Why YSK: It appears several Lemmy Instances are flagged as suspicious and at least 1 instance intentionally using the name of ransomware. A couple of the big enterprise monitoring suites (Fortiguard, ZScaler) will flag your account and may end up with you being pulled into an office for an explanation, or worse.
TL;DR: Keep browsing to your local instance at work for now.
How could you see it was connected to a known tor IP? Would you not just see the IP of the VPN server and not the final destination?
And VPN servers are often flagged for all kinds of shit because some use them for tor or spam.
I think he meant the VPN target was a known tor IP as well
Yeah, it doesn’t read very clear. I’m assuming they meant that the destination IP was for the VPN server and that some deep packet analysis determined that the encapsulated traffic was TOR-bound. Or it was a wild assumption that they were using TOR and they use it synonymously with VPN.
Either one of these events (unauthorized VPN or TOR connections) would be reason enough to look more into the employee’s IT resource usage.
You’ve got it. I have an NDR I mirror packets to and it picked up the connection. I think the guy hit a Tor IP before connecting with NordVPN, but I do remember seeing the connection to Tor that sparked the alert, followed by the traffic to Nord. Either one of those things would have triggered an investigation into the user.
Forwarded that to my security team and washed my hands of it. Wish I knew why users pull stuff like that on company resources. If they just did it at home, I wouldn’t care!
Yeah that kinda sounds like FUD to me as well. He wouldn’t see anything BUT the VPN.