KFL - Protect your privacy in a corporate environnement

Protect your privacy

in a corporate (hostile) environnement

Computers are certainly the most common desk tool that you'll find on any workplace. Electronic communication usually offer speed, reliabilty and ease of use that make them a great tool for increasing productivity. So workers are now able to mail, surf and many others funny things in the name of productivity. Great. But don't expect them to TRUST you. So they'll watch your back, looking at your trace, sniffing at each corner, invading your life without any respect in the fear of the fun that you could get out of their toys...

But there is one thing on wich you can count. Time is money for everyone, and usually you may be faced to a fact : even if they watch you, they may not have enough time or ressources to CLOSELY watch you. Just keeping few rules in your mind can help you to keep your life for you..

In a corporate environnement, you'll be faced again with passwords. Rules for creating passwords apply here too (see the Why and how about passwords page about that). But there is another rule : do not give your password to your co-workers. Password will give access on your computer, any misuse of the computer will be of your responsibility...On every system there is way to share the information without need of your password. If you work with a co-worker on a project, share the password to access only to the project files with him, keeping in mind that you should never use this password elsewhere... the rule here is : TRUST NOBODY.

If you have access to the mail, you should remind that in most of the case you'll pass through the corporate server. Wich are owned, administred, ruled by your boss. So, facing the fact : NO PRIVACY AT ALL. Everything that go through is recorded. And can be retrevied at anytime by the owner of the server. Don't expect any corporation to respect the law when in come against productivity. They especially don't care of things that regards the privacy of their troops...

But you can bet them at their own game. The wild internet carry many problems with it... let say things as virus, trojans are a serious concern for them. So, kindly request of a tool that you have used in the past (let say on your last workplace), named PGP (Pretty Good Privacy) that you used to verify the identity of your correspondant, throwing away any unsigned mail...so easy to use (just few button added to your mail client) that you even use it at home. So clever and justified request may be fullfilled by your boss. And now you've a STRONG way to encrypt your private mail, ensuring that if there is no keyboard logger on your computer your boss will not be able to access your mail....

You can't use PGP ? well, there is others ways to still use your mail with confidence. You can find some freeware out there that can encrypt files. Install one of them on your computer, write your mail as a document, encrypt it, and send it as an attachement. End-user restriction on your system didn't allow you to install any tool ? well, there is ways to get rid of these restriction (your system use an antivirus, right ? then your antivirus may install the tool for you if you ask in in the correct way :->), but that will not be legal. And if you protect your privacy, wich is a RIGHT, you should do it in a legal manner.

In the case you can do nothing, and you've got acces to the internet, then you may still got access to your private mail. Use an external mail server. There is several way you can do that. The best of all is to get an account with a POP/SMTP abilities. With that, if you have a corporate proxy that is not too much secured (and you can expect that again if there is a lack of time and ressources for the admins), you can configure your mail client to grab mail of the external server aside of the corporate server. But there is still a big point here. Your mailbox should be on your computer. If it's located on the corporate server, doing that will result of nothing more than using your corporate mailbox.

Otherway, you'll have to use your browser to access your external mail server. Internet access by browser ARE monitored, but in most of the case the information monitored is 'who get where when ?', meaning they will track the originating computer, the URL request, date, time... not the content of the page. If you have a good external mail account, your password should not appears in clear in the URL (wich again will render useless the use of the browser instead of the mail client). You play here on the fact that with the browser they fear that end users will access porn sites, online games, etc.. so they will see that you access an external mail server, not what is inside.

Web access are restricted and didn't allow you any others things than few corporate web sites ? then you may fool many restriction software by sending him false information. It may be done easily under windows, again if your computer his not strongly configured. And if you don't want to tweak the configuration of the computer, there his still tricks for many software. Get the name and the version of the software that restrict you (you can usually get that by requesting a forbidden site, the warning page is usually the default page that came with the software, meaning there is all information you need cause they are so proud of their products..) then make a search on the internet to get instruction on how by bypass the restriction.

There is another point that can help you, is that most of the admins rely on the fact that end-users have no or little knowledge of their systems. Most restrictions are usually called 'security by obscurity' and can easily bypassed. You can even act in a total legal maner by using tools they don't think you will use. The mass accessed internet those last years, it was runnings many years before, and many tools from these times are still usable, and many, many admin don't think to control those one (how it can be that an end-user know about that ?). TELNET is a great tool, that may let you access the whole outside world (mail, surf, ftp,..) without being monitored at all. Of course, an old text tool, but so powerfull that you should take time to learn to use it.

That bring us to another concern. the files that lies on the computer. Of course, you're the only one that physically access your computer. You control the information you share. But the one who got the administrator account got a complete access to all files. At your workplace, you're certainly not the administrator of your computer. And even, probably not the ONLY one. So, someone else can access the file. Then, the file must be encrypted. And as much of them as possible, even mail database if they are stored locally. You can find text editor that offers the ability to encrypt your document, you should use them instead of your usual text editor.

There is usually another problem on any system, those things we call histories. Not only systems take trace of histories, applications does that also !. Do not write a personnal letter, then just clearing the letter to write a memo that will be stored on a network drive. History of the document will reveal your complete, personnal letter to anyone who have read access to the memo. Do not use enhanced text editors when you don't intend to use their functionnality, notepad does not track history...

Again, there is many freeware or shareware out there that can take care of that for you, you should spend a little time to choose the one that'll suit your needs (your system, applications you use) and try to use it. Again, at your workplace it may be more or less difficult to install it. The better ones are the ones that will run from a floppy or a CD without need to be installed and registered. But you'll need to have a floppy or a CD-Reader mounted on your computer. If not, you can still use a floppy/CD on another computer connected throught the network, but anyone may come and grab your disc.. otherwise send it by mail, but mail may be monitored..

Social engineering is your last weapon. IS departements have also employees, try to be close of them. From them, you can learn what they watch, what they use to watch, what they have done by the past with these tools, many of them can just sufficently elevate our privilege to suit your needs without any regards on why just because you're close. On any ground of security, the weakest point is the human one. Try to be smarter than the one who are watching you....