I'm hoping someone can ease my mind here and tell me if I'm being a paranoid weirdo, or if this is legitimately strange.
My wife works from home with a company issued laptop. She's a teacher and she's on Zoom with students for hours a day. We've never had any issues with our network over the last three years that she's been a virtual teacher.
There's a new tech support guy at her company who's issued new rules. She had a "tech check up" with him yesterday in which he said he's going to need:
Pictures of our cable modem and routers including serial numbers and MAC addresses.
Pictures of any hardware between the cable modem and routers, including serial numbers and MAC addresses.
Pictures of any hardware between router and company issued laptop, including serial numbers and MAC addresses. This is to include any other personal computers that may be on the same segment of the network.
Is this just good, preemptive tech support and I'm overthinking it?
My first thought was that I am not sending him the info on my own, personally owned cable modem, routers and hardware firewall, so he's getting photos of the old Spectrum equipment they dropped off that's been sitting in the closet for a decade, and we'll just tell him it's a VLAN all to itself(which it is). But after sleeping on it I thought that maybe I'm overreacting.
@BE that's certainly excessive with no obvious benefits
@BE That is total over-reach. It is too bad that you don’t have an old dial-up modem, because that is what I would send them and let them figure out what the hell you are using. I understand the reasoning behind it - they want to protect their network, but if they do then provide either a subsidy or equipment that they ‘endorse’. If the current equipment that you have meets the requirements, then politely tell them to ‘piss off’. 😄
@BE The setup meets requirements and that is what they need. It sounds like they are trying to use your situation to gather information about what equipment they should spec for an ideal setup. That’s fine to gather that, but be upfront about it and they should stop being the IT assholes. Unless they want to explain WHY they need the information, they don’t get it. It sounds like IT bully behaviour to me. If you have the required speed, then any issues are with their laptop.
@BE That's a big can of nope. There's no way I'd give that info to them.
@BE I don't think that kind of information is necessary, especially information about other machines on the LAN that are not under management. I could see them asking for the subnet assignment for the local LAN to make sure it doesn't conflict with the issued laptops VPN connection or something but, serial numbers of your personal equipment? No way. The issued laptop needs an Internet connection, that's the only requirement and assumption remote IT support should be making in my book.
@BE I WFH on company-issued equipment, and there's no way they'd receive the serials of anything I owned or rented on my own. (and it's never been necessary, even when needing support on my Rube-Goldbergian setup).
@BE I work for a law firm with stringent security and don't have to provide that kind of info.
@BE As a former sysadmin, I have a vague idea why he wants to know the devices and MAC addresses. I am unsure why he needs ALL the mac addresses - ask. I doubt he needs the serial numbers - definitely ask why.
MAC addresses can be used for identification and access control as in: if a new computer connects from your home, he will be able to tell by the MAC address. He might also want to check if your devices have known security issues / are very old. But serial numbers and other PCs... weird.
@BE @wildrikku The only thing he'd need would be IP address. The rest can be confirmed via logs.
I can hear every DFIR person I've ever met screaming just from proximity to this.
@BE Absolutely no need to provide any of that information. I worked from home with company issued equipment for a major defense contractor and I never had to provide any of this information, nor would I have provided it if asked. As a former IT specialist, I would have asked them why they thought they needed it, then explained how they can manage all of their concerns with decent login credentials, etc.
@BE No. That information would only be needed if the tech support person is now taking on supporting your hardware (routers, modems, etc) that you have at your home. There should be zero need to provide MAC addresses. In fact, I would consider that a breech of security. Spoofing MAC addresses is a thing. Telling a 3rd party your hardware MAC addresses is a risk that that information could be lost in a data breech. Their tech support is asking to take on a whole bunch of liability. I would consult professionals in your area and consider how that data would be secured by the tech support folks at the school system. If you have to do provide that info, get a whole separate set of hardware for your house that is only used for working hours. IMHO.
@BE For what it's worth, I've been working remotely since the pandemic started, and our IT department has never asked for this. They don't need it.
@BE I wouldn’t provide very much detail at all, frankly.
@BE I'd tell him where he can file his request.
@BE hi. we're an information privacy expert.
we've heard of companies asking for this before but it is very much a power trip on their part and we strongly suggest not indulging it. it's only going to lead to additional controlling behavior later if indulged.
@BE OOF. I've just retooted this into the infosec.exchange instance, so you might see a few more folks chiming in.
100% no. There is absolutely no need, unless they're planning on paying for an upgrade of equipment - and even then, they should only need model numbers, not serials and MACs. I cannot imagine that their security logging is tracking that information and they're filtering based on that, especially if there is a VPN in use.
The idea that this person also wants serials and MACs of other personal devices - there is something dodgy going on here and it's raising serious red flags. This is a HUGE overreach. I would definitely be pushing back and taking it higher - chances are, some folks have already provided what he's asked for.
@BE As a penetration tester, this is information I'd be going after upon breaking into your network. There's literally malware written to do this.
Refuse cold. Report this to HR. Report to his superiors. And tell him that an actual hacker said he's not hiding the black hat well.
He's a threat actor.
@BE AND.
Rereading his excuse?
That information is EXACTLY what I'd want if I was going to harass students and make it look like it came from someone else.
And it'd make things like quietly turning on your personal webcams, microphones, etc easy if I wanted to listen in and see if I could get any blackmail information.
