I have explained for years to everyone I work with that you really shouldn’t mix your personal devices, or even your personal accounts to a certain extent, with your employer. I think for the most part people do have some understanding that this is true, but whether or not they take it seriously is another matter.
On or around 2026-03-11 an Iranian hacker group known as Handala Hack attacked American company Stryker.
Past midnight on Wednesday, outages struck Stryker, as its devices were wiped clean and the company login page was reportedly defaced with the logo of Tehran-linked cyber persona Handala.
Source: https://cybermagazine.com/news/iran-war-cyber-front-stryker-cyber-attack
Most notably, Microsoft Intune, the company’s own device-management tool, was reportedly the mechanism used to wipe the devices. Well that’s too bad I suppose for Stryker. More importantly, let’s focus on the employees whose personal devices undoubtedly got caught up in this mess.
Mobile Device Management
Mobile Device Management, also just known as MDM, is how your employer enrols, inventories and controls devices, typically the ones it owns: it can enforce a PIN and encryption, push configuration and apps, and remotely lock or wipe the device. The remote wipe is how they keep a compromised device from being used as a stepping stone into the company. That’s all fine and well for the employer to protect themselves, but you don’t have to let them onto your personal device. In fact I recommend you don’t.
Trust is a two way street and there is none here
The employer has already shown they don’t trust you by making MDM enrollment the price of getting work access on your phone. Again, I understand from the employer’s perspective that this is a proactive defense. Got it. Well I don’t want that crap on my phone. The reason I don’t want it on my phone is the very real possibility that they:
- Could be spying on me.
- Can review the contents of my device.
- Control what I can and cannot do with my personal device.
- Then the most damaging is, they can decide at any time they will just wipe my device.
- Or the latest example, a hacker compromises the management portal, then wipes my device.
Some enrollment modes (an Android work profile, iOS User Enrollment) are designed to confine a remote wipe to the work container, but you have to take the employer’s word that the enrollment they handed you is actually one of those, and the rest of the list still applies. Therefore, let’s drop the act and agree that we cannot trust each other 👍.
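As an added check, not part of the original post: if an employer’s MDM is already on an Android phone and you want to know whether it can wipe the whole device or only a work container, the device-policy service’s dump tells you which kind of owner is registered. The script below is my addition; it assumes a phone with USB debugging enabled and adb installed, keys on the “Device Owner:” and “Profile Owner (User N):” headings that dump prints, and the sample dumps embedded in it are constructed, not captured from a real phone.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: work out what kind of management
# is on an Android phone from `adb shell dumpsys device_policy`.
# The markers keyed on ("Device Owner:", "Profile Owner (User N):") are the
# headings the device-policy service prints in its dump; confirm against your
# own phone's output. The sample dumps below are constructed.

classify_android_mdm() {
  # $1: text of `adb shell dumpsys device_policy`
  dump="$1"
  if printf '%s\n' "$dump" | grep -q '^ *Device Owner:'; then
    # A device owner manages the whole phone: a remote wipe is a factory reset.
    echo fully-managed
  elif printf '%s\n' "$dump" | grep -Eq '^ *Profile Owner \(User [1-9][0-9]*\):'; then
    # A profile owner on a secondary user is a work profile: a wipe removes
    # the work container, not the personal side of the phone.
    echo work-profile
  elif printf '%s\n' "$dump" | grep -Eq '^ *Profile Owner \(User 0\):'; then
    # A profile owner on the primary user manages your personal user directly.
    # Unusual; read the admin app's permissions before trusting any wipe boundary.
    echo managed-primary-user
  else
    echo unmanaged
  fi
}

# Package name of whatever is managing the device, for the human reading this.
mdm_package() {
  printf '%s\n' "$1" | sed -n 's/.*package=\([A-Za-z0-9_.]*\).*/\1/p' | head -n 1
}

# --- constructed samples (not real dumps) ---
FULLY_MANAGED='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
    name=
    package=com.example.mdm
'
WORK_PROFILE='Current Device Policy Manager state:
  Profile Owner (User 10):
    admin=ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
    name=Work profile
    package=com.example.mdm
'
UNMANAGED='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
'
```

On a real phone run `classify_android_mdm "$(adb shell dumpsys device_policy)"`. “fully-managed” means a device owner is registered and a remote wipe takes the whole phone; “work-profile” means the wipe is scoped to the work container, which is the separation the enrollment modes above promise. iOS has no command-line equivalent; open Settings, General, VPN & Device Management and read what the installed profile is allowed to do.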
Mobile devices
- My recommendation to everyone is never install an employer’s MDM on your phone.
- They don’t trust you. Therefore, you return the favor in kind and you don’t trust them.
Instead, I strongly recommend you use a SEPARATE device. You use the separate device as your burner. Then you don’t even have to bother reading the giant page of warnings about how they will trample your privacy and your phone if they feel like it.
- If you have an old phone or tablet, use that.
- If your employer offers company owned phones, then explore that option.
- If your employer won’t give you a company owned phone, then buy a crappy burner phone if you are able to.
Worst phone I have ever owned
On 2023-08-15 I purchased the Samsung Galaxy A14 to be my work burner phone. This is by far one of the worst pieces of crap I have ever used. I couldn’t believe how badly it functions for a new phone. I paid a whopping $149.78 for this phone. I never put a SIM card in it; it just uses Wi-Fi. It’s slowwwww. But you know what, I use it with Microsoft Teams and Outlook, that’s it. It’s a miserable experience, but I don’t use my phone for mobility often enough for it to matter. I take it to the kitchen with me so I can listen to meetings while I am eating. Nothing more.
I will aim a little higher next time, but the point is I have zero worries about this phone getting nuked. Do whatever you want employer, I don’t care, this is my burner.
Company’s laptop
This is where you have to just accept reality. The company’s laptop is NOT YOUR PERSONAL DEVICE. It does NOT belong to you. You are very much BORROWING IT to get work done for your job. Therefore, you should not under any circumstances use it for personal things. Please use your personal device for personal things.
You have to get right with the following truths:
- This is not your device.
- Your employer is absolutely watching you. I guarantee it.
- Your employer can watch your desktop at any given moment and there is nothing you can do about that, see point 1.
- Your employer can access any of your work data at any time, because it’s not your personal data, it is the company’s intellectual property. You cannot argue about this especially since you more than likely signed a contract stating as much when you started employment. This is fair so don’t be unreasonable.
- Never produce personal works on an employer-owned device. You are at extremely high risk of losing the rights to those works to your employer, see points 1 and 4.
- Your employer can at a moment’s notice lock you out of your assigned device for any reason. If your device is deemed a cyber threat due to compromise, they have to isolate the node immediately. Don’t take it personally.
- Your employer can at a moment’s notice lock you out of their VPN for the exact same reason.
- Depending on how your device is set up, it may only be able to reach the VPN and basic internet, and it won’t accept inbound connections from other machines on your home network either. This is by design. It stops you from, for example, connecting to your work device via RDP from a separate non-work device.
- I strongly advise you never under any circumstances plug a storage device into your work computer. Removable-media events are logged and your company’s security team is alerted to them without you ever seeing a warning. Don’t make yourself out to be a threat. This includes but is not limited to:
- Plugging your phone in to charge it. Don’t do this; a phone enumerates as a media/storage device when plugged into a computer. Charge it from a wall adapter instead.
- Plugging in a USB drive. This is absolutely a storage device.
- Circumvention of these rules is grounds for termination, do not fuck around. They take this seriously and any incident can land you in front of HR. Follow the rules.
- I strongly advise you never access any personal accounts on your work device such as email if you can avoid it. This gets difficult for some of us such as software developers who have specific websites they use to help get their work done.
Defending yourself against your employer
Just like the employer doesn’t trust you, you should very much not trust your employer in the cyber security space. Your employer is as much a cyber security threat as anything or anyone else. They are NOT special and they are NOT your friend. Going back to the Iranian hacker attack example on Stryker for a moment: if employees had the company’s MDM installed on their personal devices, they got pwned right along with the company. Their personal data could have been stolen and then, just to add insult to injury, their personal devices were wiped. Had they kept their employer out of their personal cyberspace this wouldn’t have happened.
Account access
Where possible, separate your work and personal accounts. As I stated previously this is hard to do depending on your profession. Therefore, it is very much a grey area, so use your best judgement.
- Stack Overflow – I have been using Stack Overflow for years. I built a reputation there, and I have always had a personal account tied to it. Starting a work-only account is something I didn’t want to do because I would have to rebuild my reputation. Reputation gives you benefits on the site, it’s not just a flashy badge.
- GitHub – even though GitHub claims you can use your personal GitHub account for your employer, I have opted out of doing this because I don’t trust GitHub or my employer. I created a separate account. When I leave my employer, I will just forget about that account. I will create a separate account for my new employer. Stay out of my personal life.
- Some developers use this as a way to bolster their GitHub activity.
- I do not care about this and I also think what those developers are doing is disingenuous. It’s also easy to see right through since those repositories will be private.
- Email – absolutely not. There is nothing to say here, no excuses. The only exception is when you have to sign in to your email provider because it is the identity you use for SSO. That does not mean you open up your inbox. DO NOT do that.
- One of my biggest regrets is using Gmail SSO because it put me in this position I am describing.
- I much prefer individual burner accounts now.
This was not meant to be an exhaustive list, just an example of what I deal with. If I need to do something personal, it happens on my personal phone that does not have MDM on it.
By keeping your two worlds separate, you have drawn a hard trust boundary between them: a compromise on one side has nothing to reach on the other. No one can get hurt.
Working at home and company network access
This is a separate type of distrust I have experienced and I have fought back hard with companies I worked for while working remotely. Once again, they don’t trust you, but now they are on your personal home network. This makes them a cyber security threat to you because you are plugging them in behind your firewall. That’s dangerous. I will talk about this in two different contexts:
- Context 1: Connecting to a VPN on your personal device in order to RDP into a company machine (or even virtual machine).
- Context 2: Connecting a physical company device to your personal network.
Context 1
So you need to RDP into your work machine to do something. You can connect to the company VPN on your personal machine, but you really shouldn’t for a few reasons:
- This can set off your company’s security alarms for a plethora of reasons. They can view you as a threat and now you have a misunderstanding on your hands that you didn’t need. They can also cut your access.
- I had my access cut once because my company told me that I had network connections from China and other countries showing up. They claimed I was compromised and overreacted as they do.
- Turns out they were detecting Steam trying to perform game update downloads in the background. From that point forward I had to always shut off Steam when accessing the VPN.
- I had other seemingly innocuous programs running on my system that would trip their alarm bells.
- They now have a foothold on your personal device. With a full-tunnel VPN, every connection your machine makes goes through the company network and whatever inspection sits there, and the VPN client itself may run posture checks that inventory what is installed. You sure you want to do that? You invited them into your personal device by connecting to the employer-owned network. Additionally, more often than not there is a somewhat useless legal blurb you have to agree to before accessing company computers remotely. This can be seen as a legally binding agreement and if something goes sideways, you might find yourself sitting in front of HR.
- In other words, are you sure you want your company snooping around on your personal device?
- If you value your privacy, I recommend you keep them out of your personal device.
My recommendation for this, and this will piss off your employer in some cases, is you create a virtual machine. Only access the VPN from that virtual machine. This effectively has now put your employer inside of a jar that they are not allowed to escape. It is none of their goddamned business what is outside of the virtual machine. I know this upsets them because I had an employer ask me if I was using a VM, then when I told them I was, they said it was a violation of their rules. I then told them to correct this problem they should send me a desktop computer with three monitors, then they shut up. Supposedly, they claimed that I could be siphoning data away with my virtual machine which I know is entirely possible, but I wasn’t interested in getting fired. Either way it is something that really pisses them off, but again they have zero rights in my home. Again – they don’t trust you, so you should not trust them.
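Before you connect a personal machine (or the VM you put the VPN in) to an employer’s VPN, it is worth knowing whether it is a full tunnel or a split tunnel, because that decides how much of your traffic they get to see; a full tunnel is the most likely way something like the Steam background downloads above ended up in a company’s alerts. The script below is an added example, not part of the original post; it reads Linux `ip route` output and the routing tables embedded in it are constructed, not captured from a real host.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: classify a VPN as full tunnel
# (every packet the machine sends goes to the employer) or split tunnel (only
# their prefixes do) from the routing table. Linux `ip route` format.

vpn_tunnel_mode() {
  # $1: output of `ip route`; $2: the VPN interface, e.g. tun0 or wg0
  routes="$1"; vpn_if="$2"
  via_vpn="dev $vpn_if( |\$)"
  if printf '%s\n' "$routes" | grep -Eq "^default .*$via_vpn"; then
    echo full    # the default route itself points into the tunnel
  elif printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*$via_vpn" \
    && printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*$via_vpn"; then
    echo full    # OpenVPN "redirect-gateway def1": two halves that cover everything
  elif printf '%s\n' "$routes" | grep -Eq "$via_vpn"; then
    echo split   # only specific prefixes are sent through the tunnel
  else
    echo none
  fi
}

# The prefixes the employer receives: everything routed into the VPN interface.
vpn_prefixes() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == ifc) { print $1; break } }'
}

# --- constructed routing tables (not captured from a real host) ---
FULL_TUNNEL='default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'

DEF1_TUNNEL='default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'

SPLIT_TUNNEL='default via 192.168.1.1 dev eth0
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

NO_VPN='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
```

On a live Linux box run `vpn_tunnel_mode "$(ip route)" tun0` after connecting; on Windows the same information is in `route print` or `Get-NetRoute`, where a 0.0.0.0/0 entry on the VPN adapter means full tunnel. Whichever it is, the VM approach only holds if the jar is actually sealed: turn off shared folders, clipboard sharing and drag-and-drop between host and guest, otherwise the employer’s agent inside the VM has a path to what is outside it.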
Context 2
I would much rather not have to deal with Context 1 ever again if I can. It was very frustrating to deal with an entitled cyber security employee trying to dictate to me how my personal network will be handled or what I was allowed to run on my personal machine such as Steam while threatening my employment.
In this context your employer has issued you a company device such as a laptop. That laptop like I have already established is a company owned device, it does not belong to you. You brought it into your home, so it is behind the firewall. It can be used as a Trojan horse at this point because they didn’t even have to perform a backdoor hack; you have let them in through the front door.
I strongly recommend, to protect yourself from your employer’s device, that you take advantage of network segmentation, meaning VLANs or Virtual LANs. I can’t explain to you how to do that here because that’s a separate subject entirely, but it helps if you have proper small-business networking equipment. Effectively what you are doing is putting your employer’s device on its own VLAN with a firewall rule set that lets it reach the internet and nothing else on your network (DHCP and DNS from the router aside). That’s it.
This is the same “stick them in a jar” strategy as in Context 1. I don’t trust this machine, just like the employer doesn’t trust me.
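To make the jar concrete, here is an added example (my configuration, not anything from the original post, which deliberately leaves the how-to out): an nftables ruleset for a Linux-based router that forwards the work VLAN to the internet only and drops everything between it and the personal LAN in both directions. It assumes VLAN 20 already exists on the router as interface `br0.20`, that the personal LAN is `br0` and the upstream is `eth0`; those names are assumptions you override at the top.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: nftables ruleset for a Linux
# router that puts the employer's laptop on its own VLAN and lets it reach the
# internet and nothing else. Interface names are assumptions; override them in
# the environment to match your router.
WAN_IF="${WAN_IF:-eth0}"        # upstream / internet
LAN_IF="${LAN_IF:-br0}"         # your personal LAN
WORK_IF="${WORK_IF:-br0.20}"    # VLAN 20, the jar the work laptop sits in

work_vlan_ruleset() {
  cat <<EOF
# create-then-flush so re-applying replaces the rules instead of appending
table inet work_jar
flush table inet work_jar
table inet work_jar {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # work VLAN -> internet: allowed
    iifname "$WORK_IF" oifname "$WAN_IF" accept
    # work VLAN <-> personal LAN: never, in either direction
    iifname "$WORK_IF" oifname "$LAN_IF" drop
    iifname "$LAN_IF" oifname "$WORK_IF" drop
    # your own LAN keeps its normal internet access
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    meta l4proto icmpv6 accept
    # the router's own DHCP client on the upstream side
    iifname "$WAN_IF" udp sport 67 dport 68 accept
    # the router offers the work VLAN only DHCP and DNS; no admin UI, no SSH
    iifname "$WORK_IF" udp dport { 53, 67 } accept
    iifname "$WORK_IF" tcp dport 53 accept
    iifname "$LAN_IF" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Apply as root; the ruleset is loaded atomically by nft.
apply_work_vlan_ruleset() {
  work_vlan_ruleset | nft -f -
}

# Dry run: print what would be loaded.
work_vlan_ruleset
```

Check it the way you would check any firewall rule: from the work VLAN, ping and a port scan toward the personal LAN should get nothing back, and from the personal LAN the work laptop should be unreachable. The input chain matters as much as the forward chain; without it the router itself becomes the bridge between the two networks.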
Conclusion
I wrote this for all the people who told me I was crazy or paranoid. You can eat it 🖕because I told you so.
