How transparent can a network or system admin of an organization or an ISP be?

Techknowledge

Member
Jul 15, 2013
Is it possible for a network or system admin to view my emails over Hotmail, Gmail, Yahoo or Facebook without having my password? I heard that if you're in a LAN, network or system admins can actually view every page (even secured ones over SSL) that an employee visits. Is this true? If so, does that mean reading and sending emails from/to a free or non-free web mail solution is not secured inside a LAN, or over the internet (connected to a local ISP)? If that's so, how does it work, and what kind of solution/technology do they use? How can I ensure that all my access to Hotmail, Facebook or free web-based email then cannot be read?
 

unokitty

Diamond Member
Jan 5, 2012
There are a couple of dimensions to your question's answer. Though without knowing more detail, it is safe to say that the answer is "it depends."

From a legal perspective, the answer would be dependent on any agreements that you have with your suppliers or, if you are at work, on your organization's policy.

From a technical perspective, if I can run Wireshark, or a similar tool, on a spanning port, then there isn't anything that you can send or receive over the network that I can't see.

Of course, there are other perspectives as well.

Short answer. If you are at work, it wouldn't be prudent to do anything on your network that you wouldn't do with your supervisor watching your monitor.

Best of luck,
Uno
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
The legalities of it change from area to area and depending on what IT policy the company has the workers sign before use. You'll have to do some research on that in your local area.

The technicalities are mixed. You cannot intercept and read SSL connections; these are encrypted. However, some software literally allows you to view the user's screen remotely, which would allow the admin to view any page the user was visiting at the time, or possibly take screenshots for later use.

The question of transparency is tough. You can attempt to hide monitoring software on desktop PCs deployed in business; you need to lower the permissions of the users so they cannot bring up task manager and see what processes are running, and make sure nothing shows in the system tray. Not terribly transparent, more of a hack, and it only works on computers you own; with BYOD you're out of luck.
 

SecurityTheatre

Senior member
Aug 14, 2011
PrincessFrosty said:
"The technicalities are mixed. You cannot intercept and read SSL connections; these are encrypted. However, some software literally allows you to view the user's screen remotely, which would allow the admin to view any page the user was visiting at the time, or possibly take screenshots for later use."

This isn't entirely accurate.

In a modern Active Directory system, it is possible to use a GPO to push out a trust relationship to a third-party (internal) certificate authority.

Then, it is possible to use an SSL Interception gateway to intercept SSL traffic, using an internally-signed certificate, inspect and read the data within the packets, and then forward those packets to the destination.

Due to the certificate trust deployed via GPO, you would not see the SSL error typical to a non-trusted SSL interception attack at a public place.

This is done at many large organizations.

The important part is the domain membership, as it enables corporate IT Administrators to transparently force your browser to trust their intercepting certificate without presenting you a security error screen.
 

JBT

Lifer
Nov 28, 2001
They can absolutely look at everything you see and do. Are they? Probably not. Is whatever you are doing against policy? If so, wait till you get home. Better safe than sorry.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
SecurityTheatre said:
"This isn't entirely accurate.

"In a modern Active Directory system, it is possible to use a GPO to push out a trust relationship to a third-party (internal) certificate authority.

"Then, it is possible to use an SSL Interception gateway to intercept SSL traffic, using an internally-signed certificate, inspect and read the data within the packets, and then forward those packets to the destination.

"Due to the certificate trust deployed via GPO, you would not see the SSL error typical to a non-trusted SSL interception attack at a public place.

"This is done at many large organizations.

"The important part is the domain membership, as it enables corporate IT Administrators to transparently force your browser to trust their intercepting certificate without presenting you a security error screen."

They can man-in-the-middle the internet, but the certificate for the website will not be trusted. They can fiddle with the browsers to try and mask that, but ultimately if you view the SSL cert for the site you're viewing, it won't have a valid chain of trust.

If you bring your own browser on a USB key or download and install one that's not pre-configured by the workplace, for example Chrome, which can be "installed" with basic user creds, then you'll see the cert warnings.
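
Added example, not part of any post in this thread: one way a user could check for the interception discussed above is to look at who issued the certificate a site presents and compare its fingerprint with one recorded on a network they trust, since a machine that trusts the internal CA shows no browser warning. The host name, CA names and certificate bytes are constructed stand-ins; in live use the two inputs would come from `ssl.SSLSocket.getpeercert()` and `getpeercert(binary_form=True)`.

```python
import hashlib
import hmac

def fingerprint(der):
    """SHA-256 over the DER-encoded leaf certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def issuer_field(peercert, key):
    """Read one issuer attribute from the dict shape ssl.SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def assess(host, peercert, der, pins, public_issuers):
    """Return reasons to suspect the connection to `host` is being intercepted."""
    findings = []
    org = issuer_field(peercert, "organizationName")
    if org not in public_issuers:
        findings.append("issuer %r is not a CA this site is expected to use" % org)
    pin = pins.get(host)
    if pin is not None and not hmac.compare_digest(pin, fingerprint(der)):
        # Can also be a routine certificate renewal; strongest together with the issuer check.
        findings.append("leaf fingerprint differs from the one recorded off-network")
    return findings

# Constructed sample data (stand-ins, not real certificates).
HOST = "mail.example.com"
DIRECT_DER = b"constructed DER bytes seen from a home connection"
PROXY_DER = b"constructed DER bytes re-signed by the gateway"
DIRECT_CERT = {"issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),))}
PROXY_CERT = {"issuer": ((("organizationName", "Corp Internal Inspection CA"),),)}
PINS = {HOST: fingerprint(DIRECT_DER)}
PUBLIC_ISSUERS = {"Example Public CA"}

if __name__ == "__main__":
    for label, cert, der in (("direct", DIRECT_CERT, DIRECT_DER),
                             ("via gateway", PROXY_CERT, PROXY_DER)):
        print(label, assess(HOST, cert, der, PINS, PUBLIC_ISSUERS) or "no findings")
```
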