How can I protect my computer from my potentially malicious colleagues?

Question

So, I work in this small company (10 people) where we do stuff in programming, for various platforms. I started recently working there (2 months) right after I graduated. My work is not exactly programming related, but I have enough knowledge to do some intermediate level programming like writing scripts in bash (I use Linux and Mac), writing simple programs and compile them and so on, but my comprehension of network and security topics is limited.

Some of my workmates, on the opposite, are more experienced programmers, computer science graduated, with deeper knowledge in network systems, web applications and programming. The work environment is very casual and friendly, we occasionaly meet after work to have a drink.

In the workplace, we all share the same LAN network, we recurrently use programs for remote desktop control and file transfer. We also host applications accessible via webservices. All our computers are login-protected and theoretically no one knows each other passwords.

Besides that, personally I use my computer for non-work related subjects: I access my personal email, chat with friends, access homebanking and social networks, edit personal documents which I save in the computer's hard drive.

Recently, I noticed that some of my colleagues sporadically arrive earlier at work (only one at a time) for no particular reason... As we work in small rooms, their excuse is that they can concentrate better earlier in the morning with less noise. Furthermore, I also noticed that some of them once in a blue moon bring their personal laptop to do some work related stuff. (I am not sure of the relevance of these behaviour to the question itself, I am just giving you the facts.)

This is very hard to put, but is there anyway that my colleagues can access my computer information and my personal files? Or is there some method they can use to discover my personal passwords?

I am speculating, of course, unfortunately I hope this doesn't happen, but I have no way of discovering it, and surely the right to question it.

As the above questions may seem too general, I will also leave this one for you:

Is there any way to find out if some one logged into my computer, by accessing some logs or any other info? I will take all your inputs, remember I use Linux and Mac.

Answer 1

Yes. Your colleagues, if they really wanted, could probably access your computer, your personal files, your passwords, your banking account, etc. That's just the way of it.

There are any number of ways they could do this, if they wanted to be dishonest and malicious. One simple way would be to install a keylogger (or other spyware) on your machine at some point when no one else is around. Another way would be to boot up your computer (possibly with a Linux LiveCD, to bypass any password protections) and look at all files stored on your computer, including passwords saved by your browser, etc. Password protections on your accounts will basically keep honest people honest, but won't stop dishonest co-workers.

In general, it is hard to protect yourself against a knowledgeable attacker when the attacker has (1) physical access to your machine, and (2) authorized access to your local network. You cannot prevent it. And, you cannot reasonably detect it; there is no way you'd reasonably be able to reliably detect tampering by looking in the log files. (I mean, it might be possible, but it's way too hard and complicated, and life is much too short.)

Generally, this is primarily a social problem, not a technical problem. There are any number of ways that your co-workers or roommates could mess with you. Fortunately, the overwhelming majority of people are generally honest (or at least, like to think of themselves as honest), especially if you avoid giving them an overwhelming motivation to screw with you. So I would not spend too much time worrying about the technical issues. Just avoid putting anything too sensitive on your work machine, and get on with your life.

In other words, here is my recommendation: Don't use your work machine for highly sensitive personal stuff like online banking, porn, or highly sensitive things you wouldn't want your employer to know (e.g., side consulting jobs, controversial activities in your free time, etc.). Apart from the security risks, you are giving your employer authorized access to all of that information. Do you really want your employer to have access? And do you want all that information stored in the company's backups? It's probably not a great idea. And, don't piss off your co-workers so badly that they'd be tempted to engage in nasty kinds of revenge (always good advice, regardless of computer security issues).

Personally, I wouldn't worry too much about the computer security risks. On the other hand, if this has you worried and you want to protect yourself against some kinds of mischief, here are a few modest steps you could consider taking:

1. install full-disk encryption, and use a hard-to-guess passphrase -- this will make it harder for someone who has physical access to your machine to get at your personal files.
2. when you leave your machine unattended, log out of the full-disk encryption, and re-type in your password when you come back
3. make sure the user account you usually use does not have administrator privileges
4. turn on automatic updates and make sure your browser is fully updated
5. back up your machine regularly
6. if you use Firefox, install the HTTPS Everywhere extension (unfortunately it isn't available for other browsers).

These are far, far, far from perfect, and if a co-worker wanted to mess with you, they probably still could. But if it makes you feel more comfortable, go for it.

