Possible to secretly remote view/use another PC?

Turbulent Bill

Hi folks,
My e-working friend is concerned that his boss can access/view his PC without his knowledge or permission. The PC is used both for work purposes and for his personal email, web stuff etc. in the evenings. Work net access is via VPN (which allows remote access for tech support etc.), but the evening stuff just uses a standard broadband connection.

Is it possible that his boss/company can access the PC without the VPN being active, and is there a way to prevent this? I think it's unlikely but I'm not sure. He's thinking of buying a second PC for personal use only, but this sounds like overkill to me. It's a standard PC with WinXP Pro, which is branded by the multinational he works for but otherwise seems standard.

I'm aware that the PC is company property, and do NOT want to start a discussion on how to hack into someone else's machine, just advice on the situation. Thanks!

Paulw

Since the company own the PC, they have the rights to all data stored on the machine.

So, they are well within their rights to check the machine at any time they want, and do not require your friend's permission.

My advice to him - use his work PC for work, and buy a personal PC for personal stuff.

Turbulent Bill

Paulw wrote: »

Since the company own the PC, they have the rights to all data stored on the machine.

So, they are well within their rights to check the machine at any time they want, and do not require your friend's permission.

My advice to him - use his work PC for work, and buy a personal PC for personal stuff.

He's aware that the company has full rights to the PC itself and it's data. However the question was whether it's possible for the company to remotely access data created/accessed outside the company's VPN, and if so how to check whether this is actually happening.

As a concrete example, would it be possible for the company to view webmail (accessed using a standard broadband connection, not via the VPN), file I/O to a USB stick etc.?

It seems a complete waste to buy an entirely separate PC for very limited (and non-conflicting) personal use if it's unnecessary to maintain privacy.

DevilsBreath

they dont need to view what is being done when it is being done.

Every system keeps logs, so once it is connected again they can see what "your Friend" has been up to. IE what webites have been visited.

In terms of webmail. If you mean something like Gmail and that once your not on the VPN at the time, all they will know is that your were on Gmail.

It isn't very often that people get checked up on. Only realy if you have done something in the past that has brough about suspicion.

If its a large multinational your boss shouldn't have access to your system.
The only people that should have access is your IT Department.

bonzodog2

Your friend might investigate whether the PC can boot from an external disk, or use a 'live' CD

tricky D

Logmein and RealVNC are legitimately used for remote control and monitoring but I reckon their processes would display in the Task Manager. The boss could alternatively use a keylogger which would be a lot harder to detect.

28064212

Turbulent Bill wrote: »

He's aware that the company has full rights to the PC itself and it's data. However the question was whether it's possible for the company to remotely access data created/accessed outside the company's VPN, and if so how to check whether this is actually happening.

As a concrete example, would it be possible for the company to view webmail (accessed using a standard broadband connection, not via the VPN), file I/O to a USB stick etc.?

It seems a complete waste to buy an entirely separate PC for very limited (and non-conflicting) personal use if it's unnecessary to maintain privacy.

Yes it is possible for the company to monitor everything. How to check whether it's happening? Well the only way to be absolutely 100% sure is to monitor every packet of information that passes through the computer's network connection (to ensure it's not sending anything to the company in real-time), and every single bit of information written to a hard-disk (to ensure it's not logging anything). In reality, it's not possible to be perfectly sure, especially if they have an admin account on it. The company could have their own custom coded application for it. And even if he could check it's not monitored at the moment, there's no guarantee it won't be monitored in the future.

EDIT: Actually, even monitoring every piece of information wouldn't be enough, the company could have placed a hardware 'bug' on the computer, which could (conceivably) record/send information on what the computer is doing

Basically, yes, if your friend values his privacy that much, they should get their own personal computer for their own personal use

spider guardian

If your friend is using the PC to only check emails and write a few documents then he could consider using a Linux live CD such as Knoppix or Ubuntu. With a USB memory key he could boot from CD and reload his settings for every session. The live CD will completely bypass Windows and any snooping software that his company may have installed. He will still have access to his Windows files.

However the above solution may be a bit cumbersome for a person with no linux experience and the live CD can be quiet slow to start up. But if he's paranoid about security and doesn't want to buy a new PC then the above solution will work.

Another solution would be to install a fresh copy of Windows to another partition, while this is relatively straight forward to do it will need to be done by someone with a bit of technical experience and perhaps on the QT as well. If he done this and later had to give the computer back to the company he could just delete the partition with the new Windows and they wouldn't know any different.

Turbulent Bill

Thanks for all the comments. In summary, I think the chances of really invasive logging and traffic monitoring are very small, and the chance of these being checked are even smaller, but as there's no guarantee it's better to completely separate work and personal stuff on different PCs. Personally I'd be happy to keep it all on one, but I can understand the concern.

Given that increasing numbers of people are working from home (if they're working at all...), it'll be interesting to see the blurring between work and personal computer usage. If people want to check their Gmail, will they really switch between the work PC and their own laptop?

28064212

Turbulent Bill wrote: »

Given that increasing numbers of people are working from home (if they're working at all...), it'll be interesting to see the blurring between work and personal computer usage. If people want to check their Gmail, will they really switch between the work PC and their own laptop?

