this post was submitted on 03 May 2024
30 points (89.5% liked)

cybersecurity

3030 readers
2 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
 

FWIW, this isn't to do with me personally at all, I'm not looking to do anything dodgy here, but this came up as a theoretical question about remote work and geographical security, and I realised I didn't know enough about this (as an infosec noob)

Presuming:

  • an employer provides the employee with their laptop
  • with security software installed that enables snooping and wiping etc and,
  • said employer does not want their employee to work remotely from within some undesirable geographical locations

How hard would it be for the employee to fool their employer and work from an undesirable location?

I personally figured that it's rather plausible. Use a personal VPN configured on a personal router and then manually switch off wifi, bluetooth and automatic time zone detection. I'd presume latency analysis could be used to some extent?? But also figure two VPNs, where the second one is that provided by/for the employer, would disrupt that enough depending on the geographies involved?

What else could be done on the laptop itself? Surreptitiously turn on wiki and scan? Can there be secret GPSs? Genuinely curious!

all 20 comments
sorted by: hot top controversial new old
[–] [email protected] 12 points 6 months ago (2 children)

There are ways, but the VPN/Personal Router route will thwart 99.99999% of businesses out there (For a non-cellular enabled laptop and you refuse a work phone)

The remaining .000001% that go the extra mile are going to be dealing high security, confidential secret stuff like TS gov defense contracts or something

[–] [email protected] 5 points 6 months ago* (last edited 6 months ago) (1 children)

Your cybersecurity team is going to be annoyed with you using a non-corporate VPN if you have one. Any monitoring they have will probably have something that will ping on using common VPNs, but at most companies, consequences there likely won't make it to HR. May make it to your manager though if they think it's a sign of compromise.

[–] [email protected] 1 points 6 months ago (1 children)

Ez-Pz, cheap VPS + VPN server

Or I think there are also VPNs that advertise using "residential IPs", I know that's a thing with SOCKS proxy services.

[–] [email protected] 3 points 6 months ago

Yeah, common VPSes are monitored too, it's a very easy add. Alert on IP ranges from a publicly maintained and easy to find list is not a hard ask. If you ran it through AWS, it would probably pass a lot of basic checks. Using residential IPs will probably get you a bit of time, but I can't imagine there being a good way to do that without it being very hard for the VPN provider to keep up and very easy for a security company to just make a new list of IPs and assume the whole range is bad.

Your best defense here though is that your cybersecurity team probably doesn't care that you're doing this once it's determined that you aren't a malicious actor as long as you aren't creating too many alerts.

[–] [email protected] 1 points 6 months ago (1 children)

When I use a VPN I am disconnected from anything relating to my companies network. Includes email. They use microsoft services.

[–] [email protected] 1 points 6 months ago (2 children)

When you use the VPN are you using/opening the VPN on the device itself instead of a dedicated wireless router configured with the VPN instead?

If so, that's your problem, otherwise it's like the other commenter said, they're probably detecting a common VPN IP if you're using a common service. Grab a cheap VPS in your desired location and setup a VPN server and connect to that instead

[–] [email protected] 1 points 6 months ago

Yep, on the device itself. Thanks!

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago)

Or spin up an ec2 instance yourself and route everything from there.

Amazon can get you fixed ip for cheap.

[–] [email protected] 10 points 6 months ago (2 children)

I made devices to track wildlife via gps and an embedded simcard and GSM radio to report tracking data. It would be trivial to install a device to basically turn the laptop into one of those tracking devices. But this is beyond what a typical business would consider doing.

[–] [email protected] 9 points 6 months ago

Depending on how accurate you want it, the simcard is plenty. If your goal is "don't be in France", you really don't need more..

[–] [email protected] 5 points 6 months ago

yea, that's what I'd figure. However easy a GPS setup would be, most businesses are, I'd guess, relying entirely on network snooping/logs. Which, if true, seemed pretty fallible once I started thinking about it.

[–] [email protected] 6 points 6 months ago

I ran a VPN on my router, and forgot to turn it off a couple of times before logging in to work. Our work VPN recommended their VPN nodes that were close to the router VPN location. So they were just doing iplookups. I think most companies aren't going to do much more than that. That said, if they're determined to get your location then they can get it. You usually don't have much control over your work computer and there are a bajillion different ways to get your real location.

[–] [email protected] 4 points 6 months ago

Skimmed most of the thread and there are a lot of guesses, the actual answer is presumably impossible given the parameters. Asset management tracking software is pretty much permanent tracking these days, screen idle time, keystrokes per minute, application focus tracking. A lot of higher end devices have gps chips in them by default, your works VPN reports it's trace route so it will have general geographic location. Microsoft and Google cooperate accounts even offer remote hard drive wipes to protect company secrets, regardless of the location. My work gets reports of where people connect from as part of the RTO policy. We had someone working from their parents house for a few weeks and got emailed by HR asking why they were logging in from an unapproved area. Most places can pull this data, but not all of them act on it.

[–] [email protected] 3 points 6 months ago (1 children)

Most places will use IP based location services so if you use a router based VPN to appear in another place it will hide you well enough for the initial glance.
Conditional access policies may out you though. Several places will deny known VPN endpoints from logging in. But if you get a VPS hosting server and run your own endpoint you will be less likely to get nabbed by that one.

GPS in laptops is almost unheard of. Sure there are specific models built for specific use cases that have them but a regular corporate laptop is not.

[–] [email protected] 4 points 6 months ago (1 children)

AGPS probably does work though for location. Many work laptops have sim cards for 5g, and that means connectivity permanence and assisted gps from cell tower triangulation.

However I know from testing things like m365 login just accepts the ip location of vpn endpoint.

My advice is it depends: and it mostly depends on the effort of the sysadmin and the level of logs they look into. The timing of the log from your vpn connection and your location. If they own the networks you did connect to, those networks will know where you are.

Use your personal device for personal things. End of story.

[–] [email protected] 4 points 6 months ago

Oh one different situation: because I've been on the side of supplying logs to cyber forensic analysts as part of cyber insurance post breach, the level of scrutiny will matter. If they find you're doing something they don't want on work equipment near or around a cyber incident you'll be part of the post breach recommendations. As in, what to remediate.

[–] [email protected] 2 points 6 months ago (1 children)

If you have a VPN server set up at home, and like a portable router that allows you to establish a VPN connection to your home connection... And then you connect your work machine to your portable router that's connected to your home... Fairly certain you would always look like you're working from home.

[–] blarth 2 points 6 months ago* (last edited 6 months ago) (1 children)

I was looking into this for a family member who wants to look like they’re in a location a couple hundred miles away occasionally. I think the only pitfall might be if they are made to use an authenticator that can query their GPS location in order to enact conditional policies that restrict their location.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition

[–] [email protected] 2 points 6 months ago

Yeah if you have to use the authenticator app and it has GPS you might be hosed.