So, bit of a super embarrassing story. I was logged onto the corporate VPN for my company from my PERSONAL COMPUTER doing some work on my mobile desktop. I closed the mobile desktop, but didn’t log off the VPN before looking at porn late at night (like 11pm). I put my computer to sleep, woke up this morning, and saw a message that my VPN had been logged off due to inactivity. This means that the thing was running the whole time last night. Now it is safe to say that I am completely freaking out, and I have several questions.
- What can the IT people actually see happened?
- Would they have access to every URL that went through, even though this was entirely on Incognito mode, or would they just be able to track the initial searches?
- If this wasn’t being tracked in real time (I doubt anyone else was awake at 1am), how much digging would they have to to find this?
- I never received any sort of firewall blocking for these NSFW sites, so what are the chances that the IT guy was seeing red flag warnings?
Are they using split-tunneling, or are they forcing ALL of your traffic across the tunnel? If the latter, yeah they got you. If the former, no worries as only traffic destined for your work’s internal network should be traversing the VPN.
As a network admin, I do the former, as there is
no need to waste my bandwidth on your internet browsing…
It will depend on how the VPN is configured to handle traffic. This will be VPN software dependent, but there are basically two modes when the VPN is on.
-
All traffic from your computer goes to your company network then out to the Internet. In this mode, your traffic can be logged and monitored, so the sites visited captured (not necessarily the content if over https). This is not very common, as it would result in overly burdening the corporate vpn traffic, and possibly make just general internet browsing slow (since it has to travel through the VPN and back).
-
Only specific work related traffic goes over the VPN to your office. In this scenario, if you go to a non work related site, the traffic is not monitored or captured. This is probably the most common VPN configuration for companies.
Now, if your VPN takes of DNS resolution, then in both scenarios, they could track domains that are getting resolved.
You can test the scenario by doing a traceroute with and without the VPN. For example, do a traceroute to say CNN (on windows, in a cmd prompt: TRACERT CNN.COM) with VPN of and on. If the route is the same, then it is the second scenario.
Figuring out DNS is a little more complicated, and you’d need to know how to read the output of “ipconfig /all” or nslookup to see what your DNS servers point to with and without VPN on.
If the IT people say anything just tell them you were testing their Firewall and Proxy services and that you have to report that they failed miserably and suggest that they fix it as soon as possible.
Depending on what you were watching there could be some embarrassment and every time you see the IT person you’ll be wondering if they know about your porn habits but if you were on your own time and in you own home you’ll probably be okay (I’m assuming whatever you were watching isn’t illegal in your Country).
I know our IT only really seem to check the logs of sites that get blocked so if you were allowed to connect it may not get flagged for review.
When the it guy did a good job, porn sites would be blocked. I don’t know what VPN Software you use, but there is a chance that Split tunneling is enabled, that means only work traffic(file-shares, Intranet, RDP Sessions) is going through VPN .
They can see everything, but I wouldn’t worry. I think mostly they look for people stealing proprietary intel and stuff. If it makes you feel better, I used to look at hentai on the corporate wifi in the office (unencrypted) for years, and no one said anything.
They can see everything. As an IT guy and other IT guys have already said, most likely they won’t care unless you are into some sick stuff like pedophilia, etc.
Otherwise the worst that happens is that the people in the IT department will be laughing at you in the office and maybe see a smirk in their faces when you pass one by in the hallway.
So that was you last night!
Greatly depends on what infrastructure your company has in place and how everything is configured. Some places just have a VPN with no traffic filtering or monitoring. Other places monitor DNS queries and have automatic alerts setup when someone accesses forbidden material or services.
Does your company contract external IT, or do you only have an internal team? Is it actually a team or just one guy? How big is your company?
You are fucked bro, hope it was worth it…
Would they have access to every URL that went through
They can’t see the URL or what else you did on the website. At most, they can see you visited the X.Y.Z website, which can also be problematic if it goes again company policy.
Yeah as everyone here says, it really depends on how the VPN and stuff is set up. They could log all of your traffic or only some of it, and chances of them doing live monitoring is probably small, but logs will probably tell them. For now, just don’t say anything or do anything rash if they don’t bring it up. You’re probably not the first to do this.
Next time, just try to separate work from private especially if you use the same machine. Definitely create a work profile on Windows/Mac/Linux and keep that for work, and another for you. If you do simple stuff for work, it’s probably better to go on eBay or find some cheap computer/laptop and use that for work, or use a virtual machine for work. This way you’ll minimize your chances of getting in trouble at work for looking at porn or being “distracted”.
Unless you were looking at something illegal that could get them in trouble with their ISP, or someone has a vendetta against you, chances are they don’t care.
Start getting some interviews lined up just in case my dude
I am the IT guy and this is an accurate statement.
Is there a proper way to test this? I logged onto my VPN and Googled “What is my IP address” and it gave me a number that was different from the virtual machine IP and the sequence of numbers I plug into the VPN setup itself. When I logged off the VPN, the IP address did not change.
Yes, but the chances are slim to none. There’s a lot of data and no one generally actively looks through it.
I’m just worried that at midnight on a Friday, there is a lot less data moving, so it’s a much smaller haystack to find the needle(s).
Depends on how many people use VPN and how much data is passing through their VPN logs.
Very few and very little, actually. The company only has a few dozen people, and the number using the VPN at one time can probably be counted on one hand, if not one finger in my case.
So, I tried two different things and got two different results.
Going off the IP address method, it looks like being on the VPN has no bearing on my IP address. The IP address is different from the VPN IP address and the virtual desktop IP address.
HOWEVER
When I do the TRACERT method, the route to “google.com” was different when I was logged on to the VPN versus when I was not logged on.
Does this indicate that the VPN does not use a split tunnel?
If the IT people say anything just tell them you were testing their Firewall and Proxy services and that you have to report that they failed miserably and suggest that they fix it as soon as possible.
Yeah… they know how inept I am with technology, so unfortunately I don’t think that is going to fly.