Depends on whether it actually is a work computer, or it's their personal computer that they do work on (i.e., who owns it). Besides, what many people who work from home do is remotely connect to a computer that is in work

billymitchell

Turbulent Bill wrote: »

Thanks for all the comments. In summary, I think the chances of really invasive logging and traffic monitoring are very small, and the chance of these being checked are even smaller, but as there's no guarantee it's better to completely separate work and personal stuff on different PCs. Personally I'd be happy to keep it all on one, but I can understand the concern.

Given that increasing numbers of people are working from home (if they're working at all...), it'll be interesting to see the blurring between work and personal computer usage. If people want to check their Gmail, will they really switch between the work PC and their own laptop?

If your friend really wants to use gmail out of hours on his work pc, or just wants to browse some general internet, then get them to just tell their boss that they are, shouldnt be any problem really.(unless the boss is an a/hole)

I dont understand the great reason for distrust that your friends comapny will be spying on their internet usage. The only thing they should be worried about is that computer getting a virus on it, but the VPN should hopefully be good enough to check for up to date anti-virus on the client machine before allowing connections

If there is something your friends wants to do but hide from their boss/company, then get their own pc for that!

Dermot Illogical

In reality they will probably only check logs/content etc when the PC is connected to the VPN, if at all. When it's on a private connection it should be reasonably secure unless he/she works with the Men from U.N.C.L.E.
Use portableapps on a USB stick for the personal stuff while disconnected from the VPN and all should be ok. Remove USB while working. All config, history and log files remain on the USB stick.
http://portableapps.com/

BostonB

AFAIK, (I could be wrong) if hes using a VPN all they have to do is check the logs on their own servers/routers because hes going through them to get to the web. If hes not on the VPN, then they can't see. But its certainly not impossible to have something on the PC tracking activity, even remotely when not on the VPN. The other problem is if he has to bring the PC into work, say the HD fails in the middle of something, and theres a mix of home and work stuff on it. It should be covered in the companies IT policy which he should be aware of. Personally it would be just easier to have your own PC.

Turbulent Bill

28064212 wrote: »

Depends on whether it actually is a work computer, or it's their personal computer that they do work on (i.e., who owns it). Besides, what many people who work from home do is remotely connect to a computer that is in work

The PC is company property, hence they own it and everything on it.

billymitchell wrote: »

If your friend really wants to use gmail out of hours on his work pc, or just wants to browse some general internet, then get them to just tell their boss that they are, shouldnt be any problem really.(unless the boss is an a/hole)

I dont understand the great reason for distrust that your friends comapny will be spying on their internet usage. The only thing they should be worried about is that computer getting a virus on it, but the VPN should hopefully be good enough to check for up to date anti-virus on the client machine before allowing connections

If there is something your friends wants to do but hide from their boss/company, then get their own pc for that!

His boss is the real problem - my friend is almost sure he's trying to find grounds for getting rid of him, and worries about personal PC usage being used as a tactic. Without getting into details, the boss' approach sounds incredibly petty, and it's plausible that my friend's concern is legitimate. To my knowledge the personal usage is completely innocent (i.e., nothing to be embarassed about!), but the concern is that anything non work-related could be used against him.

BostonB

The solution then is simple don't use the work PC for anything other than work.

Paulw

Turbulent Bill wrote: »

His boss is the real problem - my friend is almost sure he's trying to find grounds for getting rid of him, and worries about personal PC usage being used as a tactic. Without getting into details, the boss' approach sounds incredibly petty, and it's plausible that my friend's concern is legitimate. To my knowledge the personal usage is completely innocent (i.e., nothing to be embarassed about!), but the concern is that anything non work-related could be used against him.

If that is the case, then he should definitely get his own PC and only use his work machine for work related use.

ED E

Second HDD, job done.

matt-dublin

Depending on the organization options are different.

Here we prevent portable media boot access at the bios level so users can't use the likes of ubuntu live, we also prevent access to USB, CD-ROM, C: Drive and lock down PCs completly to prevent people doing thing they shouldn't be.

IE if they can't do it, they won't get in trouble.

We prevent access to facebook, gmail, eircom.net webmail social networking etc.

Everything forced through Proxy.

We also have the availbility to "shadow" what a user is doing on their pc, all user profiles are saved server side and synced back and mail is actively archived for 3 years and archives are stored for another 5!

When we do allow access to USB keys, they're ironkeys which can be remotely wiped if necessary, also a log of what happens to the file once it leaves the business can be kept (up until the point its removed from the drive)

apparently they like to cover their arses in here!

so really, depending on how paranoid your company is depicts the level of security and monitoring.

matt-dublin

Turbulent Bill wrote: »

The PC is company property, hence they own it and everything on it.



His boss is the real problem - my friend is almost sure he's trying to find grounds for getting rid of him, and worries about personal PC usage being used as a tactic. Without getting into details, the boss' approach sounds incredibly petty, and it's plausible that my friend's concern is legitimate. To my knowledge the personal usage is completely innocent (i.e., nothing to be embarassed about!), but the concern is that anything non work-related could be used against him.

also if this was the case verbal and written warnings would be required before someone could get fired.