Reminder from your friendly SOC analyst.

NEVER do anything personal on your work provided devices. Modern Endpoint Detection and Response (EDR) solutions such as Crowdstrike or Palo Alto Cortex XDR can and will see everything you're doing, including going so far as to decrypt your HTTPS traffic to snoop on it.

@cyberfarmer Conversely, don't do anything work-related on your personal devices. It will never work out in your favor and you don't get paid enough for that shit.

@cyberfarmer Even worse than that. We already had the MITM https snooping since some time. But earlier this week they've also installed a tool which will apparently record "definitive" evidence of IP theft (i.e. takes screenshots and recordings in case the "employee does anything other than his/her usual usage pattern").

@kc @mogwai @cyberfarmer Read the AUP signed when you got the device, most places do this annually too. Also, any device provided by a company has zero expectation of privacy from court case precedence, at least here in the US.

@JSkier @mogwai @cyberfarmer at least in the EU there are still restrictions on this kind of thing. It's already been determined that a user's mailbox is considered personal (there are exceptions) your employer can't look at anything on the device marked as personal, and you can't just record what you feel when you feel it. More importantly if you do record it has to be clear and can't be hidden somewhere in a handbook or contract

@kc @JSkier @mogwai Welcome to the US, where we have the freedom to be surveilled 24x7 by merely working at a job

@kc @mogwai @cyberfarmer If it's their server(s) or storage device(s), one should probably not put your personal stuff on it. Yes, there are exceptions to this in unique cases, but it's a good rule of thumb just not to do it, IMO.

@JSkier @kc @cyberfarmer Indeed. I don't have any personal stuff on there anymore.

This is EU by the way. Several people asked about the legality, but according to HR it's compliant with all rules and regulations...

@mogwai @JSkier @cyberfarmer sounds like a simple call to your local data regulator can confirm if that's correct (or possibly even trigger a visit from them)

@cyberfarmer wait, how do they decrypt it? Do the work provides devices have a certificate they use to MITM?

@Byte Could be any number of ways honestly. I know host based decrypting isn't hard tho.

For example on Linux you can dump the SSL encryption keys for any program running curl/libcurl by setting the environment variable "SSLKEYLOGFILE=/path/to/key". Then combine those keys with the captured traffic in wireshark and boom all your data is now cleartext

@cyberfarmer oh, so you can save the keys programs on the device used?

@cyberfarmer would that risk the data being accessible by other people, also, or just the person capturing the keys?

@Byte Whoever has access to the keys can decrypt the data.

And yeah that's just one example. Most of these Endpoint Detection and Response programs run at the kernel level so really they could be doing it in any number of ways

@cyberfarmer wait, so they run on the kernel level on the device being monitored? Then they can just grab the data before it’s even encrypted.

@Byte Some of them probably. There's a lot of different programs and most are totally closed source so who knows really I need to revisit firewalling my work laptop, it's more than a little bit unnerving that it has a rootkit on it that promises to scan the local network

@evelyn @cyberfarmer I recommend having two networks at your house: One for your trusted devices and one for guests. Your work machine is a guest.

@carcinopithecus I think some might be able to be seen in Windows Task Manager or the Program Uninstaller but I'm sure some could evade detection. You could always reach out to your IT department and ask if they use an EDR/MDR solution. If they say yes than it's likely one of these programs are installed.

And side note, not all employers snoop as much as others. I know in Crowdstrike for example HTTPS decrypting has to be turned on explicitly.

What if they gave me just the hardware, and I have setup there system on my own, can the network monitoring do something so intrusive then?

Sign in to participate in the conversation

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.