8

Two closely related questions:

1) My boss said it's ok for us to go on our personal email during our breaks. If I do this, can the company steal any information beyond what is viewable on the screen? Does this mean as long as I don't send or view any private/confidential emails this should be ok? Since Gmail uses an encrypted connection, does this mean someone monitoring the network can get my password?

2) The computers at work reset all the settings on each log out. I found it hugely beneficial to log in to Chrome with my Gmail Account. This is so tabs, bookmarks and history are saved. What security precautions should I follow considering someone else could potentially use the same computer (though not logged into my Windows account)? Should I log out of Chrome after each use or should I change some settings to not sync specific things?

I have 2 factor authentication enabled.

JohnD
  • Is it your computer or the company's computer? If company's, they can install software to intercept everything – Neil McGuigan May 25 '17 at 18:53
  • @NeilMcGuigan what is the name of such software and how likely is it they actually will? – JohnD May 26 '17 at 08:31
  • Charles Proxy on the network and their own SSL cert on your computer – Neil McGuigan May 26 '17 at 15:50
  • I would use my phone or Tor, if you can install software on your computer – Andy K May 27 '17 at 05:48
  • Possible duplicate of [Is there any way for my ISP or LAN admin to learn my Gmail address as a result of me logging into Gmail's web interface through via their network?](https://security.stackexchange.com/questions/61056/is-there-any-way-for-my-isp-or-lan-admin-to-learn-my-gmail-address-as-a-result-o) –  Mar 10 '18 at 08:30

4 Answers

6

You can monitor anything in a network you control. So that means private webmail can be monitored by your employer.

Legally (US) they are allowed to do so when using company equipment or resources.

Monitoring is usually done on traffic, so all info on every page you load is susceptible to interception. This does require specific software and quite a lot of time, so is only done by larger companies, or in cases where a specific employee is suspect.

So stay on the safe side and don't use private mail if you have a reason to believe your employer is interested in you in ways you don't like. Use your phone (not via WiFi).

Arvid
  • Isn't this wrong as the connection is encrypted? – JohnD May 25 '17 at 21:20
  • Encrypted, yes. But we don't know the specifics of OP's situation. Company *may* have installed their own CA root cert in all company machines' trustStores, in which case they could invisibly, and legally MitM all traffic outbound from their network. – JesseM May 25 '17 at 21:54
  • @JesseM don't modern browsers warn when a certificate can't be trusted? – JohnD May 26 '17 at 08:32
  • @JohnD Sure they do, but in this case, it *is* trusted. Company makes their own CA, and adds that CA root cert to company-issued computers' trustStore. Then company proxy mints their own interception cert for splat.google.com. If a real CA did that in the wild, it would be noticed (this has happened) but *within* the company, the only way to notice it would be something like Chrome doing certificate pinning against a known google cert. Point being, within a company's own DNS, they *could* forge certs for anything they wanted with their own CA cert installed in company browsers. – JesseM May 26 '17 at 17:32
  • @JesseM how do I verify the company has not installed their own CA in replacement of the default? – JohnD May 28 '17 at 06:26
  • @johnd you would have to look through your browser and system's "trustStore" which will vary based on OS and browser. You will want to review the "root CA certs" and look for one named by your company – JesseM May 30 '17 at 00:13
1

Always assume your traffic is being monitored if:

  • You don't own the computer/device you are using;
  • You are not the administrator of the network you're connected to.

Answer 1: Usually you should assume that everything you do at your workplace is being monitored. Maybe it's not really happening, but let's assume the worst.
It's not that hard to read unencrypted traffic on every network. If you own neither your machine nor the network you're connected to, your employer could be effectively reading even the HTTPS encrypted traffic.
It's easy for a network administrator that has access to your machine/account (does he?) to set up a "fake" certificate on it and perform a MITM (Man-in-the-Middle) attack. This means that, for example, when you visit gmail.com and you type in your password, this will be sent to your network administrator first, and then he will send it to gmail.com. So every web page or data sent/received through the page can effectively be stolen.

Just to clarify:

Since Gmail uses an encrypted connection, does this mean someone monitoring the network can get my password?

The encrypted connection is not related to your password! The encryption when you visit a web page (or you send data through it) is managed via certificates. Your password "only" protects the access to your account.

Answer 2: Given the answer to question 1 and the fact that the computer resets after each logout, I think that, assuming all info gets destroyed on logout, you don't have to do anything else. Just in case, check your User folder to see if some Chrome files don't get deleted on logout. The path should be something like C:\Users\YOUR_NAME\AppData\Local\Google\Chrome\User Data

Vereos
  • Most companies now (especially larger ones) make a statement that you cannot expect privacy and the computing environment is the property of the company. At my work, that is displayed at login. – baldPrussian Dec 02 '17 at 18:25
1

The biggest concern here is that you are likely using a work-issued computer, whose software was installed by your IT department. Since they are able to install anything they want on your work-issued computer, they can install what amounts to spyware on it. If you cannot trust your work-issued computer to be secure, then you cannot rely on any of its security features to guard you against your employer.

For example:

Since Gmail uses an encrypted connection, does this mean someone monitoring the network can get my password?

That is only true if you can trust your work computer. If you have an adversary that can modify your computer's configuration—like your employer can—they can intercept your encrypted GMail traffic. There are in fact commercial products that are designed to allow businesses to inspect their employees' encrypted connections. Most of these work by using a combination of two components:

  1. Installing a transparent proxy on the company's outbound network connections that intercepts all outbound traffic and acts like a "man in the middle" for all connections.
  2. Configuring the employees' work computers to trust the proxy unconditionally for all encrypted connections (by installing what's called a root certificate). This means that the employee's computer will allow the proxy to impersonate the remote site.

Similar techniques are also used by some adware vendors, most notably the infamous Superfish adware that Lenovo preinstalled on its laptops some years back.

So before you get to questions about whether to log out of Chrome and such, you have to decide whether to trust your employer's computer in the first place. Frankly, with the spread of smartphones in the past decade, I just don't bother anymore—I just read my personal mail on my personal phone.

Luis Casillas
0

1) Yes, the company could be monitoring everything you type / view / send on a company-based computer. Importantly, it may be done by the company to protect themselves, not to harm you --

My company uses firewalls that "Man-In-The-Middle" all inbound / outbound connections - meaning that the firewall decrypts all encrypted traffic, inspects it, then re-encrypts it so it still looks encrypted to the end-user. We don't do this because we Infosec folks are evil, but because we want to know if people are sending out secure documents over webmail, or accidentally downloading viruses or other malware. We also block access to lots of sites and domains (including advertisements) to reduce the number of infections we get on user systems.

If you're looking at sensitive things you don't want your employer to know about (personal, healthcare, employment, etc), use a phone or tablet and your cellular data plan to keep it secure.

2) If the computer is set up to wipe out settings between every use, you should be relatively safe in using the computer to login, use your bookmarks, and then have everything cleaned up at logout -- but a malicious administrator could be collecting your info while the system claims to be cleaning up, or someone could attach a hardware 'keylogger' that would collect key strokes from the computer.

You should add "Google 2 Factor Authentication" to your Gmail account. This simply means when you log in, you give your password, and a PIN code that is sent to your phone at login time. It makes breaking into your account much harder, even if someone has grabbed your password, because they need the code generated on your phone to log in.

claidheamh
  • How can you verify if the company firewall is doing "Man In The Middle"? – JohnD May 26 '17 at 08:33
  • You need to look at the Security Certificate for the website that you're viewing - here's a pretty concise example of how to look it up in Chrome (on Windows or Mac): https://www.ssl2buy.com/wiki/how-to-view-ssl-certificate-details-on-chrome-56 Once you're viewing the Cert, look at who the LAST cert (the lowest in the list) is registered to - if the cert is registered to the site you're viewing (*.google.com for instance), your connection is secure to the site. If the cert is owned by YOUR company, then they are probably inspecting your traffic through a 'Man-in-the-Middle' – claidheamh May 29 '17 at 12:36
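The two manual checks suggested in the comments (compare the issuer of the certificate a site presents with who should have issued it, and look through the trust store for a root named after your employer) as an added Python example using only the standard library; it is not code from any of the answers. The `EXPECTED_ISSUERS` entries and `INTERCEPTED_SAMPLE` are constructed illustrations, and `EXPECTED_ISSUERS` stands in for issuers you recorded yourself from a network you control, such as your phone.

```python
import socket
import ssl

# Assumption: issuer orgs you recorded for a site from a network you control.
EXPECTED_ISSUERS = {"mail.google.com": {"Google Trust Services LLC"}}


def rdn_to_dict(name):
    """Flatten getpeercert()'s nested ((('key', 'value'),), ...) name tuples."""
    out = {}
    for rdn in name:
        for key, value in rdn:
            out.setdefault(key, value)
    return out


def classify_cert(host, cert, expected=EXPECTED_ISSUERS):
    """(verdict, issuer_org): 'ok' if the leaf cert's issuer is one recorded for
    host, 'intercepted' if some other CA issued it, 'unknown-host' if none recorded."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName") or issuer.get("commonName", "")
    if host not in expected:
        return "unknown-host", org
    return ("ok" if org in expected[host] else "intercepted"), org


def check_host(host, port=443, timeout=5):
    """Fetch the live leaf cert and classify it. The default context validates the
    chain, so a corporate root in the OS store lets a proxy's cert pass validation;
    that is why the issuer has to be compared explicitly."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_cert(host, tls.getpeercert())


def find_roots(keyword, certs=None):
    """Subjects of trusted root CAs mentioning keyword (e.g. your employer's name);
    certs defaults to the roots this system's OpenSSL/OS store trusts."""
    if certs is None:
        certs = ssl.create_default_context().get_ca_certs()
    hits = []
    for cert in certs:
        text = " ".join(rdn_to_dict(cert.get("subject", ())).values())
        if keyword.lower() in text.lower():
            hits.append(text)
    return hits


# Constructed sample of an interception proxy's leaf cert for Gmail (made-up values).
INTERCEPTED_SAMPLE = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp SSL Inspection CA"),)),
}
```

`find_roots` only sees roots Python's OpenSSL has actually loaded (a capath-only setup may report none), and browsers such as Firefox keep their own store, so check those separately.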