How secure is secure?

Thanks to this group and all the high tech individuals who frequent it I
have learned how to protect my PC from the inside out.  But what about
security risks to my info 'before' it gets to my computer?  Like my mail
box on the server.  Could someone hack into that and thumb through my
mail?
If so, how would I ever know?
(The short story)
We have a rogue employee at my work who one day decided to run the web
site, she got in tight with the ISP, got tools to set and delete
passwords on a protected directory on the server.  Who knows if she has
telnet access to other things, like my email box.  I've talked to the
boss about it, but so has she, the boss isn't going to take a stance.
She is the most two faced, lying SOB I've ever ran across, and she digs
to find dirt on me.
I know she's never going to touch anything on my PC again (thanks to you
guys), but is it possible to protect myself if she can get into the
server?

-Scott
0
Scott
1/30/2002 6:23:00 PM
grc.security 16608 articles. 1 followers. Follow

16 Replies
1461 Views

Similar Articles

[PageSpeed] 5

"Scott" <scott@kaltecsci.com> wrote in message
news:3C583A38.C7367AE8@kaltecsci.com...
> I know she's never going to touch anything on my PC again (thanks to you
> guys), but is it possible to protect myself if she can get into the
> server?
>

PGP is your friend where email is concerned. If someone has access (legal or
a hack) to the server -- or ANY link the mail goes through to its final
destination -- they can read every word unless it is encrypted.

Phil
0
Phil
1/30/2002 7:00:00 PM
Scott <scott@kaltecsci.com> wrote in message
news:3C583A38.C7367AE8@kaltecsci.com...
| Thanks to this group and all the high tech individuals who frequent it I
| have learned how to protect my PC from the inside out.  But what about
| security risks to my info 'before' it gets to my computer?  Like my mail
| box on the server.  Could someone hack into that and thumb through my
| mail?

the short answer is, yes, anyone could crack the server and read your files,
email, etc, if they know what they're doing and if the server is secure
enough.

| If so, how would I ever know?

short of running an Intrusion Detection System on the server, you wouldn't.

| (The short story)
| We have a rogue employee at my work

rouge meaning what?  is she fired?  was she doing something that she
shouldn't be?

| who one day decided to run the web
| site, she got in tight with the ISP, got tools to set and delete
| passwords on a protected directory on the server.

does she have any business running the web site?  who is in charge of the
site?  how large is your company... do you have an IT department or director
of technology?

| Who knows if she has
| telnet access to other things, like my email box.

usually, your email would be handled by a server other than the web server.
most companies should manage their own email server, but many don't.  if she
is able to socially-engineer her way with the ISP then she could be able to
get other resources.

| I've talked to the
| boss about it, but so has she, the boss isn't going to take a stance.

not going to take a stance?? did you say that she has access to things that
she shouldn't?  if he doesn't get it then i PRAY for you the time someone
serious tries to attack your systems.

| She is the most two faced, lying SOB I've ever ran across, and she digs
| to find dirt on me.

well... here's the million dollar question... why would there be any "dirt"
on you on office systems?  i mean, there's absolutely NO reason on the face
of the earth for you to handle personal matters (email, web surfing,
messages, etc) using company computers or resources.  therefore, if all that
is ever in your email box are messages about company direction and tasks
then what can she find?

| I know she's never going to touch anything on my PC again (thanks to you
| guys), but is it possible to protect myself if she can get into the
| server?

it's not possible unless people around there start to take the IT
infrastructure seriously.  please give us a better understanding as to who
she is and what all your jobs are at this company.

- Dixieland
0
Dixieland
1/30/2002 7:03:00 PM
> rouge meaning what?  is she fired?  was she doing something that she
> shouldn't be?

She's the office manager, and now "web designer".
I used to be in charge of all the web based stuff but I got busy with other
things and she bought a HTML book and talked the boss into taking over.  I'm
only mad about that because she has no clue what she's doing and the site is a
mess.  "It looks good in IE" though...

