How secure is secure?

Thanks to this group and all the high tech individuals who frequent it I
have learned how to protect my PC from the inside out.  But what about
security risks to my info 'before' it gets to my computer?  Like my mail
box on the server.  Could someone hack into that and thumb through my
mail?
If so, how would I ever know?
(The short story)
We have a rogue employee at my work who one day decided to run the web
site, she got in tight with the ISP, got tools to set and delete
passwords on a protected directory on the server.  Who knows if she has
telnet access to other things, like my email box.  I've talked to the
boss about it, but so has she, the boss isn't going to take a stance.
She is the most two faced, lying SOB I've ever ran across, and she digs
to find dirt on me.
I know she's never going to touch anything on my PC again (thanks to you
guys), but is it possible to protect myself if she can get into the
server?

-Scott
0
Scott
1/30/2002 6:23:00 PM
grc.security 16608 articles. 3 followers. Follow

16 Replies
3726 Views

Similar Articles

[PageSpeed] 53

"Scott" <scott@kaltecsci.com> wrote in message
news:3C583A38.C7367AE8@kaltecsci.com...
> I know she's never going to touch anything on my PC again (thanks to you
> guys), but is it possible to protect myself if she can get into the
> server?
>

PGP is your friend where email is concerned. If someone has access (legal or
a hack) to the server -- or ANY link the mail goes through to its final
destination -- they can read every word unless it is encrypted.

Phil
0
Phil
1/30/2002 7:00:00 PM
Scott <scott@kaltecsci.com> wrote in message
news:3C583A38.C7367AE8@kaltecsci.com...
| Thanks to this group and all the high tech individuals who frequent it I
| have learned how to protect my PC from the inside out.  But what about
| security risks to my info 'before' it gets to my computer?  Like my mail
| box on the server.  Could someone hack into that and thumb through my
| mail?

the short answer is, yes, anyone could crack the server and read your files,
email, etc, if they know what they're doing and if the server is secure
enough.

| If so, how would I ever know?

short of running an Intrusion Detection System on the server, you wouldn't.

| (The short story)
| We have a rogue employee at my work

rouge meaning what?  is she fired?  was she doing something that she
shouldn't be?

| who one day decided to run the web
| site, she got in tight with the ISP, got tools to set and delete
| passwords on a protected directory on the server.

does she have any business running the web site?  who is in charge of the
site?  how large is your company... do you have an IT department or director
of technology?

| Who knows if she has
| telnet access to other things, like my email box.

usually, your email would be handled by a server other than the web server.
most companies should manage their own email server, but many don't.  if she
is able to socially-engineer her way with the ISP then she could be able to
get other resources.

| I've talked to the
| boss about it, but so has she, the boss isn't going to take a stance.

not going to take a stance?? did you say that she has access to things that
she shouldn't?  if he doesn't get it then i PRAY for you the time someone
serious tries to attack your systems.

| She is the most two faced, lying SOB I've ever ran across, and she digs
| to find dirt on me.

well... here's the million dollar question... why would there be any "dirt"
on you on office systems?  i mean, there's absolutely NO reason on the face
of the earth for you to handle personal matters (email, web surfing,
messages, etc) using company computers or resources.  therefore, if all that
is ever in your email box are messages about company direction and tasks
then what can she find?

| I know she's never going to touch anything on my PC again (thanks to you
| guys), but is it possible to protect myself if she can get into the
| server?

it's not possible unless people around there start to take the IT
infrastructure seriously.  please give us a better understanding as to who
she is and what all your jobs are at this company.

- Dixieland
0
Dixieland
1/30/2002 7:03:00 PM
> rouge meaning what?  is she fired?  was she doing something that she
> shouldn't be?

She's the office manager, and now "web designer".
I used to be in charge of all the web based stuff but I got busy with other
things and she bought a HTML book and talked the boss into taking over.  I'm
only mad about that because she has no clue what she's doing and the site is a
mess.  "It looks good in IE" though...

