Man Outsources His Own Critical Security Job To China; Pays Out-Of-Pocket

News Posted: Wed, Jan 16 2013 12:53 PM
Verizon's RISK Team has published a blog post on a mind-boggling security adventure (it's the only term that really fits) detailing just how poorly some IT workers -- including those working for "critical infrastructure" companies -- understand what that term is supposed to mean. The saga began when a US-based company contacted the VRT for help in tracing a puzzling VPN connection. The company had audited its own VPN logs and found a sustained, regular connection being maintained from Shenyang, China.

That's bad. Worse, the company had deployed two-factor authentication using physical RSA key fobs, and someone was logging in to its network despite that precaution. The developer whose account was being used, meanwhile, was in the office at his computer. The company's first thought was that the developer's machine had been compromised by malware that was relaying traffic to China and back. This kind of stealthy relaying can work -- witness the Red October malware we detailed just days ago -- but that system is unprecedented in scope and capability.

Further research indicated that the connection wasn't new. It appeared throughout the entire six months of logs the company retained. So was this a massive security breach by a heretofore-unknown trojan?

Nope. We'll let the VRT tell you in their own words.
As it turns out, Bob (not his real name) had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem: he physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.

A typical ‘work day’ for Bob looked like this:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch.
1:00 p.m. – eBay time.
2:00-ish p.m. – Facebook updates, LinkedIn.
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home.
Not only had Bob perpetrated this scam with multiple companies in the area, he'd gotten model performance reviews while doing so, with repeated compliments for his clean, neat code. He was, in fact, rated the best developer in the building. He maintained the scam by simply paying the Shenyang company out of his own pocket.

(Image caption: "This would actually be smarter")

The ironic thing is that under different circumstances, Bob might have gotten himself a nice raise and a promotion. Competent coders are an asset, and any company wanting to work in international markets would be interested in local developers who are more familiar with native customs and designs. The security lesson, though, is blunter than the irony: two-factor authentication only protects an account if the second factor stays with the person it was issued to, and a hardware token that gets mailed to a third party is no better than a shared password. Given that Bob worked for a company that's apparently critical to US infrastructure, his decision to hand his credentials to an overseas firm isn't just lazy -- it's profoundly stupid.
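The VPN audit described in the post boils down to two checks a defender can script rather than stumble on: does any account hold a long, regular VPN session from outside the home country, and does that session overlap evidence that the same person is physically in the office (a badge-in or a console logon)? The Python below is an added example, not code from the Verizon RISK Team post or from this thread. The VPN and badge/console log formats, the user names, "US" as the home country and the two-hour badge-in slack are all assumptions, and the log lines are constructed for the demonstration.

```python
"""Cross-check VPN sessions against physical presence records.

Added example, not from the Verizon RISK Team post or this thread. The
VPN and badge/console log formats below are assumed, the records are
constructed, and "US" as the home country is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "US"               # assumption: where the office and staff are
BADGE_SLACK = timedelta(hours=2)  # assumption: a badge-in shortly before the
                                  # VPN session starts still counts as "in office"

# Constructed VPN concentrator records: start, user, source IP, GeoIP country, end
VPN_LOG = """\
2013-01-07T08:58:00 user=bob src=203.0.113.7 country=CN end=2013-01-07T17:03:00
2013-01-07T12:10:00 user=alice src=198.51.100.9 country=US end=2013-01-07T12:40:00
2013-01-08T09:01:00 user=bob src=203.0.113.7 country=CN end=2013-01-08T17:05:00
2013-01-08T19:30:00 user=carol src=192.0.2.44 country=GB end=2013-01-08T21:00:00
2013-01-09T08:59:00 user=bob src=203.0.113.7 country=CN end=2013-01-09T16:58:00
"""

# Constructed badge-reader and workstation console-logon records
OFFICE_LOG = """\
2013-01-07T08:47:00 badge-in user=bob door=HQ-front
2013-01-07T09:05:00 console-logon user=alice host=WS-ALICE
2013-01-08T08:52:00 badge-in user=bob door=HQ-front
2013-01-09T08:50:00 badge-in user=bob door=HQ-front
2013-01-09T10:00:00 badge-in user=carol door=HQ-front
"""


def parse_record(line):
    """Turn 'TIMESTAMP [event] k=v k=v ...' into a dict; 'ts' is a datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
        else:
            rec["event"] = field  # bare token such as 'badge-in'
    return rec


def parse_vpn(text):
    """Parse VPN records and convert the session end to a datetime."""
    sessions = []
    for line in text.splitlines():
        rec = parse_record(line)
        rec["end"] = datetime.fromisoformat(rec["end"])
        sessions.append(rec)
    return sessions


def parse_office(text):
    """Parse badge / console records (one event per line)."""
    return [parse_record(line) for line in text.splitlines()]


def foreign_sessions_while_in_office(vpn, office, home=HOME_COUNTRY):
    """Return (user, country, office_ts) for every VPN session from outside
    `home` that overlaps a badge-in or console logon by the same user."""
    presence = defaultdict(list)
    for rec in office:
        presence[rec["user"]].append(rec["ts"])
    hits = []
    for s in vpn:
        if s["country"] == home:
            continue
        for seen in presence.get(s["user"], []):
            # in-office evidence inside the session window (with slack before start)
            if s["ts"] - BADGE_SLACK <= seen <= s["end"]:
                hits.append((s["user"], s["country"], seen))
    return hits


def sustained_foreign_sessions(vpn, home=HOME_COUNTRY, min_days=3, min_hours=6):
    """Return (user, country, day_count) for accounts that hold long sessions
    from outside `home` on at least `min_days` distinct days: the "regular,
    sustained" pattern the audit in the post turned up."""
    days = defaultdict(set)
    for s in vpn:
        if s["country"] != home and s["end"] - s["ts"] >= timedelta(hours=min_hours):
            days[(s["user"], s["country"])].add(s["ts"].date())
    return sorted((u, c, len(d)) for (u, c), d in days.items() if len(d) >= min_days)


if __name__ == "__main__":
    vpn, office = parse_vpn(VPN_LOG), parse_office(OFFICE_LOG)
    for user, country, seen in foreign_sessions_while_in_office(vpn, office):
        print(f"{user}: VPN session from {country} while badged in at {seen}")
    for user, country, n in sustained_foreign_sessions(vpn):
        print(f"{user}: long sessions from {country} on {n} separate days")
```

On a real deployment the session start/stop records come from the VPN gateway's syslog and the country from a GeoIP lookup on the source address; the point of joining them to badge or console data is that once the second factor has been mailed away, the authentication logs look entirely legitimate and the VPN source location against physical presence is the only place the contradiction shows up.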
RWilliams replied on Wed, Jan 16 2013 2:52 PM

LOL @ the picture.

I can't believe he got away with it for any length of time. I admit I've jokingly thought of that prospect in the past; I can't imagine someone actually went through with it.

MCaddick replied on Wed, Jan 16 2013 3:35 PM

Kudos to 'Bob' :)

Provided the work gets done this kind of thing really shouldn't be an issue other than a potential security risk. Why should only big faceless corporations be allowed to outsource jobs?

CDeeter replied on Wed, Jan 16 2013 4:53 PM

Bob you da man! lol

acarzt replied on Wed, Jan 16 2013 7:46 PM

lol this guy is a genius.

IT contracting companies do it all the time! They get more than double what the employee actually doing the work does!!

An IT contracting company will compete with other companies to place an employee. The company gets paid, say, $200,000/yr and they provide someone to fill a slot and pay that person $80,000/yr or less! While $80,000 is still pretty decent... it's nowhere near $200,000!

Not Ranked (Joined: Sep 2011) replied:
Seriously? Hey, it still took them at a minimum 6 months to find out. If they only keep logs for 6 months, he could have been doing it for a year, two years, who knows?

eunoia replied on Fri, Jan 18 2013 10:41 AM

.

...pending.

Dorkstar replied on Fri, Jan 18 2013 11:09 AM

acarzt:

lol this guy is a genius.

IT contracting companies do it all the time! They get more than double what the employee actually doing the work does!!

An IT contracting company will compete with other companies to place an employee. The company gets paid, say, $200,000/yr and they provide someone to fill a slot and pay that person $80,000/yr or less! While $80,000 is still pretty decent... it's nowhere near $200,000!

There was an FML (fmylife.com) a while back about a guy who applied for an IT job. When he went in for the interview they asked how much he expected his hourly wage to be, and he asked for $12. The interviewer exclaimed, "That's a whole lot cheaper than the last guy! We were paying him $120 an hour!"

Which brings me to my short stint in the IT world. I find that when it comes to IT work, 90% of people end up in $12-$20 an hour jobs that they usually hate. No one really wants to play tech support, or help desk, but that's just where the majority of the jobs seem to be. However, most people don't understand the value of someone in IT, nor do they understand the weight of their college education. While the starting pay can be great for someone fresh out of college or high school, there often aren't many places within IT that you can move up into, unless you switch companies. This level of confusion allows employees in IT to basically do as they please; people never understand what is going on. You can bust your ass and not be working hard enough, or you could be outsourcing your job and be the best employee in the world... until you get caught.

Now saying that, my friend's dad was the webmaster for match.com and brought in $135 an hour. A guy I play poker with is some sort of IT director/manager for AT&T and brings in over 100k a year. So I'm not saying it's not possible, I'm just saying that most people get their degree and settle into a field they have no passion for. Which of course seems to be the exact path this guy took.
