TechWire

US C++ developer caught outsourcing his work to China

In 2012, the Verizon security team received a call from a US company specializing in mission-critical infrastructure services, saying that they were seeing traces of abnormal VPN activity. The company promoted telecommuting over a typical office environment for its workforce, so it had a VPN solution that let its developers work from home on some days. It had set up a VPN concentrator sometime in 2010, and its IT department started actively monitoring the usage logs from May 2012. They were surprised to see an active, live VPN connection to their facility from Shenyang, China!

 

They were highly unnerved, as they were one of the US’s mission-critical infrastructure providers and were probably under threat of a VPN attack initiated from China.

The security mechanism used was a fairly standard two-factor method: the user’s credentials, then a rotating RSA token generated by a handheld token generator.

Surprisingly, at the same time, the user whose credentials were used to log in was seen in the office, working at his desk and staring at the monitor just as usual. Before coming to Verizon, the company’s security specialists were convinced that some malware was routing traffic to China through their proxy by some strange means; they wanted Verizon to catch the malware.

The Verizon security team started digging into the issue and found that this strange connection was not new. It had been active on working days for the past 6 months, the period for which VPN logs were available. Surprisingly, it was active for the full span of office hours on almost all of those days. When the investigation team found that the connection was initiated with the user’s credentials, they started studying the employee as well.
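The signal in this case, a remote VPN session running while the same account's owner is physically in the office, can be checked by correlating VPN logs with on-site presence records. The sketch below is an added example, not part of the original article or of Verizon's investigation; the record layouts, function names and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data. Assumed layout: user, GeoIP country, start, end.
VPN_SESSIONS = [
    ("bob",   "CN", "2012-05-07 09:02", "2012-05-07 17:05"),
    ("alice", "US", "2012-05-07 08:30", "2012-05-07 12:00"),
    ("bob",   "CN", "2012-05-08 09:01", "2012-05-08 17:03"),
    ("carol", "US", "2012-05-08 19:00", "2012-05-08 21:00"),
]
# Constructed on-site presence (badge in/out or desk logon/logoff).
ONSITE_INTERVALS = [
    ("bob",   "2012-05-07 08:55", "2012-05-07 17:10"),
    ("bob",   "2012-05-08 08:50", "2012-05-08 17:00"),
    ("alice", "2012-05-07 13:00", "2012-05-07 17:30"),
    ("carol", "2012-05-08 09:00", "2012-05-08 17:00"),
]

def ts(value):
    return datetime.strptime(value, FMT)

def concurrent_sessions(vpn_sessions, onsite_intervals):
    """Return VPN sessions that overlap the same user's on-site presence."""
    presence = defaultdict(list)
    for user, t_in, t_out in onsite_intervals:
        presence[user].append((ts(t_in), ts(t_out)))
    findings = []
    for user, country, start, end in vpn_sessions:
        v_start, v_end = ts(start), ts(end)
        for p_in, p_out in presence[user]:
            # Length of the intersection of the two intervals; <= 0 means none.
            overlap = min(v_end, p_out) - max(v_start, p_in)
            minutes = int(overlap.total_seconds() // 60)
            if minutes > 0:
                findings.append((user, country, start, minutes))
    return findings

def recurring_users(findings, min_days=2):
    """Users with overlapping sessions on at least min_days distinct days."""
    days = defaultdict(set)
    for user, _country, start, _minutes in findings:
        days[user].add(ts(start).date())
    return sorted(u for u, d in days.items() if len(d) >= min_days)

if __name__ == "__main__":
    hits = concurrent_sessions(VPN_SESSIONS, ONSITE_INTERVALS)
    for hit in hits:
        print(hit)
    print("recurring:", recurring_users(hits))
```

A user who works from home in the morning and badges in after lunch does not trigger the check, because the VPN session and the on-site interval never intersect.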

He was a software developer in his mid-40s, experienced with C, C++, Perl, Java etc., who had been there for a while. He was a quiet family man who did not attract much notice, but was a good asset to the company. The Verizon security team called him “Bob” in their case study.

As a basic forensic measure, Verizon wanted to check whether there was malicious software activity on Bob’s PC. So they obtained an image of the hard disks and recovered many files from free disk space that might have been freed when those files were deleted. Hoping to see accidentally downloaded malware that could have caused this, they were astonished to find hundreds of deleted invoice PDF files from a third-party contractor in Shenyang, China.

It was revealed that Bob had outsourced his work to a Chinese outsourcing firm and got his work done for just 20% of his paycheck. No wonder there is an ever-increasing trend to outsource! To get past the authentication, Bob had FedExed his RSA token generator to China so that the Chinese developer working on his behalf could use it along with his credentials to log in to the VPN each workday.

So what was Bob doing all day instead of his job? Investigators later found his web browsing history, which explains that. He would surf Reddit for a few hours, then watch cat videos until lunch. After lunch he would browse eBay, Facebook and LinkedIn, and at the end of the 8-hour day he would send an end-of-day email to management before leaving the office.

Bob was smart enough to do the same across a few other companies as well, earning a few hundred thousand dollars while spending only $50,000 per annum on the Chinese developers. It was a well-run outsourcing business!

This is the coolest part of the story:

Bob was identified as the best developer in the building; his code was well written, clean and always on time! Bob had received continuous positive remarks for excellence at work several years in a row.

Some say outsourcing can reduce efficiency, long-term maintainability, blah blah… but Bob showed that it’s not the case with his case study! We don’t know what really happened after the incident.

Was he convicted of breaching the company NDA policy? Or was he promoted to an outsourced development account manager role, with the development work outsourced to the same Chinese subcontractor? Then you had better find the name of the company and buy their shares! ’Cos they are going to turn a profit this year with a fivefold cost reduction!

What was the highest risk that you’ve taken in your workplace?

If you dare to open up, use our comments section to tell us your views.

About author

LEE

Architect. Believes that how the software is built is as important as the software itself.

3 Comments

  • If I were Bob’s manager, I would certainly promote him as the outsourcing manager and outsource a bunch of development work to China!

    Those who know the lack of predictability and consistent performance of outsource development teams and the pain in managing them will certainly appreciate Bob’s skills. Bravo!!!

  • It’s an eye opener for the corporate world; with the global trend of outsourcing at a lower cost, can they really trust employees?

    We might be able to see strict NDAs and periodic reviews of user actions on company resources in the future.

    This could go worse and security people might even monitor your desktop one day!
