What's the last piece of software you'd expect to spy on you? Maybe your enterprise security suite? Bad news

Enterprise security, analytics, and hardware management tools - the very tools used to keep data safe - are collecting and sharing far more information than customers might think. So says the team from ExtraHop, an analytics firm that studied the networks of its customers and found that in many cases their security and …

  1. djvrs

    AV owned by a Gov

    All you need is government to own an AV product and they have access to everything on everyone's systems that use it...... Result

    1. Jason Brooks

      Re: AV owned by a Gov

      Didn't the US gov force Microsoft to silently add backdoors in the OS years ago? They also forced Yahoo to create backdoors and told them to be quiet or close down. All this came out of the Snowden revelations.

      1. Tom Paine Silver badge

        Re: AV owned by a Gov

        I really recommend doing a bit more background reading on that.

    2. Anonymous Coward

      Re: AV owned by a Gov

      would save having umpteen tools that look like they do the same thing but have promised to do things subtly different.

  2. Wibble

    Stop spying on me!

    What rights does an employee have over the data slurped from their company laptop? For example personal emails read on that machine.

    Can they demand to know what data's being slurped/stored?

    1. djvrs

      Re: Stop spying on me!

      Should be written in the company's IT policies

      1. big_D Silver badge
        Black Helicopters

        Re: Stop spying on me!

        Agreed. It should be defined.

        And, in general, management / other employees shouldn't be able to read your email, although there may be extenuating circumstances, such as if you are long term sick or on extended leave and your emails/documents need to be checked to ensure the smooth running of the business. But, again, that needs to be defined in the IT guidelines, which you receive when starting at the company.

        On the other hand, we often get paranoid users saying that they are sure management are reading their email. We then politely point out that management doesn't have enough time in the day to do that...

        Or the BOFH answer: we could look at your emails, if we wanted to, but they are too boring for us to bother...

      2. GnuTzu Silver badge

        Re: Stop spying on me! -- No Reasonable Expectation of...

        Every place I've worked makes it very clear. {insert mantra here.} But, then I work in places that have to comply with industry infosec standards--which make it very clear that there have to be clear policies--ones that users must sign off on--annually--with annual training. In fact, I'm so used to this that it hadn't occurred to me how many lame companies might well be out there.

        1. Anonymous Coward

          Re: Stop spying on me! -- No Reasonable Expectation of...

          In theory, I too work for a firm and in an industry that gets pretty close regulatory attention. We're pretty big (between 1000 - 10,000 users) and we STILL don't have an AUP or sane, properly communicated user-level security policies. No doubt there's enough small print in everyone's employment contract to cover the situation where, e.g., they decide they want to get shot of someone and go fishing through their mail for some kind of justification. (Of course, that would never happen in real life. Oh no.)

      3. Mr Humbug

        Our policy makes it clear that anything we do on IT equipment and services provided by the company is not private. We are allowed reasonable personal use, but it's monitored and certain events (such as file uploads to non-company web server - we trust but verify) generate an alert that is then investigated.

        I don't mind because I get the alerts and do the investigating, but I've had to remind a few people that there is monitoring and, while their personal use is perfectly acceptable and I'm not going to gossip about their personal lives, they might not be comfortable with me knowing everything I've seen.

    2. fargonebastage
      Coat

      Re: Stop spying on me!

      Don't access personal accounts at your job. The corporation is very likely capturing whether it is encrypted or not. You also have coworkers that have nothing better to do than to fiddle with their colleagues equipment.

      1. big_D Silver badge

        Re: Stop spying on me!

        For our smartphones, the policy is no third party apps, no private data on company phones and no company data on private phones.

        For email, we are warned that we can use the company account for private emails, but we have to remember that in an emergency a supervisor can be given temporary access to the account to retrieve business critical emails.

        That said, the company also tends to set up departmental accounts for important functions, such as purchasing, sales etc.

        1. Jay 2

          Re: Stop spying on me!

          Yeah, I think the general line here is don't have anything in your email that you'd rather not have read out in court. Unlikely to happen, but you never know.

          1. Tom Paine Silver badge

            Re: Stop spying on me!

            The point isn't that your mail's likely to be read out in court; it's a test to see whether it would be awkward or embarrassing if your boss or co-workers saw it.

        2. Nunyabiznes Silver badge

          Re: Stop spying on me!

          Ours is similar.

          We have a mandate to archive, in a manner that is immediately accessible, all email for all time. Right now we have ~28 years worth. We are warned that all email is discoverable (legally) and that you should not use work email for personal reasons (common sense there). Supervisors are routinely given access to worker email for one reason or another.

          1. JohnFen Silver badge

            Re: Stop spying on me!

            "Right now we have ~28 years worth."

            You have me beat! I've been keeping all my personal email for years, and recently decided to see how far back my archives go. I only have ~20 years of emails.

          2. steviebuk Silver badge

            Re: Stop spying on me!

            Not in the EU then, I assume? As GDPR states you shouldn't keep info for longer than needed. So if you were in the EU and I'd emailed you 5 years ago, I could technically do a SAR request on all emails containing my name and then a Right To Be Forgotten request to ask you to delete those.

            If not in the EU and not dealing with EU people, then you can ignore what I've just written.

            1. Sir Runcible Spoon Silver badge
              Coat

              Re: Stop spying on me!

              Is GDPR retroactive? I didn't think it was, but it wouldn't be the first time I was right.

              1. Tom Paine Silver badge

                Re: Stop spying on me!

                It applies to the data you, I mean a Data Controller, was holding at the time GDPR came into force, if that's what you mean. So stuff you collected without a GDPR-compliant "lawful basis" is now in breach, yes. (I'm not a lawyer but that's my understanding.) Yes I realise this puts probably 9/10 orgs into breach immediately.

            2. MachDiamond Silver badge

              Re: Stop spying on me!

              "As GDPR states you shouldn't keep info for longer than needed"

              If the company has contracts with the government, especially military contracts, "needed" is forever. The same might apply to any high tech company that must track purchases and materials for the life of the products they sell. Think aerospace/aircraft. That's also at least decades.

              Best thing is to not use your company supplied tech for personal business. If your supervisor notices you're sending out resumés, you may need that new job sooner than you wished.

            3. Roland6 Silver badge

              Re: Stop spying on me!

              > I could technically do a SAR request on all emails containing my name and then a Right To Be Forgotten request to ask you delete those.

              You could, but were your emails from a business address to me at a business address or personal/private address...

              GDPR, like many things, seems simple but the devil is in the detail.

            4. aks Bronze badge

              Re: Stop spying on me!

              I assume that what's needed is a company review procedure (annually?) where the decision is made about how long the data is needed. Personally, it's forever, certainly more than 20 years but incomplete.

          3. big_D Silver badge

            Re: Stop spying on me!

            We have to delete all emails over 10 years old.

      2. GnuTzu Silver badge

        Re: Stop spying on me!

        Don't be like one of those people who used their work email for Ashley Madison.

        1. Anonymous Coward

          Re: Stop spying on me!

          Don't be like one of those people who used their work email for Ashley Madison.

          No problem. We use the work email for pornhub.

      3. Steve Davies 3 Silver badge

        Re: Stop spying on me!

        This

        Don't access personal accounts at your job.

        Should be amended to

        Don't access personal accounts at your job using company-owned computer or network equipment.

        By all means (during permitted breaks) use your own phone (and data allowance) to read your own emails. Don't use the company WiFi.

        Then everything you do is separate from the company and is outside their permitted snooping.

    3. Zippy´s Sausage Factory

      Re: Stop spying on me!

      Usually you sign an IT document stating that they can read all the email and web traffic you do at work.

      However in this case they're also talking about stealing corporate information too - trade secrets, patient records (*cough* HIPAA *cough*), that sort of thing. About that corporations will care...

      1. Flywheel Silver badge

        Re: Stop spying on me!

        I think it's a reasonable expectation that if you're at work and using their computing facilities, whatever you type in/get back will be captured and maybe stored. Just don't do it.

    4. Anonymous Coward

      Re: Stop spying on me!

      The problem here isn't your employer reading your emails (as others say, it should be company policy), it's data being slurped by others outside your company.

      1. GnuTzu Silver badge

        Re: Stop spying on me!

        Have your proxy admin block trackers for the whole company--especially the replay services.

    5. JohnFen Silver badge

      Re: Stop spying on me!

      In the US, if you're using company equipment, then your employer can legally look at everything that you do on that equipment. This is also usually explicitly spelled out in your employment agreement.

      This is why you should never use company equipment (including the company network and internet feed) for personal use or communications, ever. I use my smartphone (on my own data plan) when I have to do any personal stuff at work.

      1. veti Silver badge

        Re: Stop spying on me!

        This is one of the important differences between US and European regimes. In Europe you have an explicit, though limited, right to privacy at work, even from your own employer.

        1. Sir Runcible Spoon Silver badge

          Re: Stop spying on me!

          That might well be the case, but I wouldn't rely on it.

          1. Anonymous Coward

            Re: Stop spying on me!

            You're correct. A sufficiently bent admin would simply take a snapshot of a domain controller and a snapshot of the email server... and restore them both onto a new, isolated network. Then it's simply a matter of resetting your password, logging in as you, and reading all of your personal email. Once the admin has what they were looking for, it's a trivial matter to delete these VMs and you'll never know that your account was accessed, because the system event logs never reached your company's log server.

            On the other hand, this is the best method to use if you have a complicated update or change scenario to implement. You simply clone all of the necessary pieces onto a separate, isolated network and you can then run through the process, documenting every little thing. You won't have to translate computer names, ip addresses, service account names from your test environment when writing the change documentation because you're using copies of the actual systems.

      2. Anonymous Coward

        Re: Stop spying on me!

        This is why you should never use company equipment ... for personal use or communications, ever.

        This is why I have my own personal toilet bowl next to my desk for personal use. Since I don't have personal flushing water, I tend to leave my turd there after use.

        For some reason, all my colleagues look funny when they come to my desk. Not to mention, management has decided to move my desk closer to the restroom...

        /joke

        1. Sir Runcible Spoon Silver badge
          Unhappy

          Re: Stop spying on me!

          Why did you put the /joke on? I was enjoying the mental imagery of all the flies buzzing around and the *actual* aroma lines wafting through the air, and you went and spoiled it.

      3. eldakka Silver badge

        Re: Stop spying on me!

        This is why you should never use company equipment (including the company network and internet feed) for personal use or communications, ever.

        Well, I'd say for personal use that you care whether it is intercepted by work.

        For example, I read the register from my work desktop daily, or catch up on the news via typical news sites on slow days. I don't care if my employer sees that.

        And sometimes if I read something interesting while at work, e.g. an article on VPNs, or a good place to buy Pi accessories, something I wouldn't want to be accessing on company resources, I'll use my work email to send that link to my personal email for further use when at home, since I can't access personal emails at all on work equipment (webmails are all blocked, can't connect to external mail providers, etc.; this is why I find the Register's use of email as a means of reporting errors in stories unusable, as I can't access personal email at work, and I won't use work email for that, and I'm not so keen as to revisit it once I get home from work to then use the corrections email link).

        I don't care if my work sees those.

        But I don't use work to access porn, or politically sensitive sites (e.g. wikileaks), or streaming sites (netflix, youtube, etc.), or things I have to login to with accounts I care about like online banking, or social media, or gaming sites, (most of everything I've just mentioned, except banks, are all blocked at the proxy server anyway).

        But for general news browsing/reading, including account logins to news sites if I decide to comment? Bleh, work can see that.

        1. Sir Runcible Spoon Silver badge

          Re: Stop spying on me!

          Most* company proxy intercepts for encrypted traffic will exclude sensitive sites such as banks and NHS websites etc.

          *In my experience, ykmmv*

          *I went metric for the lulz

          1. eldakka Silver badge

            Re: Stop spying on me!

            Most* company proxy intercepts for encrypted traffic will exclude sensitive sites such as banks and NHS websites etc.

            Oh yes, my employer claims this as well - and you can check it by looking at the certificate chain for the website you are on, as if it is intercepted, there'll be the organisation's proxy server certificate in the chain. However, this is a pain to do repeatedly, because even if, when you first went to the banking site, the certificate chain checked out, you'd have to check it every single time to make sure they haven't changed that rule, and that would get old real fast.

            Also, it's not just the proxy that could get your details. Since you are using a work laptop, there could be a corporate keylogger or other monitoring software (the biggest threat to corporations is inside exfiltration rather than an external hacker) running for security, so even though the comms might be secure, the desktop isn't.

            So best not to risk it really. But if I desperately need to access something like my bank account from work, I can use my personal phone instead, or pull my personal tablet out of my bag and use that. Which hopefully is a rare event :)

            1. Tom Paine Silver badge

              Re: Stop spying on me!

              Corporate keylogger? You're worried that your employer's recording every keypress on every system in the organisation, and then filtering / reviewing them? Relax, they're really not.
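The check eldakka describes above (is the site's certificate chain anchored in the organisation's proxy CA rather than a public root?) can be automated rather than eyeballed in the browser each time. The following Go program is an added example, not code from the article or any commenter; it builds two constructed CAs ("Corp Proxy CA" standing in for the enterprise-installed interception CA, "Example Public Root" for a public root), issues a leaf for the hypothetical host bank.example from each, and reports which anchor the chain terminates in. On a real laptop the leaf and intermediates would come from the TLS handshake and the enterprise CA names from the machine's provisioned trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed CA. Both CAs in this example are constructed
// fixtures: one stands in for a public root, the other for the CA an
// enterprise installs on its laptops so the proxy can re-sign sites.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newLeaf issues a server certificate for host, signed by the given CA.
func newLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// ChainRoot verifies leaf for host against roots and returns the CommonName
// of the trust anchor the validated chain terminates in.
func ChainRoot(leaf *x509.Certificate, host string, roots *x509.CertPool) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return "", err
	}
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, nil
}

// IsIntercepted reports whether the anchoring root is one of the CAs the
// enterprise provisioned; if so, the proxy is re-signing the site.
func IsIntercepted(root string, enterpriseCAs []string) bool {
	for _, name := range enterpriseCAs {
		if root == name {
			return true
		}
	}
	return false
}

func main() {
	corpCA, corpKey := newCA("Corp Proxy CA")
	pubCA, pubKey := newCA("Example Public Root")
	roots := x509.NewCertPool()
	roots.AddCert(corpCA)
	roots.AddCert(pubCA)
	enterprise := []string{"Corp Proxy CA"} // names taken from the provisioned trust store in practice

	for _, c := range []struct {
		label string
		leaf  *x509.Certificate
	}{
		{"proxied", newLeaf("bank.example", corpCA, corpKey)},
		{"direct", newLeaf("bank.example", pubCA, pubKey)},
	} {
		root, err := ChainRoot(c.leaf, "bank.example", roots)
		if err != nil {
			fmt.Println(c.label, "verify failed:", err)
			continue
		}
		fmt.Printf("%s: root=%q intercepted=%v\n", c.label, root, IsIntercepted(root, enterprise))
	}
}
```

The decision is made on the anchoring root rather than on any certificate in the middle of the chain, because a proxy that re-signs traffic must chain back to a CA the laptop was told to trust; that CA's name is the stable signal, whereas the leaf and intermediate subjects are whatever the proxy chooses to mint.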

        2. JohnFen Silver badge

          Re: Stop spying on me!

          "For example, I read the register from my work desktop daily, or catch up on the news via typical news sites on slow days. I don't care if my employer sees that."

          Fair enough. But you're still taking a risk -- it's awfully hard to predict what an employer may get upset about!

          Personally, the less my employer knows about me outside of my work-related activities, the better.

    6. Potemkine! Silver badge

      Re: Stop spying on me!

      What rights does an employee have over the data slurped from their company laptop?

      A company should publish an 'IT bill of rights' to warn the employees. Once that's done, most of the time an employee has no rights. If this is a company laptop, then the company has any right over the data inside. There are few limitations if the data are explicitly marked as private/personal in some countries, but that's it.

      Be smart, don't do personal business on a company laptop. Everyone has a smartphone now.

    7. I.Geller Bronze badge

      Re: Stop spying on me!

      They spy because they need to explain, annotate your search queries and sell these explanations to advertisers. AI explains search queries internally, you own these explanations, you decide what to do with them. Search engines, like Google and FB, can go to hell! You don't need them anymore, this is AI.

    8. Jove Bronze badge

      Re: Stop spying on me!

      Don't use corporate devices and networks to conduct personal matters.

  3. Anonymous Coward

    Get on with it!

    Data is the new oil and every single developer wants to profit from his/her chance to become the equivalent of an oil baron.

    1. JohnFen Silver badge

      Re: Get on with it!

      Not every developer. There are plenty who have more respect for their end users than that.

  4. Claptrap314 Silver badge

    So now the people PAID to secure systems are slurping? MUST NAME

    He's nothin' but a low-down, double-dealin', back-stabbin', larcenous, perverted worm!! Hangin's too good for him!! Burnin's too good for him!! He should be torn into little bitsy pieces and buried alive!!!

    1. Ugotta B. Kiddingme Silver badge

      Re: So now the people PAID to secure systems are slurping? MUST NAME

      I regret that I can only upvote you once. +1 for the "Heavy Metal" reference.

      STERRRRRRRRRRRRRRRN!

  5. tcmonkey
    FAIL

    "What's the last piece of software you'd expect to spy on you? Maybe your enterprise security suite?"

    No - with their love of getting into every conceivable part of the system they're installed on, they're one of the first things I would suspect. Nice try, though.

    1. JohnFen Silver badge

      On the other hand, this is far from universal practice.

      I've been working on enterprise security software for various companies for a long time now, and none of the companies I've worked for engages in any form of telemetry or phoning home for any reason. The security risk is too great. Instead, the standard practice has been to keep reasonably detailed logs on the customer's machines, and supply a utility that the customer can run to collect the data from the logs to supply to us when needed.

      That way, the customer can review the data being sent, and must proactively engage in sending the data to us. This is an extremely important security measure, and I personally wouldn't trust any security software that does otherwise.

      1. stiine Silver badge

        Seriously?

        Wow, a collection of security suites that rely on the preservation of data on the infected, probably encrypted, possibly wiped, end-point devices? Pray tell me which ones these are so I can avoid them like the plague they are.

        1. Tom Paine Silver badge

          Re: Seriously?

          Of course not. The set "customer's machines" is a superset of "possibly compromised machines".

        2. JohnFen Silver badge

          Re: Seriously?

          I never said the data was kept on the end-point devices, nor that the data was only kept in one place. The key is that the data is not transmitted off of the customer's machines without the customer intentionally making that happen.

  6. bigtreeman

    back in the day

    Once upon a time, in a faraway land, our employer had a dodgy little box secreted away under a set of stairs.

    It was connected to the PABX and recorded quite a lot of stuff.

    Until one day the box blew up and it was brought out to the workshop for a technician to fix.

    The technician did quite a lot of sniffing around and discovered the full extent of the boss's eavesdropping.

    Pretty soon everyone in the building became aware of this and was very careful about dissing the boss over the phone.

    Then we all lived happily ever after.

  7. Christian Berger Silver badge

    Actually it's the first piece of software I'd expect to spy on me

    After all it's not there to "secure" anything, but give people the feeling they made a sensible contribution to security without having to understand the problem at all. People don't buy such products because they actually do anything, they buy such products because they come with advertising they can cover their asses with if something did happen.

  8. Hans 1 Silver badge
    WTF?

    I have caught Avast MiM ... yes, your antivirus, man-in-the-middle-kingdoming its paying corporate customers.

    I reported the incident as soon as I saw it and disabled it.

    How much info is it sharing with the mothership? Nobody knows ...

    1. JCitizen
      Megaphone

      CCleaner

      Used to delete Avast's cookies so they couldn't spy, but of course they keep being re-applied. The information is already down wind even when deleting cookies. However even that is suspect now, because Avast's corporation bought out Piriform, the makers of CCleaner. Now I have to put up with popup advertising again, and probably now CCleaner spies on me.

      Avast was supposedly good about ending that phone home feature as long as you bought the software - not sure about that, but it did end the pop up ads. I don't plan on buying CCleaner anytime soon, so you have to put up with that when using free software - I suppose it is only fair. Once Malwarebytes became an anti-virus, I had to ditch Avast - MBAM was the only AV/AM worth buying in my estimation, so now that is my only AV solution. The line between viruses and malware is so thin, it isn't worth the distinction anyway.

      1. Tom Paine Silver badge

        Re: CCleaner

        The line between viruses and malware is so thin, it isn't worth the distinction anyway.

        Umm. I'm not sure how to break this to you, but in colloquial usage in the industry "virus" is a synonym for "malware". The former has a bunch of unfortunate associations that are a handy tool for figuring out whether the person you're talking to knows anything about security. If someone tells you "My machine has been infected by a virus", they're not a security person.

  9. eldakka Silver badge

    I'm a little confused as to how this could happen in an enterprise (the usual users of enterprise software), or even anything bigger than 20-employee business. Well, excluding cloudy SaaS services, as you get what you deserve there.

    Surely there are no outbound ALLOW rules on your firewalls and proxy servers that would allow this to happen? I mean, the usual config is DENY ALL, then provide an enumerated whitelist (source address to destination address:port+protocol) of what is allowed out. Therefore for such software to talk home, the enterprise would have to explicitly configure their firewall to allow the explicit source devices to communicate to the explicit external addresses, therefore these products can only phone home with the explicit consent of the organisation (by configuring the firewall to allow the outbound communication).

    1. Mr Humbug

      Yes, you're right. But one rule you will almost always find is

      Any user device to destination TCP ports 80,443 on any destination IP address.

      Often this can, and does, go through a proxy, but that's not always the case. And even if it is, the proxy is normally looking for malicious stuff coming back, rather than strange traffic going out.

      1. eldakka Silver badge

        Errm, no, in any enterprise I've worked in I've never seen that.

        No user device is allowed access out through the firewall. Every user device has to authenticate to the proxy server before being allowed to use the proxy server.

        Although, thinking about this, if you use some sort of SSO/Kerberos type system, especially through AD, then you end up with the 'computer' being authenticated for that user login, so any comms from that computer are authenticated against the proxy server. Therefore any software running on that computer can access the proxy. And those proxies are usually blacklist based (allow all destinations unless you are going to a naughty site). Whereas organisations not using SSO, where, for example, if you fire up your browser you have to enter your credentials into the browser session, therefore only that browser session is authenticated, as opposed to anything on the computer, would be more secure in this case. However, more of a pain in the arse to use as a user.

        Still, even in that case, I'd expect the IT Security team to notice the pattern - all desktops keep accessing some specific targets, and add those targets to the blacklist and start a whack-a-mole process.

        1. Tom Paine Silver badge

          if you use some sort of SSO/Kerberos type system, especially through AD, then you end up with the 'computer' being authenticated for that user login, so any comms from that computer are authenticated against the proxy server [..]

          No, this really isn't how AD authentication works.
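Two points in the thread above lend themselves to a concrete check: eldakka's observation that an enterprise should only be letting explicitly allowed destinations out, and the follow-up that the security team ought to notice "all desktops keep accessing some specific targets". The program below is an added example, not code from the article or any commenter. It parses a constructed, simplified proxy access log (timestamp, client IP, method, destination host:port, bytes the client sent), drops destinations on a constructed allow list, and flags any remaining destination that a given number of distinct client addresses have contacted. The log format, the hostnames (telemetry.vendor.example, updates.allowed.example, news.example) and the byte counts are all made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one proxied connection: who went where, and how much went out.
type Flow struct {
	Src   string
	Dst   string
	Port  int
	Bytes int
}

// SampleProxyLog is a constructed, simplified proxy access log.
// Five distinct desktops (one of them twice) reach the same vendor host,
// three reach an allowed update host, and one reads the news.
var SampleProxyLog = []string{
	"2019-05-02T10:00:01Z 10.1.2.3 CONNECT telemetry.vendor.example:443 4096",
	"2019-05-02T10:00:02Z 10.1.2.4 CONNECT telemetry.vendor.example:443 4096",
	"2019-05-02T10:00:03Z 10.1.2.5 CONNECT telemetry.vendor.example:443 4096",
	"2019-05-02T10:00:04Z 10.1.2.6 CONNECT telemetry.vendor.example:443 4096",
	"2019-05-02T10:00:05Z 10.1.2.7 CONNECT telemetry.vendor.example:443 4096",
	"2019-05-02T10:05:01Z 10.1.2.3 CONNECT telemetry.vendor.example:443 4096",
	"2019-05-02T10:00:06Z 10.1.2.3 CONNECT updates.allowed.example:443 1048576",
	"2019-05-02T10:00:07Z 10.1.2.4 CONNECT updates.allowed.example:443 1048576",
	"2019-05-02T10:00:08Z 10.1.2.5 CONNECT updates.allowed.example:443 1048576",
	"2019-05-02T10:00:09Z 10.1.2.9 GET news.example:80 12345",
}

// AllowedDestinations is the constructed allow list: vendors the organisation
// has explicitly agreed may be contacted, i.e. the "explicit consent" case.
var AllowedDestinations = map[string]bool{"updates.allowed.example": true}

// ParseProxyLine parses one log line; malformed lines are reported, not skipped silently.
func ParseProxyLine(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Flow{}, fmt.Errorf("expected 5 fields, got %d: %q", len(f), line)
	}
	i := strings.LastIndex(f[3], ":")
	if i < 0 {
		return Flow{}, fmt.Errorf("destination without port: %q", f[3])
	}
	port, err := strconv.Atoi(f[3][i+1:])
	if err != nil {
		return Flow{}, err
	}
	n, err := strconv.Atoi(f[4])
	if err != nil {
		return Flow{}, err
	}
	return Flow{Src: f[1], Dst: f[3][:i], Port: port, Bytes: n}, nil
}

// Finding is a non-allowed destination reached by many distinct hosts.
type Finding struct {
	Dst   string
	Hosts int // distinct client addresses
	Bytes int // total bytes sent outbound to it
}

// FleetWideDestinations groups flows by destination and flags any destination
// not on the allow list that at least minHosts distinct clients have contacted.
// Repeat connections from one client count once, so a single chatty machine
// does not look like a fleet-wide pattern.
func FleetWideDestinations(lines []string, allowed map[string]bool, minHosts int) ([]Finding, error) {
	hosts := map[string]map[string]bool{}
	outBytes := map[string]int{}
	for _, line := range lines {
		fl, err := ParseProxyLine(line)
		if err != nil {
			return nil, err
		}
		if allowed[fl.Dst] {
			continue
		}
		if hosts[fl.Dst] == nil {
			hosts[fl.Dst] = map[string]bool{}
		}
		hosts[fl.Dst][fl.Src] = true
		outBytes[fl.Dst] += fl.Bytes
	}
	var out []Finding
	for dst, srcs := range hosts {
		if len(srcs) >= minHosts {
			out = append(out, Finding{Dst: dst, Hosts: len(srcs), Bytes: outBytes[dst]})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Hosts != out[j].Hosts {
			return out[i].Hosts > out[j].Hosts
		}
		return out[i].Dst < out[j].Dst
	})
	return out, nil
}

func main() {
	findings, err := FleetWideDestinations(SampleProxyLog, AllowedDestinations, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s hosts=%d bytes_out=%d\n", f.Dst, f.Hosts, f.Bytes)
	}
}
```

Counting distinct sources per destination is what turns a whack-a-mole hunt into a standing report: a vendor host that every desktop talks to shows up in one line, and once it is either added to the allow list (consented) or blocked, it disappears from the next run. The threshold is a tuning knob; on a real fleet it would be set well above the handful of machines used here.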

  10. Anonymous Coward
    Big Brother

    Vendors phoning home data

    .. we don’t know why these vendors are phoning home data .. in all likelihood, their phoning home of data was either for a legitimate purpose .. or the result of a misconfiguration.”

    Or as part of the strategy by the spooks to hoover up the world's data?

  11. Bill Michaelson

    My frikkin' LG dishwasher does this too

    It's exasperating. At least my light bulbs are secure. I think.

    1. JohnFen Silver badge

      Re: My frikkin' LG dishwasher does this too

      Why do you let it?

  12. adam payne Silver badge

    "But the fact that large volumes of data are traveling outbound from a customer environment to a vendor without the customer’s knowledge or consent is problematic."

    No not problematic just plain wrong.

  13. Gnosis_Carmot

    Name names!

    I get so tired of reports like this where the names are left out. Naming the perpetrators is the only way to get this kind of action to go away.

    1. Roland6 Silver badge

      Re: Name names!

      I think what they really want you to do is buy their "Real-Time Analytics for Performance Monitoring and Network Security, Backed by Machine Learning" platform...

      There is an interesting Gartner report on Network Traffic Analysis, but Forbes/ExtraHop do a reasonable summary of the five takeaways.

  14. Anonymous Coward

    Personal use ?

    If you can http/https out of your company network, you just set up your own server at home, and use a browser to access it as a remote screen.


Biting the hand that feeds IT © 1998–2019