> Who is in charge of the
> site?  how large is your company... do you have an IT department or director
> of technology?

She is now, she refuses any form of help.  She even had the FTP password changed
to lock me out.  I got that fixed because I require the server for other
things.  I'm a product engineer, and I am the network admin., although there
isn't much to our network. The company only has 4 active employees including the
boss. I'm the only "technical" one of the bunch. Our products are digital test
equipment and software.

> usually, your email would be handled by a server other than the web server.
> most companies should manage their own email server, but many don't.  if she
> is able to socially-engineer her way with the ISP then she could be able to
> get other resources.

We host the ISP's hub upstairs in our building, they give us bandwidth and
server space for rent.
She has gotten on my PC in the past, copied links, and I recently found a 3"
stack of printouts she had been making from my posts in yahoo clubs.  'I
wondered why she would close windows whenever I walked into the front office'
Many posts were made from home, or on lunch break, regardless, she had no right
to spy on me.

> not going to take a stance?? did you say that she has access to things that
> she shouldn't?  if he doesn't get it then i PRAY for you the time someone
> serious tries to attack your systems.

He is the least technical, so he figures it's just a personality conflict.

> it's not possible unless people around there start to take the IT
> infrastructure seriously.  please give us a better understanding as to who
> she is and what all your jobs are at this company.

She's been with the company for 13 years (to my 4 years), before that, Taco
Bell.
She's now a wannabe designer, IT, geek without a clue.
Might it be possible that I could telnet into my server stuff and keep an eye on
things?
0
Scott
1/30/2002 7:44:00 PM
hi Scott:

screw telnet. use secure shell.

parts of this sound all too familiar, she probably laid the boss. small
companies are sometimes fun to work for, but i'd still send out resume`s,
just in case. maybe she convinced the boss that she's checking to see what
you do on company time. Like the time Wally from Dilbert said he tranfered
1M or so of company data to a secure backup site or something. He took
credit for copying a file to a floppy.

aside from that, in the interest of security, let me convey to you the
extent of my IT vocabulary:

Linux, Free BSD, Apache, QMail, secure shell, vpn, PGP (for sure!) , telnet
off, finger off, rlogin off, etc., Samba (for the winders boxes), you get
the picture. But the most important tech terms are "bitch down the road. see
ya." and "pointy haired boss out the door." you shouldn't be sacrificed for
those lamers. get in with some people yourself and turn the tables.
someone's bound to have a suggestion or two. get tight with the other
employee. you'll need an ally just to keep a good frame of mind. I had one
in a small company, we became friends ' cause we could both see right thru
the lamers. He was a technician and electronics was not really in his blood.
we'd do lunch or take rides ( we were honest reporting our time, also) and
I'd debunk all the myths about the company's product in developement which
never worked.  but they paid us well to try and ran out of $.

hope things work out to YOUR advantage. you're working with neo-cheaters and
no, I don't subscribe to the whole neo-tech crowd's point of view. just some
things.

her expertise in tacos says it all. what a scream! so what kind of dirt did
she get from yahoo? since most of the world probably knows by now, let US in
on it :-)

regards,
mike

Scott <scott@kaltecsci.com> wrote in message
news:3C583A38.C7367AE8@kaltecsci.com...
> Thanks to this group and all the high tech individuals who frequent it I
> have learned how to protect my PC from the inside out.  But what about
> security risks to my info 'before' it gets to my computer?  Like my mail
> box on the server.  Could someone hack into that and thumb through my
> mail?
> If so, how would I ever know?
> (The short story)
> We have a rogue employee at my work who one day decided to run the web
> site, she got in tight with the ISP, got tools to set and delete
> passwords on a protected directory on the server.  Who knows if she has
> telnet access to other things, like my email box.  I've talked to the
> boss about it, but so has she, the boss isn't going to take a stance.
> She is the most two faced, lying SOB I've ever ran across, and she digs
> to find dirt on me.
> I know she's never going to touch anything on my PC again (thanks to you
> guys), but is it possible to protect myself if she can get into the
> server?
>
> -Scott
>
0
mike
1/30/2002 8:39:00 PM
In article <a39fsm$2c3s$1@news.grc.com>, Phil Youngblood <yngbld@net> 
says...

