Hack myz laptopz.
December 3, 2012 9:05 AM   Subscribe

Can my employer tell whether I've logged into their outlook email site from a laptop or a desktop?

My employer mandates that you log into their outlook webmail server only from encripted laptops. I totally forgot about this when I started and used my laptop. Now I have to change my password. In this process they ask you to verify that you have only logged in via encripted laptops or desktops (which do not have to be encripted).

I'm planning on not using my laptop to log into work email anymore. But is there a way that they could know that I did use a laptop in the past? The site is the Microsoft Outlook Web App.

I'd like to change my password and change my ways, but I'd rather not have to confess my sins.

posted by mockpuppet to Computers & Internet (16 answers total)
Not from the web app.
posted by empath at 9:07 AM on December 3, 2012

Sure they could: maybe your company laptop is set to always connect through a vpn first, or to check in to a server to report security status, or to download virus updates from a corporate server. They could compare the ip used there with the ip used to check webmail. Not in both logs? Flag it. Or they could customise the user string in the browser.

The big clue of course is that if they did any of this, they would know already. I wouldn't worry.
posted by devnull at 9:29 AM on December 3, 2012 [1 favorite]

Re "devnull" - keep in mind, as in many instances, lying about doing something which is not in itself such a major deal becomes a VERY major deal. There is a reason they ask you to "verify" when, as "devnull" says, they have a way to get the information they ask for. Aside from the morality of the situation.
posted by uncaken at 9:35 AM on December 3, 2012 [1 favorite]

If they aren't validating the incoming hosts via certificate chains/etc or other methodologies then they aren't going to catch you from doing it accidentally in a follow up review. Go forth and be a good user from here on out.
posted by iamabot at 9:36 AM on December 3, 2012

devnull if they were going to do all that, why wouldn't they just block non-compliant access to begin with?
posted by empath at 9:49 AM on December 3, 2012 [1 favorite]

Also, they wouldn't be able to tell the difference between a non encrypted laptop and a non-encrypted desktop (which is allowed)
posted by empath at 9:50 AM on December 3, 2012 [2 favorites]

By encrypted do you mean the disk is encrypted, or the connection? I'm assuming disk, since they could force the SSL connection. I guess I see the point of forcing mobile users to be more secure, although like empath, if they really cared they would be more proactive. It would be easy enough to filter by MAC address and only allowed known computers to connect in the first place.
posted by COD at 9:55 AM on December 3, 2012

I am an Exchange Admin but I am not Your Exchange Admin.

They could probably figure it out by picking through and cross-referencing IIS/VPN/whatever proprietary security logs.

But: they either don't care, or they're incompetent. In this case, probably both. The policy is there to satisfy 3rd party audit requirements, or maybe some would-be middle-management security nazi, but they obviously haven't invested the time or money to actually implement secure access, instead depending on employees reading a popup before clicking OK. (Really?!)

So, as to the question of whether to fess up. We already know your IT administration is just covering their ass by creating policies they can't be bothered to enforce, and/or are in fact totally delusional in thinking that it constitutes effective security. If the issue escalates to management or HR, they'll be yelling up and down that "mockpuppet haxored our email!!1" because otherwise they have to admit that they suck. I would advise staying under their radar entirely. Click OK, go and sin no more.

(...unless you're working in a highly regulated industry, or a high-security government department, or have already made enemies, such that there would be someone motivated to pursue your termination because you didn't fess up before clicking on that OK, as uncaken warns above. In that case, consult competent legal counsel.)

(Yeah, this is a pet peeve.)
posted by The Prawn Reproach at 10:16 AM on December 3, 2012 [13 favorites]

Seconding The Prawn Reproach here.

If we're talking about disk encryption (which means the contents of the computer are encrypted), there is no difference between a desktop and laptop. It's a 100% meaningless distinction, which points to someone who *really* doesn't know what they're doing.

What we may be talking about is using HTTPS (SSL) encryption, which is encryption on your connection to the server. Your IT department may allow you to connect to webmail via SSL (encrypted) or HTTP (not encrypted). They may think that because desktops are generally only used at home, it's OK to let them connect to HTTP, while laptops might be used on an open wifi network, so they need the encrypted SSL connection. This is completely, 100% wrong. The *connection* should always be SSL encrypted, no exceptions. This is Exchange 101, and again points to incompetence in your IT department.

