07-31-2007, 06:23 PM   #1
BigV
Ten things your IT department won't tell you.

Sometimes these links disappear, so I'll repeat part of the excellent article.

Quote:
Originally Posted by WSJ part one of two
Admit it: For many of us, our work computer is a home away from home.

It seems only fair, since our home computer is typically an office away from the office. So in between typing up reports and poring over spreadsheets, we use our office PCs to keep up with our lives. We do birthday shopping, check out funny clips on YouTube and catch up with friends by email or instant message.

And often it's just easier to accomplish certain tasks using consumer technology than using the sometimes clunky office technology our company gives us -- compare Gmail with a corporate email account.

[Video: Security expert Mark Lobel of PricewaterhouseCoopers describes the most common things employees do on the internet to jeopardize company security.]

There's only one problem with what we're doing: Our employers sometimes don't like it. Partly, they want us to work while we're at work. And partly, they're afraid that what we're doing compromises the company's computer network -- putting the company at risk in a host of ways. So they've asked their information-technology departments to block us from bringing our home to work.

End of story? Not so fast. To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. Specifically, we asked them to find the top 10 secrets our IT departments don't want us to know. How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software.

But, to keep everybody honest, we also turned to security pros to learn just what chances we take by doing an end run around the IT department.

For hacking advice, we asked Gina Trapani, editor of Lifehacker.com, an online guide to being more productive on the Web; Leon Ho, editor of Lifehack.org, a blog with a similar mission; and Mark Frauenfelder, founder of the wide-ranging blog BoingBoing.net and editor of the do-it-yourself technology magazine Make.

To find out the risks, we talked to three experts who make a living helping IT departments make the rules and track down the rogue employees who break them. They are: John Pironti, chief information risk strategist at Amsterdam-based IT-consulting firm Getronics NV; Mark Lobel, a security expert in PricewaterhouseCoopers's advisory practice; and Craig Schmugar, a threat researcher at security-software maker McAfee Inc.

Here, then, are the 10 secrets your IT department doesn't want you to know, the risks you'll face if you use them -- and tips about how to keep yourself (and your job) safe while you're at it.

* * *

1. HOW TO SEND GIANT FILES

The Problem: Everybody needs to email big files from time to time, everything from big marketing presentations to vacation photos. But if you send anything larger than a few megabytes, chances are you'll get an email saying you've hit the company's limit.

Companies cap the amount of data employees can send and store in email for a very simple reason: They want to avoid filling up their servers, and thus slowing them down, says messaging-research firm Osterman Research Inc., of Black Diamond, Wash. And getting your company to increase your email limit can be a convoluted process.

The Trick: Use online services such as YouSendIt Inc., SendThisFile Inc. and Carson Systems Ltd.'s DropSend, which let you send large files -- sometimes up to a few gigabytes in size -- free of charge. To use the services, you typically have to register, supplying personal information such as name and email address. You can then enter the recipient's email address and a message to him or her, and the site will give you instructions for uploading the file. In most cases, the site will send the recipient a link that he or she can click to download the file.

The Risk: Because these services send your files over the Web, they're outside of your company's control. That makes it easier for a wily hacker to intercept files during their travels.

How to Stay Safe: Some of the services are more reputable than others. YouSendIt, for instance, is a start-up run by a former Adobe Systems Inc. executive and funded by well-known venture-capital firms. Others offer little information on their sites about themselves and could be more susceptible to security holes that could let a hacker steal your information.

If the site's backers aren't immediately apparent, there are other clues that can help. Look for a "secure" icon -- in Internet Explorer, it's a little lock on the bottom of the screen -- which signifies that the site is using encryption to protect its visitors' confidential information. A logo from a security company such as VeriSign Inc., meanwhile, means VeriSign has confirmed the identity of the site's owner.

* * *

2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON'T LET YOU DOWNLOAD

The Problem: Many companies require that employees get permission from the IT department to download software. But that can be problematic if you're trying to download software that your IT department has blacklisted.

The Trick: There are two easy ways around this: finding Web-based alternatives or bringing in the software on an outside device.

The first is easier. Say your company won't let you download the popular AOL Instant Messenger program, from Time Warner Inc.'s AOL unit. You can still instant-message with colleagues and friends using a Web-based version of the service called AIM Express (AIM.com/aimexpress.adp). There's also Google Inc.'s instant-messaging service, Google Talk, accessible at Google.com/talk. There are Web-based equivalents of software such as music players and videogames, too -- typically, skimpier versions with fewer features than the regular programs.

The other approach to this problem is more involved but gives you access to actual software programs on your computer. All three of our experts pointed to a company called Rare Ideas LLC (RareIdeas.com), which offers free versions of popular programs such as Firefox and OpenOffice. You can download the software onto a portable device like an iPod or a USB stick, through a service called Portable Apps (PortableApps.com). Then hook the device up to your work computer, and you're ready to go. (But if your company blocks you from using external devices, you're out of luck.)

The Risk: Using Web-based services can be a strain on your company's resources. And bringing in software on outside devices can present a security problem. IT departments like to keep track of all the software used by employees, so that if a bug or other security problem arises, they can easily put fixes in place. That's not the case if you've brought the program in on your own.

Another thing to keep in mind: Some less reputable software programs, especially underground file-sharing programs, could come loaded with spyware and make it possible for your own files to leak onto the Web.

How to Stay Safe: If you bring in software on an outside device, says Mr. Lobel, make sure you at least tweak the security settings on your computer's antivirus software so that it scans the device for potential threats. That's easy to do, usually through an Options or Settings menu. Likewise, if you use a file-sharing service, set it up so that others can't access your own files, also through an Options or Settings area.

* * *

3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS

The Problem: Companies often block employees from visiting certain sites -- ranging from the really nefarious (porn) to probably bad (gambling) to mostly innocuous (Web-based email services).

The Trick: Even if your company won't let you visit those sites by typing their Web addresses into your browser, you can still sometimes sneak your way onto them. You travel to a third-party site, called a proxy, and type the Web address you want into a search box. Then the proxy site travels to the site you want and displays it for you -- so you can see the site without actually visiting it. Proxy.org, for one, features a list of more than 4,000 proxies.

Another way to accomplish the same thing, from Mr. Frauenfelder and Ms. Trapani: Use Google's translation service, asking it to do an English-to-English translation. Just enter this -- Google.com/translate?langpair=en|en&u=www.blockedsite.com -- replacing "blockedsite.com" with the Web address of the site you want to visit. Google effectively acts as a proxy, calling up the site for you.

The Risk: If you use a proxy to, say, catch up on email or watch a YouTube video, the main risk is getting caught by your boss. But there are scarier security risks: Online bad guys sometimes buy Web addresses that are misspellings of popular sites, then use them to infect visitors' computers, warns Mr. Lobel. Companies often block those sites, too -- but you won't be protected from them if you use a proxy.

How to Stay Safe: Don't make a habit of using proxies for all your Web surfing. Use them only to visit specific sites that your company blocks for productivity-related reasons -- say, YouTube. And watch your spelling.

* * *
__________________
Be Just and Fear Not.
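
Added example, not part of the original post or the quoted article: a defender's check for the translation-as-proxy request described in item 3, run over web-proxy log lines. It pulls the embedded `u=` destination out of each translate request, tests it against the site blocklist, and flags same-language pairs such as `en|en`. The `user url` log format, the blocklist contents, the list of translate hosts and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed policy data for this example (assumptions, not from the article).
BLOCKED = {"youtube.com", "blockedsite.com"}
TRANSLATE_HOSTS = {"google.com", "www.google.com", "translate.google.com"}

# Constructed sample log, one "user url" pair per line.
SAMPLE_LOG = [
    "alice http://www.google.com/translate?langpair=en|en&u=www.blockedsite.com",
    "bob http://www.google.com/translate?langpair=fr%7Cen&u=http%3A%2F%2Fwww.example.fr%2F",
    "carol http://www.google.com/search?q=translate",
    "dave http://google.com/translate?langpair=en%7Cen&u=http://m.youtube.com/watch",
]

def _split(url):
    """Parse a URL that may have been logged without a scheme."""
    return urlsplit(url if "://" in url else "http://" + url)

def embedded_target(url):
    """Return (host, same_language) for a translate request, else None."""
    parts = _split(url)
    if (parts.hostname or "").lower() not in TRANSLATE_HOSTS:
        return None
    if not parts.path.startswith("/translate"):
        return None
    params = parse_qs(parts.query)  # also decodes %7C, %3A, %2F
    target = params.get("u", [""])[0]
    if not target:
        return None
    pair = params.get("langpair", [""])[0].split("|")
    # Translating a language into itself serves no purpose except relaying the page.
    same_language = len(pair) == 2 and pair[0] != "" and pair[0] == pair[1]
    return (_split(target).hostname or "").lower(), same_language

def is_blocked(host):
    """Match the blocked domain itself and any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED)

def review(log_lines):
    """Return (user, embedded_host, blocked, same_language) per translate request."""
    findings = []
    for line in log_lines:
        user, url = line.split(None, 1)
        hit = embedded_target(url.strip())
        if hit is not None:
            host, same_language = hit
            findings.append((user, host, is_blocked(host), same_language))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Applying the blocklist to the embedded host rather than the requested host is what closes the gap: the outer request goes to an allowed domain, so a filter that looks only at the requested host passes it.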