> 
> "Scott" <scott@kaltecsci.com> wrote in message
> news:3C583A38.C7367AE8@kaltecsci.com...
> > I know she's never going to touch anything on my PC again (thanks to you
> > guys), but is it possible to protect myself if she can get into the
> > server?
> >
> 
> PGP is your friend where email is concerned. If someone has access (legal or
> a hack) to the server -- or ANY link the mail goes through to its final
> destination -- they can read every word unless it is encrypted.

PGP no doubt...also, get a different email account and start using that.  
If she can get into your email, you might want to go around that.

www.myrealbox.com
0
Golem
1/30/2002 10:47:00 PM
>
> PGP no doubt...also, get a different email account and start using that.
> If she can get into your email, you might want to go around that.
>
> www.myrealbox.com

PGP means I can only send email to people with PGP right?
I could use a different POP account from work, that's a good idea.
It's not like she's going to see anything major, but I still want to have control
over
what she can and can't spy on.
I already had to take down 4 web sites, and leave 3 Yahoo clubs because of her.

Thanks
-Scott
0
Scott
1/30/2002 10:56:00 PM
Off topic but I had too...:)  Except for the part about her working for the
company 13yrs and her previous job at Taco Bell I would say she sounds an
AWFULL lot like my Ex-Wife.

I personally think you have a couple choices with this type of person.  #1)
Denial of Information (which sounds like your doing)  #2) Counter attack
with your own Information (If you can prove she's incompetent and misusing
company resources to spy on you then you may get the upper hand) #3) Find
new imployment

Good luck,

Chris
0
Chris
1/30/2002 11:05:00 PM
"Scott" <scott@kaltecsci.com> wrote in message
news:3C587A06.E9D5E720@kaltecsci.com...
> >
> PGP means I can only send email to people with PGP right?

Just so you have all the info, that is not *entirely* correct. The primary
function of PGP is to correspond with others having PGP. It *is* free and
secure so anybody with clue should have it -- don't get me started. <g> Back
to my original thought after the commercial, you can create a
self-decrypting file that could be read only by those provided the correct
pass phrase.

Phil
0
Phil
1/30/2002 11:39:00 PM
> I personally think you have a couple choices with this type of person.  #1)
> Denial of Information (which sounds like your doing)  #2) Counter attack
> with your own Information (If you can prove she's incompetent and misusing
> company resources to spy on you then you may get the upper hand) #3) Find
> new imployment
>
> Good luck,
>
> Chris

Thanks
Unfortunetly #3 is most likely my only true peace.
0
Scott
1/31/2002 2:01:00 AM
| Thanks
| Unfortunetly #3 is most likely my only true peace.

there's also the following:

#4 : install TightVNC on her machine, but delete vncviewer.exe from the
program folder... it should run witout a tray icon.  keep tabs on what she
is doing.

#5 : tell us your company's web site URL and we will email comments to her
if it is, indeed, crappy.

- Dixieland
0
Dixieland
1/31/2002 7:38:00 PM
| #5 : tell us your company's web site URL and we will email comments to her
| if it is, indeed, crappy.

i just visited http://kaltecsci.com... is that the web site?  it looks kind
of amateurish, but it's not all that bad, really.

- Dixieland
0
Dixieland
1/31/2002 7:41:00 PM
In article <3C587A06.E9D5E720@kaltecsci.com>, Scott 
<scott@kaltecsci.com> says...

> >
> > PGP no doubt...also, get a different email account and start using that.
> > If she can get into your email, you might want to go around that.
> >
> > www.myrealbox.com
> 
> PGP means I can only send email to people with PGP right?

Pretty much yes.

> I could use a different POP account from work, that's a good idea.
> It's not like she's going to see anything major, but I still want to have control
> over what she can and can't spy on.

