Tuesday, July 31, 2007

Ten Things Your IT Department Won't Tell You



-
By VAUHINI VARA July 30, 2007; Page R1
-
Admit it: For many of us, our work computer is a home away from home. It seems only fair, since our home computer is typically an office away from the office. So in between typing up reports and poring over spreadsheets, we use our office PCs to keep up with our lives. We do birthday shopping, check out funny clips on YouTube and catch up with friends by email or instant message.
-
And often it's just easier to accomplish certain tasks using consumer technology than using the sometimes clunky office technology our company gives us -- compare Gmail with a corporate email account.
-
There's only one problem with what we're doing: Our employers sometimes don't like it. Partly, they want us to work while we're at work. And partly, they're afraid that what we're doing compromises the company's computer network -- putting the company at risk in a host of ways. So they've asked their information-technology departments to block us from bringing our home to work.
-
End of story? Not so fast. To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. Specifically, we asked them to find the top 10 secrets our IT departments don't want us to know. How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software.
But, to keep everybody honest, we also turned to security pros to learn just what chances we take by doing an end run around the IT department.
-
For hacking advice, we asked Gina Trapani, editor of Lifehacker.com, an online guide to being more productive on the Web; Leon Ho, editor of Lifehack.org, a blog with a similar mission; and Mark Frauenfelder, founder of the wide-ranging blog BoingBoing.net and editor of the do-it-yourself technology magazine Make.
-
To find out the risks, we talked to three experts who make a living helping IT departments make the rules and track down the rogue employees who break them. They are: John Pironti, chief information risk strategist at Amsterdam-based IT-consulting firm Getronics NV; Mark Lobel, a security expert in PricewaterhouseCoopers's advisory practice; and Craig Schmugar, a threat researcher at security-software maker McAfee Inc.
-
1. HOW TO SEND GIANT FILES
-
The Problem: Everybody needs to email big files from time to time, everything from big marketing presentations to vacation photos. But if you send anything larger than a few megabytes, chances are you'll get an email saying you've hit the company's limit. Companies cap the amount of data employees can send and store in email for a very simple reason: They want to avoid filling up their servers, and thus slowing them down, says messaging-research firm Osterman Research Inc., of Black Diamond, Wash. And getting your company to increase your email limit can be a convoluted process.
-
The Trick: Use online services such as YouSendIt Inc., SendThisFile Inc. and Carson Systems Ltd.'s DropSend, which let you send large files -- sometimes up to a few gigabytes in size -- free of charge. To use the services, you typically have to register, supplying personal information such as name and email address. You can then enter the recipient's email address and a message to him or her, and the site will give you instructions for uploading the file. In most cases, the site will send the recipient a link that he or she can click to download the file.
-
-
2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD
-
The Problem: Many companies require that employees get permission from the IT department to download software. But that can be problematic if you're trying to download software that your IT department has blacklisted.
-
The Trick: There are two easy ways around this: finding Web-based alternatives or bringing in the software on an outside device. The first is easier. Say your company won't let you download the popular AOL Instant Messenger program, from Time Warner Inc.'s AOL unit. You can still instant-message with colleagues and friends using a Web-based version of the service called AIM Express (AIM.com/aimexpress.adp). There's also Google Inc.'s instant-messaging service, Google Talk, accessible at Google.com/talk. There are Web-based equivalents of software such as music players and videogames, too -- typically, skimpier versions with fewer features than the regular programs.
-
The other approach to this problem is more involved but gives you access to actual software programs on your computer. All three of our experts pointed to a company called Rare Ideas LLC (RareIdeas.com), which offers free versions of popular programs such as Firefox and OpenOffice. You can download the software onto a portable device like an iPod or a USB stick, through a service called Portable Apps (PortableApps.com). Then hook the device up to your work computer, and you're ready to go. (But if your company blocks you from using external devices, you're out of luck.)
-
The Risk: Using Web-based services can be a strain on your company's resources. And bringing in software on outside devices can present a security problem. IT departments like to keep track of all the software used by employees, so that if a bug or other security problem arises, they can easily put fixes in place. That's not the case if you've brought the program in on your own.
-
Another thing to keep in mind: Some less reputable software programs, especially underground file-sharing programs, could come loaded with spyware and make it possible for your own files to leak onto the Web.
-
How to Stay Safe: If you bring in software on an outside device, says Mr. Lobel, make sure you at least tweak the security settings on your computer's antivirus software so that it scans the device for potential threats. That's easy to do, usually through an Options or Settings menu. Likewise, if you use a file-sharing service, set it up so that others can't access your own files, also through an Options or Settings area.
-
-
3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS
-
The Problem: Companies often block employees from visiting certain sites -- ranging from the really nefarious (porn) to probably bad (gambling) to mostly innocuous (Web-based email services).