> Who is in charge of the
> site?  how large is your company... do you have an IT department or director
> of technology?

She is now, she refuses any form of help.  She even had the FTP password changed
to lock me out.  I got that fixed because I require the server for other
things.  I'm a product engineer, and I am the network admin., although there
isn't much to our network. The company only has 4 active employees including the
boss. I'm the only "technical" one of the bunch. Our products are digital test
equipment and software.

> usually, your email would be handled by a server other than the web server.
> most companies should manage their own email server, but many don't.  if she
> is able to socially-engineer her way with the ISP then she could be able to
> get other resources.

We host the ISP's hub upstairs in our building, they give us bandwidth and
server space for rent.
She has gotten on my PC in the past, copied links, and I recently found a 3"
stack of printouts she had been making from my posts in yahoo clubs.  'I
wondered why she would close windows whenever I walked into the front office'
Many posts were made from home, or on lunch break, regardless, she had no right
to spy on me.

> not going to take a stance?? did you say that she has access to things that
> she shouldn't?  if he doesn't get it then i PRAY for you the time someone
> serious tries to attack your systems.

He is the least technical, so he figures it's just a personality conflict.

> it's not possible unless people around there start to take the IT
> infrastructure seriously.  please give us a better understanding as to who
> she is and what all your jobs are at this company.

She's been with the company for 13 years (to my 4 years), before that, Taco
Bell.
She's now a wannabe designer, IT, geek without a clue.
Might it be possible that I could telnet into my server stuff and keep an eye on
things?
0
Scott
1/30/2002 7:44:00 PM
hi Scott:

screw telnet. use secure shell.

parts of this sound all too familiar, she probably laid the boss. small
companies are sometimes fun to work for, but i'd still send out resume`s,
just in case. maybe she convinced the boss that she's checking to see what
you do on company time. Like the time Wally from Dilbert said he tranfered
1M or so of company data to a secure backup site or something. He took
credit for copying a file to a floppy.

aside from that, in the interest of security, let me convey to you the
extent of my IT vocabulary:

Linux, Free BSD, Apache, QMail, secure shell, vpn, PGP (for sure!) , telnet
off, finger off, rlogin off, etc., Samba (for the winders boxes), you get
the picture. But the most important tech terms are "bitch down the road. see
ya." and "pointy haired boss out the door." you shouldn't be sacrificed for
those lamers. get in with some people yourself and turn the tables.
someone's bound to have a suggestion or two. get tight with the other
employee. you'll need an ally just to keep a good frame of mind. I had one
in a small company, we became friends ' cause we could both see right thru
the lamers. He was a technician and electronics was not really in his blood.
we'd do lunch or take rides ( we were honest reporting our time, also) and
I'd debunk all the myths about the company's product in developement which
never worked.  but they paid us well to try and ran out of $.

hope things work out to YOUR advantage. you're working with neo-cheaters and
no, I don't subscribe to the whole neo-tech crowd's point of view. just some
things.

her expertise in tacos says it all. what a scream! so what kind of dirt did
she get from yahoo? since most of the world probably knows by now, let US in
on it :-)

regards,
mike

Scott <scott@kaltecsci.com> wrote in message
news:3C583A38.C7367AE8@kaltecsci.com...
> Thanks to this group and all the high tech individuals who frequent it I
> have learned how to protect my PC from the inside out.  But what about
> security risks to my info 'before' it gets to my computer?  Like my mail
> box on the server.  Could someone hack into that and thumb through my
> mail?
> If so, how would I ever know?
> (The short story)
> We have a rogue employee at my work who one day decided to run the web
> site, she got in tight with the ISP, got tools to set and delete
> passwords on a protected directory on the server.  Who knows if she has
> telnet access to other things, like my email box.  I've talked to the
> boss about it, but so has she, the boss isn't going to take a stance.
> She is the most two faced, lying SOB I've ever ran across, and she digs
> to find dirt on me.
> I know she's never going to touch anything on my PC again (thanks to you
> guys), but is it possible to protect myself if she can get into the
> server?
>
> -Scott
>
0
mike
1/30/2002 8:39:00 PM
In article <a39fsm$2c3s$1@news.grc.com>, Phil Youngblood <yngbld@net> 
says...

