What's on that laptop?
My employer has given me a new laptop to plug into my home network. Here's what I know is running on it (so far). These are rough notes, not a polished essay.
Arctic Wolf
Scans all sorts:
- Geo-location of the machine, meaning that it tries to snoop on your location whenever the machine is turned on (though, as I write this, GeoIP places me 185 miles' drive away, so the company would be well advised to ignore it)
- Installed software
- Wi-Fi networks both available and in use (so it knows where you are and who else is there with you, if other people have the same spyware installed)
- ARP table (so it sees every machine on the network, including those belonging to your spouse, under-aged children and any visitors who use your Wi-Fi)
- Windows event logs
- Process table (so it sees every program you run)
- SSL certificates
- Network configuration
- Installed patches
- System configurations (too vague to be informative)
https://www.vlcm.com/arctic-wolf https://arcticwolf.com/uk/solutions/agent/
SentinelOne
- Process Creation, termination and exit (so it sees every program you run, and when it starts and stops)
- File Creation (it sees every document you write, even if you delete it afterwards, but also every temporary file created by every program you run, such as your browser)
- File Modification (it watches you work on documents)
- File Deletion
- File Rename
- DNS (it sees the name of every Internet host you connect to and every Web site you visit)
- TCPv4 Connection (it sees every Web page you visit, but also every time you download email from your ISP or connect to a machine on your home network)
- TCPv4 Listen (you shouldn't run any kind of server on a work machine. If you do, though, and if your home PC connects to it, SentinelOne will know. Who knows what Windows does in the background?)
- HTTP Request (again, every Web page you visit, every picture on every page, and every advertising and tracking request if you've not got round to blocking those yet)
- Login and logout (beware the person who believes that you're not working when you're not logged on)
- Registry Key Creation (every time any software touches the registry, SentinelOne will see what it does)
- Registry Key Rename
- Registry Key Delete
- Registry Key Export
- Registry Key Security Changed
- Registry Value Creation
- Registry Value Modified
- Registry Value Delete
- Registry Key Import
- Scheduled Task Register
- Scheduled Task Update
- Scheduled Task Delete
- Scheduled Task Start
- Scheduled Task Trigger
SentinelOne conducts man-in-the-middle attacks against encryption by, for example, installing browser plugins that the user can't disable or remove. If you log into any server on a system running SentinelOne, you should assume that the company has the password. If you type in a credit card number or home banking credentials, you should assume the company has them.
https://www.sentinelone.com/wp-content/uploads/2017/06/SentinelOne_Deep_Visibility_Overview.pdf
S1 also logs vaguely named things such as “behavioural indicators”, “cross process” (is this another name for IPC?) and command scripts, and can do a full disk scan. It claims to be able to detect malware that attackers have masked.
https://johntuckner.me/posts/sentinelone-deep-visibility-export https://www.sentinelone.com/wp-content/uploads/2022/04/SentinelOne-IR-Handbook.pdf (page 12)
A facility called Singularity Ranger (on page 36 of the manual) crawls all over your network and reports on every device it finds, whether it belongs to work, you, or anyone else. It can run either actively (by sending packets and seeing who responds) or passively (by just watching packets as they flow across your network), so its activity may not show up on a packet capture.
https://www.sentinelone.com/platform/singularity-ranger/
There's a script library that can gather even more information and perform remote code execution on a computer: see page 36 of the manual. Remote code execution is an obvious risk in the wrong hands, or if a compromised machine sends instructions to your laptop.
SentinelOne is planning to add the ability to retrieve a memory dump (again, see p.36 of the manual). This will enable it to see documents you've typed but never saved, text you've entered into Web forms but not submitted, and perhaps passwords saved in memory by poorly written programs.
SentinelOne is so intrusive that, when I build code, SentinelOne uses up the entire house's outgoing bandwidth, just reporting back on what I'm doing. In fact, it keeps sending data at line rate for several minutes after I stop building, because my domestic Internet connection can't keep up with the volume of data that SentinelOne sends.
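If you want a number rather than an impression for the upload traffic described above, here is an added example (my own, not code from these notes or from any of the vendors) that measures how many bits per second the laptop sends over a sample window and lists which live TCP connections belong to the agent processes, so the remote addresses can be attributed. It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-NetAdapterStatistics and Get-NetTCPConnection), and the process-name pattern is an assumption that should be adjusted to whatever is actually installed.

```powershell
# Added example, not from the notes or any vendor.
# Measures outbound throughput over a window and attributes open TCP
# connections to the agent processes. Run a build during the window to
# compare against an idle window.
param([int]$Seconds = 60)

# Assumption: process names of the agents; widen or narrow as needed.
$agentPattern = 'Sentinel|Arctic|Forti|Code42'

# Bytes sent per adapter before and after the window.
$before = Get-NetAdapterStatistics | Select-Object Name, SentBytes
Start-Sleep -Seconds $Seconds
$after  = Get-NetAdapterStatistics | Select-Object Name, SentBytes

foreach ($a in $after) {
    $b = $before | Where-Object Name -eq $a.Name
    if ($b) {
        # Counters are cumulative bytes, so the difference over the window
        # gives the average upload rate in kbit/s.
        $kbps = ($a.SentBytes - $b.SentBytes) * 8 / 1000 / $Seconds
        '{0,-30} {1,10:N1} kbit/s uploaded' -f $a.Name, $kbps
    }
}

# Map PIDs of the agent processes to their names.
# Keys are cast to [int] because OwningProcess is a UInt32 and hashtable
# lookups do not match Int32 against UInt32.
$byPid = @{}
Get-Process | Where-Object ProcessName -match $agentPattern |
    ForEach-Object { $byPid[[int]$_.Id] = $_.ProcessName }

# Which agent processes hold connections right now, and to where.
Get-NetTCPConnection |
    Where-Object { $byPid.ContainsKey([int]$_.OwningProcess) } |
    Select-Object @{n='Process';e={$byPid[[int]$_.OwningProcess]}},
                  RemoteAddress, RemotePort, State |
    Sort-Object Process, RemoteAddress |
    Format-Table -AutoSize
```

Run it once while idle and once while a build is going; the difference in the upload rate, together with the remote addresses owned by the agent processes, is what you would show to whoever administers the agent. A packet capture on the home router gives the same numbers for traffic that does not go through the laptop's own counters, such as anything sent by a separate VPN adapter.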
FortiClient
This is the client for the work VPN, but it does a lot of surveillance as well.
- It sends hardware information about the client machine (MAC address, etc.), software information (such as the OS version) and the ID of the user: https://docs.fortinet.com/document/forticlient/6.2.6/administration-guide/577341/telemetry-data
- It looks at executables you run and documents (.doc, .pdf, etc.) that you open: https://docs.fortinet.com/document/forticlient/6.2.6/administration-guide/838652/cloud-based-malware-protection
- It watches Web browsers, office applications and PDF viewers as they run, so it may be able to see what you do in those applications: https://docs.fortinet.com/document/forticlient/6.2.6/administration-guide/190092/antiexploit
- It looks at files downloaded from the Internet, read from networked drives, or received by email. (It's not clear whether just receiving them by email is enough to trigger a scan, or whether you have to try to open them.) It sends them to the office or to the cloud. https://docs.fortinet.com/document/forticlient/6.2.6/administration-guide/554226/sandbox-detection and https://docs.fortinet.com/document/forticlient/6.2.6/administration-guide/632693/removable-media-access
- It watches every Web page you visit: https://docs.fortinet.com/document/forticlient/6.2.6/administration-guide/136297/web-filter and https://docs.fortinet.com/document/forticlient/6.2.6/administration-guide/446110/antivirus
- It can mount man-in-the-middle attacks against HTTPS Web pages (so it can snoop on passwords, credit card numbers and the contents of Web pages even if your browser displays a padlock), but only on Google Chrome: https://docs.fortinet.com/document/forticlient/6.2.6/administration-guide/52942/web-browser-plugin-for-https-web-filtering
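Both the SentinelOne paragraph above and the FortiClient HTTPS web-filtering entry describe interception that lives inside the browser rather than on the wire. An in-browser plugin sees page contents after TLS has been removed, so the padlock and the certificate chain look normal. Two things are visible on the endpoint, though: extensions that policy forces into Chrome or Edge, and any trusted root certificate that was added locally (the other common way to read HTTPS traffic). The following is an added example of mine, not code from the notes or from either vendor, that lists both. It assumes an elevated Windows PowerShell 5.1 or later session; it needs no agent names.

```powershell
# Added example, not from the notes or any vendor.
# 1. Trusted roots that Microsoft's root program did not deliver.
#    AuthRoot holds the third-party roots Windows distributes; anything in
#    Root that is not also in AuthRoot was added locally (policy, installer,
#    or an admin). Microsoft's own roots also live only in Root, so they are
#    excluded by subject; everything left is a candidate for TLS interception.
$authRoot = Get-ChildItem Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint

$localRoots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store |
        Where-Object { $authRoot -notcontains $_.Thumbprint -and
                       $_.Subject -notmatch 'Microsoft' } |
        Select-Object @{n='Store';e={$store}}, Subject, NotBefore, Thumbprint
}
Write-Host "Locally added trusted roots:"
$localRoots | Format-Table -AutoSize

# 2. Browser extensions the user cannot remove. Chrome and Edge honour an
#    ExtensionInstallForcelist policy; each value is "<extension id>;<update url>".
$forceKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $forceKeys) {
    if (Test-Path $key) {
        Write-Host "`nForced extensions under $key"
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |   # value names are 1, 2, 3...
            ForEach-Object { '  {0}' -f $_.Value }
    }
}
```

An empty roots list and no force-list keys means neither interception mechanism is set up on the machine; a root with a company or vendor name in its subject, or an extension id you did not install, is the thing to ask about. The extension ids can be looked up in the browser's own extensions page to see what the entry actually is.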
Code42
Code42 offers a backup product and also a surveillance product called Incydr. I believe my laptop has only the backup product, but presumably some computers in other companies are running Incydr. (Someone must be buying it.)
Incydr is clearly designed to protect the company from its own employees. It seems to be mostly file-based: creation, modification, deletion, movement of files, as well as copying to removable media or transferring to email or the cloud.
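Since "what's running on it" is the question the whole page is about, and the Code42 paragraph above is itself a guess, here is an added example (my own, not code from the notes or from any of the vendors) that inventories the services, kernel drivers, running processes and installed products whose names match the agents discussed here, with their binary paths. It assumes an elevated Windows PowerShell 5.1 or later session (without elevation, Get-Process cannot read the path of protected agent processes). The name pattern is an assumption: CrashPlan is the name under which Code42's backup product ships, and the rest are the vendor names from these notes.

```powershell
# Added example, not from the notes or any vendor.
# Assumption: names that identify the agents; extend for whatever else appears.
$pattern = 'Sentinel|Arctic|Forti|Code42|CrashPlan|Incydr'

Write-Host "== Services and kernel drivers =="
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or
                   $_.PathName -match $pattern }
$drv = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or
                   $_.PathName -match $pattern }
# @() keeps this working when either query returns a single object or nothing.
@($svc) + @($drv) |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

Write-Host "== Running processes =="
Get-Process |
    Where-Object { $_.ProcessName -match $pattern -or $_.Path -match $pattern } |
    Select-Object Id, ProcessName, Path,
                  @{n='WorkingSetMB';e={[math]::Round($_.WorkingSet64 / 1MB)}} |
    Format-Table -AutoSize

Write-Host "== Installed products (uninstall registry) =="
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Format-Table -AutoSize
```

The driver list is the part worth reading closely: a kernel driver is what gives an agent the file, registry and process visibility listed in the SentinelOne section, and a product that installs only a user-mode service (as a plain backup client would) cannot see as much. Comparing the installed-products section against the vendors named here also settles whether a second component such as Incydr is present rather than presumed absent.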