  • Location: Upstate New York
  • OS: Windows 8.1
  • Phone: Nokia Lumia 920

Posted 28 February 2014 - 01:06

What do you mean "see"? They can see you're accessing those sites, and they can use packet capture applications if they want, to monitor traffic.

#3 Geoffrey B.

Geoffrey B.

    LittleNeutrino

  • Tech Issues Solved: 6
  • Joined: 25-July 05
  • Location: Newark, Ohio
  • OS: Windows 8.1u1
  • Phone: Nokia Lumia 928 WP8.1

Posted 28 February 2014 - 01:09

As someone who works in Network Security I can tell you something that you probably do not want to know.

 

If you are connected to the network, regardless of whether it's your personal device or company owned, if you can see it in your browser, then if they want to, they can see it too. Does this mean they are going to see it? Probably not. But if the company is half decent at security, if it's in your browser they can see it too.



#4 OP Amamba

Amamba

    Neowinian

  • Joined: 10-January 10

Posted 28 February 2014 - 01:12

What kind of private info can they see ? I don't care if they see me accessing Google calendar. Can they see / read my appointment and task data if it's not on screen ? I assume the packets are encrypted, so even if they intercept them they can't read them ?



#5 OP Amamba

Amamba

    Neowinian

  • Joined: 10-January 10

Posted 28 February 2014 - 01:16

As someone who works in Network Security I can tell you something that you probably do not want to know.

 

If you are connected to the network, regardless of whether it's your personal device or company owned, if you can see it in your browser, then if they want to, they can see it too. Does this mean they are going to see it? Probably not. But if the company is half decent at security, if it's in your browser they can see it too.

 

I understand that. I expect they are able to monitor my work computer screen if they wanted, and I assume they know what sites I visit. That's fair.

 

Here's the scenario.

 

I have two calendars - Business and Personal. And two task lists with same name. I log into my Google account, go to Calendar, and click on the Personal to turn it off - so I no longer see it on screen. I also go to my Tasks and turn the display of Personal tasks off. So when I look on screen, all I see is Business meetings and Business tasks. I assume that all the IT can see is that - they can't use the connection to Google that I established in my browser to go through the stuff that is not on my screen, and I assume that my tablet syncing to Google via unprotected WiFi at work (guest access) sends encrypted packets. Is this true or false ?



#6 Nagisan

Nagisan

    Neowinian Senior

  • Joined: 02-June 06

Posted 28 February 2014 - 01:51

I understand that. I expect they are able to monitor my work computer screen if they wanted, and I assume they know what sites I visit. That's fair.

 

Here's the scenario.

 

I have two calendars - Business and Personal. And two task lists with same name. I log into my Google account, go to Calendar, and click on the Personal to turn it off - so I no longer see it on screen. I also go to my Tasks and turn the display of Personal tasks off. So when I look on screen, all I see is Business meetings and Business tasks. I assume that all the IT can see is that - they can't use the connection to Google that I established in my browser to go through the stuff that is not on my screen, and I assume that my tablet syncing to Google via unprotected WiFi at work (guest access) sends encrypted packets. Is this true or false ?

They could technically hijack the session (this would let them browse the site as if they were using your computer/login info) if they were competent enough and wanted to (that is, had reason to believe you were using it for nefarious means and decided to put in the effort to check it out), but I doubt they would bother wasting the time to do so unless you gave them very good reason to do so.

 

It's probably not something you need to worry about, but if it's something you need to keep as private as possible then you are safer not accessing your private Google account over their network. A large company will likely have the means to do something along these lines, but it's a wasted effort (too costly for them) unless there is good reason to do so.



#7 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 28 February 2014 - 21:58

It really depends on what the IT department has disclosed to you in your employment terms/employee handbook. Read your terms of employment and use of equipment policies.

#8 DeltaXray

DeltaXray

    Neowinian

  • Joined: 08-February 14

Posted 28 February 2014 - 22:03

They can see that you visited the website.

 

When you visit the site from your work network does it say https:// in the browser? If so, they can see nothing further.

 

If it just says http://, so it is not secure, they could see everything.

 

BUT, let me tell you, from someone who works in IT infrastructure, that even if it is unencrypted most places do not have the capability to see past what individual website address you have listed.  They just simply do not have the capability or capacity to log every packet and make sense of it.  Even if they logged every packet that went through, they just would not bother to inspect your individual traffic unless they had a specific reason (disciplinary or legal) to do so.

 

That said, generally the terms and conditions of using your corporate network give them the right to view anything that goes over their network.  Doesn't mean they actually can, but they have the right to.



#9 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 28 February 2014 - 22:10

It really depends on what they have on the system. To blindly say all they can see is what address you browsed to is ridiculous. I have installed systems that have captured every key click, every application launched, screenshots, web mail, pop mail, exchange mail, anything that you do on your computer it's captured and stored.

As I said check the disclosure you sign off on, and see what they allow. If they say anything to the effect that anything you do on their equipment is theirs, don't use their computer for anything other than work related stuff.

#10 McKay

McKay

    Grossly Incandescent.

  • Joined: 29-August 10
  • Location: 308 Negra Arroyo Lane
  • OS: Windows 8.1
  • Phone: Galaxy Note 3

Posted 28 February 2014 - 22:15

I'm not saying they will have this feature installed. But if they are packet sniffing, and it's not an https website, they can read your login details etc.



#11 watkinsx2

watkinsx2

    Neowinian

  • Joined: 11-December 01
  • Location: Hertfordshire
  • OS: Windows 7
  • Phone: HTC One/Lumia 920

Posted 28 February 2014 - 23:02

Your IT department will probably have better things to do than look at your Google calendar. If they don't then maybe they need to be replaced :p



#12 +theblazingangel

theblazingangel

    Software Engineer

  • Tech Issues Solved: 3
  • Joined: 25-March 04
  • Location: England, UK

Posted 01 March 2014 - 01:05

<snip>

 

So the question is - say I set it up this way, enable two way authentication via my personal cell phone, and while at work I log into this account via browser, turn off the display of my personal calendar, and switch from my personal task list to work task list. Now I only see work related info on the browser screen. Can someone from my IT department still get to my personal data ?

 

Thanks !

 

Yes.

 

If they've got a keylogger installed on your work computer they can capture everything you type. If they have remote monitoring capabilities, they can see what's on your screen. If they have network sniffers they can capture all network traffic including the entirety of webpage content, authentication credentials/cookies, etc.

 

HTTPS will not protect you if your company has a HTTPS proxy and a custom certificate installed on your work machine.

 

Where multi-factor authentication is concerned, i.e. where you have a randomised number to enter during authentication: If they capture your authentication credentials, including this random number you supply, the number is obviously only good for a very short period of time, hindering them from logging in as you later on. However, they can easily capture the session cookie. The session cookie is what takes over as a means of identification as you browse a website after having supplied your credentials (the cookie is given to your browser upon successful authentication; your browser sends a copy with every request for a new page from then on). With a copy of the session cookie, they are free to browse the website as if they are you, without even needing a copy of any of your authentication credentials (i.e. login, including two-factor auth, is bypassed). If and when you log out, the session is invalidated, blocking anyone else using it, however they can still impersonate you in the meantime.

The proper solution to securing your network traffic over an untrusted network is to tunnel your network traffic through an encrypted VPN connection, to a trustworthy VPN provider (preferably a VPN service under your own control, e.g. your home router/gateway). Of course the VPN solution relies upon you using a trusted device in the first place (so perfect for using your laptop with Wi-Fi at a coffee shop), which is not the case here.
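An added example, not part of the post above: one way to notice the HTTPS proxy with a custom certificate that the post describes is to compare who issued the certificate a site presents on this network against what you recorded on a network you trust. The expected issuer value, the function names and both sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl

# Assumption: issuer organisation(s) you recorded for this site from a network
# you trust (e.g. home). Illustrative value; record your own baseline.
EXPECTED_ISSUER_ORGS = {"Google Trust Services"}

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples that SSLSocket.getpeercert() returns."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def classify(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Return (verdict, issuer label) for a getpeercert()-style dict."""
    issuer = issuer_fields(cert)
    org = issuer.get("organizationName", "")
    label = "%s / %s" % (org or "?", issuer.get("commonName", "?"))
    verdict = "expected" if org in expected_orgs else "unexpected-issuer"
    return verdict, label

def check(host, port=443, timeout=5):
    """Live check: what certificate does this network present for host?"""
    ctx = ssl.create_default_context()  # validates against the machine's trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Typical on a personal device behind an intercepting proxy: the
        # proxy's CA is not in this device's trust store.
        return "untrusted-chain", exc.verify_message

# Constructed sample certificates (not captured from any real network).
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "Google Trust Services"),),
                     (("commonName", "Constructed Intermediate CA"),))}
PROXIED = {"issuer": ((("organizationName", "Example Corp IT"),),
                      (("commonName", "Example Corp Web Proxy CA"),))}

if __name__ == "__main__":
    for name, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, classify(cert))
```

On a work machine with the company's certificate installed, `check()` completes without error and reports the company's CA as issuer; an "expected" verdict says nothing about keyloggers or screen monitoring on the device itself.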



#13 primexx

primexx

    Neowinian Senior

  • Tech Issues Solved: 6
  • Joined: 24-April 05

Posted 01 March 2014 - 01:51

While it's safe to assume that any competent IT will have access to the technical capabilities to see everything (since you're on their device & network), I would also assume that the same competent people will not be employing malicious tactics, like keylogging you, as a matter of policy. If they are doing things like that - you've got a bigger problem than just what they can or cannot see.



#14 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 01 March 2014 - 01:54

You have no clue the capabilities or the requests that we get from management or how much we have to cover our asses when users do stupid things.

#15 MorganX

MorganX

    MegaZilla™

  • Tech Issues Solved: 1
  • Joined: 16-June 04
  • Location: Midwest USA
  • OS: Digita Storm Bolt, Windows 8.1 x64 Pro w/Media Center Pack, Server 2k12 - Core i7 3770K/16GB DDR3/OCZ Vector 256GB/Gigabyte GTX 760
  • Phone: HTC One 64GB

Posted 01 March 2014 - 02:36

Assume they can see anything you do using company equipment. If it's that big of an issue to you, use a personal cell phone or tablet using your cell phone carrier. Of course, if they pay for your cellular service, they can ultimately access your phone records, texts, and voicemail.