> 
> "Scott" <scott@kaltecsci.com> wrote in message
> news:3C583A38.C7367AE8@kaltecsci.com...
> > I know she's never going to touch anything on my PC again (thanks to you
> > guys), but is it possible to protect myself if she can get into the
> > server?
> >
> 
> PGP is your friend where email is concerned. If someone has access (legal or
> a hack) to the server -- or ANY link the mail goes through to its final
> destination -- they can read every word unless it is encrypted.

PGP no doubt...also, get a different email account and start using that.  
If she can get into your email, you might want to go around that.

www.myrealbox.com
0
Golem
1/30/2002 10:47:00 PM
>
> PGP no doubt...also, get a different email account and start using that.
> If she can get into your email, you might want to go around that.
>
> www.myrealbox.com

PGP means I can only send email to people with PGP right?
I could use a different POP account from work, that's a good idea.
It's not like she's going to see anything major, but I still want to have control
over
what she can and can't spy on.
I already had to take down 4 web sites, and leave 3 Yahoo clubs because of her.

Thanks
-Scott
0
Scott
1/30/2002 10:56:00 PM
Off topic but I had too...:)  Except for the part about her working for the
company 13yrs and her previous job at Taco Bell I would say she sounds an
AWFULL lot like my Ex-Wife.

I personally think you have a couple choices with this type of person.  #1)
Denial of Information (which sounds like your doing)  #2) Counter attack
with your own Information (If you can prove she's incompetent and misusing
company resources to spy on you then you may get the upper hand) #3) Find
new imployment

Good luck,

Chris
0
Chris
1/30/2002 11:05:00 PM
"Scott" <scott@kaltecsci.com> wrote in message
news:3C587A06.E9D5E720@kaltecsci.com...
> >
> PGP means I can only send email to people with PGP right?

Just so you have all the info, that is not *entirely* correct. The primary
function of PGP is to correspond with others having PGP. It *is* free and
secure so anybody with clue should have it -- don't get me started. <g> Back
to my original thought after the commercial, you can create a
self-decrypting file that could be read only by those provided the correct
pass phrase.

Phil
0
Phil
1/30/2002 11:39:00 PM
> I personally think you have a couple choices with this type of person.  #1)
> Denial of Information (which sounds like your doing)  #2) Counter attack
> with your own Information (If you can prove she's incompetent and misusing
> company resources to spy on you then you may get the upper hand) #3) Find
> new imployment
>
> Good luck,
>
> Chris

Thanks
Unfortunetly #3 is most likely my only true peace.
0
Scott
1/31/2002 2:01:00 AM
| Thanks
| Unfortunetly #3 is most likely my only true peace.

there's also the following:

#4 : install TightVNC on her machine, but delete vncviewer.exe from the
program folder... it should run witout a tray icon.  keep tabs on what she
is doing.

#5 : tell us your company's web site URL and we will email comments to her
if it is, indeed, crappy.

- Dixieland
0
Dixieland
1/31/2002 7:38:00 PM
| #5 : tell us your company's web site URL and we will email comments to her
| if it is, indeed, crappy.

i just visited http://kaltecsci.com... is that the web site?  it looks kind
of amateurish, but it's not all that bad, really.

- Dixieland
0
Dixieland
1/31/2002 7:41:00 PM
In article <3C587A06.E9D5E720@kaltecsci.com>, Scott 
<scott@kaltecsci.com> says...

