Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
spogbiper 3 days ago

This would generally be covered in your corporate acceptable use policy or employee handbook, where ever your employer describes what is allowable on corporate devices and what is monitored when you use them. Some companies also display a notification when you log in along the lines of "This is an XYZ Corp system, all activity is logged and monitored for malicious behavior"

in general, if you're using a company owned device (the target for this product and many others like it) you should always assume everything is logged

cybergreg 3 days ago | parent | next [-]

In the US, on a corporate owned device there is no expectation of privacy.

hyperman1 3 days ago | parent | prev [-]

Is this true outside the USA?

In the EU, employees have an expectation of privacy even on their corporate laptop. It is common for e.g. union workers to use corporate email to communicate, and the employer is not allowed to breach privacy here. Even chatter between worker is reasonably private by default.

I suspect, if the attacker is inside the EU, this article is technically a blatant breach of the GDPR. Not that the attacker will sue you for it, but customers might find this discomforting.

viccis 3 days ago | parent | next [-]

I can't imagine pen testers would be able to work in the EU without being able to access individual workstations without the users' knowledge.

The key difference here is that pen testing, as well as IT testing, is very explicitly scoped out in a legal contract, and part of that is that users have to told to consent to monitoring for relevant business purposes.

What happened in this blogpost is still outside of that scope, obviously. I doubt that Huntress could make the claim that their customer here was clearly told that they would be possibly monitoring their activity in the same way that a "Content to Monitoring" popup for every login on corporate machines does it.

spogbiper 3 days ago | parent | prev [-]

It's an interesting question. Services like Huntress (there are many similar) only work by looking at what is happening on the computer. To some degree they are automated but there is a human review element to all of them where ultimately some person A will be looking at what some other person B did on the system. Not publishing it in a blog like this, but definitely violating the privacy of the valid user and/or a bad guy to some degree