@catbailey@infosec.exchange @BE@qoto.org Tell him a career defender agrees with the hacker. This is smelly garbage.
I could see, maybe, giving the MAC address of the hardware between the computer and the internet, but there's no way in hell he needs photos or serial numbers. Tell him to fuck off.
@julie @BE Oh I can get the MAC once I'm into the router, easy enough. Don't even need to ask.
BUT if I wasn't going near their network and wanted to make it look like something DID come from their network (and therefore not mine)? Oh totally need that, and asking for it with a flimsyass excuse means there wouldn't be any hint of a record of my accessing their hardware to get the info I wanted to paste into the metadata of something fishy.
@catbailey@infosec.exchange @BE@qoto.org Assuming it's a company computer and there's any sort of security agent on it (AV, EDR, some sort of log collector) he should already know the MAC address of everything between the machine and the internet.
I keep going back to him wanting the information "in case a student complains" -- like seriously if it's outside school routes IT'S A POLICE MATTER AND HE STAYS OUT OF IT. He is not Internet Rambo, he is not Cyber James Bond. (I should know, I know both.) He's an idiot who was hoping no one would know what he was doing because they're not tech-savvy.
Which means he sucks at recon, too.
@catbailey@infosec.exchange "If a student complains" about what? Getting a virus from a Zoom call?
@julie Going through replies, it's not made clear -- that's the only reason the kid would give and refused to answer otherwise.
Which makes me think he's going to harass students and frame whoever pissed him off that week.
@catbailey@infosec.exchange Honestly, it sounds more like a power trip than anything else to me. Could he be planning on harassing students? Sure. Not sure someone asking so loudly for this kind of information would have the skills to effectively impersonate/frame someone, though.
But now I want to know: Is he requesting this same info from students? If so ... what the fuck even more.
@julie Oh BLOODY hang on a tick
@catbailey@infosec.exchange School IT staff are THE WORST.
I'll just ... leave this here ... https://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School_District
@catbailey@infosec.exchange @BE@qoto.org Oh, I missed the part where he wants the info about other devices on your network. I've never, ever needed to know this bullshit and I've been a security professional for 13 years.
Seriously, tell him "no."
"No" is a complete sentence.
@BE @girlgerms you’ve already gotten good answers. Which is: NOPE
The one thing I’ll add: was this “the IT guy said verbally” or “the IT guy shared a real, approved policy”?
If the former, start by asking for the latter. If the latter? Uh, I’d start researching local labor laws. And possibly prospective employers.
@TindrasGrove @BE @girlgerms And his criminal record because if he doesn't have one now he's about to.
@catbailey @BE @girlgerms oooof I did not consider that (probably tells you something about privilege)
@TindrasGrove @BE @girlgerms I'm straight up thinking like a bad guy -- that's literally my job. If a test target gave me what he's demanding there wouldn't need to be a test, the door is wide open and the silverware packed for carrying.
@catbailey @BE @girlgerms im currently in a world of aggregate statistics, which is a bit different mindset.
Not just no, but GTFO.
If they aren't paying for the equipment, they don't get to know about the equipment.
If they push at all, my answer would be: Company provides a separate Internet drop dedicated for her to use exclusively for company business. They pay for install, modem, wiring, etc.
Which they should be doing anyway if they want to control it, instead of leaching off your drop.
@BE I imagine that you've got your answer now, but I'll agree with those who said you should report this behavior to the IT guy's supervisor.
@BE At most, I would provide a logical map of what your network looks like if there is a problem that might be network related. Pictures and serial numbers? Nope, unless it is their equipment.
@BE I know I've already said quite a bit on the topic, but reading through and seeing his reasoning and excuse for asking for this information brought up something else.
If a student complains about a teacher, the contact complained about was either through school VPN or not. If so, he doesn't need the other info.
If not, that's something to be handed over to law enforcement. They have forensics people. They will handle it. (And if they need what he's demanding it generally involves a search warrant.) It's not in his scope and not in his domain, metaphorically or literally. He is not a cop, he has as much right to know even what your household equipment IS much less the details of it as I have to know the exact details of the contents of your wallet and the back of your wife's sock drawer.
I'm thinking about his excuse -- why would he preemptively be thinking about "a student complaining"? Why would he have any reason to think that anything but work equipment might be involved?
Which leads me to wondering how many students he intends to harass and who he intends to pin it on. If it was just the equipment stuff I'd be thinking running warez servers on your stuff (I'm old), but that *specific* one?
@BE See my more recent replies -- they DO NOT need it AT ALL.
@BE Wait.
Is he requesting the same information from students as well?
Does any of this go across state lines?
Because if the answer to either is "yes" quite honestly I'd be tempted to see if I knew a friendly FBI person to do a sanity check with. Absolutely serious.
@BE I've been techsup -- and in fact when the school district went to virtual in the early days of the pandemic and couldn't get things together I did literally exactly that for not just my kids but everyone in their classes because I was sick of them losing learning time.
Note that I didn't even need to know the OS most of the time, or who the people were, or IP addresses.
If he's asking for all that info, he's either less competent than my 12yo, unable to do basic research, and therefore unqualified OR he's planning something with the information.
@BE I’m so curious. My husband has a work issued computer that can’t do so much because of the limits out on it but with his security key they don’t need to know anything about our cables and such.