-
The Trick: Even if your company won't let you visit those sites by typing their Web addresses into your browser, you can still sometimes sneak your way onto them. You travel to a third-party site, called a proxy, and type the Web address you want into a search box. Then the proxy site travels to the site you want and displays it for you -- so you can see the site without actually visiting it. Proxy.org, for one, features a list of more than 4,000 proxies.
-
Another way to accomplish the same thing, from Mr. Frauenfelder and Ms. Trapani: Use Google's translation service, asking it to do an English-to-English translation. Just enter this -- Google.com/translate?langpair=enen&u=www.blockedsite.com -- replacing "blockedsite.com" with the Web address of the site you want to visit. Google effectively acts as a proxy, calling up the site for you.
-
The Risk: If you use a proxy to, say, catch up on email or watch a YouTube video, the main risk is getting caught by your boss. But there are scarier security risks: Online bad guys sometimes buy Web addresses that are misspellings of popular sites, then use them to infect visitors' computers, warns Mr. Lobel. Companies often block those sites, too -- but you won't be protected from them if you use a proxy.
-
How to Stay Safe: Don't make a habit of using proxies for all your Web surfing. Use them only to visit specific sites that your company blocks for productivity-related reasons -- say, YouTube. And watch your spelling.
-
-

4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP
-
The Problem: If you use a company-owned laptop at home, chances are you use it for personal tasks: planning family vacations, shopping for beach books, organizing online photo albums and so on. Many companies reserve the right to monitor all that activity, because the laptops are technically their property. So what happens if your -- ahem -- friend accidentally surfs onto a porn site or does a Web search for some embarrassing ailment?
-
The Trick: The latest versions of the Internet Explorer and Firefox browsers both make it easy to clear your tracks. In IE7, click on Tools, then Delete Browsing History. From there, you can either delete all your history by clicking Delete All or choose one or a few kinds of data to delete. In Firefox, just hit Ctrl-Shift-Del -- or click Clear Private Data under the Tools menu.
-
The Risk: Even if you clear your tracks, you still face risks from roaming all over the Web. You could unintentionally install spyware on your computer from visiting a sketchy site or get your boss involved in legal problems for your behavior. If you're caught, it could mean (at best) embarrassment or (at worst) joblessness.
-
How to Stay Safe: Clear your private data as often as possible. Better yet, don't use your work computer to do anything you wouldn't want your boss to know about.
-
-
5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME
-
The Problem: You're catching up on work late at night or over the weekend -- but the documents you need to search through are stuck on your office PC.
-
The Trick: Google, Microsoft, Yahoo and IAC/InterActiveCorp's Ask unit have all released software that lets you quickly search your desktop documents. On top of that, some will let you search through documents saved on one computer from another one. How does it work? The search company keeps a copy of your documents on its own server. So it can scan those copies when you do a search remotely.
-
To use Google's software -- among the most popular -- follow these steps on both your work and home PC. First, you'll need to set up a Google account on both machines by visiting Google.com/accounts. (Be sure to use the same account on both computers.) Then go to Desktop.Google.com to download the search software. When it's up and running -- again, do this on both machines -- click on Desktop Preferences, then Google Account Features. From there, check the box next to Search Across Computers. After that point, any document you open on either machine will be copied to Google's servers -- and will be searchable from either machine.
-
The Risk: Corporate technology managers offer this nightmare scenario: You've saved top-secret financial information on your work PC. You set up desktop-search software so that you can access those files when working from home on your laptop. Then you lose your laptop. Uh-oh.
-
Getting hold of your company's internal documents could give others insight into your plans, and losing certain information could have legal repercussions. In particular, myriad state laws regulate how a company has to react when it loses private information about customers or employees; most require notifying those people about the breach in writing. Sending those notifications can be costly for your company -- not to mention damaging to its reputation.
-
On top of that threat, researchers have found vulnerabilities in Google's desktop-search software that could let a hacker trick a user into giving up access to files, says Mr. Schmugar of McAfee. (Those vulnerabilities have since been fixed, but more could crop up, he says.)
Matt Glotzbach, product management director for Google Enterprise, says there are bound to be vulnerabilities in any software and that, to the best of his knowledge, none of the Google Desktop vulnerabilities were exploited by hackers. He adds that when Google finds out about a vulnerability, it quickly fixes it and notifies users.
-
How to Stay Safe: If you have any files on your work PC that shouldn't be made public, ask your IT administrator to help you set up Google Desktop to avoid accidental leaks.
