You may have heard the story about the computer programmer who outsourced his work duties and sat in is office watching cat videos all day. “Bob” was an “inoffensive and quiet” programmer in his mid-40′s, with “a relatively long tenure with the company” and “someone you wouldn’t look at twice in an elevator.”
His company noticed some “anomalous activity” in their VPN logs and called in a consultant. Unfortunately for Bob, his company was a U.S. critical infrastructure company. That anomalous activity was traced back to a connection in China. Red flags were raised and security alarms went off in people’s minds. The company thought it was being hacked, spied on, or infected with spyware from an unknown force in China, putting US infrastructure at risk.
Two things caused the investigators to scratch their heads: (1) The company had a two-factor authentication for these VPN connection. That means you needed a rotating token RSA key fob for network access. (2) The developer whose credentials were being used was sitting at his desk in the office. As a result, the VPN logs showed him logged in from China, yet the employee was sitting at his desk. Even worse, the VPN connection to China was shown to go back many months, before the company was even monitoring the VPN.
Fearing that Bob’s computer was infected with a trojan horse or other malware, the investigators cloned Bob’s desktop and searched its contents. Instead of nasty computer viruses, they found hundreds of .pdf invoices from a third party contractor in China.
It turned out that this was Bob’s typical day:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – Ebay time.
2:00 – ish p.m Facebook updates – LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home
Bob had physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials. The contractor worked for a fifth of the cost of his salary. Bob pocketed the difference, surfed the internet, and managed his contractor.
- Case Study: Pro-active Log Review Might Be A Good Idea by Andrew Valentine in Verizon Risk Team’s Security Blog
- ‘Bob’ outsources tech job to China; watches cat videos at work by Jaikumar Vijayan in Computer World