31 posts in this topic

Just curious... if I log in to my personal Google account to check my Calendar / tasks, what exactly will my corporate IT be able to see?

 

Will it just be stuff on screen ? 

 

While I don't really have anything to hide, I don't want to give my company (or some hack working for it) access to my private info, either.

 

Here's the overall idea and reason for this question.

 

I use Google for my personal calendar, tasks and email. My company uses Outlook Exchange. I have on the average 3-6 meetings a day, and over a hundred active tasks. I also have quite a busy family schedule that I am trying to balance. I am not always in one spot and my start / end times are fluctuating. So it's important to be able to see my work calendar (meetings and tasks that are due today) and personal calendar on same screen so that I could plan my day ahead. Mail, not that important.

 

I could use the company provided software to sync my personal devices to Exchange. However, the rather vague Terms I would have to accept state that they may be able not only to remotely wipe my device (something I at least understand the reason for) but also go through the personal content, like location data and apps installed - no way I am letting a company I work for have that level of control over my life.

 

Another alternative would be to set up a Google account for just the work stuff, copy my meetings there, and maintain the master task list in it. Then I could share my personal calendar with it and have one place to look at.

 

So the question is - say I set it up this way, enable two way authentication via my personal cell phone, and while at work I log into this account via browser, turn off the display of my personal calendar, and switch from my personal task list to work task list. Now I only see work related info on the browser screen. Can someone from my IT department still get to my personal data ?

 

Thanks !

Link to post

What do you mean "see"? They can see you're accessing those sites, and they can use packet capture applications if they want, to monitor traffic.

Link to post

As someone who works in Network Security I can tell you something that you probably do not want to know.

If you are connected to the network, regardless of whether it's your personal device or company owned, if you can see it in your browser, if they want to they can see it too. Does this mean they are going to see it? Probably not. But if the company is decent at security, if it's in your browser they can see it too.

3 people like this

Link to post

What kind of private info can they see ? I don't care if they see me accessing Google calendar. Can they see / read my appointment and task data if it's not on screen ? I assume the packets are encrypted, so even if they intercept them they can't read them ?

Link to post

As someone who works in Network Security I can tell you something that you probably do not want to know.

If you are connected to the network, regardless of whether it's your personal device or company owned, if you can see it in your browser, if they want to they can see it too. Does this mean they are going to see it? Probably not. But if the company is decent at security, if it's in your browser they can see it too.

 

I understand that. I expect they are able to monitor my work computer screen if they wanted, and I assume they know what sites I visit. That's fair.

 

Here's the scenario.

 

I have two calendars - Business and Personal. And two task lists with same name. I log into my Google account, go to Calendar, and click on the Personal to turn it off - so I no longer see it on screen. I also go to my Tasks and turn the display of Personal tasks off. So when I look on screen, all I see is Business meetings and Business tasks. I assume that all the IT can see is that - they can't use the connection to Google that I established in my browser to go through the stuff that is not on my screen, and I assume that my tablet syncing to Google via unprotected WiFi at work (guest access) sends encrypted packets. Is this true or false ?

Link to post

I understand that. I expect they are able to monitor my work computer screen if they wanted, and I assume they know what sites I visit. That's fair.

 

Here's the scenario.

 

I have two calendars - Business and Personal. And two task lists with same name. I log into my Google account, go to Calendar, and click on the Personal to turn it off - so I no longer see it on screen. I also go to my Tasks and turn the display of Personal tasks off. So when I look on screen, all I see is Business meetings and Business tasks. I assume that all the IT can see is that - they can't use the connection to Google that I established in my browser to go through the stuff that is not on my screen, and I assume that my tablet syncing to Google via unprotected WiFi at work (guest access) sends encrypted packets. Is this true or false ?

They could technically hijack the session (this would let them browse the site as if they were using your computer/login info) if they were competent enough and wanted to (that is, had reason to believe you were using it for nefarious means and decided to put in the effort to check it out), but I doubt they would bother wasting the time to do so unless you gave them very good reason to do so.

It's probably not something you need to worry about, but if it's something you need to keep as private as possible then you are safer not accessing your private Google account over their network. A large company will likely have the means to do something along these lines, but it's a wasted effort (too costly for them) unless there is good reason to do so.

Link to post

It really depends on what the IT department has disclosed to you in your employment terms/employee handbook. Read your terms of employment and use of equipment policies.

Link to post

They can see that you visited the website.

 

When you visit the site from your work network does it say https:// in the browser? If so, they can see nothing further.

 

If it just says http://, so it is not secure, they could see everything.

 

BUT, let me tell you, from someone who works in IT infrastructure, that even if it is unencrypted most places do not have the capability to see past what individual website address you have listed.  They just simply do not have the capability or capacity to log every packet and make sense of it.  Even if they logged every packet that went through, they just would not bother to inspect your individual traffic unless they had a specific reason (disciplinary or legal) to do so.

 

That said, generally the terms and conditions of using your corporate network give them the right to view anything that goes over their network.  Doesn't mean they actually can, but they have the right to.

Link to post

It really depends on what they have on the system. To blindly say all they can see is what address you browsed to is ridiculous. I have installed systems that have captured every key click, every application launched, screenshots, web mail, pop mail, exchange mail, anything that you do on your computer it's captured and stored.

As I said check the disclosure you sign off on, and see what they allow. If they say anything to the effect that anything you do on their equipment is theirs, don't use their computer for anything other than work related stuff.

Link to post

I'm not saying they will have this feature installed. But if they are packet sniffing, and it's not an HTTPS website, they can read your login details etc.

Link to post

Your IT department will probably have better things to do than look at your Google calendar. If they don't then maybe they need to be replaced :P

1 person likes this

Link to post
<snip>

 

So the question is - say I set it up this way, enable two way authentication via my personal cell phone, and while at work I log into this account via browser, turn off the display of my personal calendar, and switch from my personal task list to work task list. Now I only see work related info on the browser screen. Can someone from my IT department still get to my personal data ?

 

Thanks !

 

Yes.

 

If they've got a keylogger installed on your work computer they can capture everything you type. If they have remote monitoring capabilities, they can see what's on your screen. If they have network sniffers they can capture all network traffic including the entirety of webpage content, authentication credentials/cookies, etc.

 

HTTPS will not protect you if your company has an HTTPS proxy and a custom certificate installed on your work machine.

Where multi-factor authentication is concerned, i.e. where you have a randomised number to enter during authentication: if they capture your authentication credentials, including this random number you supply, the number is obviously only good for a very short period of time, hindering them from logging in as you later on. However, they can easily capture the session cookie. The session cookie is what takes over as a means of identification as you browse a website after having supplied your credentials (the cookie is given to your browser upon successful authentication; your browser sends a copy with every request for a new page from then on). With a copy of the session cookie, they are free to browse the website as if they are you, without even needing a copy of any of your authentication credentials (i.e. login, including two-factor auth, is bypassed). If and when you log out, the session is invalidated, blocking anyone else using it; however, they can still impersonate you in the meantime.

The proper solution to securing your network traffic over an untrusted network is to tunnel your network traffic through an encrypted VPN connection, to a trustworthy VPN provider (preferably a VPN service under your own control, e.g. your home router/gateway). Of course the VPN solution relies upon you using a trusted device in the first place (so perfect for using your laptop with Wi-Fi at a coffee shop), which is not the case here.

Link to post
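An added example, not part of any post in this thread: the HTTPS proxy with a custom certificate described above still completes a normal-looking handshake, but the certificate the browser receives is signed by the company's CA rather than the site's usual public CA. This Python sketch compares the issuer against a list recorded beforehand; the expected-issuer set, the sample certificates and the function names are assumptions constructed for illustration.

```python
import socket
import ssl

# Assumption: issuer organizations recorded for the site from a network you trust.
EXPECTED_ISSUER_ORGS = {"Google Trust Services", "Google Trust Services LLC"}

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
DIRECT_CERT = {
    "subject": ((("commonName", "calendar.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services"),),
               (("commonName", "Constructed Issuing CA"),)),
}
PROXY_CERT = {
    "subject": ((("commonName", "calendar.google.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Web Proxy CA"),)),
}


def issuer_fields(cert):
    """Flatten the nested RDN tuples of the issuer into a plain dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def check_issuer(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Return (verdict, issuer label) for a parsed leaf certificate."""
    fields = issuer_fields(cert)
    org = fields.get("organizationName")
    label = f"{org or 'no organization'} / {fields.get('commonName', '?')}"
    if org in expected_orgs:
        return "expected-issuer", label
    # The handshake still validated: an installed corporate root makes the
    # proxy's certificate trusted, so only the issuer name gives it away.
    return "unexpected-issuer", label


def fetch_cert(host, port=443, timeout=5.0):
    """Live use: handshake with the system trust store, return the parsed leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, cert in (("direct", DIRECT_CERT), ("via proxy", PROXY_CERT)):
        print(name, check_issuer(cert))
```

Comparing issuers is more stable than comparing certificate fingerprints, because large sites rotate and vary their leaf certificates.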

While it's safe to assume that any competent IT will have access to the technical capabilities to see everything (since you're on their device & network), I would also assume that the same competent people will not be employing malicious tactics, like keylogging you, as a matter of policy. If they are doing things like that - you've got a bigger problem than just what they can or cannot see.

Link to post

You have no clue the capabilities or the requests that we get from management or how much we have to cover our asses when users do stupid things.

Link to post

Assume they can see anything you do using company equipment. If it's that big of an issue to you, use a personal cell phone or tablet using your cell phone carrier. Of course, if they pay for your cellular service, they can ultimately access your phone records, texts, and voicemail.

Link to post

when you are online the best thing to do is act like

everything you do is being watched

 

better to be safe than sorry

 

devobtch

Link to post
I use Google for my personal calendar, tasks and email. My company uses Outlook Exchange. I have on the average 3-6 meetings a day, and over a hundred active tasks. I also have quite a busy family schedule that I am trying to balance. I am not always in one spot and my start / end times are fluctuating. So it's important to be able to see my work calendar (meetings and tasks that are due today) and personal calendar on same screen so that I could plan my day ahead. Mail, not that important.

 

I'm in a similar situation at my job, we use Outlook and my personal schedule is littered with various appointments which fill up my week quite a bit.  I needed a way to auto-add my work calendar to my personal one for the meetings we have at work as well as various tasks assigned in the calendar.

 

I found an old copy of the Google Calendar Sync plugin on the web which allows me to sync my work schedule directly to my Google Calendar.  It also lets me do a two way sync and also a one way sync to load your Google Calendar in your work calendar.

 

By doing the one way for my work to my personal calendar, it let me see what was ahead of time w/o publishing my personal appointments to my work calendar (As it never sync'd).

 

By doing the two way - it let me sync everything work and personal so things were 'talking' to each other.  One huge caveat though is if you have multiple calendars in your Google Calendar (Say you have one for your medical appointments, workout schedule etc), the sync will only do your default calendar which is generally the non categorized calendar in your web view.  

 

By doing the one way sync from my Google Calendar to my Outlook, it syncs the default calendar, but doesn't let my work calendar into my personal one.

 

If you want your personal schedule to be added to your work calendar, then a quick and dirty way to keep your co-workers from knowing you have a "Job Interview at ACME Corp" in your personal schedule, you mark it as private, then it is not visible to anyone but you in your work calendar (Unless someone knows your login credentials). 

 

The Google Calendar Sync program was discontinued by Google in favor of their enterprise solutions, but you can still find a copy of the non-enterprise version they used to give away on the net if you look hard enough. :)

Link to post

Having worked for an over-zealous (protective?) council before, they were able to see the lot. Websites, data, key strokes, packets, everything.

 

Totally depends on the systems they have in place.

Link to post

It's best to use a pen 3G modem so you can navigate without prying eyes; even that can be null if they installed Dameware or VNC or even go as far as installing a keylogger on your corporate computer, so the best is to use your own Internet connection with your own equipment (phone, laptop, whatever).

Link to post

Depends how good your organisation is. What do they have as web filters mainly. Bloxx or Websense maybe? 

Link to post

Personally I have no issues at work, even accessing my online bank details.  I trust them not to bother with it as it would get them into more trouble (as we have a data security policy) - If you must look at personal data, you must have a reason for it.

 

Many people put personal stuff in their calendar in my work and mark it private.  As long as you're trusted (which all employees should be otherwise you're in the wrong job), then you can justify the reasons rather than trying to work around them.

1 person likes this

Link to post

Ok, let me be more clear.

I don't browse porn sites, or have monthly job interviews - I am ok with the job I have. However, I don't like the idea of opening up any aspects of my private life to the company as an entity, but even more so to the individuals. Some of our IT people look like they could use a year off and a lot of antidepressants.

At work, if I need to browse some sites, or quickly check my bank balance, I use a personal tablet connected to guest wifi that company provides for suppliers. I assume they can see what sites the device loads, and maybe can even guess whom that device belongs to, but they can't actually read the encrypted communication between my mail or bank account.

Link to post

Ok, let me be more clear.

I don't browse porn sites, or have monthly job interviews - I am ok with the job I have. However, I don't like the idea of opening up any aspects of my private life to the company as an entity, but even more so to the individuals. Some of our IT people look like they could use a year off and a lot of antidepressants.

At work, if I need to browse some sites, or quickly check my bank balance, I use a personal tablet connected to guest wifi that company provides for suppliers. I assume they can see what sites the device loads, and maybe can even guess whom that device belongs to, but they can't actually read the encrypted communication between my mail or bank account.

 

If you are using a personal device, where they have not installed a custom company-created root certificate, then your HTTPS connections are safe.

 

Some HTTPS pages load resources from non-HTTPS-protected links, which can be risky (imagine JavaScript code retrieved via HTTP which a third party such as your company's proxy could intercept and replace with a malicious copy of the file modified to spy on you). I doubt your IT staff are going to bother doing such a thing though, and it's only on the odd site that doesn't load all resources via HTTPS. Your browser may warn you about this (e.g. warning exclamation in the left side of the address bar in Firefox).

Link to post
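An added example, not part of any post in this thread: the mixed-content risk described above can be checked for by listing the subresources an HTTPS page pulls in over plain HTTP. The sketch below parses saved page HTML and separates loads that can run code in the page (scripts, frames, stylesheets) from display-only media; the sample page and all hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute carrying the URL, per tag. "Active" loads can run code in or
# restyle the page; "passive" loads only display media.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page, assumed to be served from an https:// address.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="http://calendar.example.test/">
<script src="http://cdn.example.test/widget.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<a href="http://other.example.test/">plain link, not a subresource</a>
</body></html>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            severity, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            severity, attr = "passive", PASSIVE[tag]
        else:
            return
        # <link> only fetches a subresource for stylesheets; skip canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        ref = attrs.get(attr)
        if not ref:
            return
        url = urljoin(self.page_url, ref)  # resolves relative and //host forms
        if urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))


def find_mixed_content(page_url, html):
    """List http:// subresources referenced by a page served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for finding in find_mixed_content("https://calendar.example.test/day", SAMPLE_HTML):
        print(finding)
```

Current mainstream browsers block the active category by default, which is why the risk is limited to the odd site and older clients.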

Ok, let me be more clear.

I don't browse porn sites, or have monthly job interviews - I am ok with the job I have. However, I don't like the idea of opening up any aspects of my private life to the company as an entity, but even more so to the individuals. Some of our IT people look like they could use a year off and a lot of antidepressants.

At work, if I need to browse some sites, or quickly check my bank balance, I use a personal tablet connected to guest wifi that company provides for suppliers. I assume they can see what sites the device loads, and maybe can even guess whom that device belongs to, but they can't actually read the encrypted communication between my mail or bank account.

Ok, let me be more clear: if you don't want them to know, don't use company equipment, because they have the ability to see everything.  Currently what I have in place only shows where you are at; I could easily put in place something that shows screen shots as well or something that captures your web mail or something that captures the applications you run and what you do in those applications or everything above.  Bottom line, you don't want them to know don't put it on their equipment even if it is on their network (attaching any BYOD to their network, including iPhones, iPads, and any other smart device).  We have ways to see everything if pushed enough by management (we could care less otherwise), we wouldn't be a very good IT group if we couldn't.

Link to post

Depending on the setup.. See all the websites you've been to, how long, how much bandwidth you used.. pretty much can see any network application run, such as Remote Desktop to uTorrent. Some places have VNC installed, they could just pop in any second and see your screen and you would never know they are even in it.. If they have a Mobile Device Management, they can see your call log, text, current location, how fast you are driving.. Just depending on how much they have put in place..
