Ever Worry Your Co-Workers Will Hack You?

egrizzly Member Posts: 533
So at work not everybody works in Penetration Testing. Some of us are in audits, incident response, vulnerability management, etc.  Do you all ever worry that the hackers (penetration testers) will use their skills and hack you, invading your privacy, or do you just trust them willy-nilly that they'll be 100% white hats?  How do you normally react to this possibility?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • SteveLavoie Member Posts: 1,133
    Maintain a separation between your work device and home device. Don't use a personal account on your work device. If someone tries that, he will discover only work-related information and not private information.
  • shochan Member Posts: 1,013
    yeah, I've watched too much Mr. Robot too...I think about it, but not too much...I do value my privacy, but I have nothing to hide except my real name on here, LOL!
    CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
  • LonerVamp Member Posts: 518
    edited March 2020
    To be fair, it's not just your security team you would want to worry about in that case, but also server/system admins and desktop support teams who likely have some measure of administrative privilege (or ability to get it) to your systems.
    And the network team who may have control and visibility into your traffic on the wire. And any systems you use where admins may have visibility (Slack, internal IM logs, email...)
    And let's take this one step further. Let's say you're not just another worker peon, but the CFO or CEO holding lots of strategic secrets. Again, where there are many technical teams who can probably read things if they really want to stoop that low.
    Ultimately, this level of trust is a managerial and HR issue to mitigate. Managers should know and limit risky behavior and the mind state of their employees. HR should have documentation and procedures in place for responsible hiring and proper punishment if violations are made.
    I honestly expect just as much information is leaked due to ignorance in most enterprises as due to an unethical internal hacker. Namely things like sharing something they didn't mean to share, or putting way too much information into ticketing systems (like vulnerability details)...

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • tedjames Member Posts: 1,182
    shochan said:
    yeah, I've watched too much Mr. Robot too...I think about it, but not too much...I do value my privacy, but I have nothing to hide except my real name on here, LOL!
    Most people don't have anything to hide. But yeah, your privacy is valuable and important to you. Most companies/agencies state in their policies that staff have no expectation of privacy. That means that if your CISO convinces your CEO/Executive Director that the security team needs to snoop around on your work machines, they can and will do it. Emails are not private. They also track and monitor where you go on the internet and how long you spend there. In some local and state governments, anyone can make an open records request. If that happens, the agency has to share, within reason (no vulnerability reports, etc.), the requested information (after it has been vetted by legal). Also, there's an amazing amount of OSINT on government employees that you can find with a simple Google search (including salaries). If I were going to try to hack a co-worker or anyone else for that matter, I'd start with some OSINT. That's how Sarah Palin's Yahoo account got hacked when she was running for VP.

    Create and distribute some Canary Tokens throughout your file system with inviting names like passwords.docx or similar. If someone is indeed snooping around, you'll get notified, and all the attacker will see is an empty file. I do it myself.
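    The decoy-file idea above, as an added illustration (not canarytokens.org's code or anyone's from this thread): each planted decoy carries a unique callback URL, and a web access log is scanned for hits on those URLs so you learn which decoy was opened, when, and from where. The callback host, file names, and log format are assumptions.

```python
"""Minimal honeyfile / canary-token workflow (constructed example)."""
import re
import secrets
import tempfile
from pathlib import Path

# Assumed alert endpoint; in a real deployment this is a host you control
# whose web server logs every request.
CALLBACK_HOST = "canary.example.invalid"

# Combined-log-format line carrying a token hit: "GET /t/<16 hex chars>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /t/(?P<token>[0-9a-f]{16}) '
)


def plant_decoys(root: Path, names: list[str]) -> dict[str, str]:
    """Create one decoy per inviting name; return a manifest {token: path}.

    A real canary embeds the URL in a document template so that merely
    opening the file makes the office application fetch it. Here the decoy's
    body is just the URL, which is enough to show the manifest/alert flow.
    """
    manifest: dict[str, str] = {}
    for name in names:
        token = secrets.token_hex(8)            # 16 hex chars, unique per decoy
        path = root / name
        path.write_text(f"http://{CALLBACK_HOST}/t/{token}\n")
        manifest[token] = str(path)
    return manifest


def alerts_from_log(manifest: dict[str, str], log_lines: list[str]) -> list[dict]:
    """Map callback hits back to the decoy that was opened; ignore unknown tokens."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("token") in manifest:
            alerts.append({"decoy": manifest[m.group("token")],
                           "src": m.group("ip"), "time": m.group("ts")})
    return alerts


def demo() -> list[dict]:
    """Plant two decoys in a temp dir and replay a constructed access log."""
    root = Path(tempfile.mkdtemp())
    manifest = plant_decoys(root, ["passwords.docx", "bonus_plan_2020.xlsx"])
    opened = next(t for t, p in manifest.items() if p.endswith("passwords.docx"))
    log = [  # constructed log lines: one real hit, one unrelated request
        f'10.0.0.7 - - [12/Mar/2020:09:14:03 +0000] "GET /t/{opened} HTTP/1.1" 200 12',
        '10.0.0.9 - - [12/Mar/2020:09:15:11 +0000] "GET /index.html HTTP/1.1" 200 512',
    ]
    return alerts_from_log(manifest, log)
```

    Only the decoy that was actually opened produces an alert; the unrelated request and any token not in the manifest are dropped.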

  • yoba222 Member Posts: 1,237
    edited March 2020
    1. I'd be more worried about sysadmins and HR. 
    2. The kind of person that has judgement skills poor enough to snoop around in unauthorized places and abuse their power is going to eventually make a poor judgement decision that gets them fired. So things tend to work themselves out.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • beads Member Posts: 1,533
    Talk about a career or at least position ending move. No, if I am not working with professionals I will immediately fire or have them fired in no time. If for whatever reason the first two options fail, I will gladly pack up and move on myself. No time to work with any more questionable security people than I have to.

    Frankly, if you feel as though you're at risk in your organization due to sketchy IT or worse, sketchy security (InfoSec or cyber) people, you need to have a short chat with your hiring manager and HR before you leave the premises. No questions asked. Security people already have a terrible reputation with organizations in the first place, don't kid yourself. The idea of a fellow employee sounds like a dinner bell for the lawyers to come feast on the corpse of your organization.

    Good luck in that environment.

    - b/eads
  • tedjames Member Posts: 1,182
    In the early '90s, I worked at a software company. Everything was UNIX back then. For some ridiculous reason, everybody had root access. Also, I could very easily cd to any user's home directory and view, modify, and delete their files. I snooped around, but of course I didn't modify anything. Ah, fun times! Moral: Don't put anything personal on your work computer, especially not emails. It's like posting to the internet; don't post anything that you don't want the whole world to see.
  • egrizzly Member Posts: 533
    Quite interesting.  The answers I'm getting here are very encouraging.  I guess it's not a common thing for the so-called white hats to abuse their skills and start peeking into their co-workers PCs.
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • E Double U Member Posts: 2,233
    It is less about trust and more about me not really being the worrying type. Things like this are of no concern for me. 
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • DatabaseHead Member Posts: 2,754
    egrizzly said:
    Quite interesting.  The answers I'm getting here are very encouraging.  I guess it's not a common thing for the so-called white hats to abuse their skills and start peeking into their co-workers PCs.
    I think it happens....   I remember 5 years ago I was working on a project and for whatever reason the system administrator came up to me and asked how I liked making 89,209 and did I know that Melaine was making 92,400.  I didn't report him I just said I don't want to know about this type of stuff.  

    He was respectful of me, but did one time slip out the bonuses of the architects and sales engineers.  I left shortly after that.....  (not because of that new opportunity)
  • LonerVamp Member Posts: 518
    edited March 2020
    egrizzly said:
    Quite interesting.  The answers I'm getting here are very encouraging.  I guess it's not a common thing for the so-called white hats to abuse their skills and start peeking into their co-workers PCs.

    Oh, I think it happens, I just think many folks have jobs to do, and others just snoop, and no one ever really knows. Is it common? I'd hope not, but there are lots of questionable workers with high level IT rights on workstations with questionable ethics.

    I suppose in that case it's less security folks, and more general IT.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?