Answer 2

is there anyway that my colleagues can access my computer information and my personal files?

Many ways. From just looking over your sholder when you are not paying attention to installing a hardware key logger to intercepting your network traffic. Someone there probably has administrative access to your machine. Whoever has administrative access can really see everything you do without doing anything malicious.

Or is there some method they can use to discover my personal passwords?

Again many different ways from trivial to sophisticated. Installing a hardware key logger, a software key logger, software monitoring program on your machine, sniffing network traffic, setting up a webserver to impersonate a website you frequently use, and just plain old asking.

'I can upgrade your system but I need your password.'

I have no way of discovering it, and surely the right to question it.

Well, there are lots of ways of discovering if someone is doing malicious things. It always pays to be cautious, but unless you have much clearer evidence that one of your coworkers is malevolent, I would be prudent but not excessivly so.

Defensive measures span from physical tamper seals and video monitoring to logging and auditing to network monitoring. The easiest measure you can take are things like:

• Don't type in a password or username when someone is in visible range.
• Put a rearview mirror on your display.
• Use encrypted communications when possible (https instead of http).
• Keep your data on a personal encrypted USB thumb drive.
• Configure the existing logging and monitoring system to detect logins and security critical functions, and review the logs.
• Be nice to your coworkers.

Resources:

• The NSA publishes hardening tips for Mac OS X and Linux (Red Hat)
• University of Illinois at Urbana-Champaign has a Mac OS X Security Checklist
• Mit has a page on Mac OS X - Security Recommendations
• IBM has a nice page on Linux logging

Note: I have no association with ThinkGeek, except for occasionally purchasing stuff from them.

Answer 3

To directly answer your question: Type last at a command prompt and it will show you user names and timestamps of successful login attempts (this doesn't do much good if they pulled your hard drive out to browse your files).

Although you shouldn't do your personal stuff on your work computer (legal reason.. something about the company owning any documents stored or created on the computer?)

Edit: just to expand a little.. As D.W. mentioned, it's very difficult to protect your machine from someone who has physical access to your computer. They could install key loggers, they could boot from a USB or Live CD and mount your hard drive. Even password protecting the BIOS to disable USB or CD boots can be undone by removing the little battery on the MoBo.

A couple things you can do to make it more difficult for them to yoink your stuff: Encrypt your home folder and use a GOOD password. Encrypting the data would force them to try and steal your password hash and crack it, and then logging in with your password just so they can see your files. Like I mentioned earlier, you could password protect your BIOS and then disable boot from external devices. In the end, though, this only makes it more difficult (doesn't prevent) the theft of your data.

I think the easiest solution is to not do personal stuff at work.. then there's a lot less worrying you have to do.

Answer 4

Probably the best protection for physical access is full disk encryption and a smartcard that stays on your keychain.

I mean this is assuming you're colleagues aren't a bunch of professional hackers. I doubt the NSA is interested in your computer.

Also, don't put personal files on your computer. Just don't. Assume that everything on your work computer is public.

Answer 5

In short, you can't. (Unless you use your own network, use truecrypt, gum up the usb ports and make sure that the mouse, keyboard and motherboard usb headers haven't been tampered with, and boot from a live linux CD/pendrive)

If allowed, bring your own laptop or PDA to work with your own GPRS dongle, use https everywhere or use a remote server over ssh and don't let it out of your sight.

However, that would require an extraordinary amount of trust from your employer which would be unlikely to be granted unless you were on the board, and even then your motives may be questionable as noone would know what you were up to.

If you need to do personal stuff, use your own kit and be open about it without revealing sensitive information.

Answer 6

To answer your top question: no, you cannot, short of taking it with you. As everyone else has pointed out, physical access = total control.

To add to what others have said, look at Blue Pill (hypervisor-based malware):

https://secure.wikimedia.org/wikipedia/en/wiki/Blue_Pill_%28malware%29

and, in particular, the "Evil Maid" attack:

http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html

Your coworkers may not be this sophisticated, so leaving a screen saver password and using full-disk encryption may be enough, but if you happen to work at the NSA, you're hosed the minute your box is out of your sight.

Answer 7

The answer is "Yes". If you are all on a shared network, then they have a way to communicate with your computer. Even if you assume that their intent is pure, perhaps you can not guarantee the hygiene of their personal machines. This is how "Wannacry" spread - exploited machines on the same network using vulnerable port (445 - Windows).