Re: CRIME Surreptitious software

From: Rob Magee (robmagee100@private)
Date: Sat May 15 2004 - 12:41:10 PDT

    Thanks for responding, John. 
    
    Our State of Oregon agencies are pretty much mandated to follow the policies set out by the Department of Administrative Services, or DAS for short. The policy that specifically addresses this situation is the Acceptable Use of Information Related Technology, Number 1.3 of the State IT Policies found at http://oregon.gov/DAS/IRMD/CIO/pol_index.shtml
    
    We in IT have always made this policy clear to everyone, stressing that email, files, network resources will be monitored at any time. That is understood and expected, and, in my opinion, appropriate. After all, we are a publicly funded agency and my personal point of view is that everything we do with taxpayer money should be available for public scrutiny.
    
    However, even in the State Policy, there is a clause under "Control" that states, "...  The agency does not intend to tap phone conversations without notice or due process of law. ... " This shows that they do acknowledge the laws pertaining to privacy as relates to wiretapping. They may not realize that those same wiretapping laws are now starting to be applied to keylogging as well. There is a gray area when it comes to monitoring IM conversations, though the difference is slight between that and phone conversations. In my opinion, when they silently installed keylogging software on my workstation without due process of law, they crossed way over the line. 
    
    Just a quick background on the situation... I was a member of the Network Team, which was composed of the Senior Network Admin. and myself, for a number of years. Under Stan Bunn, and the culture he brought of getting away with everything he could for personal gain at taxpayer expense, we documented and stopped several highly unethical and a couple of illegal acts, projects, etc., by upper management. We knew that doing that would result in big targets being painted on our backs, but we wouldn't have been able to look ourselves in the mirror if we had turned our backs. 
    
       At one time the SNA documented management's involvement in planting false evidence on an employee's computer during an attempt to fire her. (She was one of the most productive developers we had, but also happened to be a transsexual, which offended the sensibilities of our manager at the time) I was acting as the Security Officer for the last couple of years and documented our IT Director repeatedly allowing ex-employee friends to wander our network resources. I got him in a bit of trouble, but he is still the Director, and I have been removed from the Network team and am now 2nd level phone support for our web applications. 
    
   The SNA was targeted for 3 years by management and finally fired last year for writing an email that was insulting to another employee. I pretty much knew that I was next, and have been the recipient of several letters of reprimand for such things as being 6 minutes late to work one month. Now I discovered a botched attempt to silently install Resource Monitor on my workstation, which, among other things, is a keylogger and is configured to send its data to our Phone Service server, which resides in the IT Manager's office. He and the Helpdesk Leadworker are responsible for that server. You are correct that the Network team may not have installed it on my computer, but considering the lack of skill of the Helpdesk lead and the IT Manager, I think it is highly probable that one of the two Network team members set up the install, which was done via Microsoft's SUS.
    
    Well, sorry for the long-windedness. I pride myself in my integrity and am frankly disgusted with the lack of it, demonstrated constantly, by several of ODE's management.
    
    Rob Magee
      ----- Original Message ----- 
      From: John Stone 
      To: crime@private 
      Sent: Saturday, May 15, 2004 8:52 AM
      Subject: RE: CRIME Surreptitious software
  Due to recent regulations and various legal decisions many companies have interpreted, rightly or wrongly, that they can be legally held liable if their systems were utilized for illegal purposes that resulted in harm to a specific individual or group of individuals. Their fear is that, as with many areas of law, ignorance is not necessarily a valid legal argument. Most companies are not implementing these technologies to validate that their systems are utilized only for company business (although some certainly are doing so for this purpose) but instead are implementing this technology to mitigate security risk$. By showing that they are monitoring for this activity they hope to show that they are taking appropriate steps to assure their systems are not used improperly. These efforts have accelerated with the implementation of SOX as the executives themselves are finding they can be held liable individually for the security of their systems. The use of systems for illegal actions is seen as a security issue and this technology as a viable and appropriate response to mitigate the associated risk$. 
    
      Personally I do not expect privacy when utilizing company equipment for personal business. I instead appreciate the fact that my organization understands that a limited utilization of company resources for personal business is normal and thank them for allowing me to do so. If I require a level of privacy I utilize my own equipment at my own costs. 
    
  Now as for the security issues this might raise, one can only hope that the network team has put in place the proper security precautions to safeguard the information discovered. Not to protect the privacy of the individual, although that should be a consideration, but instead to safeguard the assets of the company that could be compromised if information such as passwords were left vulnerable. 
    
      Finally this definitely should be discussed with the network team as I saw nothing in the discussion indicating such a discussion had already taken place. What if it wasn't the network team that attempted the installation?
    
      John Stone 
      Consulting Manager 
      Symantec Security Services 
      (541) 335-5641 

      "Forensic Computer Service, Inc." <sales@private>
      Sent by: owner-crime@private
      04/30/2004 12:58 PM
      To: "Rob Magee" <robmagee100@private>, <crime@private>
      cc:
      Subject: RE: CRIME Surreptitious software

      First let me state that I am not an attorney, so this should not be taken as
      legal advice.
    
  In the business arena my experience has been it is lawful to install
  whatever one wants on equipment providing the company owns it, with the only
  acceptable provision being that it may not invade personal privacy.  Video
  cameras, for example, can be installed to monitor employees but are not
  permissible in bathrooms, or other places where people have a "reasonable
  expectation of privacy".
    
      Some companies/organizations explicitly state in their policy manuals that
      such monitoring/recording may be done by the company.
    
  I'm sure there are those who will disagree with me, but in Missouri we
  monitored (in another life of mine) and recorded, without any previous
  warning, calls made by the sales department.  Our counsel approved this
  because no employee has any reasonable expectation of privacy while using a
  phone system and phone lines owned by the company.
    
  From your Email I see you are with a government agency.  I would hope they
  have published policies on installing and using spyware on employees, but I
  certainly don't know what's permissible and what's not in Federal, State and
  local government operations.
    
  While I personally find what you said they did below offensive, in the
  private business world I see this a lot and it's based on the premise that
  the employee is using a company owned computer to perform his/her job
  functions on company time and getting paid for it.
    
      I would consider taking the facts and the hard evidence, up the
      chain-of-command (in writing of course) and either it will be stopped and
      someone gets in trouble, or, you will get told it's policy.  Either way you
      force the issue to get resolved not just for your benefit but for everyone
      else who works there.
    
      Regards,
    
      G. Chatten
      FCS
    
      -----Original Message-----
      From: owner-crime@private [mailto:owner-crime@private]On Behalf Of
      Rob Magee
      Sent: Friday, April 30, 2004 1:36 PM
      To: crime@private
      Subject: CRIME Surreptitious software
    
    
      Yesterday, the network team botched a silent install of Resource Monitor
      (resourcemonitor.com) on my computer when I logged in. I noticed it when I
      had to reboot after the install conflicted with MS's handwriting and speech
      module for Office and crashed.
      This software is aimed at monitoring staff application use, but goes a step
      further by adding screenshot capture and keylogging.
      My question is, is it legal to have silently installed keylogging software,
      even though that feature may not be enabled? My understanding is that
      keylogging is the digital equivalent of wiretapping, but I need some
      clarification.
      Thanks all.
      You can respond to me at:
      Rob Magee
      Outreach Helpdesk Team
      Oregon Department of Education
      (503) 378-3600 ext. 4495
      robmagee100@private <mailto:robmagee100@private>

    This archive was generated by hypermail 2b30 : Sat May 15 2004 - 13:15:06 PDT