0

I work at a large company that requires employees to sign a digital certification saying that we recognize the right of the said company to monitor all data and communication on our work laptops, and that anything we do on the computer should have no expectation of privacy.

What I wonder is, as far as standard enterprise IT security software goes, how omnipotent and omniscient is the IT department likely to be in monitoring user data?

Two specific questions:

  1. I store all my login passwords (everything in life) in an Excel spreadsheet, and password-protect this spreadsheet. I understand that my company will have access to a copy of this spreadsheet since it's on my computer. But how likely is it that they can access its contents, perhaps using a keylogger to get the password for the spreadsheet, or screen capturing when I have the spreadsheet open with all the passwords shown?

  2. I use my Gmail at work. It's HTTPS-enabled. Is IT likely able to see all the emails I send and receive, even though it's through HTTPS?

Again, I believe our company uses a standard enterprise security tool, so wanted to see if anyone knowledgeable can shed insight on how much of my personal data can be freely accessed by the IT department.

Thank you.

  • Thanks Rory for your answer. Wanted to add a bit more info: I'm in the U.S. and the software our company uses is "Check Point Endpoint Security". Any insight into whether this is robust like the Blue Coat you mentioned, capable of intercepting Excel passwords and looking within SSL? I'm not under investigation nor would I do anything that would place me under investigation, but I was curious if admins have passive access to passwords and emails, meaning that if there is no active investigation it's likely that they can just pull up on a server my emails from a week ago or my Excel password. Thanks again. – user2847768 Feb 12 '14 at 21:28
  • In addition to @Rory's answer, it is possible to see if they are intercepting your SSL connections by checking against the server certificate's known fingerprint, which is a service [offered here](https://www.grc.com/fingerprints.htm). If they're different, then your SSL connection is being intercepted, with perhaps deep packet inspection/logging. And, as always, if the computer belongs to someone else, don't trust it. – Rubber Duck Feb 12 '14 at 21:37
  • Rubber Duck, very interesting link you sent. Just checked Gmail and the fingerprint appears identical, so it seems like I may be safe on the SSL side of things. But of course if keyloggers and screen capture are enabled by Check Point Endpoint then all is moot. I can't imagine our IT department blindly recording everyone in the company though, so maybe there is safety in numbers. – user2847768 Feb 12 '14 at 22:02

2 Answers

4

Ultimately if you are using a computer controlled by someone other than you (in this case your employer) they can get access to anything you process on that computer, including e-mails, passwords and pretty much anything else.

Whether they do or not is a different question. Depending on your location there may be legislation limiting what they can legally do (e.g. the Data Protection Act and Regulation of Investigatory Powers Act in the United Kingdom).

Generally speaking I would say it would be unusual for a company to put key-stroke logging on their staff machines, unless perhaps that staff member is under investigation for something, and even then the legality of that could be dubious.

On the Internet interception, it's possible (e.g. using something like Blue Coat) for them to see inside SSL connections, but that doesn't mean they're looking at the content of your mails for anything other than malware...

I'd say that if you're not sure that you trust them to have this access the best option would be to only make use of your own computing devices for your personal activities.

Rory McCune
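Rubber Duck's comment on the question and Rory's point about SSL interception both come down to the same check: the certificate your browser actually receives is either the site's own or one minted by an interception proxy. The script below, added here as an illustration and not part of any answer on this page, fetches the leaf certificate a server presents and compares its fingerprint against a reference value obtained out of band (for example from the GRC page linked in the comments, viewed from a network you control). The `EXAMPLE_PINNED_SHA1` value is a constructed placeholder, not Gmail's real fingerprint, and `mail.google.com` is only an example host.

```python
import hashlib
import socket
import ssl

# Constructed placeholder: this is NOT Gmail's real fingerprint. A real pin must
# come from an out-of-band source (e.g. the GRC fingerprint page linked above,
# checked from a network that you control), never from the monitored machine.
EXAMPLE_PINNED_SHA1 = "DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09"


def fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of a DER-encoded certificate.

    This is the value browsers and the GRC page display as the certificate's
    'fingerprint' or 'thumbprint' (SHA-1 in 2014-era tools, SHA-256 today).
    """
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so values copied from different tools compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(observed: str, expected: str) -> bool:
    return normalize(observed) == normalize(expected)


def fetch_der_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate this client is actually handed.

    Validation is deliberately disabled: on a managed laptop the proxy's CA is
    usually installed in the trust store, so validation would *succeed* and tell
    us nothing. We only inspect the certificate; no application data is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_for_interception(der_cert: bytes, pinned: str, algorithm: str = "sha256") -> dict:
    """Compare the presented certificate with the out-of-band reference fingerprint."""
    observed = fingerprint(der_cert, algorithm)
    match = fingerprints_match(observed, pinned)
    verdict = ("fingerprint matches reference" if match else
               "MISMATCH: connection may be intercepted (or the site rotated its certificate)")
    return {"observed": observed, "expected": pinned, "match": match, "verdict": verdict}


if __name__ == "__main__":
    # Live usage (network required); replace the pin with a value obtained out of band.
    der = fetch_der_certificate("mail.google.com")
    print(check_for_interception(der, EXAMPLE_PINNED_SHA1, "sha1"))
```

A mismatch is a signal, not proof: large sites rotate certificates and serve different ones from different front ends, so confirm the reference value from more than one outside vantage point before concluding the connection is being inspected. A match, on the other hand, is strong evidence that this particular TLS session was not terminated by a proxy, which is exactly what the comment thread above observed.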
-1
  1. MS password protection is easily broken. Don't trust it. Use a real encryption method.
  2. The corp IT can easily perform man-in-the-middle attacks on SSL, thereby reading everything you send on the corporate networks.

Keep work stuff on work assets (hardware, software, networks,...) and keep personal stuff on personal assets.

It is really that simple.

swolford
  • Sorry, I think you're out of date on Office-based encryption. Modern versions of Office use AES-256 and AFAIK there's no known weakness apart from where a user makes use of a weak password. – Rory McCune Feb 12 '14 at 21:00
  • Rory, the encryption algorithm may be modern but it doesn't matter when there are many apps out there that can recover the password. I stand by my claim that using password protection from MS is not a safe way to protect a document. – swolford Feb 14 '14 at 13:42
  • But they just do brute force. Any AES implementation can be brute-forced in exactly the same way. If I set a 32-character random password on an Excel spreadsheet there's no way it's getting broken in a hurry. You can rail against using AES if you like but railing against the implementation doesn't make much sense unless there's a known weakness. – Rory McCune Feb 14 '14 at 14:23
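The disagreement in the comments above is really about where the brute force is applied: the recovery tools swolford mentions guess the password, not the AES-256 key, so the strength of a protected spreadsheet is the entropy of its password. The following script, added here as an illustration and not code from either answer, puts numbers on Rory's "32-character random password" example and generates one with a CSPRNG. The guess rate is a constructed assumption; real rates depend on the Office version's key derivation and on the attacker's hardware, neither of which the page specifies, so treat the years as relative, not absolute.

```python
import math
import secrets
import string

# Constructed assumption for illustration: password guesses per second against
# a key-stretched document. Real figures vary widely; only the ratios matter here.
ASSUMED_GUESSES_PER_SECOND = 10_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# 94 printable ASCII characters: letters, digits and punctuation.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(alphabet_size: int, length: int,
                            guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly random password: half the keyspace on average."""
    expected_guesses = keyspace(alphabet_size, length) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def aes256_key_search_years(keys_per_second: float = 1e12) -> float:
    """Expected time to find a 256-bit key directly, to show why attackers target
    the password instead of the cipher (assumed rate: one trillion keys/second)."""
    return (2 ** 255) / keys_per_second / SECONDS_PER_YEAR


def generate_password(length: int = 32, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG; this is the kind of
    password for which Rory's 'not broken in a hurry' claim holds."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Entropy and expected crack time for a few password shapes."""
    policies = {
        "6 lowercase letters": (26, 6),
        "8 mixed case + digits": (62, 8),
        "12 printable ASCII": (94, 12),
        "32 printable ASCII (Rory's example)": (94, 32),
    }
    return {
        name: {
            "bits": round(entropy_bits(alpha, n), 1),
            "years": expected_years_to_crack(alpha, n, guesses_per_second),
        }
        for name, (alpha, n) in policies.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:38s} {result['bits']:6.1f} bits  ~{result['years']:.3g} years")
    print(f"direct AES-256 key search: ~{aes256_key_search_years():.3g} years")
    print("example random password:", generate_password())
```

The numbers make both commenters' points visible at once: a short or dictionary-like password falls in minutes regardless of which cipher wraps the file, while a long random one is out of reach even if the guess rate is raised by many orders of magnitude. The practical caveat is the one the original question raises: a keylogger or screen capture on the same machine sidesteps the arithmetic entirely.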