> >
> > PGP no doubt...also, get a different email account and start using that.
> > If she can get into your email, you might want to go around that.
> >
> > www.myrealbox.com
> 
> PGP means I can only send email to people with PGP right?

Pretty much yes.

> I could use a different POP account from work, that's a good idea.
> It's not like she's going to see anything major, but I still want to have control
> over what she can and can't spy on.

How is tolerating this woman's behavior even an option?

> I already had to take down 4 web sites, and leave 3 Yahoo clubs because of her.

You really should have another conversation with her boss about how she 
is using company resources on company time to violate your privacy.

Find a lawyer and ask him what your options are...or find a new job.
0
Golem
1/31/2002 7:50:00 PM
In an article Dixieland, carefully scribbled...
> | #5 : tell us your company's web site URL and we will email comments to her
> | if it is, indeed, crappy.
> 
> i just visited http://kaltecsci.com... is that the web site?  it looks kind
> of amateurish, but it's not all that bad, really.
> 
> - Dixieland
> 
> 
> 

Just looked - Why the pop-ups Scott?

Pilli
-- 
"Never any Peace"
pilli@pilliwinks.net
http://pilliwinks.net
0
Pilli
1/31/2002 9:40:00 PM
"Pilli" <pilli@pilliwinks.network> wrote in message
news:MPG.16c3ca1544669a27989687@news.grc.com...
> In an article Dixieland, carefully scribbled...
> > i just visited http://kaltecsci.com... is that the web site?  it looks
kind
> > of amateurish, but it's not all that bad, really.
> >
>
> Just looked - Why the pop-ups Scott?
>
> Pilli

Hey Pilli,

What kind of popups do you see? I don't get any...


   Beau
0
Beauregard
1/31/2002 11:43:00 PM
mike c wrote:

> ... Like the time Wally from Dilbert said he tranfered
> 1M or so of company data to a secure backup site or something. He took
> credit for copying a file to a floppy.

And it was his resume :)))
0
Cliff
1/31/2002 11:54:00 PM
Mm, thinking

http://www.devitry.com/holes.html

		+

http://www.kaltecsci.com/

		=

		?

Heh-heh
0
DarkBlues
2/1/2002 2:32:00 AM
Reply:

Similar Artilces:

security too secure
Name: joe Product: Firefox Summary: security too secure Comments: The security thing won't let me in this sight no matter how I accept, confirm, get certificate, etc. https://www.vtext.com/customer_site/jsp/messaging_lo.jsp Browser Details: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4 From URL: http://hendrix.mozilla.org/ Note to readers: Hendrix gives no expectation of a response to this feedback but if you wish to provide one you must BCC (not CC) the sender for them to see it. ...

when is secure, secure?
Lo everyone, I wrote a custom authentication handler for PureFTPD, using a combination of authentication methods, for about 4 different types of users. So far, from testing it, it does look to work properly, and does it's job pretty well (and fast). I use #!/usr/bin/perl -W as well as use Strict, and use warnings, and the code returns no errors or warnings when run. I am right to presume that this basically only really tells me the my syntax and structure of the application is right? What's a good way to see whether it is actually SECURE... There is a couple of lines of...

Password secure...is it secure?
Yes I just got this baby and I LOVE it! Its great. I have stored all my passwords inside of it (and yes made a few backups from them in secure locations) How secure is this program really? It uses blowfish to encrypt the database but how strong blowfish? 128bits? 256? 448? Anything else I should think about it? I have putted it and its databases inside PGPdisk just to play it safe...but then again Im a paranoid. :) -- Markus Jansson ************************************ My privacy related homepage and PGP keys: http://www.geocities.com/jansson_markus/ ********...

