wired privacy

Discussion in 'privacy problems' started by rhysp33, Jan 24, 2015.

  1. rhysp33

    rhysp33 Registered Member

    Joined:
    Jan 24, 2015
    Posts:
    1
    Hi, my workplace has a wireless router using WEP. If I was using a laptop that was plugged into the wireless router with a cable, could someone still gather information from a man-in-the-middle attack, etc., if they had the password?

    Thanks
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    They can reconfigure your router if they have a password to manage your router. If they have a password for your wifi, they can join your network and could try some attacks from there. It would be wise to replace WEP with WPA or disable Wi-Fi if it's not needed any more.
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Generally speaking - yes. But it requires specific gear, not just 'access' to the router.

    Remember, these days a lot of businesses have devices that can pry into EVERYTHING you do - even encrypted. The reason is these UTMs issue their own root certificate to your device, and then peel apart packets, even encrypted packets, and then sniff the traffic at a granular level. I do consent-based scanning for corporations, and there isn't anything we don't know. For example, I can tell you how long a single person has spent on Facebook every day, or even how many times every hour, and what they are doing on Facebook. These devices are NOT expensive (Sub $1000 in most cases). However, my analyzers and datamining tools cost far more. My primary appliance used for this is six figures, but I can pull reports so granular it would scare the hell out of you (even email contents). This is done because employers have specific contracts for us to do it, and have rules in place they expect employees to follow. It's not usually a problem, but when it becomes a problem they can pull a ton of data, and then use that to fire you without warning. Don't expect privacy in the workplace at the network level. I recently had to tell the HR department of a firm that one of their employees was spending 14% of his average workday watching porn. Contractually I had no choice, and he was fired. Not my problem - don't break company policies 'consistently' and then you don't have to worry!
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    You're referring to HTTPS and SSL/TLS here. Someone suitably skillful could reject those fake root certificates, right? Or they could use a VPN service. Also, they can't break end-to-end encryption using GnuPG, as long as the private key is secure. Right?
    Yes. And doing any of the above during work time on business-provided devices is probably a violation. Still, it's arguable that employees are allowed secure Internet access during lunch or break times, using their own devices on appropriate subnets. Yes?
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Any properly set-up firm will block installation of VPNs and other things. Also remember, most UTMs have application control, so even running a VPN will result in a penalty box, then you need to explain to your superiors why you are trying to circumvent their protection. Most of this is done for liability. Also we provide Data-Leak-Protection, whereby we can automatically block leaks of sensitive data from employee computers. Via a combination of policies, root CA issuance, application monitoring, and DLP, a company can essentially block most, if not all, of your circumvention techniques. Much of our gear has DNA evaluation. Any document produced within a company has DNA involved that makes it easy to identify it as potentially secure company information being leaked.

    http://www.fortinet.com/solutions/data_loss_prevention.html

    You can deny connection (of any kind) for any system that has the root CAs adjusted, or you can force-install a new RootCA, or even stealth-install RootCA for MITM type of interception of traffic within a company. There are many other techniques, technologies, etc. Also you can filter Port-53 DNS traffic, and get a handle on what people are doing, or even intercept all DNS calls, and redirect to your own DNS destinations.

    I will say a lot of firms 'gather' tremendous amounts of data, and only use it if they want to nail someone. It's easy for them to nail anyone they want, but only when it reaches critical mass, and they need more advanced data to fire someone do they usually call upon it. It's generally open and shut when they do - even a 'little' porn surfing at work, or going to potentially liable websites is enough these days.
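
The root-CA interception discussed in the posts above is visible from the client: an inspecting proxy re-signs many unrelated sites under one locally trusted issuer. The sketch below is an added example, not part of the original thread; the host names, issuer names and the `find_inspecting_issuers` helper are constructed for illustration, and the certificate dicts follow the layout Python's `ssl.getpeercert()` returns.

```python
import socket
import ssl
from collections import defaultdict

def issuer_name(cert):
    """Flatten the 'issuer' field of an ssl.getpeercert() dict to one string."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName", "")

def fetch_cert(host, port=443, timeout=5):
    """Live helper: the verified leaf certificate as this machine sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def find_inspecting_issuers(observed, baseline, min_hosts=3):
    """Return {issuer: [hosts]} for issuers that replaced the baseline issuer
    on at least min_hosts unrelated hosts, the signature of a proxy re-signing
    traffic under one locally trusted root."""
    replaced = defaultdict(list)
    for host, cert in observed.items():
        seen = issuer_name(cert)
        if host in baseline and seen != baseline[host]:
            replaced[seen].append(host)
    return {ca: sorted(h) for ca, h in replaced.items() if len(h) >= min_hosts}

def _cert(org):  # constructed sample in getpeercert() layout
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),),
                       (("commonName", org + " CA"),))}

# Constructed data: issuers recorded on a trusted network (baseline) versus
# issuers seen for the same hosts on the network under test.
BASELINE = {"mail.example": "Public CA One", "bank.example": "Public CA Two",
            "news.example": "Public CA One", "wiki.example": "Public CA Three"}
OBSERVED = {"mail.example": _cert("Example Corp Inspection"),
            "bank.example": _cert("Public CA Two"),  # exempted from inspection
            "news.example": _cert("Example Corp Inspection"),
            "wiki.example": _cert("Example Corp Inspection")}

if __name__ == "__main__":
    for ca, hosts in find_inspecting_issuers(OBSERVED, BASELINE).items():
        print(f"{ca!r} re-signed {len(hosts)} hosts: {', '.join(hosts)}")
```

The `min_hosts` threshold keeps an ordinary CA change on a single site from being reported; only an issuer that displaces several different baseline issuers at once is flagged.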
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, I get all that.

    But what about private Internet access for employees on break and visitors? Isn't that standard practice too?
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Some companies make people use 4G for their own stuff.

    Alternatively, we set up policies, and create a 'breaktime' connection like a Guest, limited outside of intranet (LAN), and less restrictive URL filtration. But we set the time available to say 11:30AM-12:30PM, and give everyone the simplistic password for it.
     