6

Sometimes I check things like my personal emails and do financial transactions like pay bills on my work computer. I came across an article recently that said your work monitors every little thing you do on the computer so it's best not to do personal things on there. But I would think that it's safe as long as you safely log out of your accounts and clear history?

And even if your employer can see your activity on the computer, I would assume they have no way of seeing your online passwords and accounts? Can they?

Is it ok to do such things on a work computer like pay bills and so on? Is there risk involved?

Adam Burke
Steve P

6 Answers

19

It's safest to assume your employer can see everything. Now if the sites you visit are all properly secured your employer probably won't be eavesdropping passwords,¹ but that data could still be in your browser. This site isn't the place for a technical analysis; instead let's focus on the human element. Have you ever forgotten to clear a session? Have you ever let your browser remember an "unimportant" password? Even the most careful humans goof sometimes, and when they do, anybody with access to the machine can use your stored credentials.

All that said, your IT department probably doesn't care. You probably face a bigger risk from other users of your computer -- you're probably not perfect at locking when you step away, right? Or you might allow a coworker to debug something in your environment. Or you might get a new machine and hand the old one off to an intern without reimaging.

The chance of having your private data compromised is very small in most workplaces, but it is not zero. If checking your bank balance from work is that important, you might decide it's fine. On the other hand, you could wait until you get home, or use your phone.

Finally, you should assume that your non-private browsing activity is all logged -- URLs, timestamps, and maybe other stuff. IT departments do look at this information sometimes -- usually in the aggregate, but if they see something interesting they might drill down.

¹ There are things they could do to eavesdrop on secure connections, but it would be an intentional move. The tools normally used by a non-evil corporate IT department are unlikely to compromise your passwords for secure sites. But nothing is ever guaranteed.

Monica Cellio
  • @SteveP comments here are not the place to get technical advice like what you're asking for. You might want to try the Information Security site, or you could drop into [chat] for informal conversation. – Monica Cellio Dec 16 '18 at 04:14
  • @SteveP There are numerous ways to bypass https encryption monitoring in the work place. A keylogger or using proxy servers would filter the contents and be visible to your workplace. Doesn't matter what browser you use as the network traffic is being monitored. Keyloggers do not rely on browsers and can see what you're typing regardless of what method it is sent or received. – Dan Dec 17 '18 at 20:14
7

A)
Is it OK to do? Yes, generally.

B)
Is it advisable to do? No, if avoidable don't do it.

C)
Are there risks? Yes.

A)
You can use your work computer and internet access if there are no policies or contract paragraphs prohibiting it.

C)
Legally employers are allowed to monitor their computers and network/internet access.
This includes keyloggers, screencapture and other soft- or hardware mechanisms.

The risk is that you don't know who exactly has access to those logs and with them your private information.
They could be stolen or sold by a disgruntled or criminal employee or used against you in some form.

B)
Most of the time there won't be an issue.
However, it is generally prudent to avoid using third party equipment or internet access for private, sensitive activities.

DigitalBlade969
  • Thanks. So you are saying they damn even have keyloggers? Do you think they can see your password of an account? And can they see what you’re looking at, like if you are looking at your statement? – Steve P Dec 13 '18 at 14:24
  • @SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one. – Pac0 Dec 13 '18 at 14:43
  • So if I’m typing a password in an https website, can they see my password? – Steve P Dec 13 '18 at 14:50
  • @SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read it if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password. – David Thornley Dec 13 '18 at 16:37
  • Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see your password if they have a keylogger and if they do they have to notify employees first? – Steve P Dec 14 '18 at 00:17
  • @SteveP Everything is encrypted in https, but the encryption has to have a key. This is normally transmitted by encryption with the private key, which normally resides on a hard drive or SSD, which your employer has full access to (at least in the US). A man-in-the-middle attack is one where you think you've connected with the destination system but have actually connected with another system which is relaying https messages back and forth. There are ways to stop such attacks, but an employer-provided browser will remove some of those protections. – David Thornley Dec 14 '18 at 22:48
  • 1
    @DavidThornley: It's rare for there to be any client-side persistent key in HTTPS. Just secure setup of the temporal / per-session symmetric key. But it doesn't matter, because the decryption happens on the employer-owned computer, so they're in a perfect position to place code that reads the outgoing data before encryption, and the incoming data after decryption. – Ben Voigt Dec 15 '18 at 14:40
  • 3
    C needs a country disclaimer, there are countries where this is illegal, certainly when monitoring is disproportionate to the risk. – KillianDS Dec 17 '18 at 21:58
2

If the company controls what security certificates the web browser accepts, then they can intercept and decode any HTTPS-encoded traffic to any web site. The only additional thing they need to do is install a proxy server between your desktop computer and the internet - and most companies have that anyway.

The attack is essentially:

  • Company configures all their computers to accept a company-issued top-level security certificate.
  • When you connect to your bank's secure web site, it will go through the proxy server.
  • The proxy server traps the request for a security certificate. It sends on the request to the bank, and the bank sends back a valid certificate. The proxy server keeps that certificate.
  • The proxy server makes up a new certificate, in the name of the bank, but authorized using the company's own top-level certificate.
  • Your browser accepts that, because it thinks the certificate is genuine.

Now when you type in your banking password, the proxy server can decrypt it, because it set up the secure connection to the browser, not the bank. The proxy server can then re-encrypt the password and send it on to the bank.

The proxy server can also decrypt the data coming back from the bank, because it set up the connection to the bank, not your browser. Again, having snooped on the data, it re-encrypts it and sends it on to your browser.

If it's all done correctly, neither you nor the bank sees anything wrong.

Simon B
  • Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off? – Steve P Dec 14 '18 at 00:25
  • Answering your question: anything that's moving through the proxy that basically Man In The Middle you is clear-text for whoever is controlling or has access to the proxy server. Logs are kept on the proxy server, your local history is irrelevant. Your password is usually a base64-encoded hex at the end of an URL or inside a JSON that your browser sends via HTTPS to the bank server. If that communication is not encrypted via HTTPS or the encryption is broken like described in the answer, then yes, your password is basically in the clear for the server admins. – BoboDarph Dec 14 '18 at 08:33
  • This is how to make a proxy work, but a proxy is not necessary. The end node could be complicit in the logging. – Ben Voigt Dec 15 '18 at 14:42
  • Is it safe to use outdated browser? Like I didn’t want to or update my browser – Steve P Dec 16 '18 at 19:54
  • @SteveP An outdated browser is rarely a safe idea. If you can install a browser that doesn't use the computer's security certificates, but uses its own instead, then it will flag up warnings if someone attempts a man-in-the-middle attack like I described above. That assumes you are allowed to install software on your work machine. – Simon B Dec 16 '18 at 21:07
  • Well it’s just that I was doing personal business on a public computer then I seen a pop up saying to update browser so I wasn’t paranoid thought maybe my info had been compromised but I checked the internet options and it looks like the organization marked it to never check for updates and in that’s what they wanted to leave it that way? – Steve P Dec 17 '18 at 19:59
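A client-side check for the re-signing proxy described in Simon B's answer above, as an added example that is not part of the original thread: it records which issuer and leaf certificate a machine is shown for a site and compares that with a reference taken on a trusted network. The function names, sample issuers and fingerprints are constructed for illustration.

```python
import hashlib
import socket
import ssl


def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples from ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def observe(host, port=443, timeout=5.0):
    """Return (issuer organisation, SHA-256 of the leaf cert) as this machine sees it."""
    ctx = ssl.create_default_context()  # trusts whatever roots the machine trusts
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            org = issuer_fields(tls.getpeercert()).get("organizationName", "")
            der = tls.getpeercert(binary_form=True)
    return org, hashlib.sha256(der).hexdigest()


def compare(seen, reference):
    """Classify what the work machine saw against a trusted-network reference."""
    if seen[1] == reference[1]:
        return "same-certificate"   # byte-identical leaf: nothing re-signed it
    if seen[0] == reference[0]:
        return "same-issuer"        # new leaf from the same CA: rotation or a CDN node
    return "issuer-changed"         # a different CA vouches for the site on this machine


def _fp(label):
    """Stand-in fingerprint for constructed sample data."""
    return hashlib.sha256(label).hexdigest()


# Constructed sample data (not real certificates or organisations).
SAMPLE_CERT = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example Corp IT"),),
                          (("commonName", "Example Corp Inspection CA"),))}
REFERENCE = ("Example Public CA", _fp(b"bank leaf A"))
ROTATED = ("Example Public CA", _fp(b"bank leaf B"))
PROXIED = (issuer_fields(SAMPLE_CERT)["organizationName"], _fp(b"proxy-minted leaf"))

if __name__ == "__main__":
    for name, seen in (("reference", REFERENCE), ("rotated", ROTATED), ("proxied", PROXIED)):
        print(name, "->", compare(seen, REFERENCE))
```

Run `observe()` for the same host on the work machine and on a network you control, then pass both results to `compare()`. An unchanged certificate only rules out a re-signing proxy on that connection; it says nothing about keyloggers or other software on the machine itself.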
1

While different companies have different policies on Internet usage, and different IT departments do different levels of monitoring, I think it's safe to assume that yes, they could potentially see everything you're doing.

I would have thought that HTTPS traffic could not be read, but according to @SimonB it's possible that they could even then.

Logging out of your account and clearing history will make no difference. It's unlikely they check your activity by looking at your browser history, or by checking to see where you're logged in. What they probably do is monitor the network traffic as it passes through their network servers, so they'll know where you've been even if they never even see your physical computer.

komodosp
0

I'm not an expert on cyber security, but I would think a company could, in principle, track anything that is being done on a computer that they own.

On my corporate laptop, I have to go through an internet proxy, so for sure they have a record of every website I have navigated to. If they wanted to, I'm sure they could monitor anything I type into a text field on a web page on that machine (including usernames/passwords). So, there could potentially be a risk.

But, having said that, I would think most companies have better things to be doing and would not want the level of risk associated with pilfering cash from their employees' bank accounts or selling their personal data. A particularly unscrupulous company could do it, in theory, but the chances are probably quite low.

Edit:

Chances are probably higher that a rogue individual working in IT might do something nefarious, so there is a level of risk. I admit that I check bank accounts on my machine though, so I'm not too bothered about it.

Time4Tea
  • 4
    The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts. – Charles E. Grant Dec 13 '18 at 01:04
  • Can they see your passwords you type in on https websites? – Steve P Dec 13 '18 at 14:43
  • @SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think. – Time4Tea Dec 13 '18 at 14:56
  • How likely is that? And I thought https websites protect you and encrypt everything? – Steve P Dec 13 '18 at 15:12
  • And that’s ridiculous I would think it’s illegal for employers to install keyloggers? – Steve P Dec 13 '18 at 15:22
  • @SteveP as Monica Cellio says in her answer, it isn't likely, but it's not 100% safe (zero-risk). https encrypts data between the browser and the website you're using; however, if someone has access to the machine you are using, they could in principle still log every key you are typing. There is no foolproof way to protect against someone who has direct access to the hardware. As Charles E. Grant mentions in his comment, it is apparently legal for employers to install keyloggers in the US. Be careful! – Time4Tea Dec 13 '18 at 15:54
  • Thanks but you said if they do have some kind of Keylogger installed then they would have to mention it in their internet use policy correct? – Steve P Dec 13 '18 at 19:41
  • And how about public libraries, do they use keyloggers? – Steve P Dec 13 '18 at 19:42
  • @SteveP Charles E. Grant mentioned that in his comment above - perhaps his link might tell you more. I don't know whether there have been any cases of public libraries using keyloggers, but in general, I think anyone who has admin access to a computer could install a keylogger. Be cautious, if you are using a computer you don't own. – Time4Tea Dec 13 '18 at 21:51
  • @SteveP From what I know of librarians, I'd be astonished to find they'd installed a keylogger. This doesn't mean a patron hasn't, of course, and some level of administration might dictate it. Publicly usable computers are not safe to use in general. – David Thornley Dec 13 '18 at 22:32
  • But I would think public library computers are safe if they do freeze which they do every night? I mean would you say library computers are safe? – Steve P Dec 14 '18 at 00:19
  • @SteveP: Restoration to a checkpoint (which is what I believe you mean by "freeze") only stops the most casual threats. – Ben Voigt Dec 15 '18 at 14:51
  • Question, is it safe to use outdated browsers? Like I didn’t want to update my browser – Steve P Dec 16 '18 at 04:12
  • @SteveP 'But I would think public library computers are safe' Absolutely not! Though the problem is less likely to be the librarians and more likely to be your fellow library patrons. – Charles E. Grant Jan 15 '19 at 04:03
0

To explain a somewhat funny/amusing story, a long time ago I was working in my college and a professor was explaining how he encrypts all his homework answers on this shared unix system using some pretty fancy encryption methods at the time. He said no one could crack the password in a hundred thousand years using all of the university's servers and certainly not the current semester. That night I emailed him the entire semester's solution and he was livid. How did I crack it, he would ask. Simple, I looked back in his command history and saw he entered a password in the command line tool, a very well made password with numbers, etc but it meant nothing when I knew it.

Point is, there's no way to know what level of security the system has. You type in sensitive material, it might be viewed by anyone, even in some cases your coworkers. Your work station most likely has connections to proxy servers, and key loggers installed. All easy stuff to monitor and view on the end of a system admin or just a curious coworker. You should assume everything you do in a public space is viewable by the public at large. All the security in the world means nothing when it is filtered through a controlled system.

Dan