Secure connections: how secure are they?
*QUOTE* ......... both useful and malicious information can be transmitted via network connections. Standard solutions protect computers against threats present in standard network connections, but aren't able to counter threats present in secure connections. Verifying the contents of a secure connection is impossible by virtue of its secure nature, as demonstrated by the different types of protection listed above. As a result, malicious data within secure channels can cause a significant amount of damage, and sometimes more than if it were to be transmitted via a standard, non-s...

form security against security
i have a form in my website which is to be filled by user and that form stores in database(sql server 2005). but someone told me that anyone can run script  in textboxes in that form and can damage database, so how to avoid such security lack.  it is common practice to use parameterized sql statements or stored procs to insure you are protected from sql injections attacks. if you concatenate user input directly into a sql statement, then you are at risk.Mike Banavige~~~~~~~~~~~~Need a site code sample in a different language? Try converting it with: http://converte...

Security
This is a multi-part message in MIME format. --------------080100010401000103080002 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit I'm a Mac user 10.4.8 of Thunderbird 1.5.0.7 & am wondering how "Enabling FIPS" will improve my security? I can't seem to find any explanation of FIPS under Thunderbird help. -- Have a good day R Schwager --------------080100010401000103080002 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Tr...

How secure is AuthenticationTypes.Secure?
I understand that AuthenticationTypes.Secure requests secure authentication using Kerberos or NTLM (??). However, here is a scenario I am trying to understand. Let us say that I am having a regular ASP.NET site - with SSL certificates not installed on the web server. The login sends the request out to an AD server which also does not have certificates installed. However, I have set Secure flag to AuthenticationTypes.Secure. When the username and password data gets transmitted between the application and the LDAP server, how secure are the password and username info? In other words is this in...

How secure is secure enough?
July 28, 2008 (Computerworld) This story originally appeared in Computerworld's print edition. If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?" It's a question that many security managers have either avoided answering altogether or tried to quickly sidestep by throwing a fistful of mainly pointless operational metrics at anyone who cared to ask. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=321921&intsrc=hm_list -- "Never d...

Secure By Design: How Guardian Digital Secures EnGarde Secure Linux
"EnGarde Secure Linux is not just another "repackaged" Linux distribution, but a modern open source system built from the ground up to provide secure services in the threatening world of the modern Internet."... http://www.linuxsecurity.com/content/view/125195/171/ ...."The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are freely available with GDSN registration."... http://www.engardelinux.org/modules/index/index.cgi -- js ...

Vulnerabilities and Security, is AJAX secure ?
Hi All, Since Microsoft's SmartClient technology did not succeed as expected (because its complex design and coding), I recently realized that I have no option but to try to improve my projects with AJAX. Although it's understandable to feel fear when using a "new" or "non-mature" technology, I found this document that made me think twice before I update some of my work to avoid users suffer the "POST" pain: http://www.owasp.org/index.php/Testing_for_AJAX_Vulnerabilities Can somebody provide me some feedback about this text ?, I found it very...

Keeping secure bugs secure
QXQgdGhlIGJvdHRvbSBvZiBVc2VyIFByZWZlcmVuY2VzIHwgRW1haWwgUHJlZmVyZW5jZXMgdGhl cmUgaXMgYSBVc2VyIFdhdGNoaW5nIGZlYXR1cmUuDQoNClRoaXMgaGFzIHRoZSBwb3RlbnRpYWwg dG8gdW5pbnRlbnRpb25hbGx5IGRpc2Nsb3NlIHNlbnNpdGl2ZSBpbmZvcm1hdGlvbi4gVGhhdCdz IGEgYmFkIHRoaW5nLiAgRm9yIGV4YW1wbGUsIHNlY3VyaXR5IHJlbGF0ZWQgYnVncyB3aGljaCBh cmUgZW1iYXJnb2VkLg0KDQpUaGUgc2l0dWF0aW9uIHdlIHdhbnQgdG8gYXZvaWQgaXMgc2Vuc2l0 aXZlIGJ1Z3MgYmVpbmcgc3VibWl0dGVkIHdpdGggaW5hcHByb3ByaWF0ZSBjbGFzc2lmaWNhdGlv biBhbmQgYWNjaWRlbnRhbGx5IGRpc2Nsb3NlZCB0byBhIHdpZGVyIGF1ZGllbmNlLg0KDQpDYW4g dGhpcyBmZWF0dXJlIGJlIGRpc2FibGVkPyBJZiBzbywgSSBjYW5ub3...

