HOW TO HACK GMAIL

<<

divine

Newbie

Posts: 12

Joined: Mon Dec 11, 2006 5:11 pm

Location: Dallas

Post Thu Jun 19, 2008 9:44 am

Re: HOW TO HACK GMAIL

Efferri wrote: Keylog the suspected user's terminal.  This will eliminate any legal issues (I am assuming the terminal and IT equipment is owned by the company)... Keylogging will also eliminate encryption as an obstacle.

Plus, if you AREN'T who you say you are, it will be a little more difficult to install a keylogger and have logs sent to you remotely. Problem Solved.

~Efferri


Mmmmm, that is not completely correct, and no offense intended Efferri but just hear me out a sec. I have been dealing with legal issues like this for a major Fortune 100 Financial institution for years now and have a lot of experience in this area (preventing data leakage and prosecuting those who would sell your trade secrets).

I have seen employees successfully sue their employers for tactics like that EVEN when there is a signed agreement acknowledging no expectation of privacy on company-owned equipment. This type of tactic CAN fall into the realm of violating your employees' rights even if you own the equipment and is very tricky to handle in court; because you have selected THAT employee for a level of monitoring beyond the rest of your employees, it can also fall into the realm of discrimination.

Personally I would avoid this type of situation altogether and deploy a tool like Vontu as Don suggested. It is forensically sound, generally accepted as a standard in legal communities for IP (Intellectual Property) loss cases and keeps your company protected from discrimination responses from your employees.

-Jordan
CEPT, CREA, C|EH, MCSE:Security (too many others that I don't care about to list)
<<

oneeyedcarmen

Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Thu Jun 19, 2008 10:40 am

Re: HOW TO HACK GMAIL

divine wrote: ...is very tricky to handle in court, because you have selected THAT employee for a level of monitoring beyond the rest of your employees it can also fall into the realm of discrimination.

It's been my impression, though I am a bit newer to this field than many of you, that for an organization to employ the use of keyloggers, it must be done across the entire operation.  Otherwise, not only will the evidence be inadmissible in court, but the company opens itself up to litigation.

I could be wrong, but that's the way I've always understood it.
Reluctant CISSP, Certified ASS
<<

Efferri

Newbie

Posts: 3

Joined: Wed Jun 18, 2008 5:58 pm

Post Thu Jun 19, 2008 11:00 am

Re: HOW TO HACK GMAIL

No offense taken whatsoever.  That's what these forums are for.  I don't claim to be an expert on the laws of the land (or even savvy).  I merely speak from personal experience.  I have had to resort to this two times in the past 11 years, and it has served me well.  Granted, we had a blanket disclaimer on all login screens notifying the user of monitoring, and also have them all sign a pretty lengthy Appropriate Use Agreement (which includes a CYA page of monitoring jargon).

So, when I offered the KL suggestion, I was assuming the individual would be bright enough to check with his/her superiors before implementing anything.

;)
<<

g00d_4sh

Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Thu Jun 19, 2008 12:28 pm

Re: HOW TO HACK GMAIL

That is very true, any action like a keylogger or privacy violation to an employee needs to be first OKed by HR and/or Legal counsel really.  I actually had an issue earlier this year where I had to go through so much friggin paperwork it made my head hurt... because a user was going places with their federal laptop they should not have been.  I had to prove that I had not singled out this employee for investigation, but rather they had come to me... when their laptop stopped working.  (Anyone say... Viruses?)  I quickly discovered their computer full of... well, let's not go there.  Nonetheless, it was a friggin headache, and the user had brought the infected/filled computer to me.  Setting up an appliance that blanket covers the office is probably the best.  Blanket keylogging for a smaller organization is semi-doable I suppose though.
"Bad.. Good?  I'm the guy with the gun"
<<

divine

Newbie

Posts: 12

Joined: Mon Dec 11, 2006 5:11 pm

Location: Dallas

Post Thu Jun 19, 2008 1:54 pm

Re: HOW TO HACK GMAIL

oneeyedcarmen wrote: divine wrote: ...is very tricky to handle in court, because you have selected THAT employee for a level of monitoring beyond the rest of your employees it can also fall into the realm of discrimination.

It's been my impression, though I am a bit newer to this field than many of you, that for an organization to employ the use of keyloggers, it must be done across the entire operation.  Otherwise, not only will the evidence be inadmissible in court, but the company opens itself up to litigation.

I could be wrong, but that's the way I've always understood it.


Yes, that is exactly my point; you have to be able to prove that you had not singled out the employee, hence blanket coverage is the best way to go IMO.
-Jordan
CEPT, CREA, C|EH, MCSE:Security (too many others that I don't care about to list)