How is tolerating this woman's behavior even an option?

> I already had to take down 4 web sites, and leave 3 Yahoo clubs because of her.

You really should have another conversation with her boss about how she 
is using company resources on company time to violate your privacy.

Find a lawyer and ask him what your options are...or find a new job.
0
Golem
1/31/2002 7:50:00 PM
In an article Dixieland, carefully scribbled...
> | #5 : tell us your company's web site URL and we will email comments to her
> | if it is, indeed, crappy.
> 
> i just visited http://kaltecsci.com... is that the web site?  it looks kind
> of amateurish, but it's not all that bad, really.
> 
> - Dixieland
> 
> 
> 

Just looked - Why the pop-ups Scott?

Pilli
-- 
"Never any Peace"
pilli@pilliwinks.net
http://pilliwinks.net
0
Pilli
1/31/2002 9:40:00 PM
"Pilli" <pilli@pilliwinks.network> wrote in message
news:MPG.16c3ca1544669a27989687@news.grc.com...
> In an article Dixieland, carefully scribbled...
> > i just visited http://kaltecsci.com... is that the web site?  it looks
kind
> > of amateurish, but it's not all that bad, really.
> >
>
> Just looked - Why the pop-ups Scott?
>
> Pilli

Hey Pilli,

What kind of popups do you see? I don't get any...


   Beau
0
Beauregard
1/31/2002 11:43:00 PM
mike c wrote:

> ... Like the time Wally from Dilbert said he tranfered
> 1M or so of company data to a secure backup site or something. He took
> credit for copying a file to a floppy.

And it was his resume :)))
0
Cliff
1/31/2002 11:54:00 PM
Mm, thinking

http://www.devitry.com/holes.html

		+

http://www.kaltecsci.com/

		=

		?

Heh-heh
0
DarkBlues
2/1/2002 2:32:00 AM
Reply:

Web resources about - How secure is secure? - grc.security

Secure Digital - Wikipedia, the free encyclopedia
Secure Digital or ( SD ) is a non-volatile memory card format for use in portable devices, such as mobile phones , digital cameras , GPS navigation ...

Facebook To Users: ‘Add Your Phone Number To Help Secure Your Account’
Some Facebook users are seeing alerts above the Graph Search bars on their News Feeds , prompting them to “Add your phone number to help secure ...

Defence Department staff fill unwanted jobs to secure redundancy payouts
Six-figure sums for those quickly moving into vacant jobs about to be abolished.

Quebec Anglican diocese looks to secure future through ethical investing
As shrewd investing is replacing weekly parishioner offerings as a main revenue source, the diocese is looking to ethical investment to build ...

Apple releases third OS X 10.11.4 beta with Live Photos in Messages, secure Notes, more
... to the Notes app last fall, and the 10.11.4 update goes a step further by letting you password protect individual entries behind a single secure ...

Modified GST plan will secure health, education
This modified proposal can place a secure foundation under our health and education systems, while boosting national productivity.

No brainer: Google’s giving you 2GB of free storage to secure your account
... is Safer Internet Day, so Google is giving everyone 2 GB of extra Drive storage to do something that everyone should be doing anyway: secure ...

Online banking: How secure is it?
... Luckily in the cases of RBS, NatWest, and HSBC, no data was stolen; however, they do raise the question of whether online banking is secure. ...

RUBIO CAMPAIGN ADMITS: Uhm, Yeah, Marco's "Gang of Eight" Amnesty Bill Really Didn't Secure the Border ...
... spokesman, Alex Conant, admitted that the 2013 Gang of Eight bill, which Rubio co-authored and ushered through the Senate, did not secure the ...

New Toolbox Set To Secure European Electricity Networks For Renewables Shift
... (TSOs) during a one-day workshop in Brussels on January 26. The prototype is intended to increase security [&hellip New Toolbox Set To Secure ...

Resources last updated: 2/9/2016 7:05:11 AM