Recent posts

#11
Security / Re: Need help with ideas on ho...
Last post by deanwebb - March 11, 2024, 03:49:26 PM
As Otanx mentioned, an outage for the VPN vendor is the same as a VPN failure: you'll reconnect from the home IP during the outage and then go back to the VPN when it is back online.

And if you have it set to only allow traffic via the VPN and not have a local fallback, you'll still have the anomalous ping latency regardless of the choice of router VPN.
#12
Security / Re: Need help with ideas on ho...
Last post by vpnsoicanwork - March 11, 2024, 10:02:15 AM
I ended up really interested in this subject, regardless of my work situation. I was SURE a VPN at router level would do the trick 100%, since all traffic goes through that tunnel.

In any case, a friend suggested I use a pfSense hardware firewall and use a VPN service with IPSec, and he says that with that setup the chances of this thing working well are much higher than using a simple router with SSL VPN.

Does that make sense?
#13
Security / Re: Need help with ideas on ho...
Last post by Otanx - March 11, 2024, 09:13:03 AM
There are a few ways even a small company can identify someone using a VPN to hide their location. One specifically is looking at latency between your device and the server. Say someone is complaining that the server is slow. The server team of course blames the network. The network guys start looking, and see that all the remote users are showing 1 or 2 ms of latency. Except you. Yours is 15 ms. Now they need to figure out why so they can tell the server teams it isn't the network. That was without even trying to find you. If, as you mention in your post, HR asks IT to look, then they can focus on you, and it's done.

Also, you need to be 100% sure of your config for the IPSec tunnel. What happens if the tunnel goes down for some reason? Does your traffic fail over to a local exit? Then it becomes trivial to see it. You show up from a local IP, then in seconds you have traveled to a different IP in a city hundreds of miles away. My wife had this happen. Her IT noticed she was logged in at home, and then 2 minutes later logged in from LA, which is a 4 hour drive away. They flagged her account for suspicious activity almost immediately. It was nothing malicious; we just had an outage of our local ISP, and we failed over to a backup ISP that is from LA.

-Otanx
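The two detection signals Otanx describes above, a remote user whose round-trip time stands out from everyone else's and an "impossible travel" jump between source IPs within minutes, are the kind of thing a SOC would script over VPN concentrator session logs. The following is an added example written for this thread, not code from any poster or vendor; the log format, field names and session records are constructed for illustration, and the thresholds (5x the median RTT, 150 km/h ground speed) are assumptions a real deployment would tune.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of a VPN concentrator session log (not real data).
# Fields: timestamp, user, source IP, geolocation of that IP, and client RTT.
# dave's 15 ms RTT and erin's two-minute hop between cities are the
# anomalies the thread describes; everything else is ordinary.
SAMPLE_LOG = """\
2024-03-11T08:00:00Z user=alice src=203.0.113.10 city=Austin lat=30.27 lon=-97.74 rtt_ms=2
2024-03-11T08:00:05Z user=bob src=203.0.113.22 city=Austin lat=30.27 lon=-97.74 rtt_ms=1
2024-03-11T08:00:09Z user=carol src=198.51.100.7 city=Dallas lat=32.78 lon=-96.80 rtt_ms=2
2024-03-11T08:00:12Z user=dave src=192.0.2.44 city=Austin lat=30.27 lon=-97.74 rtt_ms=15
2024-03-11T08:30:00Z user=erin src=198.51.100.90 city=SanDiego lat=32.72 lon=-117.16 rtt_ms=2
2024-03-11T08:32:00Z user=erin src=203.0.113.200 city=LosAngeles lat=34.05 lon=-118.24 rtt_ms=3
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec["lat"] = float(rec["lat"])
        rec["lon"] = float(rec["lon"])
        rec["rtt_ms"] = float(rec["rtt_ms"])
        records.append(rec)
    return records


def rtt_outliers(records, factor=5.0, floor_ms=5.0):
    """Users whose RTT stands out from the population median.

    A user on a normal home link sits a few ms from the concentrator; a
    tunnel that first exits through a commercial VPN point of presence and
    then reaches the corporate concentrator adds tens of ms. Flag RTTs above
    both factor * median and median + floor_ms so that a 1 ms vs 2 ms
    difference is never reported. Thresholds are assumed values.
    """
    med = median(r["rtt_ms"] for r in records)
    threshold = max(med * factor, med + floor_ms)
    return {r["user"] for r in records if r["rtt_ms"] > threshold}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a spherical Earth."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(records, max_kmh=150.0):
    """Consecutive sessions of one user from different source IPs whose
    implied ground speed exceeds max_kmh. A tunnel failover to a local ISP
    looks exactly like this: same user, new IP, minutes apart, far away."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    hits = []
    for user, sessions in by_user.items():
        sessions.sort(key=lambda r: r["time"])
        for prev, cur in zip(sessions, sessions[1:]):
            if prev["src"] == cur["src"]:
                continue
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            # Zero elapsed time over a real distance is an infinite speed.
            speed = km / hours if hours > 0 else math.inf
            if km > 0 and speed > max_kmh:
                hits.append({"user": user, "from": prev["src"], "to": cur["src"],
                             "km": round(km, 1), "minutes": round(hours * 60, 1),
                             "kmh": round(speed)})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("RTT outliers:", rtt_outliers(recs))
    for hit in impossible_travel(recs):
        print("impossible travel:", hit)
```

Run against the constructed log it reports dave as the RTT outlier (15 ms against a 2 ms median) and erin's San Diego to Los Angeles hop, roughly 180 km in two minutes, as impossible travel. Note that the impossible-travel check keys on source IP and geolocation only; it does not need any VPN-range list, which is why a tunnel that silently fails over is caught even when the VPN exit itself is not recognised.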
#14
Security / Re: Need help with ideas on ho...
Last post by deanwebb - March 08, 2024, 05:14:46 PM
Straight technical answer: If your router VPN terminates in another location, it will have the IP of that remote location as the source IP for all traffic emerging from the VPN.

If they're looking for that, you'll be found out in an instant. If they're not looking for that, well, you may have longer than an instant.  :smug:
#15
Security / Re: Need help with ideas on ho...
Last post by vpnsoicanwork - March 08, 2024, 10:06:59 AM
Thanks for the info! I don't want to get anyone in trouble for helping me with this; also, this is a MUCH simpler scenario than you would imagine. It is a small firm (private sector), so I am sure they don't subscribe to any services which would be able to track me, and I have citizenship in both the country they want me to be in and the country I am currently in.

I will actually be moving back to that country soon(ish), and that is why I would prefer to bypass the bureaucracy and keep this job. I am paying taxes in full in both countries, so it is not even about money for me; it is just about a ridiculous situation in which the person making the decisions on the HR side is too uptight to let go :)

Without going too deep into anything, if you don't mind answering just this one question:

- Is using a VPN at the router level effective at all to make them think I am in another country (since I will connect to their VPN)? Or is it just childish to think this will work?

I don't mind losing my job if it does not work, but it has to be at least worth the try. It will be uncomfortable for me to say "oops, you got me" if they can very easily tell I am not there, like right away on the first day of connection, hahaha.
#16
Security / Re: Need help with ideas on ho...
Last post by deanwebb - March 08, 2024, 08:57:42 AM
Here's the thing... a good number of us are in roles where we have to be in the USA and can't be accessing systems from outside the USA. We can get into trouble or even lose our jobs if we attempt that access and we can lose our jobs if we advocate or even observe discussion of methods of evasion for a role in the Federal Civilian/Defense sphere, including contractor roles.

If your boss says it's OK but HR has an issue, then it's not overall OK within your organization. If we recommend a solution and then the IT department gets a tool that is able to go around that solution, then you don't just have the issue of working in the wrong location, but also are now deceiving the employer deliberately.

On top of that, there are numerous scams where persons claim to be citizens of and living in a certain country during the interview process and then the workload is handed off to a person that lives somewhere else, but the original person acts as the face for the foreign worker. The "face" can have multiple identities and work in 2-3 roles in this manner. Lots of felony fraud counts in that set-up. Not saying that you yourself are party to such a scam, but if we provide a solution to you then we also provide a solution for scammers. The use cases are quite similar.

VPN detection technology is becoming more sophisticated because streaming services want to maintain their licensing for content by limiting it by region. What worked fine in 2023 may not work at all in 2024, we need to keep that development in mind.

The termination point for the VPN, in the nation one desires to appear to be present in, is going to be in a block of IPs that is either known as a pool of VPN termination addresses or can be learned. Those IPs would show up as the source IP for your AnyConnect traffic, as that's where return traffic has to be routed back to in order to keep the communications going.

A person willing to engage in deeper levels of fraud could create a system of confederates and falsified documents to permit a build-out at a residence to act as a privately-managed VPN termination point, but that itself is risky on multiple levels. The VPN itself may not be properly maintained and thus subject to compromise. Each fraud entered into to create the ruse is itself vulnerable to penetration via other information sources that reveal activity or transactions proving one was not where one said one was. Do not underestimate the quality or quantity of corporate information-gathering to find deceptive employees.

My firm partners with security vendors that do that very thing. The vendor has multiple sources that are correlated to build a profile on each employee and then maintains continuous updates. Should your name come up at all in the country you're actually living in, the game's over. And should you live under an assumed identity in the other country, then that's one more layer of fraud in the picture. But that's an example of a detection made possible that doesn't even look for a VPN connection. We could potentially solve for the network issue, but your firm likely subscribes to a service such as I've described that would prove false your claim without having to rely on the IT angle for proof.

The easier solution is to have your boss get a waiver from HR. If that works out, great, no deception needed. Best case would have been if you got that clearance prior to moving to the other country. As it stands now, you are currently in a place where you should not be to do the job that you are doing. I don't know how going the legitimate business process route works out for you, but I see it as the only way to do this properly. That, or move back to the country where HR expects you to work from.
#17
Security / Need help with ideas on how to...
Last post by vpnsoicanwork - March 07, 2024, 03:28:02 PM
Hey guys, long story short, nothing illegal here, but there is a bureaucratic issue with my current employment. I have moved to a place HR dislikes, and I am planning on setting up a VPN so they will think I am where they want. My boss is OK with me being anywhere, so I want to give this a go.

I have to connect to my work's VPN using Cisco AnyConnect, so I cannot have a second VPN app on my PC. So I got myself a router with an OpenVPN client so I can have my VPN at the router level. I have tried this setup and it works, as opposed to having two VPN clients installed; that one was a no go.

The thing is, I think eventually HR may ask the IT department for a network scan of some sort to find out if I really am where I say I am, so I am researching dedicated IPs on my VPN. But as far as I can tell, those IPs also come from the same range they use for dynamic IPs, and the range itself can be used to identify that I am using a VPN.

My networking knowledge is limited, so I need help figuring out what is the best approach I can take here. What I need is:

- My employer needs to think i am in a specific country;
- I need to make it as difficult as possible for them to find out i am using a VPN for that;

That is pretty much it. I would REALLY appreciate all the help I can get with this matter. Again, nothing illegal, and my boss actually knows I will be doing this; he is just not getting involved, and HR may or may not care enough to try and find out if I am really there...

Thanks!
#18
Security / Re: American Express included ...
Last post by deanwebb - March 07, 2024, 08:29:32 AM
Any time those breach announcements come out, we need to have HOW that breach happened.
#19
Security / American Express included in t...
Last post by icecream-guy - March 06, 2024, 12:07:25 PM
Data breach exposes American Express credit cards

American Express is warning card members of a third-party data breach. Several other companies that use the hacked merchant processor could also be affected. Exposed American Express Card member data includes account numbers, names, and expiration dates. If exploited, cybercriminals can use this information to commit identity theft.
#20
Security / Re: Providing internet access ...
Last post by deanwebb - March 06, 2024, 09:39:26 AM
Secure file transfer: that's where you have a system where USB drives are created and tagged with the secure file transfer system, then they are checked in at a kiosk prior to installation on the endpoint. If the endpoint has an interactive OS, the kiosk can be a service running locally that blocks untagged USBs or tagged USBs whose contents don't match the file manifest. For headless devices, a hardware kiosk would serve that function at the entry point to the secured area.