Three Reasons to Never Access your Personal Data from Office!

by July 10, 2014 0 comments

You may think that your corporate network is more secure than your home network. It might actually be true for most of you, but believe me, it’s still a bad idea to access your personal and financial information from your office network and/or office machines.
No, I am not referring to the work ethics part, where you shouldn’t be wasting precious office hours for personal work. That’s anyways a reason, and meant for the HR to tackle. What I’m alluding to is the security and privacy of your personal data getting tampered with while traveling over the office network.
Before I continue any further, here’s a standard disclaimer. This article is not meant to blame any organization in any way whatsoever about snooping on their employees’ data. It’s rather meant to look at two things–One: the vulnerabilities inherent to each and every standard Ethernet switch, which makes most enterprise networks vulnerable; and two: a network administrator actually possessing the power to misuse this vulnerability, and capture or snoop on user data.

hacked1. Corporate Content Filters Could be More Dangerous than Govt. Snooping
Content filters have been around for ages, and have become one of the biggest boons for corporates to filter out unwanted Internet access. This helps optimize the network and secure it from many type of threats. About 5 years ago, the banking sites used to be encrypted (read as https) and regular social media and personal/free emails sites used to be unencrypted (read as regular http). Those were the golden days for hackers to sniff into the network and steal email passwords, etc. But then things changed, and https became the preferred choice for a majority of websites, be it Facebook, Gmail, or Yahoo! Now they all work on https by default. Even Google.com (the basic search) now by default works on https.
This made all kinds of sites, be it banking or trading websites or simple free email websites more secure. While this was great from a security point of view, but it posed a major nightmare for content-filtering companies, because they now were unable to read through the content of most websites being accessed. So to defend their ground, and keep selling their boxes, they started building technologies that could read through and intercept SSL communication channels as well.
What that essentially means is that if you are accessing your bank online over a SSL channel, and your organization has a Content Filter which can do SSL inspection, then technically, somewhere along the way, your banking data can get decrypted, filtered, and re-encrypted before hitting your bank’s servers and while coming back. Whether your organization is doing it for your banking websites or not, you can go and check with your SysAdmin, or keep reading and I will tell you how to find that out.
These content filters are very secure and mostly they don’t store any decrypted data on the disk. But the scanning activity happens in the RAM. and if, the SysAdmin, a Vendor’s engineer or a hacker can get into the content filtering system and take a RAM Dump somehow, then there’s a high possibility that they can capture a lot of secure (otherwise encrypted) data. This is no hypothesis. I have done this successfully for some web content filtering products, and would love to try on some others!
So for SysAdmins, a word of advice. If your Content Filter is software based, then make sure that the shell of the OS is hardened as hell and no direct RAM access is allowed. If it is a hardware appliance, then make sure you don’t share any crash dump or memory dump file with your vendor for the root cause analysis of the failure (that generated the dump file), before vetting the dump file yourself. And be careful while doing so, as you just might find your CEO’s online banking password lying around somewhere!
Next, never ever enable HTTPS inspection on any banking/financial institution website & make sure everyone in the organization knows which HTTPS sites are scanned by the company.
For Users, to check whether your company is intercepting your SSL traffic or not, whenever you visit a SSL website, especially the banking ones, then just check the SSL certificate. If your organization is doing SSL inspection on that site, then you should see a SSL certificate generated by the Company or by the Content Filter’s vendor instead of the actual SSL certificate that should be signed by the known signing authorities like Verisign, Thawte, GeoTrust etc.
2. Ethernet Switches:
As Insecure as Popular!
This part will probably scare you the most, but believe me, it is one of the weirdest facts that, irrespective of the widespread of this vulnerability in many (read as most) corporate networks (barring a few who are really paranoid and smart), it is mostly taken very causally. So no measures are implemented to fix it. This vulnerability is called ARP poisoning or ARP-IP Flip Flop attack.
I remember talking to a reseller and a pre-sales engineer of a renowned UTM brand recently, and they were trying to laugh away the fact that their UTM, which has a so called IPS and ARP poisoning detection functionality, can’t handle or mitigate an ARP poisoning attack hitting directly on the UTM device’s IP. In fact, it doesn’t even generate an alert! Probably this is not the right medium to take brand names here, but believe me, I have video recordings of the successful attacks. Unfortunately, this situation is there with other UTM/Firewalls as well.
Let’s understand what an ARP Poisoning attack all about. Understand it like this–If this attack could run undetected on your network, then the attacker can do the following things:
1.    Steal any unencrypted content flowing through your network
2.    Steal any unencrypted username/password flowing through your network
3.    Steal AD auth hashes, which can be later cracked by rainbow table attack
4.    Can poison your DNS requests and redirect your
URLs to a spoofed URL without you even knowing about it.
a)    By doing so, the attacker can create a fake page of your bank, redirect you to that page when you open the bank’s actual URL, and steal your passwords from there.
b)    Ditto for your Gmail and Facebook accounts
c)    and for your corporate intranet portal and
email server and so on and so forth.
Now that was trivial, wasn’t it? (Of course I am being sarcastic here!).
Combating ARP Poisoning
Setting up an alerting system against ARP poisonings takes a simple open source and free tool and a Linux machine (no need for a dedicated server. It hardly takes any resource). In fact, I have written about this tool probably few dozen times in the past, especially when I was working full time for PCQuest! The tool is called arpwatch.
3. Rogue SysAdmins
There is all the more reason now more than ever, to be extremely nice to your SysAdmin! No telling when he/she might turn rogue, without you even noticing! Here are a few scenarios:
1    How many times you have given your laptop and its password to your sysadmin to fix something? And if you haven’t cleared your web browser’s cache, then you would have also given all your website passwords to him (Like the password for Facebook, which is usually stored in plane text!).
2.    How many times you have shared your pen drive with your sysadmin (or for that matter with any of your colleagues)? You of course took the precaution of formatting the disk of all your personal photos/data, etc. But do you remember the time when you went to your sysadmin to recover data from your crashed hard disk last winter? And do you remember how he miraculously restored it with great ease? Yes, because he can!
3.    How many times did you give him a poor Peer/Boss review rating and sent a secretive mail to the HR mentioning the reasons? Well he manages your inboxes (and the sent items)!
These should be enough reasons for not using your official machine for personal work! Use your own laptop for your personal transactions. Even a regular 3G modem or home DSL+WiFi combo would be safer than this! If you’re a techy, then install Linux on a laptop and use it for your banking and social media usage. It will be a whole lot safer!
Sleep Tight!

 

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<