Security Trends
Security Trends - What they forget to secure from L33tdawg Sat Apr 20 @ 16:45(Reads: 325) By: obscure Note: This article first appeared over at our affiliates site EyeOnSecurity.net. The original article can be found here. You set up firewalls, e-mail filtering, Intrusion Detection Systems (IDS), personal firewalls, Censor Software (both on network and personal level) and they still get in. What I'm referring to is those pesky VBS, similar worms inhibiting the Windows platform right now and maybe a few real life crackers here and there. For the network administrator, this can be a ...

Netstorage Secure then UN-Secure
Have a problem with Netstorage: I log in under the secure website of https://ipaddress:51443/oneNet/NetStorage and then after drilling down to folder, the secure web site changes to http://ipaddress:51443/oneNet/NetStorage/Documents. Why??? does it go to the unsecure site? Claudia, It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply. Has your problem been resolved? If not, you might try one of the following options: - Do a search of our knowledgebase at http://support.novell.com...

java.security.Security issue
Hi, EAServer 4.2 build 42012 on NT (jdk13). This code works as a Java clientapp but not when the code is inside an EJB in EAServer? Can we register Security provider dynamically? // system var. System.setProperty("javax.net.ssl.keyStore", "<val>"); System.setProperty("javax.net.ssl.keyStorePassword", "<val>"); System.setProperty("javax.net.ssl.trustStore", "<val>"); System.setPropert("javax.net.ssl.trustStorePassword","<val>"); System.setProperty("javax.net.debug", &...

Web resources about - How secure is secure? - grc.security

Secure Digital - Wikipedia, the free encyclopedia
Secure Digital or ( SD ) is a non-volatile memory card format for use in portable devices, such as mobile phones , digital cameras , GPS navigation ...

Facebook To Users: ‘Add Your Phone Number To Help Secure Your Account’
Some Facebook users are seeing alerts above the Graph Search bars on their News Feeds , prompting them to “Add your phone number to help secure ...

Defence Department staff fill unwanted jobs to secure redundancy payouts
Six-figure sums for those quickly moving into vacant jobs about to be abolished.

Quebec Anglican diocese looks to secure future through ethical investing
As shrewd investing is replacing weekly parishioner offerings as a main revenue source, the diocese is looking to ethical investment to build ...

Apple releases third OS X 10.11.4 beta with Live Photos in Messages, secure Notes, more
... to the Notes app last fall, and the 10.11.4 update goes a step further by letting you password protect individual entries behind a single secure ...

Modified GST plan will secure health, education
This modified proposal can place a secure foundation under our health and education systems, while boosting national productivity.

No brainer: Google’s giving you 2GB of free storage to secure your account
... is Safer Internet Day, so Google is giving everyone 2 GB of extra Drive storage to do something that everyone should be doing anyway: secure ...

Online banking: How secure is it?
... Luckily in the cases of RBS, NatWest, and HSBC, no data was stolen; however, they do raise the question of whether online banking is secure. ...

RUBIO CAMPAIGN ADMITS: Uhm, Yeah, Marco's "Gang of Eight" Amnesty Bill Really Didn't Secure the Border ...
... spokesman, Alex Conant, admitted that the 2013 Gang of Eight bill, which Rubio co-authored and ushered through the Senate, did not secure the ...

New Toolbox Set To Secure European Electricity Networks For Renewables Shift
... (TSOs) during a one-day workshop in Brussels on January 26. The prototype is intended to increase security [&hellip New Toolbox Set To Secure ...

Resources last updated: 2/9/2016 7:05:11 AM