Mobile Wireless Security

#1
WNYC had a self-described workplace privacy expert on the air yesterday. He was discussing the usual cautions on sending personal emails using company email accounts and equipment. He said the only form of electronic communication in which he felt it was safe sending personal messages would be over a wireless Internet connection. So, for example, if you have a company BlackBerry, and use a hotmail or yahoo account using the wireless Internet interface, then he said it was very difficult for the company to monitor. He claimed that the messages were served over the provider's servers, so the company would have to go back to their provider to retrieve them, and that this is almost never done. However, I know that my corporate email on my BB is served (at least initially) over a company server. So I'm wondering if he really knew what he was talking about?

He was also asked about using IM, and said that, since it's delivered over the company's server, messages could be monitored (although, I've heard otherwise; someone in my company's IT department said it was difficult to monitor chat and they have banned us using chat to transfer documents to anyone out of the office because they feel it's a violation of Sarbanes Oxley because it can't be monitored).
 
#2
It's a lot easier than you think for a company to monitor IMs on their equipment:

http://www.dailyamerican.com/articles/2009/12/16/news/local/news220.txt

But I think that expert may be right about using the BB internet to check/send gmail/yahoo mail from your phone - unlike corporate networks, your company cannot monitor your BB Internet traffic as that is kept on the BB servers. Maybe they could get that info from BB (if they ask pretty please?) but highly unlikely for the average company provided BB equipment.
 
#3
So, for example, if you have a company BlackBerry, and use a hotmail or yahoo account using the wireless Internet interface, then he said it was very difficult for the company to monitor. He claimed that the messages were served over the provider's servers, so the company would have to go back to their provider to retrieve them, and that this is almost never done.
True. If you use the phone carrier's data connection & use non-corporate email (yahoo, gmail, etc.) then it would be difficult for the company to monitor it. They would have to get a subpoena in order to force the phone company or yahoo to hand over records.

However, I know that my corporate email on my BB is served (at least initially) over a company server. So I'm wondering if he really knew what he was talking about?
Corporate email on any PC/Mac/smartphone can be tapped & monitored with varying levels of difficulty. Assume that they are spying on you via your corporate email.

He was also asked about using IM, and said that, since it's delivered over the company's server, messages could be monitored (although, I've heard otherwise; someone in my company's IT department said it was difficult to monitor chat and they have banned us using chat to transfer documents to anyone out of the office because they feel it's a violation of Sarbanes Oxley because it can't be monitored).
Unless you are using some form of encryption in your IM conversation, your IM message is sent as human-readable text and it is being monitored and thus your attachments are not secure from hackers or internal corporate IT spies. This is extremely easy to do and I have used a variety of tools to examine IM conversations, for example Wireshark. Again, assume that they are spying on you via unencrypted IM.
 
#4
True. If you use the phone carrier's data connection & use non-corporate email (yahoo, gmail, etc.) then it would be difficult for the company to monitor it. They would have to get a subpoena in order to force the phone company or yahoo to hand over records.

Corporate email on any PC/Mac/smartphone can be tapped & monitored with varying levels of difficulty. Assume that they are spying on you via your corporate email.

Unless you are using some form of encryption in your IM conversation, your IM message is sent as human-readable text and it is being monitored and thus your attachments are not secure from hackers or internal corporate IT spies. This is extremely easy to do and I have used a variety of tools to examine IM conversations, for example Wireshark. Again, assume that they are spying on you via unencrypted IM.
I thought the Sarbanes Oxley bill was about forcing companies to fully and honestly disclose their financial status. It seems to me that your IT manager is afraid of insider information being leaked.
 
#5
someone in my company's IT department said it was difficult to monitor chat and they have banned us using chat to transfer documents to anyone out of the office because they feel it's a violation of Sarbanes Oxley because it can't be monitored).
I thought the Sarbanes Oxley bill was about forcing companies to fully and honestly disclose their financial status. It seems to me that your IT manager is afraid of insider information being leaked.

This is the post I was trying to link to, not the one above.
 
#6
As I understand it, and someone with more knowledge of this is welcome to jump in, part of Sarbanes Oxley deals with Internet security as it relates to confidential client information, and public companies now have to be compliant.
 
#7
Sounds to me like your IT department doesn't want people using their computers for personal IM, but they don't want to look like bad guys, so they made up this Sarbanes Oxley stuff. It also makes them look smart too.
 
#9
I've looked around, and haven't found anything on the internet about hacking CDMA (3g) wireless internet, although there does seem to be software that allows you to listen in on GSM cell phones.
 
#13
Sounds to me like your IT department doesn't want people using their computers for personal IM, but they don't want to look like bad guys, so they made up this Sarbanes Oxley stuff. It also makes them look smart too.
We can use IM (and do), we just can't transfer documents to anyone outside of the office via IM.
 