Being spied upon




misterbigsize
May 5, 2008, 12:51 PM
Good afternoon everyone. I'm a director of an ad agency. I believe our IT manager is going through my emails (we use Entourage). Is there any way of finding out whether or not he is?

He supplied me with my Mac in the first place and I simply don't know enough to be able to understand if he has some piece of spyware in there. He holds the administrator account on my machine.

If there isn't a way, is it possible to lock my Entourage account so that he cannot access it?

Thank you very much.



icoffee
May 5, 2008, 12:57 PM
You might try MacScan. They have a 30-day free trial: http://www.versiontracker.com/dyn/moreinfo/macosx/28901

I also use Little Snitch to monitor incoming and outgoing connections: http://www.versiontracker.com/dyn/moreinfo/macosx/17642

And why not remove his admin account?

FJ218700
May 5, 2008, 12:59 PM
If you're the director, get admin status and delete his account.

FileVault your account and firewall the computer.

If you need computer help, he can fix it from your login while you watch.

aLoC
May 5, 2008, 12:59 PM
If you want to know what he is doing you have to spy right back. Maybe install a hidden cam on him.

Eidorian
May 5, 2008, 01:00 PM
If they're an administrator it's rather hopeless. At least you can run the 'last' command. Then again, if your user files are on the server it gets even more messy.
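
An added example (not part of any post in this thread) of what to look for in the output of the `last` command mentioned above: sessions under an account other than your own, and sessions that arrived over the network. The account names, address and log lines are constructed; as other posts in the thread point out, an administrator can alter these records, and server-side mailbox access never appears in them.

```shell
#!/bin/sh
# Added example: filter `last`-format login records read from stdin.
# On the Mac itself the input would come from:  last | review_logins <your short name>

# Print one tab-separated line per session that is not a local login by the owner.
# Columns: reason, user, tty, remote host ("-" when the login was local).
review_logins() {
    owner="$1"
    awk -v owner="$owner" '
        # Skip blank lines, the "wtmp begins" trailer and reboot/shutdown markers.
        NF == 0 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
        {
            user = $1; tty = $2; host = "-"
            # The host column is filled only for network logins (ssh and the
            # like); when it is empty, the third field is already the weekday.
            if ($3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) host = $3
            reason = ""
            if (user != owner) reason = "other-account"
            if (host != "-") reason = (reason == "" ? "remote" : reason "+remote")
            if (reason != "") printf "%s\t%s\t%s\t%s\n", reason, user, tty, host
        }
    '
}

# Constructed sample in the layout `last` prints (not real data).
sample_last() {
    cat <<'EOF'
director  console                   Mon May  5 08:58   still logged in
itadmin   ttys000   10.0.0.20       Sun May  4 22:14 - 22:41  (00:27)
director  ttys001   10.0.0.20       Sat May  3 23:05 - 23:09  (00:04)
director  console                   Fri May  2 08:31 - 18:02  (09:31)
reboot    ~                         Fri May  2 08:30
wtmp begins Tue Apr  1 09:00
EOF
}

# Demo run on the constructed sample: flags the itadmin session and the
# network login made under the owner's own name.
sample_last | review_logins director
```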

aLoC
May 5, 2008, 01:01 PM
If they're an administrator it's rather hopeless.

Exactly. Which is why I suggested he try something outside of the computer.

ebel3003
May 5, 2008, 01:02 PM
Unfortunately, even if you were the admin of your own computer, he would still have the capabilities of intercepting the e-mails server-side. That is assuming you have an in-house e-mail server.

yellow
May 5, 2008, 01:04 PM
Logically speaking:

1) What makes you think he is reading your email?
2) If he was reading your email, it wouldn't be on your Mac, it would be read on the entourage server, over which you have no control.
3) If you remove the admin account, that would surely be a flag for him.
4) Is this your work email? So what if he's reading the email, there shouldn't be anything but work-related communications in there.

I'm not sure that a random forum is the best way to address this situation, particularly given that you admit to knowing nothing about Macs.
If this is an HR issue, take it to HR.
If this is an IT issue, take it to corporate IT.
If this is a security issue, hire an outside source to come in for definitive proof.

Eidorian
May 5, 2008, 01:05 PM
Exactly. Which is why I suggested he try something outside of the computer.

Any device to which one has physical access has NO meaningful security.

On that note, who actually needs physical access if they're an IT administrator? ssh works just fine. Why not check the mail server side? Network home directories exist for a reason. I don't really care if a fellow administrator reads my work mail. It's for work. I respect their privacy as well.

Sky Blue
May 5, 2008, 01:07 PM
Take a look in System Preferences > Sharing and see if Apple Remote Desktop is on. He could be using this to physically see your screen.

If you're using Exchange he could be looking at your emails on his own computer, he doesn't need to look at yours.

Sun Baked
May 5, 2008, 01:15 PM
If he is reading them and sharing the info, fire him and get a new IT manager.

lemons
May 5, 2008, 01:21 PM
Could an email tripwire (http://www.makeuseof.com/tag/are-you-sure-your-email-isnt-being-hacked/) help? :D

vanmacguy
May 5, 2008, 01:24 PM
Hmm, this is a tough one to solve technologically.

As a Mac admin currently and a Windows admin in a past life, I know that Systems Administrators can see *anything*.

There was a survey of Fortune 500 CEOs that ranked their Systems Administrators as second only to their Doctors with regard to how much they trust them.

There's not a lot you can do really. If you block his access to your local computer, they will have access to the Exchange server and therefore your mailbox. You could download all your mail to a local mailbox and delete it from the server, this would stop him seeing it once it's been downloaded. You could send a message to yourself and in it say that you know he's reading your mail and that he needs to stop.

What really needs to be fixed however by the sound of it is the trust between the two of you. And this is not something that can be solved by technology.

You need to know if he is looking at your mail.

You need to know why he would look at your mail.

You need to understand that if your mail is all work-related (and it *should* be while it's coming through a work mail server), then there's no reason that you should have a problem with him seeing it (apart from it being extremely rude).

If he's looking at it for voyeuristic reasons, then he needs to be fired.

I would suggest that a difficult conversation is required. Before you have that conversation though you need absolute proof that he's reading it.

If you have the proof and you have the conversation, there's no way (if he's got even half a brain) that he's going to admit to reading it for voyeuristic reasons though, so you need help with that one.

I'd get the proof, have the conversation, then talk to HR and have them deal with it.

Good luck.

<EDIT>

I just re-read your post and see that you're a Director and he's a Manager. So not all of what I originally said here will apply because you can just fire him so I removed some of it.

</EDIT>

Les Kern
May 5, 2008, 06:52 PM
Hmm, this is a tough one to solve technologically.

As a Mac admin currently and a Windows admin in a past life, I know that Systems Administrators can see *anything*.

True. That's what I am and I can sure see everything if I want to. But I don't want to. You think he's doing so, you can NOT assume. And guess what? If they are half-way decent you will never know with certainty. So I have a suggestion...
Use work e-mail for work. Only. Ever. It is not yours.
Don't accuse, you will be crushed like a bug.
Don't try retribution. Again, you will be crushed.
Tell no one... anywhere. They WILL let it out, and you will be crushed.
Never, EVER try to screw the admin. Do you understand?
Don't like the rules? Quit.
Sorry to be harsh, but that's just the way it is. Now of course if it IS proven, you can take the steps you need to take. The BEST way to do it is lay an e-mail trap. Document JUST what you do with screen shots and a nice letter to nobody. Make sure the trap is not illegal, immoral, or belittles the company... something simple and harmless.
OR, better yet, ignore everything I said and just work.

CanadaRAM
May 5, 2008, 06:59 PM
If your company is like most, your employment contract has language to the effect that the use of company computers and accounts comes with no guarantee of privacy, and that use of company assets for personal purposes is forbidden. Thus from a personal privacy point of view, you would have no case.

However from a corporate director point of view, your concern would be if the IT person was contravening any of his contract as to rules of behaviour, misusing company assets, or trading in corporate secrets (outside of the firm).

beatsme
May 5, 2008, 06:59 PM
Good afternoon everyone. I'm a director of an ad agency. I believe our IT manager is going through my emails (we use Entourage). Is there any way of finding out whether or not he is?

He supplied me with my Mac in the first place and I simply don't know enough to be able to understand if he has some piece of spyware in there. He holds the administrator account on my machine.

If there isn't a way, is it possible to lock my Entourage account so that he cannot access it?

Thank you very much.

About all you can do is watch what you say. It doesn't matter whether he has physical access to your machine or not. If he has administrative level access to the server/email client, then he can read anything and everything that goes through. That's just how it is, unfortunately.

Also, if he's the local admin of your machine, then you can't install any kind of encryption without his knowledge. You're kind of screwed here.

What makes you suspect?

VideoFreek
May 6, 2008, 02:57 AM
You need to understand that if your mail is all work-related (and it *should* be while it's coming through a work mail server), then there's no reason that you should have a problem with him seeing it (apart from it being extremely rude).

You can't be serious. The OP is a director, not a cubicle-dwelling drone, which means he can be routinely dealing in e-mail that NO employee, not even the IT admins, should see (sensitive HR matters, compensation data, upcoming office closures, M&A activities, etc.).

To the OP: I would hire a PI to watch this guy via hidden camera, etc. Of course, to be on the right side of things ethically, your suspicions must be well-grounded, supported by at least circumstantial evidence, and not mere paranoia. But IT Admins HAVE to be the most trustworthy employees in your organization; they literally hold the keys to your kingdom. As we used to say during the Cold War, "trust, but verify." :D

MikeDTyke
May 6, 2008, 04:35 AM
This is a delicate situation and does depend on the IT policies defined.

Having worked contract for a couple of ad agencies, I would assume there's no IT policy in place. As you are a director you would ideally be placed to push for this. It's a two-way contract basically defining what the users of the system are entitled to do, and you don't need to be too strict. On the other side of the coin, it can define the roles and access of IT when it comes to corporate data.

Define the policy, i.e. email is retained in the event of a legal issue but is not actively monitored. Depending on your email server, i.e. Exchange, have the IT person create an admin account with access to all mailboxes. This account's password should be set by the MD and then written and sealed in the company safe. Make it clear that anyone caught misusing or viewing other people's mail will be fired and that the systems will be audited on a regular basis.

This should deter him. If you think the above is too much or if you don't think this will put him off, send something really provocative about him to the MD, prepping him of course that you don't really mean it. If you get a response from the IT guy then you have him.

M.

misterbigsize
May 6, 2008, 01:42 PM
Thank you all for your responses. To answer some of your questions,

Yes, I am a director and as such am privy to information which he is not.

I'm not concerned about personal email as this is a work account and I do use it strictly for work.

The company is large, we have offices in other locations and the subject of salaries and, more importantly, hiring and firing are discussed.

I was hired to turn the company around. My arrival was seen by those who knew themselves to be vulnerable as a threat. It was.

The most senior person I fired was a personal friend of our IT guy. Our IT guy is fairly solitary and, as far as I can ascertain, has very few friends.

I know for a fact that before I fired the friend, the friend was waging a rear-guard action trying to discredit me. The IT guy helped.

I have no proof now that he is looking, but I know he is still in close contact with the person I fired. As I know he blames me for his friend's dismissal, I know he doesn't like me. I strongly suspect that he is still looking and it makes me very uncomfortable to discuss anything that may potentially harm the business - or benefit our competitors.

He is good at his job, very bright and would be extremely difficult to replace. I can't fight him because he could do too much damage. I could have him walked out of the building, but I'd prefer not to. If I had proof - one way or the other - I would be in a better position to act.

Thank you again for your feedback.

iSee
May 6, 2008, 10:39 PM
Hmm, this is a problem.
You really do need to be able to trust your IT people.

Realistically, you aren't in much of a position to hide your e-mails from him if he wants to read them.

Here's some info to help you understand what I mean:
* He could log in to your machine in various ways and access the local email databases there, or run your email client. He probably wouldn't, though, because there are more convenient ways to access your email...
* He could simply set up another email client to connect to your email account. He'll be able to read your email the same way you do. Obviously he would know all the necessary connection information. He wouldn't necessarily need your email account password, either. There are generally admin passwords that would give him access.
* All of your email is typically stored in a database on a server somewhere. He would have direct access to that machine and all the files on it.
* Email is sent and received through mail servers (could be the same or different machine as the last point). These could be set to log all incoming or outgoing messages and read those logs.
* Etc. Email is not a very secure system, particularly not from the person with the most access to and knowledge of your email infrastructure.

As a temporary lightweight spot-fix, you could try sending sensitive materials enclosed in a password-protected zip file (there are tools to crack these, but if you choose a long, difficult password it won't be practical). I'm not sure of a good GUI-based workflow for doing something like this off the top of my head.

Obviously you need to resolve your issues with the IT guy ASAP. Don't be disconcerted that he is introverted--many very competent and professional IT people are. You could sit down with him and lay out your concerns. Be respectful and professional and don't accuse but tell him how you feel (sorry, I'm sure this is obvious.) Something along the lines of "I need to be able to trust the IT group, and especially you. Given your relationship with so-and-so, I've been having a hard time doing that..." Don't forget to mention how much you value his intelligence, etc. This will give you a chance to feel him out. Then again, I'm not sure how much he helped that guy you let go. If you can't come to feel that you can trust him then you really do need to get rid of him. It might make sense to give him a generous severance package that pays out a bonus over time. The bonus would be contingent on some kind of no-compete, no-damage clause that would discourage him from abusing any backdoors he may know about. The main thing, though, is not to treat him in an insulting way. It sounds like he is a successful and talented IT manager, so he should be inclined to act in a professional and ethical manner. Even if you feel aggrieved, bite your tongue and get him quietly out the door.

Have your next IT guy thoroughly review the IT infrastructure and change all passwords, etc. (And make sure the documentation for everything is up-to-date while he/she is at it!)

Good luck!

logandzwon
May 8, 2008, 10:23 AM
These other guys have basically said what I would say if you asked me personally. The summary is that this is not an IT issue, or a technical issue.

alFR
May 9, 2008, 05:35 PM
Start encrypting all your sensitive corporate emails with PGP, either the paid version (http://www.pgp.com/index.html) or one of the free ones like GNU PG (http://macgpg.sourceforge.net/). Even with supercomputer access the sun would be a brown dwarf before he'd be able to read anything.

aLoC
May 9, 2008, 09:54 PM
Start encrypting all your sensitive corporate emails with PGP, either the paid version (http://www.pgp.com/index.html) or one of the free ones like GNU PG (http://macgpg.sourceforge.net/). Even with supercomputer access the sun would be a brown dwarf before he'd be able to read anything.

PGP is only useful if you have privacy when entering the decryption key, but sysadmin can potentially monitor your screen/keyboard/disk. Perhaps if the encrypted emails were transferred to a network detached personal laptop for reading, but then that is getting ridiculous. Businesses simply have to have an IT admin they can trust.

127079
May 28, 2008, 05:44 AM
It's time to man up, son! Approach professionally like the posts above say and see what is up.

Dorfdad
May 28, 2008, 09:52 AM
Why not hire an outside source to come in independently and do a complete system diagram and overview of the servers, for a couple of reasons?

#1. Document what software and versions and patches you currently have installed and running in case things go south with this person and you have to replace him. No knowing what he will destroy, backdoors left open etc. Close all unneeded ports (ssh etc.) if not 100% needed.

#2. Ask him for the administrative password on your local machine and change it. If you need assistance he can do it with you.

#3. This is probably the most important thing you need to do; listen well. I've been on both sides of this before.


Schedule a meeting with the guy. Be professional and clear the air, tell him upfront you think he's talented and an asset to the company and you're not looking to replace him at all, explain that you were hired to fix things, and you are going to do this at any cost. You may wish to let him know some things about why the other guy was let go and explain you need him to work with you, explain to him you need to trust him if he's going to maintain control on the servers and tell him what your concerns are. It's not easy, I'm sure, and I would recommend that you inform HR or your Boss or Owner of the meeting and invite them as well so everyone knows the deal.

There are so many ways for people to get information: keyloggers, screen captures, etc. So the best policy is to have good, forceful communications with this guy. He can undermine everything you're trying to do and make you look bad as well, so you need to get him on your team or find someone else.

There are plenty of good, trustworthy IT guys; just ask us, we all know better than the last one!

Good luck, let us know how it goes!

adrian.oconnor
May 28, 2008, 10:11 AM
As a Mac admin currently and a Windows admin in a past life, I know that Systems Administrators can see *anything*.

Comment #13 by vanmacguy is spot on and you should follow his advice.

If you don't trust your admin then revoke his rights and let him go. Find someone you do trust (or learn to do it yourself and be prepared to spend the time doing it).

A sysadmin can read, change and delete any file on the network. They can read any email. You must be able to trust them.

P.S. If he is a power-crazed loon, as you suspect, revoke his rights before you fire him because he'll probably try and sabotage your network in retaliation. Get another network admin to check for backdoors too - hidden admin accounts, VPN tunnels, that kind of thing. Pay a consultant if that is what it takes.

GGJstudios
May 28, 2008, 11:18 AM
.