Can my company see my gmail?

Discussion in 'Security' started by madh83, Apr 28, 2008.

  1. madh83

    madh83 Member

    Joined:
    Jan 14, 2007
    Messages:
    149
    Likes Received:
    0
    Just curious, since I'm sure there's a lot of IT ppl here, can e-mails through yahoo or gmail be seen?
     
  2. seepy83

    seepy83 Platinum Member

    Joined:
    Nov 12, 2003
    Messages:
    2,132
    Likes Received:
    0
    Assume they can see everything (that you do on your employer's hardware, anyway). There are plenty of corporate-level software suites that take constant screenshots and log keystrokes, and the end-user would never know. It all depends on the employer.
     
  3. degibson

    degibson Golden Member

    Joined:
    Mar 21, 2008
    Messages:
    1,389
    Likes Received:
    0
  4. gsellis

    gsellis Diamond Member

    Joined:
    Dec 4, 2003
    Messages:
    6,062
    Likes Received:
    0
    As noted, maybe. It depends on what they have installed. They can also just capture port 25 traffic too.

    Many companies will not let you run another email package inside their network. Their email filters are not set to take corrective action for your email, so they have to trust a third party that may not be trustworthy to clean any attachments or messages from malware. Port 25 will be filtered and some security software will prevent port 25 from opening. This also stops local computers from becoming certain types of botnets. Botnets inside a company can get you blacklisted because of spam traffic.

    It is safer to assume that any email you send can be intercepted. So be careful what you put in the message.
     
  5. kamper

    kamper Diamond Member

    Joined:
    Mar 18, 2003
    Messages:
    5,513
    Likes Received:
    0
    I assumed that the op is asking about the web versions of yahoo and gmail. In which case, if you use the https url and iff your company doesn't have sniffing stuff installed on your machine, the only thing they can tell is that you are accessing the mail server, they can't see into it.

    Google has been criticized, though, for making their gmail ajax stuff automatically fall back on http when https isn't available (which would include whenever there is network trouble). Tools have actually been written to automatically sniff your google log in creds in situations like when you acquire an ip address at a wireless access point but can't connect to the interwebs until you plug a code into the auth webapp.

    In general I find that it's way too easy to accidentally visit an unencrypted google page and pass it your auth cookies. Since your google login is the same for all of their services, the gig's pretty much up when that happens. Although I'd be pretty surprised if your office sniffed your cookies and used them to log into your gmail account...
     
  6. hans007

    hans007 Lifer

    Joined:
    Feb 1, 2000
    Messages:
    20,108
    Likes Received:
    1
    at my last job, some "security guy" went to my desk the day i quit and i had yahoo mail open in my browser and he snooped around since my cookie was logged in. that's actually illegal.


    now they can passively monitor anything you are doing on their network. it's their network and computers. but they can't actively snoop your email (what happened to me was like if someone sniffed my password and then logged in as me).

    at least that is what research i came up with. for me it worked out ok, even though i was pretty mad about it (the place sucked to work for anyway and i was leaving for another job and had given my 2 weeks). since i pointed out it was illegal they just let me go the next day and paid out my last 2 weeks which worked out great.
     
  7. degibson

    degibson Golden Member

    Joined:
    Mar 21, 2008
    Messages:
    1,389
    Likes Received:
    0
    I'll say this as clearly and succinctly as I can:
    Assume everything you do on a company's machine can be seen by your employer. There aren't a lot of things that are legitimately impossible for your employer to find. It is their hardware, they can install what they please on it, and they don't have to inform you. That can include keyloggers, screen captures, browser cache monitors... all kinds of things. It doesn't mean that you are being monitored, it means that you don't know and therefore shouldn't take the chance of doing something you don't want your company to know about.

    Your rights, as an employee using company property, are nil.
     
  8. Luden

    Luden Platinum Member

    Joined:
    Jul 15, 2001
    Messages:
    2,269
    Likes Received:
    0
    The Data Loss Prevention market has been growing exponentially the last few years, depending on your line of work it can be safe to assume that everything is monitored. With that being said I wouldn't worry unless your email activity could be deemed suspicious (emailing documents, customer information, etc).
     
  9. WobbleWobble

    WobbleWobble Diamond Member

    Joined:
    Jun 29, 2001
    Messages:
    4,867
    Likes Received:
    0
    Products such as ProxySG from Blue Coat can actually do SSL interception giving the company full visibility of any HTTPS site.

    We're actually in the process of implementing this at our company.
     
  10. OutHouse

    OutHouse Lifer

    Joined:
    Jun 5, 2000
    Messages:
    33,568
    Likes Received:
    7
    old thread i know but i am wondering if you implemented this and what you thought.
     
  11. MrColin

    MrColin Platinum Member

    Joined:
    May 21, 2003
    Messages:
    2,394
    Likes Received:
    1
    This is no longer true, it was once. There are off the shelf devices and roll your own FOSS options to do MITM on your own network.
     
  12. Fox5

    Fox5 Diamond Member

    Joined:
    Jan 31, 2005
    Messages:
    5,957
    Likes Received:
    0
    I believe these require them to re-sign the data with their own certificate though. So you'll get a warning unless the certificate is installed on the computer. (if it's a corporate computer, they likely installed a certificate)
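
Added example, not part of the post above or of the thread: when an interception proxy re-signs a site with a CA the machine already trusts, no warning appears, but the issuer on the certificate is no longer the public CA. The sketch below compares the issuer against a value recorded from a trusted network; the CA names and sample certificates are constructed placeholders.

```python
import socket
import ssl

# Assumption: issuer organizations recorded for the site from a network you
# trust. "Example Public CA" is a placeholder, not a real CA name.
EXPECTED_ISSUER_ORGS = {"Example Public CA"}


def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate in ssl.getpeercert() dict form."""
    ctx = ssl.create_default_context()  # uses the machine's own trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_field(cert, name):
    """Pull one attribute (e.g. organizationName) out of the issuer RDNs."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None


def check_issuer(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Classify a certificate by who signed it."""
    org = issuer_field(cert, "organizationName")
    cn = issuer_field(cert, "commonName")
    if org in expected_orgs:
        return ("expected", org)
    # Validation passed but the signer is not the CA we recorded: consistent
    # with a locally trusted interception CA re-signing the site.
    return ("unexpected-issuer", org or cn or "unknown")


# Constructed sample certificates in getpeercert() format (not real captures).
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "Example Public CA"),),
                     (("commonName", "Example Issuing CA 1"),))}
PROXIED = {"issuer": ((("organizationName", "Example Corp IT"),),
                      (("commonName", "Example Corp Web Proxy CA"),))}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        print(label, check_issuer(cert))
```

On a live machine, `check_issuer(fetch_cert("mail.google.com"))` run from the office network and again from a network you control shows whether the signer changes.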
     
  13. KeithP

    KeithP Diamond Member

    Joined:
    Jun 15, 2000
    Messages:
    5,140
    Likes Received:
    1
    Just curious, would it be more secure to use a remote access product such as logmein to access a home computer from work and get your email that way? Just wondering.

    -KeithP
     
  14. ch33zw1z

    ch33zw1z Lifer

    Joined:
    Nov 4, 2004
    Messages:
    13,767
    Likes Received:
    0
    Indeed.

    Logmein
    Teamviewer
    SSH+RDP or VNC

    all viable options, but will not prevent logging keystrokes. But FFS, do you really want to work for a company that has a stick far enough up their ass they will investigate keystrokes?
     
  15. Dankk

    Dankk Diamond Member

    Joined:
    Jul 7, 2008
    Messages:
    5,514
    Likes Received:
    0
    And no.

    If your company seriously has so little trust in their employees that they have to babysit and watch everything you do, then yes. This isn't always the case though.

    If you're somewhat technically-inclined, you should be able to tell whether there's corporate monitoring software installed on your computer. Unless it's hidden extremely well, it might be obvious, and it would be even more obvious if you can't visit certain non-work related websites.

    I'm fortunate enough to work for a company that doesn't do this. I can browse websites like Anandtech and Reddit while still getting work done, because my boss actually has faith in me. It's a win-win.
     
  16. Paperlantern

    Paperlantern Platinum Member

    Joined:
    Apr 26, 2003
    Messages:
    2,188
    Likes Received:
    0
    This is where I'm at too in my position. The majority of the firm has web mail and a lot of other sites, mostly streaming media to conserve bandwidth, blocked. The IT dept has access to most everything for work purposes, testing, software downloads, virus research, we just can't be subjected to the same filtering that the rest of the firm is, we wouldn't be able to do our jobs effectively. So yes we do have access and I do access gmail sometimes, anandtech and a few other sites, but I do get my work done as well.

    It's good to have a trusting boss.
     
  17. tbtn

    tbtn Junior Member

    Joined:
    Aug 6, 2012
    Messages:
    22
    Likes Received:
    0
    Operate under the assumption that they can. If you're working for a small office they probably don't monitor you (unless you work with classified information).

    I guess the real question isn't "can they" but "do they". Because there's always a way to monitor your activities on a company computer.
     
  18. wirednuts

    wirednuts Diamond Member

    Joined:
    Jan 26, 2007
    Messages:
    7,121
    Likes Received:
    0

    SSH+RDP and windows popup keyboard. or use a password program that auto-fills credentials.
     
  19. PrincessFrosty

    PrincessFrosty Platinum Member

    Joined:
    Feb 13, 2008
    Messages:
    2,093
    Likes Received:
    6
    You can't be 100% sure.

    Using the web variants of gmail through https protects you against them simply intercepting your messages, however there's nothing to stop them from installing software to capture keystrokes on your PC and either reconstruct what you're doing or just logging in to your account once they capture your credentials.

    The best bet is to bring your own device and connect it to the network, a laptop, or mobile device if they have wireless, then as long as you use https all your traffic will be encrypted. That will hide the contents of your messages, but not what sites you're visiting.
     
  20. DisgruntledVirus

    Joined:
    Dec 26, 2007
    Messages:
    11,790
    Likes Received:
    0
    Can they? Yes.

    Will they? Depends on your company how far they will go. Last job at a Fortune 500 company had the ability to see sites you visit broken into how long you were there. While that isn't reading my email, I wouldn't be surprised in the least if they had passive MiTM hardware that recorded everything and stored it for x days.

    Current company has the ability to remotely screen shot your system, record/monitor the session, and stuff like that. However I haven't seen it done yet and don't think it would be except in cases where there is some legal reason to (lawsuit against them or to CYA and terminate an employee).

    I'd say assume it's all monitored and logged. If you wouldn't want your grandparents seeing what you're doing, then don't do it at work as employers *could* see it and it *could* be used against you. With that said, I personally believe that it's pretty unlikely they will unless you give them a reason to. Most companies don't care that much to devote company resources to actively seeking it out and taking action, instead they fall to the reactive approach to it and use it as a resource if it's needed.
     
  21. marcamarca

    marcamarca Junior Member

    Joined:
    Oct 29, 2012
    Messages:
    8
    Likes Received:
    0
    Re: assume they can see everything. Ditto.
     
  22. FrankvanEen

    FrankvanEen Junior Member

    Joined:
    Nov 14, 2012
    Messages:
    2
    Likes Received:
    0
    Technically - most likely yes, especially at a big size company, from private data protection law (especially European) - not!

     
  23. Dravic

    Dravic Senior member

    Joined:
    May 18, 2000
    Messages:
    890
    Likes Received:
    0
    In agreement with Luden here.

    As a security professional we have no choice but to monitor everything I possibly can on the network and end point. The easiest way into a corporate network these days is through the desktop. But rest assured I have no urge, nor the time to look at what you send in your yahoo/gmail. Just be smart and don't send personal information like CC# or SSN out of the corporate network. If your company is in a PCI required field we have to monitor for those items and your personal crap is clogging up my SIEM with false positive alerts :)
     
  24. Dravic

    Dravic Senior member

    Joined:
    May 18, 2000
    Messages:
    890
    Likes Received:
    0

    Done every day at the gateway, no warning is generated. Websense is just one vendor that offers HTTPS blind proxy without the end user even knowing it. Most software filters out personal websites like medical and banks, but gmail and things like that are being parsed. It can break applications for sure, but for general web browsing you won't notice much of a difference.
     
  25. Dravic

    Dravic Senior member

    Joined:
    May 18, 2000
    Messages:
    890
    Likes Received:
    0
    IMHO.. Any company that allows ssh out of its network from the corporate desktop should have their security team replaced.

    I check my personal email on my asus epad (cell hotspot) or my rezound directly. I very seldom check anything personal from my corporate network.