Verizon's Risk Team (VRT) has published a blog post on a mind-boggling security adventure (it's the only term that really fits) detailing just how poorly some IT workers -- including those working for "critical infrastructure" companies -- understand what "security" actually means. The saga began when a US-based company contacted the VRT, asking for help in tracing a puzzling VPN connection. The company had conducted an audit of its own VPN and found a sustained, regular connection being maintained from Shenyang, China.
That's bad. Worse, the company had deployed a two-factor authentication system that used physical RSA keyfobs. Someone was logging in to their system despite this precaution. The developer whose account had been compromised, meanwhile, was in the office at his computer. The company's first thought was that the developer's computer had somehow been compromised by malware that had routed traffic to China and back. This type of stealthy man-in-the-middle interception can work -- witness the Red October malware system we detailed just days ago -- but that system is unprecedented in scope and capability.
Further research indicated that the connection wasn't new. It appeared in the entire six months of logs that the company retained. So was this a massive security breach by a heretofore-unknown trojan?
Nope. We'll let the VRT tell you in their own words.
As it turns out, Bob (not his real name) had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem; he physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials during the workday. It would appear that he was working an average 9 to 5 workday. Investigators checked his web browsing history, and that told the whole story.
A typical ‘work day’ for Bob looked like this:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – eBay time.
2:00-ish p.m. – Facebook updates, LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home
Not only had Bob perpetrated this scam with multiple companies in the area, he'd gotten model performance reviews while doing so, with repeated compliments for his clean, neat code. He was, in fact, rated the best developer in the building. He maintained the scam by simply paying the Shenyang company out of his own pocket.
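Note what actually caught Bob: not the token, which he had mailed away, but a review of VPN logs showing a full-workday session from an unexpected country on an account whose owner was sitting in the office. The script below is an added example of that kind of audit; it is not Verizon's method or the company's tooling, and the VPN log, the badge-reader log, the expected-country set and the thresholds are all constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample VPN session log (not from the article): user, source country, start, end
VPN_LOG = """user,src_country,start,end
bob,CN,2012-11-05 09:02,2012-11-05 17:04
bob,CN,2012-11-06 09:00,2012-11-06 16:58
bob,CN,2012-11-07 09:05,2012-11-07 17:01
alice,US,2012-11-05 08:30,2012-11-05 12:10
alice,US,2012-11-06 08:45,2012-11-06 17:30
carol,DE,2012-11-06 10:00,2012-11-06 10:20
"""

# Constructed badge-reader log: which days each user physically entered the office
BADGE_LOG = """user,day
bob,2012-11-05
bob,2012-11-06
bob,2012-11-07
alice,2012-11-05
"""

EXPECTED_COUNTRIES = {"US"}  # assumption: where this company's staff normally connect from
MIN_DAYS = 3                 # a repeated pattern, not a one-off business trip
MIN_HOURS = 6.0              # a full-workday session, not a quick check-in

def load(text):
    return list(csv.DictReader(StringIO(text)))

def find_outsourced_accounts(vpn_text, badge_text, expected=EXPECTED_COUNTRIES,
                             min_days=MIN_DAYS, min_hours=MIN_HOURS):
    """Return {user: sorted days} for accounts with repeated full-day VPN sessions
    from an unexpected country on days the same user also badged into the office."""
    badged = defaultdict(set)
    for row in load(badge_text):
        badged[row["user"]].add(row["day"])
    suspicious_days = defaultdict(set)
    for row in load(vpn_text):
        if row["src_country"] in expected:
            continue
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M")
        end = datetime.strptime(row["end"], "%Y-%m-%d %H:%M")
        hours = (end - start).total_seconds() / 3600
        day = row["start"][:10]
        # A remote session and physical presence on the same day: one of them is not the user.
        if hours >= min_hours and day in badged[row["user"]]:
            suspicious_days[row["user"]].add(day)
    return {u: sorted(d) for u, d in suspicious_days.items() if len(d) >= min_days}

if __name__ == "__main__":
    for user, days in find_outsourced_accounts(VPN_LOG, BADGE_LOG).items():
        print(f"{user}: full-day foreign VPN session while badged in on {len(days)} days: {days}")
```

Run against the constructed data it flags only bob; alice connects from an expected country and carol's short session from Germany with no badge record looks like ordinary travel rather than a sustained pattern.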
The ironic thing is that under different circumstances, Bob might've gotten himself a nice raise and promotion. Competent coders are an asset and any company wanting to work in international markets would be interested in local developers that are more familiar with native customs and designs. Given that Bob worked for a company that's apparently critical to US infrastructure, his decision to use a Chinese firm isn't just lazy -- it's profoundly stupid.