Old 04-28-2008, 07:08 PM   #1
madh83
Member
 
Join Date: Jan 2007
Posts: 149
Default Can my company see my gmail?

Just curious, since I'm sure there's a lot of IT ppl here, can e-mails through yahoo or gmail be seen?
madh83 is offline   Reply With Quote
Old 04-28-2008, 08:38 PM   #2
seepy83
Golden Member
 
seepy83's Avatar
 
Join Date: Nov 2003
Posts: 1,930
Default Can my company see my gmail?

Assume they can see everything (that you do on your employer's hardware, anyway). There are plenty of corporate-level software suites that take constant screenshots and log keystrokes, and the end-user would never know. It all depends on the employer.
seepy83 is offline   Reply With Quote
Old 04-29-2008, 08:11 AM   #3
degibson
Golden Member
 
degibson's Avatar
 
Join Date: Mar 2008
Posts: 1,389
Default Can my company see my gmail?

Yes.
degibson is offline   Reply With Quote
Old 04-29-2008, 12:06 PM   #4
gsellis
Diamond Member
 
gsellis's Avatar
 
Join Date: Dec 2003
Posts: 6,041
Default Can my company see my gmail?

As noted, maybe. It depends on what they have installed. They can also just capture port 25 traffic too.

Many companies will not let you run another email package inside their network. Their email filters are not set to take corrective action for your email, so they have to trust a third party that may not be trustworthy to clean any attachments or messages from malware. Port 25 will be filtered and some security software will prevent port 25 from opening. This also stops local computers from becoming certain types of botnets. Botnets inside a company can get you blacklisted because of spam traffic.

It is safer to assume that any email you send can be intercepted. So be careful what you put in the message.
__________________
''Expecting the world to treat you fairly because you are a good person is a little like expecting the bull not to attack you because you are a vegetarian.'' -- Dennis Wholey

"I'm Juan Pablo Montoya. You crashed my car. Prepare to die" - Farker yequalsy's 1st grade son

"You do not need a parachute to skydive. You only need a parachute to skydive twice." Stolen from ROM/Rick Martin's sig in GemologyOnline
gsellis is offline   Reply With Quote
Old 04-29-2008, 08:06 PM   #5
kamper
Diamond Member
 
kamper's Avatar
 
Join Date: Mar 2003
Location: Toronto, ON
Posts: 5,513
Default Can my company see my gmail?

Quote:
Originally posted by: gsellis
As noted, maybe. It depends on what they have installed. They can also just capture port 25 traffic too.

Many companies will not let you run another email package inside their network. Their email filters are not set to take corrective action for your email, so they have to trust a third party that may not be trustworthy to clean any attachments or messages from malware. Port 25 will be filtered and some security software will prevent port 25 from opening. This also stops local computers from becoming certain types of botnets. Botnets inside a company can get you blacklisted because of spam traffic.

It is safer to assume that any email you send can be intercepted. So be careful what you put in the message.
I assumed that the op is asking about the web versions of yahoo and gmail. In which case, if you use the https url and iff your company doesn't have sniffing stuff installed on your machine, the only thing they can tell is that you are accessing the mail server, they can't see into it.

Google has been criticized, though, for making their gmail ajax stuff automatically fall back on http when https isn't available (which would include whenever there is network trouble). Tools have actually been written to automatically sniff your google log in creds in situations like when you acquire an ip address at a wireless access point but can't connect to the interwebs until you plug a code into the auth webapp.

In general I find that it's way too easy to accidentally visit an unencrypted google page and pass it your auth cookies. Since your google login is the same for all of their services, the gig's pretty much up when that happens. Although I'd be pretty surprised if your office sniffed your cookies and used them to log into your gmail account...
__________________
"People should just buy a CD and rip it. You are legal then." -- Bill Gates
kamper is offline   Reply With Quote
Old 04-30-2008, 05:25 AM   #6
hans007
Lifer
 
Join Date: Feb 2000
Location: Culver City, CA
Posts: 19,920
Default Can my company see my gmail?

At my last job, some "security guy" went to my desk the day I quit and I had Yahoo mail open in my browser and he snooped around since my cookie was logged in. That's actually illegal.

Now they can passively monitor anything you are doing on their network. It's their network and computers. But they can't actively snoop your email (what happened to me was like if someone sniffed my password and then logged in as me).

At least that is what research I came up with. For me it worked out OK, even though I was pretty mad about it (the place sucked to work for anyway and I was leaving for another job and had given my 2 weeks). Since I pointed out it was illegal they just let me go the next day and paid out my last 2 weeks, which worked out great.
__________________
heatwares
hans007 is offline   Reply With Quote
Old 04-30-2008, 08:28 AM   #7
degibson
Golden Member
 
degibson's Avatar
 
Join Date: Mar 2008
Posts: 1,389
Default Can my company see my gmail?

I'll say this as clearly and succinctly as I can:
Assume everything you do on a company's machine can be seen by your employer. There aren't a lot of things that are legitimately impossible for your employer to find. It is their hardware, they can install what they please on it, and they don't have to inform you. That can include keyloggers, screen captures, browser cache monitors... all kinds of things. It doesn't mean that you are being monitored, it means that you don't know and therefore shouldn't take the chance of doing something you don't want your company to know about.

Your rights, as an employee using company property, are nil.
degibson is offline   Reply With Quote
Old 05-01-2008, 12:47 AM   #8
Luden
Platinum Member
 
Join Date: Jul 2001
Posts: 2,269
Default Can my company see my gmail?

The Data Loss Prevention market has been growing exponentially the last few years, depending on your line of work it can be safe to assume that everything is monitored. With that being said I wouldn't worry unless your email activity could be deemed suspicious (emailing documents, customer information, etc).
Luden is offline   Reply With Quote
Old 05-05-2008, 03:23 AM   #9
WobbleWobble
Diamond Member
 
WobbleWobble's Avatar
 
Join Date: Jun 2001
Posts: 4,867
Default Can my company see my gmail?

Quote:
Originally posted by: kamper
I assumed that the op is asking about the web versions of yahoo and gmail. In which case, if you use the https url and iff your company doesn't have sniffing stuff installed on your machine, the only thing they can tell is that you are accessing the mail server, they can't see into it.
Products such as ProxySG from Blue Coat can actually do SSL interception giving the company full visibility of any HTTPS site.

We're actually in the process of implementing this at our company.
__________________
What the F prompt?
WobbleWobble is offline   Reply With Quote
Old 09-11-2012, 10:45 AM   #10
OutHouse
Lifer
 
OutHouse's Avatar
 
Join Date: Jun 2000
Posts: 29,021
Default

Quote:
Originally Posted by WobbleWobble View Post
Products such as ProxySG from Blue Coat can actually do SSL interception giving the company full visibility of any HTTPS site.

We're actually in the process of implementing this at our company.
Old thread, I know, but I am wondering if you implemented this and what you thought.
__________________
"20 years ago, we had Johnny Cash, Bob Hope and Steve Jobs. Now we have no Cash, no Hope and no Jobs. Please don't let Kevin Bacon die." Bill Murray

"Going to McDonalds for a salad is like asking a prostitute for a hug." Sean Fallon

my post are being monitored by a STALKER!
OutHouse is offline   Reply With Quote
Old 09-11-2012, 11:43 AM   #11
MrColin
Platinum Member
 
MrColin's Avatar
 
Join Date: May 2003
Posts: 2,105
Default

Quote:
Originally Posted by kamper View Post
I assumed that the op is asking about the web versions of yahoo and gmail. In which case, if you use the https url and iff your company doesn't have sniffing stuff installed on your machine, the only thing they can tell is that you are accessing the mail server, they can't see into it.
This is no longer true, it was once. There are off the shelf devices and roll your own FOSS options to do MITM on your own network.
__________________
"Your heart is in the right place. But still, you are a very disturbed individual."

-Xionide
MrColin is offline   Reply With Quote
Old 09-12-2012, 08:31 AM   #12
Fox5
Diamond Member
 
Fox5's Avatar
 
Join Date: Jan 2005
Posts: 5,599
Default

Quote:
Originally Posted by MrColin View Post
This is no longer true, it was once. There are off the shelf devices and roll your own FOSS options to do MITM on your own network.
I believe these require them to re-sign the data with their own certificate though. So you'll get a warning unless the certificate is installed on the computer. (If it's a corporate computer, they likely installed a certificate.)
__________________
ebay
Look up bluefox451

heatware
http://www.heatware.com/eval.php?id=35565
Fox5 is offline   Reply With Quote
Old 09-12-2012, 09:35 AM   #13
KeithP
Diamond Member
 
KeithP's Avatar
 
Join Date: Jun 2000
Location: Sacramento
Posts: 3,941
Default

Just curious, would it be more secure to use a remote access product such as logmein to access a home computer from work and get your email that way? Just wondering.

-KeithP
__________________
Heat 64-0-0
KeithP is offline   Reply With Quote
Old 09-12-2012, 10:55 AM   #14
ch33zw1z
Lifer
 
ch33zw1z's Avatar
 
Join Date: Nov 2004
Location: Ten Forward
Posts: 12,073
Default

Quote:
Originally Posted by KeithP View Post
Just curious, would it be more secure to use a remote access product such as logmein to access a home computer from work and get your email that way? Just wondering.

-KeithP
Indeed.

Logmein
Teamviewer
SSH+RDP or VNC

all viable options, but will not prevent logging keystrokes. But FFS, do you really want to work for a company that has a stick far enough up their ass they will investigate keystrokes?
__________________
Heatware

ch33zw1z is offline   Reply With Quote
Old 09-12-2012, 07:02 PM   #15
Dankk
Diamond Member
 
Dankk's Avatar
 
Join Date: Jul 2008
Location: Mormonville, Utah
Posts: 4,848
Default

Quote:
Originally Posted by degibson View Post
Yes.
And no.

If your company seriously has so little trust in their employees that they have to babysit and watch everything you do, then yes. This isn't always the case though.

If you're somewhat technically-inclined, you should be able to tell whether there's corporate monitoring software installed on your computer. Unless it's hidden extremely well, it might be obvious, and it would be even more obvious if you can't visit certain non-work related websites.

I'm fortunate enough to work for a company that doesn't do this. I can browse websites like Anandtech and Reddit while still getting work done, because my boss actually has faith in me. It's a win-win.
__________________
AMD FX-8350 4.4GHz | MSI TwinFrozr 7870 1050/1200
MSI 990FXA-GD80 V2 | G.SKILL 16GB DDR3 1600
Kingston HyperX 120GB SSD | Seagate Barracuda Green 2TB HD

Steam
Dankk is offline   Reply With Quote
Old 09-12-2012, 08:47 PM   #16
Paperlantern
Platinum Member
 
Paperlantern's Avatar
 
Join Date: Apr 2003
Location: Server Room
Posts: 2,070
Default

Quote:
Originally Posted by LessThanDan View Post
And no.

If your company seriously has so little trust in their employees that they have to babysit and watch everything you do, then yes. This isn't always the case though.

If you're somewhat technically-inclined, you should be able to tell whether there's corporate monitoring software installed on your computer. Unless it's hidden extremely well, it might be obvious, and it would be even more obvious if you can't visit certain non-work related websites.

I'm fortunate enough to work for a company that doesn't do this. I can browse websites like Anandtech and Reddit while still getting work done, because my boss actually has faith in me. It's a win-win.
This is where I'm at too in my position. The majority of the firm has web mail and a lot of other sites, mostly streaming media to conserve bandwidth, blocked. The IT dept has access to most everything for work purposes, testing, software downloads, virus research; we just can't be subjected to the same filtering that the rest of the firm is, we wouldn't be able to do our jobs effectively. So yes we do have access and I do access gmail sometimes, anandtech and a few other sites, but I do get my work done as well.

It's good to have a trusting boss.
__________________
Heat
My Security Twitter
Paperlantern is offline   Reply With Quote
Old 09-13-2012, 03:57 PM   #17
tbtn
Junior Member
 
tbtn's Avatar
 
Join Date: Aug 2012
Posts: 22
Default

Operate under the assumption that they can. If you're working for a small office they probably don't monitor you (unless you work with classified information).

I guess the real question isn't "can they" but "do they". Because there's always a way to monitor your activities on a company computer.
tbtn is offline   Reply With Quote
Old 09-15-2012, 02:19 PM   #18
wirednuts
Diamond Member
 
Join Date: Jan 2007
Posts: 7,121
Default

Quote:
Originally Posted by ch33zw1z View Post
Indeed.

Logmein
Teamviewer
SSH+RDP or VNC

all viable options, but will not prevent logging keystrokes. But FFS, do you really want to work for a company that has a stick far enough up their ass they will investigate keystrokes?

SSH+RDP and Windows popup keyboard. Or use a password program that auto-fills credentials.
wirednuts is offline   Reply With Quote
Old 09-24-2012, 11:08 AM   #19
PrincessFrosty
Golden Member
 
Join Date: Feb 2008
Location: UK
Posts: 1,291
Default

You can't be 100% sure.

Using the web variants of gmail through https protects you against them simply intercepting your messages, however there's nothing to stop them from installing software to capture keystrokes on your PC and either reconstruct what you're doing or just logging in to your account once they capture your credentials.

The best bet is to bring your own device and connect it to the network, a laptop, or mobile device if they have wireless, then as long as you use https all your traffic will be encrypted. That will hide the contents of your messages, but not what sites you're visiting.
__________________
Intel 2600k @ 4.7Ghz || ThermalRight TRUE Spirit 140
16Gb PC3-12800 || MSI GTX580 Twin Frozr II
Dell 3007 WFP-HC 30" || BenQ XL2420T 24" 120hz

http://www.pcgamingstandards.com - PC Game fixes database.
PrincessFrosty is offline   Reply With Quote
Old 10-04-2012, 09:37 AM   #20
DisgruntledVirus
Lifer
 
DisgruntledVirus's Avatar
 
Join Date: Dec 2007
Location: NE Ohio
Posts: 11,779
Default

Can they? Yes.

Will they? Depends on your company how far they will go. Last job at a Fortune 500 company had the ability to see sites you visit broken into how long you were there. While that isn't reading my email, I wouldn't be surprised in the least if they had passive MiTM hardware that recorded everything and stored it for x days.

Current company has the ability to remotely screen shot your system, record/monitor the session, and stuff like that. However I haven't seen it done yet and don't think it would be except in cases where there is some legal reason to (lawsuit against them or to CYA and terminate an employee).

I'd say assume it's all monitored and logged. If you wouldn't want your grandparents seeing what you're doing, then don't do it at work as employers *could* see it and it *could* be used against you. With that said, I personally believe that it's pretty unlikely they will unless you give them a reason to. Most companies don't care that much to devote company resources to actively seeking it out and taking action, instead they fall to the reactive approach to it and use it as a resource if it's needed.
__________________
My FS/WTB thread

Quote:
Originally Posted by Texashiker View Post
So dont hate on me for jumping to conclusions without the reading the whole story.
DisgruntledVirus is offline   Reply With Quote
Old 11-05-2012, 04:21 PM   #21
marcamarca
Junior Member
 
Join Date: Oct 2012
Posts: 8
Default

Quote:
Originally Posted by seepy83 View Post
Assume they can see everything (that you do on your employer's hardware, anyway). There are plenty of corporate-level software suites that take constant screenshots and log keystrokes, and the end-user would never know. It all depends on the employer.
Re: assume they can see everything. Ditto.
marcamarca is offline   Reply With Quote
Old 11-14-2012, 07:52 AM   #22
FrankvanEen
Junior Member
 
Join Date: Nov 2012
Posts: 2
Default Yes

Technically, most likely yes, especially at a big company; under private data protection law (especially European), no!

Quote:
Originally Posted by madh83 View Post
Just curious, since I'm sure there's a lot of IT ppl here, can e-mails through yahoo or gmail be seen?
FrankvanEen is offline   Reply With Quote
Old 11-14-2012, 11:26 PM   #23
Dravic
Senior Member
 
Dravic's Avatar
 
Join Date: May 2000
Posts: 886
Default

Quote:
Originally Posted by Luden View Post
The Data Loss Prevention market has been growing exponentially the last few years, depending on your line of work it can be safe to assume that everything is monitored. With that being said I wouldn't worry unless your email activity could be deemed suspicious (emailing documents, customer information, etc).
In agreement with Luden here.

As a security professional, we have no choice but to monitor everything I possibly can on the network and endpoint. The easiest way into a corporate network these days is through the desktop. But rest assured I have no urge, nor the time, to look at what you send in your yahoo/gmail. Just be smart and don't send personal information like CC# or SSN out of the corporate network. If your company is in a PCI-required field, we have to monitor for those items, and your personal crap is clogging up my SIEM with false positive alerts.
__________________
Gamer/Workstation: FX 8150 @ 4.55Ghz, Crosshair V 990FX, H100 , 7970, 120GB SSD, 16 gig DDR3 @ 1600, Haf 932

Linux Workstation: Phenom II 1055T, MSI 790FX, Nvidia GTX 460, PC Power & Cooling 610W, 16 gig DDR3 @ 1600, Antec Titan 550
Dravic is offline   Reply With Quote
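The kind of CC#/SSN monitoring and false-positive problem described in the post above, sketched as an added example (not code from any poster or DLP product): a pattern match alone fires on any long digit run, so the scanner also applies the Luhn checksum to card candidates and the "never issued" rules to SSN candidates. The sample messages are constructed.

```python
import re

# Card number candidates: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN in the common written form AAA-GG-SSSS.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values that are never issued: area 000/666/9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")


def mask(value: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return (kind, masked_value) findings for one outbound message."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drops order/tracking numbers that merely look like cards
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", mask(m.group())))
    return findings


# Constructed sample messages (4111... is the well-known test card number).
SAMPLES = [
    "Card for the hotel: 4111 1111 1111 1111 exp 09/14",
    "Tracking number 1234567890123456 ships Monday",
    "HR form says my SSN is 123-45-6789",
    "Ticket ref 900-12-3456 closed",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan(line), "<-", line)
```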
Old 11-14-2012, 11:30 PM   #24
Dravic
Senior Member
 
Dravic's Avatar
 
Join Date: May 2000
Posts: 886
Default

Quote:
Originally Posted by Fox5 View Post
I believe these require them to re-sign the data with their own certificate though. So you'll get a warning unless the certificate is installed on the computer. (If it's a corporate computer, they likely installed a certificate.)

Done every day at the gateway, no warning is generated. Websense is just one vendor that offers HTTPS blind proxy without the end user even knowing it. Most software filters out personal websites like medical and banks, but gmail and things like that are being parsed. It can break applications for sure, but for general web browsing you won't notice much of a difference.
__________________
Gamer/Workstation: FX 8150 @ 4.55Ghz, Crosshair V 990FX, H100 , 7970, 120GB SSD, 16 gig DDR3 @ 1600, Haf 932

Linux Workstation: Phenom II 1055T, MSI 790FX, Nvidia GTX 460, PC Power & Cooling 610W, 16 gig DDR3 @ 1600, Antec Titan 550
Dravic is offline   Reply With Quote
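The re-signing discussed in the posts above stays visible in the certificate even when no browser warning appears, because the issuer becomes the gateway's CA rather than a public one. An added example (not from any poster or vendor) that compares the issuer returned by Python's `ssl` module with the issuer recorded earlier on a trusted network; the host name, CA names and both sample certificates are constructed placeholders.

```python
import socket
import ssl

# Assumption: issuer organisations recorded per host from a network you trust.
# The host and CA name here are constructed placeholders.
EXPECTED_ISSUER_ORGS = {
    "mail.example.com": {"Example Public CA"},
}


def issuer_fields(cert: dict) -> dict:
    """Flatten the nested 'issuer' tuples that SSLSocket.getpeercert() returns."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def check_issuer(host: str, cert: dict, expected=EXPECTED_ISSUER_ORGS) -> str:
    """Classify a validated certificate by who issued it."""
    known = expected.get(host)
    if known is None:
        return "unknown-host"
    org = issuer_fields(cert).get("organizationName", "")
    if org in known:
        return "expected-issuer"
    return f"unexpected-issuer: {org or '<none>'}"


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate over the network (not called by the samples).

    The default context uses the system trust store, so on a machine where a
    corporate root is installed the handshake succeeds without any warning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificates in getpeercert() format: one seen directly,
# one as re-signed by an intercepting gateway.
DIRECT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G1"),)),
}
PROXIED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Corp IT Security"),),
               (("commonName", "Corp Web Gateway CA"),)),
}

if __name__ == "__main__":
    for name, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, "->", check_issuer("mail.example.com", cert))
```

A site legitimately changing its CA also produces an unexpected-issuer result, so a mismatch is a prompt to look at the full chain, not proof of interception.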
Old 11-14-2012, 11:41 PM   #25
Dravic
Senior Member
 
Dravic's Avatar
 
Join Date: May 2000
Posts: 886
Default

Quote:
Originally Posted by ch33zw1z View Post
Indeed.

Logmein
Teamviewer
SSH+RDP or VNC

all viable options, but will not prevent logging keystrokes. But FFS, do you really want to work for a company that has a stick far enough up their ass they will investigate keystrokes?
IMHO.. Any company that allows ssh out of its network from the corporate desktop should have their security team replaced.

I check my personal email on my asus epad(cell hotspot) or my rezound directly. I very seldom check anything personal from my corporate network.
__________________
Gamer/Workstation: FX 8150 @ 4.55Ghz, Crosshair V 990FX, H100 , 7970, 120GB SSD, 16 gig DDR3 @ 1600, Haf 932

Linux Workstation: Phenom II 1055T, MSI 790FX, Nvidia GTX 460, PC Power & Cooling 610W, 16 gig DDR3 @ 1600, Antec Titan 550
Dravic is offline   Reply With Quote