When I am using my corporate network, is it likely/easy/possible for my company to monitor what I am sending and receiving on email such as Hotmail, Yahoo, etc.?
I do not use my corporate email for personal stuff, but I do get kind of steamy on the others.
Also, they can monitor all of your ICQ/AIM stuff too. I’ve seen it as well.
Anything you send out that is not strongly encrypted can be viewed with standard corporate “security” tools (which are really just ways to see what the employees are doing… we have a guy at my company who spends 8-5, M-F doing nothing but that).
I simply don’t send anything through work that I would care about anyone intercepting.
It’s very easy for a person with access to equipment where your data passes through (e.g. a gateway/firewall) to monitor anything unencrypted. On a non-switched network it’s also possible for others on the same net to monitor your communication.
The likelihood of this of course depends on the company.
So - not to sound completely naive here - these security tools have the ability to tell an email sent from a Web site from any other kind of information being sent (e.g., registration for a site, etc.)?
Fascinating - I don’t have a problem with the company knowing what goes out (it is, after all, their time and equipment) - I just wondered how it was done.
Well, in its most basic form you’ll just dump all data being sent and received (optionally after filtering for certain things) and, as you have all the information being sent/received, you can see if it’s an email or something else.
I guess there are some smart “click here and see which of your employees do bad stuff” programs, but I’ve never tried any of that.
Even a simple packet sniffer program like Sniffer Pro can do it. Just mirror the packets going to and from your corporate firewall and tell the sniffer program to capture all SMTP and HTTP traffic. Then save it and sort through it at your leisure. Piece of cake.
And if the company wants to monitor a particular employee, it’s the same procedure as above, but in addition they tell the packet sniffer to only capture packets coming from that employee’s IP address.
Use your own laptop using a modem and phone line, use encryption, look over your shoulder often and you should be relatively safe. Better yet, do that stuff at home and not on company time.
The most basic level would be a keystroke logger, which (as the name suggests) keeps a record of every keystroke on a particular machine. A complete picture of user activities is thus kept.
Keystroke loggers aren’t common in my experience. The amount of disk space and man-hours required to actually do anything with the massive amounts of data make them prohibitively expensive. I have heard of one major bank using a keystroke logger and employing two staff full-time to monitor the logs, but even they only monitor certain staff in positions with access to sensitive data.
There are also keyword searchers, which are very common and produce automated reports whenever trigger words are detected in (say) web pages passed through the corporate firewall. I believe my own employer uses these. Similarly, I have heard of software that scans image files for flesh tones that might indicate pornography.
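Added example (not posted by anyone in this thread): the “mirror the firewall port, capture SMTP and HTTP, filter by the employee’s IP address” procedure from the sniffer post above, plus the “automated report on trigger words” from the post just above, as a small Python script run over constructed traffic. The packet records, the webmail host list and the trigger-word list are all made up for the example; a real deployment would feed it reassembled TCP streams from a capture tool instead.

```python
"""Passive monitoring of mirrored corporate traffic (constructed example).

Each record stands for the client-to-server payload of one reassembled TCP
connection, as a sniffer on a mirror port would see it:
    (src_ip, dst_ip, dst_port, payload_bytes)
"""
import re

# Assumed for the example: what the company treats as webmail, and which
# words in outbound traffic should trigger a report.
WEBMAIL_HOSTS = {"mail.example.net", "webmail.example.com"}
TRIGGER_WORDS = {"confidential", "resume", "roadmap"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
SMTP_VERBS = (b"HELO ", b"EHLO ", b"MAIL FROM:", b"RCPT TO:", b"DATA")


def classify(dst_port, payload):
    """Label a connection by destination port plus a look at its first bytes."""
    head = payload[:16].upper()
    if dst_port == 25 and head.startswith(SMTP_VERBS):
        return "smtp"
    if dst_port == 80 and head.startswith(HTTP_METHODS):
        return "http"
    return "other"  # binary, encrypted, or an unrecognised protocol


def parse_http_request(payload):
    """Split a plain-text HTTP request into (method, path, host, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path = lines[0].split(b" ")[:2]
    host = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
    return method.decode(), path.decode(), host.decode(), body


def is_webmail_send(payload):
    """Heuristic: a POST to a known webmail host is a message being sent."""
    method, _path, host, _body = parse_http_request(payload)
    return method == "POST" and host.lower() in WEBMAIL_HOSTS


def keyword_hits(payload, triggers):
    """Trigger words present as whole words anywhere in the payload."""
    text = payload.decode("latin-1").lower()  # latin-1 never fails on binary
    return sorted(w for w in triggers if re.search(r"\b%s\b" % re.escape(w), text))


def monitor(records, employee_ip=None, triggers=TRIGGER_WORDS, only_flagged=False):
    """Build the report: optionally one employee only, optionally hits only."""
    reports = []
    for src, dst, dport, payload in records:
        if employee_ip and src != employee_ip:
            continue  # the "only packets from that employee's IP" filter
        kind = classify(dport, payload)
        webmail = kind == "http" and is_webmail_send(payload)
        hits = keyword_hits(payload, triggers)  # yields nothing on encrypted data
        if only_flagged and not (webmail or hits):
            continue
        reports.append({"src": src, "dst": dst, "kind": kind,
                        "webmail_send": webmail, "hits": hits})
    return reports


# Constructed sample capture: two employees, one using SMTP, webmail and HTTPS.
SAMPLE_PACKETS = [
    ("10.0.0.7", "203.0.113.5", 25,
     b"EHLO laptop\r\nMAIL FROM:<bob@corp.example>\r\nRCPT TO:<a@example.net>\r\n"
     b"DATA\r\nSubject: Q3 roadmap\r\n\r\nconfidential draft attached\r\n.\r\n"),
    ("10.0.0.7", "203.0.113.9", 80,
     b"POST /cgi-bin/compose HTTP/1.0\r\nHost: mail.example.net\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"to=x%40example.org&subject=hi&body=see+you+tonight"),
    ("10.0.0.8", "203.0.113.9", 80,
     b"GET /register HTTP/1.0\r\nHost: www.example.org\r\n\r\n"),
    ("10.0.0.7", "203.0.113.12", 443,
     b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),  # start of a TLS handshake
]

if __name__ == "__main__":
    for entry in monitor(SAMPLE_PACKETS, employee_ip="10.0.0.7"):
        print(entry)
```

The webmail check answers the question asked earlier in the thread: the tool does not need to understand the site, it only has to see a POST to a host it has been told is a mail service. The last record shows the other side of the coin: port 443 traffic classifies as “other” and produces no keyword hits, which is exactly why the later posts argue for HTTPS webmail.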
There’s another part of the question besides whether it’s easy/likely/possible, and that is: is it legal? And that answer is yes. If you are using a company’s equipment, everything you do on it belongs to them.
Is it easy? Any company that wanted to, could. The basics wouldn’t be very difficult or costly.
Is it likely? Well, that’s the question. Monitoring employee accounts could get very expensive, particularly if a lot of people were watched. Then there’s the question of what the goal would be. Sending a few hot e-mails is unlikely to get any employee fired; the company would be looking for BIG things, like if you were passing company secrets. Or if you spend 4 hours a day surfing. Since there’s a lot of small transgressions, clamping down on those would make companies very unpopular. A likely possibility is a snoopy employee, looking through things that interest them. In that case again, you’re probably safe unless doing something unusually outrageous.
I would suggest that ALL people who use email use an encrypted service, which would force anyone who wished to monitor them to use a keystroke logger (expensive and annoying to deploy and monitor). Not using encryption opens you up to minor security holes, which when used by a clever and resourceful attacker opens you up to more significant security holes.
I recommend using the encrypted email from either LockTechnology or Hushmail: www.lok.com or www.hushmail.com
Of course, using encryption requires you to install encryption software on your computer, which is probably a violation of company policies, because installing any unauthorized software is probably a violation of company policies. Furthermore, even though packet sniffing can’t read encrypted packets directly, it’s quite easy to note the fact that you’re sending out encrypted packets, which means that you’ve installed encryption software, which is a violation of company policy, since installation of any unauthorized software is a violation of company policy.
You could use steganography, of course, but even then resource profiling could well reveal the fact that you tend to use many times as much bandwidth as an average employee in your position, since steganography is bandwidth-intensive by nature.
Bottom line: it’s not exactly gonna kill you to follow company guidelines, and it probably won’t break your bank to get internet access at home, so unless your company has some bizarrely irrational restriction on how you can use your net connection (No capital ‘J’, ever!), it’s probably best to just be prudent rather than trying to be sneaky.
Actually, all the encryption needed by the free encrypted email and file storage offered by Lokmail (www.lokmail.com) is contained in your web browser.
If you can sign into hotmail, which uses https to send username and password, then you can use https, which is all lokmail uses.
I believe that if you should be allowed to use web email at all at work, you should also be allowed to use encrypted email. There is no compelling company interest in everyone BETWEEN your company and your email provider having access to your email.
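Added example (not from any poster in this thread) illustrating the two sides of the HTTPS point above: the sniffer cannot read the mail, but the first bytes of a TLS connection are still sent in the clear and, with the server_name (SNI) extension that later TLS clients send, they name the site being contacted. `build_client_hello` fabricates such a handshake so the parser can be exercised offline; `parse_sni` is the check a monitor would run on each new connection to port 443. The cipher suites and hostnames are arbitrary example values.

```python
"""What stays visible when webmail goes over HTTPS (constructed example)."""
import os
import struct


def build_client_hello(hostname, with_sni=True):
    """Minimal TLS 1.2 ClientHello, optionally carrying a server_name extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # ext type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two example cipher suites
        + b"\x01\x00"                                 # one compression method: null
    )
    if with_sni:
        body += struct.pack("!H", len(ext)) + ext      # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello, uint24 len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(payload):
    """Return the SNI hostname from a client's first bytes, or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None  # not a TLS handshake record, or not a ClientHello
        pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]         # skip session_id
        (cs_len,) = struct.unpack_from("!H", payload, pos)
        pos += 2 + cs_len               # skip cipher suites
        pos += 1 + payload[pos]         # skip compression methods
        (ext_len,) = struct.unpack_from("!H", payload, pos)
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == 0:
                entry = pos + 2                     # skip server_name_list length
                if payload[entry] == 0:             # name_type host_name
                    (name_len,) = struct.unpack_from("!H", payload, entry + 1)
                    return payload[entry + 3:entry + 3 + name_len].decode("ascii")
            pos += length
        return None                                 # ClientHello without SNI
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                 # truncated or malformed: never crash


if __name__ == "__main__":
    # Constructed "capture": one HTTPS connection to a webmail site.
    print(parse_sni(build_client_hello("www.hushmail.com")))
```

Even without SNI the monitor still has the destination IP address and the fact that the connection is a TLS handshake, which is the “they can note that you are sending encrypted packets” point raised earlier; what it no longer has is the mail itself.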