
Data security and privacy


Old Nov 30, 21, 2:59 pm
  #1  
Original Poster
 
Join Date: Jan 2015
Posts: 2,388
Data security and privacy

I broke this thread out as it doesn't really deal with USB-C and is an important topic. Mods feel free to merge if required...

Originally Posted by Visconti
Got it. This is very helpful. Sometimes, I have sensitive financial portals, apps and websites that I must access for long periods of time when away from home and office. While I couldn't care less who knew I'm on those sites, my concern is if any of the information or access becomes compromised, I'd have a problem on my hands. Oh, and, many years ago our IT person observed that I seemed to be on espn.com more than any other website, which caused a chuckle with those in the room. So, all things being equal, while I never go anywhere exotic, I'm one of those stubborn Americans who are zealous about his privacy,
So there are others on this board that are way way smarter and better informed than I am about this topic. But that said... If you see https in the address bar, the contents (in general) are encrypted and protected from whoever is the internet provider (hotel, coffee shop, airline). They can see where you went (and what time and for how long and other metadata) but not the contents (unless they have broken the encryption). If you add a VPN, the internet provider is now the VPN company. The hotel/coffee shop/airline only sees you have an encrypted connection to them. They won't know where you went. If you use something like Tor, same thing, the hotel/coffee shop/airline only knows you went to a Tor entry node. In the case of the VPN, they know where you went, but not the contents (unless they broke the encryption). Most VPNs claim that they don't log connections, but there are some that do due to laws/regulations and won't admit to it. Regardless,

Your IT guy might have found out depending on how your internet connection was structured... most likely a proxy of some sort (on premise or remote depending on when this was). Most companies don't look at the logs, but many will filter based on risk (mostly reputational but could also be "physical").

Now, to answer about sensitive portals/sites... It really depends on the client. Some of them have layer upon layer upon layer (and so on and so forth) of protection as the data is critical and could compromise a lot of people. For them, the most likely compromised place is sitting between the chair and the keyboard. There's phishing, keyloggers, people who don't like passwords (especially multiple passwords) and so on and so forth (that discussion would take a REALLY long time). Best thing when I'm asked is to question everything and have good computer hygiene. Keep your system up to date (as much as certain people think it's a great inconvenience...wait until they get compromised) and keep any anti-malware stuff up to date. Keep different passwords and always enable multi-factor authentication. If you archive stuff, make sure it's encrypted (if online) or taken offline (eg, USB keys or some other removable media). There are tools out there that can help you.

There are more things you can do depending on how paranoid you are... but let's keep this nice and simple (so far).
StuckInYYZ
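The "they can see where you went but not the contents" point above is concrete enough to show in code. The example below is added here and is not from the original post: it builds a minimal TLS ClientHello carrying a Server Name Indication (SNI) extension, the way a browser does when it opens an HTTPS connection, and then parses it the way a passive observer on the hotel or coffee-shop network would. The hostname is readable in that first cleartext packet; the URL path, cookies and form data travel only inside the encrypted records that follow. The hostname bank.example.com and the ClientHello layout (one cipher suite, zeroed random) are constructed for the demo and are not what any real browser sends.

```python
import struct

SNI_EXT_TYPE = 0x0000  # TLS extension "server_name" (RFC 6066)


class _Reader:
    """Bounds-checked cursor over a byte string; raises on truncated input."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated TLS data")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return int.from_bytes(self.take(2), "big")

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def done(self) -> bool:
        return self.pos >= len(self.data)


def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Construct a minimal ClientHello record (a demo stand-in for what a browser sends)."""
    extensions = b""
    if include_sni:
        name = hostname.encode("idna")
        # ServerName entry: name_type(1) = 0 (host_name) | name_len(2) | name
        server_name = b"\x00" + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(server_name)) + server_name
        extensions = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2)
        + bytes(32)                                   # random (zeroed; demo only)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """What a passive on-path observer reads from the first packet: the hostname, or None."""
    rec = _Reader(record)
    if rec.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                   # record-layer version
    hs = _Reader(rec.take(rec.u16()))
    if hs.u8() != 0x01:
        raise ValueError("not a ClientHello")
    body = _Reader(hs.take(hs.u24()))
    body.take(2 + 32)                             # client_version + random
    body.take(body.u8())                          # session_id
    body.take(body.u16())                         # cipher_suites
    body.take(body.u8())                          # compression_methods
    if body.done():
        return None                               # no extensions block at all
    exts = _Reader(body.take(body.u16()))
    while not exts.done():
        ext_type = exts.u16()
        ext = _Reader(exts.take(exts.u16()))
        if ext_type != SNI_EXT_TYPE:
            continue
        names = _Reader(ext.take(ext.u16()))
        while not names.done():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0:                    # host_name
                return name.decode("idna")
    return None


if __name__ == "__main__":
    hello = build_client_hello("bank.example.com")   # constructed sample
    print("observer sees hostname:", extract_sni(hello))
    print("without SNI the observer sees:", extract_sni(build_client_hello("bank.example.com", include_sni=False)))
```

Run it and the observer's view is just the hostname. The same hostname also leaks through the DNS lookup that precedes the connection, which is why a VPN (which carries both the DNS query and the handshake inside its tunnel) hides the destination from the local network. The newer Encrypted Client Hello extension moves the hostname into an encrypted part of the hello, but it only helps where both the browser and the site support it.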
Old Dec 3, 21, 7:47 am
  #2  
 
Join Date: Aug 2012
Posts: 5,591
YYZ - Thanks for explaining the VPN dynamics. As a non-IT/tech guy, I think I've now got a much better understanding of how the benefits work.

RE: Our IT guy - I think he thought it was something that would lighten up the mood, and I really didn't mind that much. But, afterwards, I told him in private to never do it again, to anyone. I suspect, he got the message loud and clear.

RE: Key Loggers - I'm using a program to manage all of my passwords. It's called 1Password, and if I recall, a Canadian company? Anyway, I think I've read they claimed key loggers are rendered ineffective when using the program in its native environment. I have noticed that after pasting a password, it clears the clipboard shortly afterwards, though even prior to using this program, I've always manually cleared it.

Thanks again for your insights on this. It's very helpful, and greatly appreciated.
Visconti
Old Dec 3, 21, 10:57 am
  #3  
Original Poster
 
Join Date: Jan 2015
Posts: 2,388
Originally Posted by Visconti
RE: Key Loggers - I'm using a program to manage all of my passwords. It's called 1Password, and if I recall, a Canadian company? Anyway, I think I've read they claimed key loggers are rendered ineffective when using the program in its native environment. I have noticed that after pasting a password, it clears the clipboard shortly afterwards, though even prior to using this program, I've always manually cleared it.

Thanks again for your insights on this. It's very helpful, and greatly appreciated.
No worries.

Regarding keyloggers... 1Password is a Canadian company, but don't let that necessarily encourage you. Let's deal with the keylogging first. Key loggers usually just record the physical keys used. The reason you've been told they can be rendered ineffective is because of this. If you copy/paste your password (or in some apps, hotkey or use memory resident functions) they only see copy and paste. Here's the rub though. If your app stores the password in a local file and your system gets compromised (AND they know which app you use), it is possible to still steal your password(s)... They just need to copy your password file from your computer and they already have your master password. A bit of paranoia for sure, but still something to be aware of. If your passwords are kept in the cloud, in theory, they should be safe (if the claims of encryption are to be believed), however, you won't have access if you are offline (I mention this because you could have locally encrypted files being managed such as excel or word files).

There are ways to mitigate the issues of both methodologies, but it's a balance between convenience and security that you have to decide on your own which you subscribe to.

Now, back to the companies. Most commercial password companies use analytical software and it's been raised that there are some privacy issues with most of them. LastPass was used as an example... they had seven components that gathered data on its users. I forget which one, but there was another popular password manager that had something like 11 components... It doesn't matter where they're from (as technically all countries have some sort of law that could force a company to give up at least some information about its users), but it could be a concern...
StuckInYYZ
Old Dec 8, 21, 8:34 pm
  #4  
 
Join Date: Sep 2008
Location: PAE
Posts: 300
Since the IT guy was mentioned: it also depends on what device you were using to access those sites. If it is something managed by your company (there are various ways to do that - domain membership, MDM, MobileIron or similar for phones, etc.), IT/the company can have access to virtually anything - whatever you type, send or receive. VPN/HTTPS are not a factor anymore since they can either collect the data on your device after decryption, or use other means to decrypt the traffic without causing warnings. Depending on where you live/work, the expectations to disclose any of those to employees may vary from fairly rigid to none. At all places where I have worked, looking at someone's data for no reason, or discussing what that data is in public, would have been a huge problem for whoever did it. I have been lucky with where I have worked though, and I can imagine that things are not so nice at other places.
milski
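The "decrypt the traffic without causing warnings" part of the post above works because a managed device has the company's own root CA installed in its trust store, so the inspection proxy can mint a certificate for any site on the fly and the browser accepts it. One way to see that from the client side, as an added example that is not from the post: connect with the OS trust store (so the handshake succeeds exactly as the browser's would) and look at who issued the leaf certificate. A public site's certificate is issued by a public CA and carries OCSP/AIA URLs; a locally minted one is issued by something like "Example Corp TLS Inspection CA". The issuer allowlist is a short, constructed heuristic, the two sample certificates are constructed in the dict shape `ssl.getpeercert()` returns, and the "Example Corp" names and URLs are made up for the demo.

```python
import socket
import ssl

# Organisations one expects as issuer for a public web site.
# Constructed allowlist for this demo, deliberately short; extend it for real use.
PUBLIC_CA_ORGS = {
    "DigiCert Inc", "Let's Encrypt", "Sectigo Limited",
    "GlobalSign nv-sa", "Amazon", "Google Trust Services LLC",
}


def _rdn_to_dict(rdn_sequence) -> dict:
    """Flatten the nested tuple form of getpeercert()'s 'subject'/'issuer' into a dict."""
    out = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            out[key] = value
    return out


def interception_indicators(peercert: dict, public_orgs=PUBLIC_CA_ORGS) -> list:
    """Return reasons this certificate looks like it was minted by a local inspection CA
    rather than a public CA. An empty list means nothing suspicious was found.
    Heuristic only: a trusted-but-private issuer is exactly what a managed device shows."""
    issuer = _rdn_to_dict(peercert.get("issuer", ()))
    subject = _rdn_to_dict(peercert.get("subject", ()))
    reasons = []
    org = issuer.get("organizationName", "")
    if org not in public_orgs:
        reasons.append(f"issuer organization {org!r} is not a known public CA")
    if issuer and issuer == subject:
        reasons.append("leaf certificate is self-signed")
    if not peercert.get("OCSP") and not peercert.get("caIssuers"):
        reasons.append("no OCSP/AIA URLs; public CAs include them, inspection CAs usually do not")
    return reasons


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (network). Uses the OS trust store on purpose: if a corporate root is
    installed, the handshake succeeds and the returned issuer shows who terminated TLS."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the dict shape getpeercert() returns.
GENUINE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "Example Public TLS CA"),)),
    "OCSP": ("http://ocsp.example-ca.test",),
    "caIssuers": ("http://cacerts.example-ca.test/ca1.crt",),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp TLS Inspection CA"),)),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label + ":", interception_indicators(cert) or ["no indicators"])
```

On a managed laptop, `interception_indicators(fetch_peercert("www.bank.example"))` would return the "not a known public CA" reason for every site the proxy inspects; on a personal machine it should return an empty list. The manual equivalent is clicking the padlock in the browser and reading the issuer, or running `openssl s_client -connect host:443 -showcerts` and comparing the chain against what the same site presents from an unmanaged network. Note that this only catches network-side inspection; an endpoint agent that reads data on the device after decryption, which the post also mentions, is invisible to any check on the TLS connection.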
Old Dec 9, 21, 9:24 am
  #5  
 
Join Date: Aug 2012
Posts: 5,591
Originally Posted by milski
IT/the company can have access to virtually anything - whatever you type, send or receive. VPN/HTTPS are not a factor anymore since they can either collect the data on your device after decryption, or use other means to decrypt the traffic without causing warnings. Depending on where you live/work the expectations to disclose any of those to employees may vary from fairly rigid to none.
Thanks!

This is very helpful to help me understand this stuff better. Our firm's internal policy is that nothing should be disclosed without a clear business purpose for doing so. As I've said, my penchant for browsing on espn.com was meant to bring some levity to an otherwise dry meeting. He probably felt I wouldn't mind, and I didn't; however, I've made it clear they had better not do it again, to anyone.
Visconti
