
I apologize for the lengthy questions and my lack of knowledge on this issue. I work from home using my own computer and connect to a remote server. I know my employer monitors my work when connected to the server. My concern is if anyone from our IT dept could gain access to my home computer files. Several IT people have come and gone over the last few months and my one credit card had a fraudulent charge on it. It was caught quickly. But still worries me if other accounts are now vulnerable.

So my questions are:

    1. Is my work able to see my Word documents, pictures, or internet pages while I'm connected to the remote server, if I were to have them open on my personal desktop and not through the remote server?
    2. Are they able to hear me or see me while I'm connected? I cover the camera part because I have kids and the camera scares me. But I'm also concerned about whether they can hear me, since I do talk to my kids in the morning while they get ready for school. Like you'd talk to another coworker walking by. They know not to interrupt me. (I also may talk to my dog or sing here and there....) lol
    3. A lady from work uses her cellular data at work when she texts/iMessages because she said if using the company's wifi they can see exactly what she's saying. True? How about with my remote connection?
    4. I'm thinking of getting a separate computer just for work, but am afraid that my current computer is still accessible to them even when not connected to the remote server... Maybe through my internet connection? It's the one that has all my stuff on it.
    5. Is there any program I can look for that will detect any spying on my home computer? They use LogMeIn when connected to the remote server.

Thank you in advance to anyone who takes the time to read this and answer any of the questions or give advice. THANK YOU!!

HashHazard
Sunnygus
  • Welcome to Information Security. Regarding your question about product recommendations, that is off topic here. Please read our information here: http://security.stackexchange.com/tour – HashHazard Sep 08 '16 at 18:01
  • 1:no. 2:no. 3:she's particularly wrong (sms and imessage both safe). 4:no. 5:sniffers – dandavis Sep 08 '16 at 19:38

1 Answer


You left out a very important detail: how you connect to your employer's computer system to do your work. I believe you are using LogMeIn, but if not, that would change the answers.

If you are only connecting to a remote desktop (using a product like LogMeIn, Microsoft Terminal Services, RDP, VNC, or Citrix), then no, your employer cannot see into your computer. Based on your description, I believe this to be the case so you should be well insulated from them. Depending on the remote desktop product, they may or may not have access to your camera and microphone, but usually those are under your control. (These devices are commonly made available so you can run your company's IM software like Skype.) If in doubt, leave your camera covered.

The fact that your credit card number was stolen is purely coincidence; the number and extent of retail and hotel data breaches in the past three years is astounding, and fraud has impacted the vast majority of cardholders. People have either been wrongly charged, or their cards were among those stolen and the bank sent a replacement before the old card expired.

So to list the answers:

  1. No, you're safe.
  2. Yes, but only in a way you would know. In the US, it would be illegal to audio monitor you without notifying you of the monitoring (although video monitoring may be legal!) But you should probably check your work contract or employment policy to make sure you haven't agreed to audio monitoring as a condition of employment.
  3. At home, this is not true and your personal browser is not subject to company monitoring. (The browser on your LogMeIn desktop is subject to monitoring, of course.) At work, this is partly true; if your coworker's iPhone uses the company WiFi, their WiFi data passes through the company network and is likely subject to logging or monitoring. The reason I say it's partly true is that the company can monitor all unencrypted traffic, but not the contents of encrypted traffic, such as iMessages. The logs can reveal that the iPhone sent data to a server at Apple that is known to handle iMessages, but they have no way of knowing to whom it was sent or what it contained. But see the cautionary note below: **
  4. No. If you have a work computer on your home network, the only way they could get to your home computer without your explicit permission would be to hack it, which would violate the Computer Fraud And Abuse Act of 1984. That's a federal crime.
  5. Most anti-virus software is useless when it comes to commercial spyware that you're thinking of. But product recommendations are off topic for this site.

If you are not using LogMeIn, and you are connecting to a VPN tunnel at your work, so your personal computer is actually joined to their network, then the answer is different. They then have access that is not blocked by any firewall in your home; only your Windows Firewall would prevent them from viewing your machine. Also, in this case, any traffic from your desktop applications to the internet would pass through their network, where it would be subject to inspection and interception.

** If your employer gave you a Trusted Root certificate to install, they will have the ability to view the contents of your secure https connections. (On the iPhone installing root certificates is done by installing a "profile"; this may be done under the guise of installing some work-provided required "security software", like AirWatch.) The root certificate would allow them to operate a transparent https proxy (like Blue Coat); these proxies work by dynamically generating certificates that your new root certificate happily authenticates, allowing their proxy to inspect your traffic. This is normally detectable by viewing the certificate details in your browser; but viewing certificates is not possible on the iPhone version of Safari.

Trusted Root attacks like this can be thwarted if an application performs "certificate pinning", but browsers can't do pinning, and very few apps take this step when connecting to their home servers.

John Deters
  • Doesn't this also miss the completely malicious idea that an employer could just gain remote access of the workstation that it owns and more or less hijack the nested remote session? – zero298 Sep 09 '16 at 01:55
  • @zero298, that's highly illegal and the employer would then be guilty of hacking. It also presumes the employer has someone with the technical hacking ability to break out of the remote desktop app. – John Deters Sep 09 '16 at 02:30
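The certificate check the answer describes (looking at who issued the certificate you were actually served) can be scripted; the following is an added example, not part of the original answer or comments. It compares a served certificate against a fingerprint and issuer recorded earlier on a network you trust. The function names, the pin values and the "Example ..." issuer names are hypothetical, and the sample certificates are constructed placeholder bytes.

```python
import hashlib
import socket
import ssl


def fetch_cert(host, port=443, timeout=5):
    """Return (parsed cert dict, DER bytes) for the leaf the server presents.
    Validation uses the OS trust store, so a proxy whose root is installed
    there passes silently; that is why the result is compared to a pin."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def issuer_fields(cert):
    """Flatten getpeercert()'s nested issuer tuples into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def assess(cert, der, pinned_sha256, pinned_issuer_org):
    """Compare what was presented with values recorded on a trusted network."""
    if hashlib.sha256(der).hexdigest() == pinned_sha256:
        return "match"
    if issuer_fields(cert).get("organizationName") != pinned_issuer_org:
        return "issuer-changed"      # consistent with an inspecting proxy
    return "reissued-same-ca"        # ordinary renewal; refresh the pin


# Constructed sample data: placeholder bytes stand in for DER certificates.
GENUINE_DER = b"constructed-der-genuine-leaf"
PROXY_DER = b"constructed-der-proxy-minted-leaf"
RENEWED_DER = b"constructed-der-renewed-leaf"
GENUINE = {"issuer": ((("countryName", "US"),),
                      (("organizationName", "Example Public CA"),),
                      (("commonName", "Example Public CA R1"),))}
PROXY = {"issuer": ((("organizationName", "Example Corp IT"),),
                    (("commonName", "Example Corp Inspection Root"),))}
PIN = hashlib.sha256(GENUINE_DER).hexdigest()
PIN_ORG = "Example Public CA"

if __name__ == "__main__":
    for label, cert, der in [("home network", GENUINE, GENUINE_DER),
                             ("via proxy", PROXY, PROXY_DER),
                             ("after renewal", GENUINE, RENEWED_DER)]:
        print(label, "->", assess(cert, der, PIN, PIN_ORG))
```

To use it against a live site, record the pin with `fetch_cert` from a connection you trust, then pass later `fetch_cert` results to `assess`.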