Friday, November 25, 2022

Phishing Is Too Easy - 4: Season to be Scammed Edition

It is Black Friday! And we are in the Season to be Scammed! A few moments ago (I am typing this as fast as I can) I received the following phishing email:

[Image: the phishing email, pretending to be from Dick's Sporting Goods. What to look out for is described below.]

Its call to action is the claim that Dick's (insert jokes here) Sporting Goods decided out of the blue to give me a Yeti cooler if I just click on the "Confirm Now!" link. I usually would spend the time (see the last phishing article I wrote) and look at the email's source to see if it has any interesting telltale signs of phishing. But, this phisher is so lazy he does not deserve a deep dive on the email. So, let me count the ways this is a scam:

  1. Why would Dick's want to send me a cooler? They do have a store here but I make my point not to go there. So they do not know I exist... unless they bought my name off a list. If that is the case, I feel I should ignore them even more.
  2. Why is the name in the return address "Dicks SportinGoods" (blue line) instead of "Dicks Sporting Goods"?
  3. Why is the domain of the return address celimopafeseda (red line)? I could say that I could not find that domain registered anywhere I bothered to look (spent some extra time I really did not need to for this article), but let's be honest: this has nothing to do with dicks.
  4. If I had spent time and looked at the email's header, I would have seen it was sent through outlook.com. But I will not. I am not saying mailed through Outlook is a telltale of a phishing email, but I do not like how the path it took while inside their network is obscured. Still, short post this is.

As a result, I think we can safely label this as phishing and move on.
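The three checks above (a lookalike display name, a From domain unrelated to the claimed brand, and the Received chain) as an added Python example that is not part of the original post; the message, addresses and host names are constructed placeholders, and KNOWN_BRANDS stands in for whatever allow-list of expected senders the reader maintains.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the message described above; every address and
# host name is a placeholder, not a real indicator from the post.
RAW_EMAIL = """\
Received: from outbound.outlook-placeholder.example by mx.recipient.example; Fri, 25 Nov 2022 10:01:00 -0500
Received: from [10.20.30.40] by outbound.outlook-placeholder.example; Fri, 25 Nov 2022 10:00:58 -0500
From: "Dicks SportinGoods" <promo@celimopafeseda.example>
To: me@recipient.example
Subject: Confirm Now! Your Yeti cooler is waiting

Click "Confirm Now!" to claim your cooler.
"""

# Brands the recipient actually deals with and the sending domains they use (constructed).
KNOWN_BRANDS = {"Dicks Sporting Goods": {"dickssportinggoods.example"}}

def normalize(text):
    """Lower-case and keep letters only, so 'SportinGoods' is compared with 'sporting goods'."""
    return re.sub(r"[^a-z]", "", text.lower())

def closest_brand(display_name):
    """Return the known brand the display name most resembles and the similarity ratio (0..1)."""
    target = normalize(display_name)
    scored = {b: SequenceMatcher(None, target, normalize(b)).ratio() for b in KNOWN_BRANDS}
    best = max(scored, key=scored.get)
    return best, scored[best]

def triage(raw, threshold=0.8):
    """Apply the three checks from the post to one raw message; returns a dict of findings."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    brand, ratio = closest_brand(display)
    findings = []
    if threshold <= ratio < 1.0:
        # A near-miss spelling of a brand name is the classic lookalike display name.
        findings.append(f"display name '{display}' imitates '{brand}'")
    if ratio >= threshold and domain not in KNOWN_BRANDS[brand]:
        findings.append(f"From domain '{domain}' is not a known sender for '{brand}'")
    # Each relay prepends its own Received header, so the top one is the last hop;
    # a hop from a private address marks where the internal path stops being visible.
    hops = [h.split(";")[0].strip() for h in msg.get_all("Received", [])]
    return {"from_domain": domain, "findings": findings, "received_hops": hops}

if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```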

I am disappointed by the lack of pride this phisher has. Do you think some other phisher will redeem my faith in them, or is this the best I can expect this Friday?

Saturday, November 5, 2022

On the rise of work-at-home employee tracking

When COVID became a global pandemic, many companies that had previously frowned upon teleworking asked their employees to work from home whenever possible. That raised a concern: how would managers verify their underlings were spending their work hours doing the tasks assigned to them? There are many ways to track the time of employees, but the one that has increasingly become the most popular is employee monitoring software. A survey of 1,250 employers by Digital.com found that 6 out of 10 employers require monitoring software for their remote workers.

Why Are Employees Being Tracked?

Employers want to manage their workforce and understand how employees are spending their time. They see employees taking a break from their work tasks to use social media or deal with their family as a potential drain on their productivity, or as time theft. According to Digital.com, more than half of the monitored employees spend more than 3 hours every day on non-work activities on company time.

If a business offers consulting services, it has a vested interest in logging its workers' time with a customer so it can properly bill that customer. Also, the FLSA requires employers to keep accurate records for each hourly employee and retain them for 3 years.

What is Being Tracked?

Even though this kind of software has been called an extension of traditional time-tracking systems, what it records is more expansive than simple time-tracking:

  • Random screenshots
  • Location (using GPS)
  • Website tracking
  • Email logging
  • Any sounds in the immediate area, using the device's microphone
  • Camera
  • Anything that has been typed (keylogging) and any mouse movements (mouse logging).

Privacy Concerns

"Most employees are OK with (installing employee tracking software). As long as you tell the employee you're implementing it, it's entirely legal" according to Enzo Logozzo, director of sales and marketing for 365 IT Solutions, Toronto. That is not necessarily the case.

  • Per GDPR, consent here is not freely given, since refusing to have the software installed carries the risk of being fired. Canadian news media reported recently about a school janitor in Alberta, Canada, who refused last fall to download a mobile app that would help her employer confirm workers were on the job where and when scheduled. She was fired weeks later.
  • While the Canadian privacy law, PIPEDA, states that collection and disclosure of personal data by a company from its employees without their consent is allowed in certain situations, the onus is on the company to justify that the data was collected for a specific business purpose.
  • Traditionally, American privacy laws such as CCPA are much more lenient towards the business. However, employee tracking software can place companies at odds with other federal regulations. We must expect that some of those working from home will on occasion contact their children's teacher or doctor during working hours. Recording those conversations conflicts with HIPAA and FERPA.
  • Using a computer's built-in microphone may be subject to state wiretap and eavesdropping laws.

Other Issues

In addition to legal issues, aggressive employee monitoring negatively affects business:

  • Employees lose trust in the company. 14% of companies have not informed employees they deployed this software.
  • Once workers find out employee tracking is in use while they work at home, their stress level increases. According to a study run by the insurance company Colonial Life, 26% of the employees said stress was making them less productive and 15% reported feeling less engaged with their job. That is no surprise, as 88% of employers terminated workers after implementing monitoring software.
  • Devices running employee surveillance software are a juicy target for malicious individuals. As these individuals want to collect passwords and other personal information, attacking a computer with employee tracking software saves them time and effort.

Living with Employee Surveillance Software

Protecting your privacy as an employee

  • Ensure the company issues you its computer, so as to minimize the chance of having personal and work data on the same system.
  • Minimize use of the work computer for personal applications. Ideally avoid it entirely, but if that is not possible, minimizing is the next best thing. It may help to remember that the work computer may be taken back at any time for any reason; it is theirs after all.
  • Ask if they will issue you a work phone. If not, and they also demand that you install their app on your personal phone, here are apps to help with that. In fact, that is one of the topics we covered in our DEFCON workshop and something we recommend when dealing with IoT devices. Otherwise, get yourself a dumb phone and present it as the phone you have.
  • Put the work computer/device on a separate network from your home one. This may require technical help; VLANs are a great start but the sky is the limit.
  • Create a private location for your workspace. Ideally one where the door is in front of you (behind the computer). A green screen is also recommended.
  • Assume the work computer's microphone and camera are always on, so once your work hours are done, place it in a box with sound-absorbing foam.
  • Some companies may offer you an exercise tracker device such as a Fitbit. Politely refuse it, as it records your biometric data, which violates GDPR if you are subject to it.

Protecting your company's needs while respecting the privacy of your employees

  • Have a clear policy outlining the justification for surveillance.
  • Ensure employees understand why they are being tracked.
  • Obtain consent from your employees if you are installing employee surveillance programs on their computers and phones. Note that if it is a requirement to work, it is not freely given.
  • Ensure tracking stops after working hours.
  • Hire a professional such as Privacy Test Driver to ensure you comply with relevant privacy laws and provide an environment that fosters productivity while protecting both your company and its employees.