-
-
6. HOW TO STORE WORK FILES ONLINE
-
The Problem: Desktop search aside, most people who often work away from the office have come up with their own solution to getting access to work files. They save them on a disk or a portable device and then plug it into a home computer. Or they store the files on the company network, then access the network remotely. But portable devices can be cumbersome, and company-network connections can be slow and unreliable.
-
The Trick: Use an online-storage service from the likes of Box.net Inc., Streamload Inc. or AOL-owned Xdrive. (Box.net also offers its service inside the social-networking site Facebook.) Most offer some free storage, from one to five gigabytes, and charge a few dollars a month for premium packages with extra space. Another guerrilla storage solution is to email files to your private, Web-based email account, such as Gmail or Hotmail.
-
The Risk: A bad guy could steal your password for one of these sites and quickly grab copies of your company's sensitive files.
-
How to Stay Safe: When you're thinking about storing a file online, ask yourself if it would be OK for that file to be splashed all over the Internet or sent to the CEO of your company's top rival. If so, go for it. If not, don't.
-
-
7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL
-
The Problem: Many companies now have the ability to track employees' emails, both on work email accounts and personal Web-based accounts, as well as IM conversations.
-
The Trick: When you send emails -- using either your work or personal email address -- you can encrypt them, so that only you and the recipient can read them. In Microsoft Outlook, click on Tools, then Options and choose the Security tab. There, you can enter a password -- and nobody can open a note from you without supplying it. (Of course, you'll have to tell people the code beforehand.)
-
For Web-based personal email, try this trick from Mr. Frauenfelder: When checking email, add an "s" to the end of the "http" in front of your email provider's Web address -- for instance, https://www.gmail.com/. This throws you into a secure session, so that nobody can track your email. Not all Web services may support this, however.
-
To encrypt IM conversations, meanwhile, try the IM service Trillian from Cerulean Studios LLC, which lets you connect to AOL Instant Messenger, Yahoo Messenger and others -- and lets you encrypt your IM conversations so that they can't be read.
-
The Risk: The main reason companies monitor email is to catch employees who are leaking confidential information. By using these tricks, you may set off false alarms and make it harder for the IT crew to manage real threats.
-
How to Stay Safe: Use these tricks only occasionally, instead of as a default.
-
-
8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON'T SPRING FOR A BLACKBERRY
-
The Problem: Anyone without a BlackBerry knows the feeling: There's a lull in the conversation when you're out to dinner or an after-work beer, and everyone reaches for their pocket to grab their BlackBerry, leaving you alone to stir your drink.
-
The Trick: You, too, can stay up to date on work email, using any number of consumer-oriented hand-held devices. Just set up your work email so that all your emails get forwarded to your personal email account.
-
In Microsoft Outlook, you can do this by right-clicking on any email, choosing Create Rule, and asking that all your email be forwarded to another address. Then, set up your hand-held to receive your personal email, by following instructions from the service provider for your hand-held. (That's the company that sends you your bill.)
-
The Risk: Now, not only can hackers break into your personal account by going online on a computer, they can also break into it by exploiting security vulnerabilities on your mobile device.
-
How to Stay Safe: There's a kosher way to access work email on some devices, by getting passwords and other information from your IT department.
-
-
9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY
-
The Problem: If you do have a BlackBerry, you've probably got a different problem: You want to get your personal email just as easily as work email.
-
The Trick: Look at the Settings area of your personal email account, and make sure you've enabled POP -- Post Office Protocol -- a method used to retrieve email from elsewhere. Then log in to the Web site for your BlackBerry service provider. Click on the Profile button, look for the Email Accounts section and click on Other Email Accounts. Then click Add Account and enter the information for your Web-based email account. Now your personal emails will pop up on the same screen as your company email.
-
The Risk: Your company probably uses a whole bunch of security technology to keep viruses and spies out of your files. When you receive personal email on your BlackBerry, it's coming to you without passing through your company's firewall. That means viruses or spyware could sneak onto your BlackBerry via a personal email, says Mr. Schmugar of McAfee. Worse yet, he says, when you plug your BlackBerry into your work computer, there's a chance that the malicious software could jump onto your hard drive.
-
How to Stay Safe: Cross your fingers and hope that your personal email provider is doing a decent job weeding out viruses, spyware and other intruders. (Chances are, it is.)
-
-
10. HOW TO LOOK LIKE YOU'RE WORKING
-
The Problem: You're doing some vital Web surfing and your boss turns the corner. What do you do?
-
The Trick: Hit Alt-Tab to quickly minimize one window (say, the one where you're browsing ESPN.com) and maximize another (like that presentation that's due today).
-
The Risk: The good news is that there are no known security risks.
-
How to Stay Safe: Get back to work.
-
--Ms. Vara is a staff reporter in The Wall Street Journal's San Francisco bureau.
Write to Vauhini Vara at vauhini.vara@wsj.com