Here's what you do: Say you always connected with an encrypted laptop. If anyone ever asks, tell them you *definitely* made sure to connect to the HTTPS address because you know that connection is encrypted. The address will look like: https://mail.company.com. If they're talking about disk encryption (and not connection encryption), just feign ignorance. It's their fault for not explaining it.
posted by cnc at 12:17 PM on December 3, 2012

I should have specified. IT wants us to put encription software on our home laptops. We do not need to encript out desktops. Either way, you can log in from any computer. I think it's VPN software they want us to install.

Anyway, I think I'll go with going force and sinning no more.
posted by mockpuppet at 12:34 PM on December 3, 2012

Full-disk encryption is CYA for those instances in which you download sensitive data and then lose your device. That's it. I work in an environment which requires full-disk encryption for any computers used offsite, portable or not. The main concern is loss of data, leaked sensitive information such as company trade secrets (for industry) or personal information (for healthcare), etc.
posted by caution live frogs at 2:22 PM on December 3, 2012 [1 favorite]

Yeah, the encryption on the device drive matters because about every year like clockwork someone leaves a laptop in the park with, I dunno, half the countries tax records. Or HIPPA data. Or a bunch of SSNs. That sort of thing always makes the paper. People get upset. It costs millions to clean up.

If it's just a checkbox you're expected to check and blow through the process, and you're sure all you've ever done is access the webmail and look at stuff in the browser encrypted session, just stop doing it and you might be able to plead cluelessness if it ever came up in the future. But be DAMN sure you have no actual company data on your laptop. None. If you've ever downloaded data so that you could work on it as a local file, there may be copies of it lurking in the recycle bin, or wherever. Get someone who knows what they're doing to make sure all copies of it are wiped completely clean.
posted by randomkeystrike at 2:37 PM on December 3, 2012 [1 favorite]

Are you saying you can use a desktop at home that you own yourself without encryption? Or are they saying that the company owned computers in your office are okay? If the former, that's completely clueless on their part. The latter may be justified on the grounds that they have some physical security on their own site.
posted by randomkeystrike at 2:39 PM on December 3, 2012

devnull if they were going to do all that, why wouldn't they just block non-compliant access to begin with?

emphath: that was my point.
posted by devnull at 5:26 AM on December 4, 2012

So all the computers in question belong to me, no work computers. They say that if you are going to log into their online outlook mail server with your personal computer, you need to install VPN software to log on if you are using your own laptop. If you are using a desktop, you don't have to have the VPN software.

I'm not sure what the difference is. This is in healthcare but I don't have access to pt information at home other than what might be sent in emails.
posted by mockpuppet at 8:02 AM on December 4, 2012

The difference is that your IT people don't know what they are doing, apparently. There is zero difference between connecting using your laptop vs. connecting using your desktop. The same potentially-sensitive data is being transmitted, and there is no assurance that your desktop is more secure simply by virtue of being a larger computer. Desktops are more likely to be connected using ethernet cable, meaning less likelihood of wifi snooping, but lots of desktops have wifi cards built in or added, so no guarantee (you are using your own home wireless either way so you should be able to trust the router... you'd think, anyway).

Your laptop is more likely to be stolen, because short of a break-in at your home your desktop probably isn't going anywhere. However, your desktop is MUCH more likely to be on all the time, and more importantly, is likely to be on all the time connected to a network - so it is MUCH more likely to be targeted in a hacking attempt. Loss of data is loss of data, but with a desktop someone illicitly accessing your data is less likely to be noticed: Your local sensitive data can be stolen, but your desktop will still be in your possession, and worse, (depending on the skills and finesse of the intruder) may not even show any outward sign that it was compromised.

Ignore what the IT people say in this case. You should use the VPN software every time you connect to the system from an external location. That is the rule in my workplace (a VA hospital) and should be the rule for any place you are accessing (or may potentially be accessing) human data. Heck, we aren't allowed to send any patient data by email unless it's encrypted, even if the sender and recipient are both on the local intranet and no outside servers are involved. That's standard HIPPA compliance. If they aren't enforcing this in your workplace, odds are some time down the road this will come back to bite IT in the ass. Using the VPN all the time on every computer you use means that when this DOES cause a problem, YOU won't be the person responsible.
posted by caution live frogs at 10:07 AM on December 6, 2012

« Older Help me keep my head warm!   |   he's got the whole thing in his hands Newer »
This thread is closed to new comments.