Can a company track down non-company email?
January 26, 2010 2:12 PM

Hypothetically, let's say that an employee from CompanyX, a rather large semi-techie company, sent something they shouldn't have to a competitor. The employee didn't use their work email address (which the company can search) but they did use their company computer at work and something like their Yahoo account.

Can the company track down the source of that email without knowing the exact recipient but perhaps knowing the company that it was sent to? If they can, how good do they have to be to do it? Do they have to know the computer it came from? Does it matter if the person used https? Are there some limiting factors that may prevent them from tracking non-work email?
posted by anonymous to Computers & Internet (22 answers total)
 
Many employers have tracking software and keyloggers installed on employee computers that would allow them to easily see who is doing what on the company network.
posted by decathecting at 2:16 PM on January 26, 2010


HTTP: If the company is recording their TCP/IP traffic, it is trivial and they don't need to know which computer it came from.

HTTPS: Much more difficult for them. However they would have access to things like browser history, cookies and perhaps even keylogging if they were really paranoid. The employee would certainly not be home free, and any attempt to obfuscate the trail would probably indicate consciousness of guilt, which might exacerbate matters if the truth came out.

However, if they know *what* was sent (and it wasn't just a regular email but something like a large attachment) and roughly when, they could probably scan for upload traffic of the right size and to the right IP addresses (eg Yahoo or other mail providers). This might give them enough of a clue to narrow down their investigation.
posted by unSane at 2:19 PM on January 26, 2010


Can the company track down the source of that email without knowing the exact recipient but perhaps knowing the company that it was sent to?

Not easily. You can only prove that the employee accessed yahoo at that time. Any email would be between yahoo and the recipient.

If they can, how good do they have to be to do it?

The only possible way would be if they captured every packet across the WAN and did some packet inspection to rebuild the message they typed into their browser or ran a MitM thing, or grabbed a screenshot of the account from the host PC, or, or, or. Lots of ways, but they're pretty unlikely outside of secure environments or unless the corp IT is watching.

Does it matter if the person used https?
No. HTTPS assumes secure connection between the host and the client. As your network admin, I control everything between you and the host. MitM is trivial.

Are there some limiting factors that may prevent them from tracking non-work email?

If you see it on a work desktop, as the network admin, I can also see and save it if I feel like. You have no privacy. Assume everything you type and see online is stored and tracked.


FWIW I think it would be far more likely the competitor turns the evidence over to the original company so THEY don't get sued.
posted by anti social order at 2:30 PM on January 26, 2010


By the way, it's completely legal for a company to monitor all computer usage by an employee. The employee has no privacy rights at all.
posted by Chocolate Pickle at 2:42 PM on January 26, 2010


@anti social order

HTTPS assumes secure connection between the host and the client. As your network admin, I control everything between you and the host. MitM is trivial.

A man in the middle attack against SSL would almost certainly be noticed by the client, especially when the host has certificates signed by a real CA.

I'm aware that some tricks could be used -- like using your administrator powers to add CA certs to the client's machine -- but those can't foil a smarter than average user.

Would you care to share the "trivial" man in the middle that exists here?
posted by OwenMarshall at 3:00 PM on January 26, 2010


No. HTTPS assumes secure connection between the host and the client. As your network admin, I control everything between you and the host. MitM is trivial.

Really? The work IT system can spoof a valid signed SSL certificate of a major website? I'm blown away if this is possible without a browser error message on any modern browser.
posted by derbs at 3:11 PM on January 26, 2010


Many employers have tracking software and keyloggers installed on employee computers that would allow them to easily see who is doing what on the company network.

No. They really don't. They may have some "net nanny" bullshit, but they're not doing a keystroke trace on everyone. That's just ridiculous. It happens occasionally, directed at individuals suspected of wrongdoing, but keeping every keystroke by everyone, ever? No.

(Also even if they had the keystrokes, they don't necessarily know where the mouse was. You could say you were typing the sensitive info in a private Word doc.)
posted by drjimmy11 at 3:20 PM on January 26, 2010 [1 favorite]


wow ... difficult to answer ... but the quick version is if they didn't send it through the company email system they are probably cool from a simple analysis. Webmail leaves few tracks identifiable back to an individual file or PC (or user), assuming no serious packet monitoring was occurring (which is unlikely).

Doesn't mean they are in the clear, though. If it was serious enough, and the company found out enough details through other means (and seriously investigated), they could possibly piece together enough information to pinpoint the sender (or small group of likely senders). I do a bit of this sometimes ... and I call it a "needle in a haystack" exercise ... but given enough starting info, a knowledge of the systems, sufficient access (combined with decent logging), and a bit of nous, my hit rate is surprisingly higher than the needle in a haystack would suggest ... seriously.

Also ... was it a word file? did it contain metadata? first obvious strike!

Otherwise investigators tend to look for correlating info ... who had access to the data when, when do they know the file was received by, etc. etc. It may surprise you how much the field can be narrowed ... a 1000 employee company suddenly becomes very small.

drop me a memail if you want to discuss further ... J
posted by jannw at 3:21 PM on January 26, 2010


As your network admin, I control everything between you and the host. MitM is trivial.

Unless you have control over the user's computer or the user is using atypically lax security settings in their browser, having admin-level access to the network gives you absolutely no ability to view the unencrypted traffic without the user being alerted to the fact that something's amiss.
posted by one more dead town's last parade at 3:24 PM on January 26, 2010


I'm blown away if this is possible without a browser error message on any modern browser

It's possible, under the right, controlled circumstances, which are uncommon, but not unheard of in more controlling environments.

When IT installs the OS and Browser on your machine, they also put in an SSL certificate that they generated. It's the "MyCompany Certificate Authority Cert", and it sits right alongside the ones from Verisign and Equifax and the like. Any site SSL certificates that are signed by the signing key associated with that Certificate Authority will be accepted by your browser, no questions asked. MyCompany's IT generated the CA key and certificate, and can generate signed certificates at will. (This part is quite common, actually, as it allows IT to use internally-signed certificates on things like intranet sites and internal mail servers.)

Now, when you browse to yahoo, your connection is intercepted, and instead of receiving an SSL certificate that says "This is *.Yahoo.com, certified by Verisign", it receives a certificate from the MitM that says "This is *.Yahoo.com, certified by MyCompany". Your browser will compare the signature on the certificate, and determine that yes, the *.yahoo.com certificate has been signed by the MyCompany CA. Because your system has the MyCompany CA cert configured to be a trusted Certificate Authority (which IT did way back when), your browser will trust its signatures, and thus, will trust the signed *.yahoo.com cert -- even though it isn't Yahoo's.

Unless you click on the locked padlock icon on your browser's toolbar, you'd likely never notice that Yahoo's certificate is signed by the wrong authority.

With that said, it is more common for a company that wants to do surveillance to just run an ongoing screen capture program on the workstations, and keep a running log of everything that appeared onscreen. Considering how cheap storage is these days, it's not even terribly expensive.

If you are using a computer that your employer owns, you have NO privacy, and no EXPECTATION of privacy. Assume that anything you type or look at is being mirrored on a 42" screen in your boss's office.
posted by toxic at 3:29 PM on January 26, 2010 [1 favorite]


Bluecoat (and many others) make appliances that will monitor outgoing traffic for anything suspicious and provide logging and alerts, including HTTPS traffic, but in that case they provide their own cert and proxy the HTTPS traffic, e.g. going to https://mail.google.com will show up as https://mail.google.com.mycompany.com, so the employee knows they are being monitored.

Many monitoring appliances can be easily set up with instructions like "record all unencrypted file uploads to popular mail services and log the username, time, and file." Whether anyone is reading the log or looking at the files depends on how paranoid your company is.

Also note that any sensible IT group will be monitoring your physical ports, so burning CDs or writing to a USB drive is also not a good idea.
posted by benzenedream at 3:30 PM on January 26, 2010



I'm aware that some tricks could be used -- like using your administrator powers to add CA certs to the client's machine -- but those can't foil a smarter than average user.

Foil, as in go undetected? or Foil as in go undefeated?

The typical machine in use by a typical employee in a typical "rather large" corporate environment is going to be locked down, remotely administered, and many of them will have additional CA certs installed. The smarter than average user will have a much harder time being able to notice these "tricks" when they're operating under the permissions granted to them by IT than they would on their own home computer, and if the machine was set up correctly, they won't be able to defeat them without administrative or superuser access.

Considering this individual used an employer-owned machine to intentionally commit a fireable offense, I'm not sure it's safe to assume that they're "smarter than average".
posted by toxic at 3:48 PM on January 26, 2010


what a load of horseshit some of the commentators are posting. There is technically feasible, and then there is back in the real world. Man-in-the-middle - SSL attacks - keystroke monitoring ... garbage ... whilst technically possible does anybody actually do this? none of my clients do. You are talking about technical vulnerabilities ... the most common weaknesses are stupid things like

...

"the version of the document leaked was 1.2.3.4 ... our crm system says that this was altered by BillBloggs"

Seriously ... unless the anonymous poster works for the NSA or some other 3 letter acronym this technical stuff is stupid ... if they get hit it will be because of some environmental factor. I do a bit of this ... we pick up on environmental factors ... no real company runs keystroke logging or SSL MITM attacks on all their staff.

What are you people smoking?
posted by jannw at 4:06 PM on January 26, 2010 [1 favorite]


I happen to be the reason employees at Nike can't access outside email, such as Gmail, hotmail, etc.

Now I'm a restaurant manager.

It wasn't anything racy, but it did become public.

God I miss working at the WHQ.

My suggestion, say nothing, or fess up immediately. Chips will fall, and it won't be the end of the world. Never send anything from a work computer you wouldn't be ok clearing with your boss first.

I do miss tag day.
posted by efalk at 4:08 PM on January 26, 2010 [2 favorites]


Jeebus, ok toxic consider me blown away...
Can I just ask though - is adding their own trusted cert onto a PC a "hack", or is it something you can legitimately do in windows? How would one do the same thing on a Mac?
posted by derbs at 4:10 PM on January 26, 2010


jannw: I used to manage systems for a major online brokerage. I assure you, the level of surveillance I'm talking about was not at all unusual in the financial sector when I worked in it. I have no reason to believe that they're doing any less today.

derbs: On a PC, you add certificate authorities by double-clicking on a properly formatted *.crt file. This launches a "Certificate Import Wizard" (you can do it other ways as well). On a Mac, you do it like this. And here are howtos for most browsers, if you don't want it to be an authority for non-web applications.

In a big-IT environment, the certificates are generally included in the default image. When a machine is re-imaged, it gets the certificate, while it's getting its OS and default set of supported applications.
posted by toxic at 5:04 PM on January 26, 2010


jannw: smoking the same thing as toxic. If you are in an industry that is (a) heavily regulated, (b) vulnerable to employee fraud, or (c) carries most of its value as intellectual property, odds are that your employer has some sort of monitoring in place.

At a former workplace, several employees were turfed for IP theft. They were caught by monitoring appliances which logged network traffic and USB/CDROM writes. I agree not too many people do full-on keylogging and MITM by default, but if something odd shows up in the monitor logs, the second stage is sniffing and logging everything that goes in and out of that user's computer.
posted by benzenedream at 5:21 PM on January 26, 2010


While I doubt that the type of monitoring that would catch a suspicious email sent during a https encrypted yahoo mail session is routine, if the IT department wanted to, they could certainly intercept it. However, proving who sent the email after the fact, without prior monitoring systems set up would be difficult.
posted by demiurge at 7:19 PM on January 26, 2010


(Also even if they had the keystrokes, they don't necessarily know where the mouse was. You could say you were typing the sensitive info in a private Word doc.)

The better keyloggers also take screenshots too. Hell, some places do full packet capture of all network traffic and store it permanently.

Would you care to share the "trivial" man in the middle that exists here?
It's old news. Google ettercap or sslstrip.
posted by anti social order at 8:45 AM on January 27, 2010


However, proving who sent the email after the fact, without prior monitoring systems set up would be difficult.

Right. That's why I originally said the biggest risk is the competitor talking to the employer.
posted by anti social order at 8:46 AM on January 27, 2010


It's old news. Google ettercap or sslstrip.

Neither of which will let you view the unencrypted traffic without unusually lax settings on the user's computer. If the user hasn't set them, and you don't have control of the computer, you're out of luck.
posted by one more dead town's last parade at 9:14 AM on January 27, 2010


If the large semi-techie company has any kind of DLP solution with a desktop agent or integrated with a web proxy, then the transfer was almost certainly logged. Though if they didn't block the transfer they're either not running DLP or running it in log only mode.

If they know what company it went to and they don't have DLP then the best way to figure out who did it is to ask for the headers, through a lawyer if necessary. The headers will show which internal IP made the https connection to Yahoo. Who had a specific internal IP during a specific time period is logged at my company for a while, so I'd be able to go back and find out who it was.
posted by IanMorr at 10:24 AM on January 27, 2010
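The correlation IanMorr describes (a timestamp taken from the leaked message, matched against the company's own web-proxy and DHCP records to narrow the sender to a host), written out as an added example that is not from the thread. The log formats, addresses and hostnames are constructed, and it assumes the proxy logs HTTPS CONNECTs by internal IP:

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample inputs (not from the thread): the Date header of the leaked
# message, a web-proxy log of HTTPS CONNECTs, and DHCP lease records.
MAIL_DATE_HEADER = "Date: Tue, 26 Jan 2010 14:05:31 -0800"
PROXY_LOG = """\
2010-01-26T22:04:58Z 10.20.3.41 CONNECT mail.yahoo.com:443 200
2010-01-26T22:05:12Z 10.20.3.77 CONNECT www.example.com:443 200
2010-01-26T22:05:30Z 10.20.3.41 CONNECT mail.yahoo.com:443 200
2010-01-26T22:41:02Z 10.20.3.99 CONNECT mail.yahoo.com:443 200
"""
DHCP_LEASES = """\
2010-01-26T16:02:10Z 10.20.3.41 00:1a:2b:3c:4d:5e WS-ACCT-07 8h
2010-01-26T21:55:44Z 10.20.3.99 00:1a:2b:3c:4d:61 WS-ENG-12 8h
2010-01-26T09:10:03Z 10.20.3.77 00:1a:2b:3c:4d:70 WS-SALES-03 8h
"""
WEBMAIL_HOSTS = {"mail.yahoo.com"}  # assumed set of providers worth correlating

def parse_ts(s):
    """ISO-8601 'Z' timestamp as used in the constructed logs -> aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def mail_sent_at(header):
    """Normalise the RFC 2822 Date header to UTC so it compares with log times."""
    return parsedate_to_datetime(header.split(":", 1)[1].strip()).astimezone(timezone.utc)

def webmail_clients(proxy_log, when, window=timedelta(minutes=2)):
    """Internal IPs that opened a TLS tunnel to a webmail host within +/- window of when."""
    hits = set()
    for line in proxy_log.splitlines():
        ts, ip, method, dest, _status = line.split()
        host = dest.rsplit(":", 1)[0]
        if method == "CONNECT" and host in WEBMAIL_HOSTS and abs(parse_ts(ts) - when) <= window:
            hits.add(ip)
    return hits

def lease_holder(leases, ip, when):
    """Hostname whose DHCP lease for ip was active at when; None if the lease had lapsed."""
    for line in leases.splitlines():
        start, lease_ip, _mac, host, dur = line.split()
        t0 = parse_ts(start)
        if lease_ip == ip and t0 <= when < t0 + timedelta(hours=int(dur.rstrip("h"))):
            return host
    return None

def candidate_hosts(header=MAIL_DATE_HEADER, proxy_log=PROXY_LOG, leases=DHCP_LEASES):
    """Map each webmail client IP seen around the send time to the host holding that IP."""
    when = mail_sent_at(header)
    return {ip: lease_holder(leases, ip, when) for ip in webmail_clients(proxy_log, when)}
```

A None value in the result means the proxy saw the address but no lease covered that moment, which is the case where the DHCP retention window or a static assignment needs checking before naming anyone.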

