key stroke logging by employers on private laptop

If I am using my own laptop at a firm where I consult, and I use their internet connection, can they record my keystrokes? I mean, is it technically feasible? If not generally, can it be done while on websites? For instance, while using private email or search engines? I assume they can trace what websites I visit while on their system. There’s no special software on my laptop required to use the internet here, I just plug in a cable. But if they can track websites to me, can they track keystrokes or searches or passwords typed while on the internet?

They can’t directly track your keystrokes, no. All they can see is the information that passes through the hardware they have control over – i.e., the network connection. Note that this may include passwords, if any of the sites you use (and need a password for) use unencrypted connections.

Since you are using their internet access, you may be stuck with whatever security/spy systems they have in place on their network. You might want to consider changing your base contract language with your clients so that any internet access you use remains “secure.”

If you are finding this is a common occurrence these days, you might want to set up your own proxy server and use a VPN connection to that server.

If you really just plug in a cable and go, then they can monitor your unencrypted network traffic, which includes all non-HTTPS traffic (HTTP = plain, HTTPS = encrypted) you generate. This means they can see what you type in the google box (not because they see your keystrokes, but because they see the text that gets sent to google as a result), all the regular HTTP sites you visit and the contents you view on those sites, plus even the names and addresses of the HTTPS servers you visit, but none of the contents.

The mitigation to this problem is to use a VPN to connect to the internet via a tunnel out of the untrusted network or to use an encrypted SOCKS proxy. You can reduce the problem to a single point: all they know is you’re connecting to one particular server (the VPN/proxy endpoint) and they can’t see any of your traffic. There are also probably a handful of other clever ways around this problem that I don’t know about.

It is also possible that the host company could set up a network such that in order to actually use it, your computer is required to be part of a Windows “domain”, which means you could also be required to run their own logon scripts (which you may not even see happening) when you log on to the network. In this case, they could be installing all sorts of nefarious monitoring software on your computer and actually monitoring more than just your network traffic.

So they can tell I am at straightdope and what part of the boards I am on, but not tell what username or password I am typing in.

In any case, how does this VPN thingy work? Is “use a VPN to connect to the internet” meaning software or a site I visit through which I visit other sites?

As for monitoring software, I assume Avast! and similar programs would find it?

This is site-specific, since different sites do security in different ways. I just did a network trace of an SDMB login and an eavesdropper can see the username and a “one-way hash” of the password, but they can’t see the password itself. Unfortunately, it looks like the way vBulletin is set up, they could reuse the stolen one-way hash to log in as you if they really wanted.

It’s complicated, but basically, you use a “VPN Client” on your computer (Windows has built in VPN client functionality for some types of VPNs; I assume Macs do too. There are other 3rd party VPN client packages available as well) to connect to a VPN server somewhere out on the internet. Generally, you’d subscribe to a hosted VPN service such as hamachi, but if you know what you’re doing, you can set up your own VPN server (that’s what I did, using OpenVPN software). What happens when you connect your VPN client to the server is that your network traffic that’s bound for the internet first gets sent over an encrypted tunnel to the VPN server, and goes unencrypted out to the internet from there.

Unlikely. If they are allowed to run any software they want on your computer, the game’s over and they won.

I was thinking about this a bit more, trying to figure out a good way to explain it, and came up with the following ridiculous analogy: Let’s say you didn’t want your nosy neighbor to see where you were going when you leave your house. So you call up the Virtual Private Sidewalk company and they show up at your house with a big flexible tunnel that they attach to your front door. The other end of the tunnel goes to the VPS company’s headquarters, where they have a whole bunch of secret exits, making it effectively impossible to track you from there, even though you’re going out in public where everyone can see you.

So all your nosy neighbor can see is that you’re a customer of the VPS service, and whatever you do via that service is effectively private.

Not quite like secret exits. More like they have a fleet of limos with dark windows to take you where you’re going and bring you back.

Actual key logging requires them to have physical access and install a program on your laptop. So if you left it in the office over lunchtime or just left it turned on while you visit the restroom, they could install a keylogger program without your knowledge. And the consulting contract you signed probably gives them the right to do this if they wanted.

In reality, most businesses don’t have the time or inclination to do this, nor the time to actually examine the logs if they did it, so you are probably not likely to encounter this. But it’s possible.

Yes. Key logging can be done via hardware or software. Hardware devices can be installed inside the keyboard, or as a dongle between the keyboard and PC - much less likely with a laptop.

As t-bonham says, logging can be done via software too. If it’s a work laptop, it’s theoretically possible that when it was set up (imaged) such a program was installed. Physical access isn’t needed though - when connected to the work network the software can be “pushed” onto your laptop.

But yes, it’s unlikely for most places cause of time and inclination.

It’s actually very simple to do. Some of the schools I used to work at (as an IT Manager) used a piece of software called Securus which would install itself on any computer that connected to the network without user interaction or confirmation. You set the software with a list of keywords and if any is displayed on your screen (i.e. if you view the word on a website, type it in any application or view it in a document) it takes a screenshot and sends it to the server with date/time/user information. Very simple to set up and use, I doubt any businesses use this software specifically but similar technologies may exist for the corporate marketplace.

How did it install itself?

I’m not sure since it was set up prior to my arrival and was essentially managed by the company who provided it. I remember it ran on a dedicated server and would be licensed for a set number of PCs on the network which you could expand by paying more. We only had access to basic configuration (and of course the screenshots it stored), any updates done to the server were done by Securus technicians. I assumed that it stored the domain administrator credentials to install the software until I noticed that it had installed itself on my laptop which was never added to the domain. Of course I was able to block the service from running but pupils and staff don’t have the permissions required to do this.

You’re an IT manager… you connect your personal laptop to a network and it’s suddenly taken over by a monitoring program… and you don’t know or care how this happened? :confused:

‘Taken over’ isn’t accurate, it is just a very low memory process. It isn’t malicious so why would I be concerned over it being there?

I looked on their website but to access the technical support area you need your school information so I can’t check how it installs itself.

Missed edit time

Actually thinking about it (it seems a long time ago now) we may have set the software to be deployed using group policy via msi or a vb login script, if it was a login script then the chances are good I would have run the script on my laptop at some point whilst testing stuff before deploying.

(My emphasis)

As has been pointed out, this is wrong. If you join your computer to their domain, they need not have physical access to run whatever software they want on your computer.

I’d personally be concerned about any software being installed on my computer without my permission, especially for the purposes of spying on me. Whether the software is actively malicious or not, breaking into my computer to install itself is a hostile act. But I’m kind of skeptical that what you’re describing actually happens, though. Supposedly, this software can just inject itself into any computer just because it connects to the network? That would effectively make it a worm that exploits known security vulnerabilities in your own users’ PCs. Microsoft, for example, would be extremely interested in finding out how this software works and plugging whatever hole it’s using.

ETA: Ah, I hadn’t seen your second post when I started writing. That would make a lot more sense.

What ntucker said :slight_smile:

Logon script? Fine. “Security” program that exploits an unpatched flaw to execute unauthorized code? Nuh-uh.

Actually they can probably see your username and pass since it looks like SDMB has that info sent unencrypted from the browser.

The password isn’t sent in the clear – it’s an MD5 hash of your password. So that hash could be used to log them in as you, but they still won’t know your password.
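The point made in the posts above, that a fixed MD5 hash sent over plain HTTP works as the password itself, shown as an added example that is not part of the original thread and is not vBulletin's code. The account, the password and the `ChallengeServer` alternative are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; the server stores MD5(password), as in the thread.
STORED = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def client_static_login(password: str) -> str:
    """Static scheme: the browser sends MD5(password) on every login."""
    return hashlib.md5(password.encode()).hexdigest()


def server_static_verify(user: str, sent_hash: str) -> bool:
    return hmac.compare_digest(STORED.get(user, ""), sent_hash)


class ChallengeServer:
    """Hypothetical alternative: one-time nonce per attempt, HMAC response."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def challenge(self, user: str) -> str:
        self._pending[user] = secrets.token_hex(16)
        return self._pending[user]

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)  # each nonce is usable once
        if nonce is None or user not in STORED:
            return False
        expected = hmac.new(STORED[user].encode(), nonce.encode(), hashlib.sha256)
        return hmac.compare_digest(expected.hexdigest(), response)


def client_challenge_response(password: str, nonce: str) -> str:
    key = hashlib.md5(password.encode()).hexdigest().encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def replay_outcomes() -> dict[str, bool]:
    """True means the server accepted the login attempt."""
    seen_hash = client_static_login("correct horse")   # value visible on the wire
    srv = ChallengeServer()
    seen_resp = client_challenge_response("correct horse", srv.challenge("alice"))
    legit = srv.verify("alice", seen_resp)              # the user's own login
    srv.challenge("alice")                              # next attempt, fresh nonce
    return {
        "static_hash_replayed": server_static_verify("alice", seen_hash),
        "challenge_login": legit,
        "challenge_response_replayed": srv.verify("alice", seen_resp),
    }
```

Neither variant hides the username or the rest of the session from the network, and the stored hash remains password-equivalent on the server. Serving the login over HTTPS is what keeps the submitted value off the wire.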