Outsourcing Your Own Job

Pretty funny, but damn, this takes balls, and a complete lack of conscience or regard for co-workers. A developer at a U.S. critical-infrastructure company was busted for outsourcing his entire job to China: he FedEx’d his RSA VPN token to a Chinese consulting firm, which then used it to log in as him every workday. While someone in Shenyang was writing his code, he sat at his desk and surfed all day. (Verizon’s investigators worked the case, which is why the write-up is on their security blog.)

You can read the story at Huffington Post. I have copied and pasted it below in the event the link dies. Below that is the actual case study from Verizon’s security blog (from which HuffPost, et al., gathered their material for their write-ups). Verizon wrote it up as an argument for pro-active log review: the employee was caught because the VPN logs showed his account connecting from China, which was initially taken to be the work of hackers.

Unfortunately, this fellow probably did a HUGE disservice to his fellow employees. He has alerted management, and now his former employer is probably thinking, “Wait! We could outsource this entire department.” Hell, they are probably already in negotiations with the Chinese firm. While at face level his idea may seem clever, as soon as you scratch the surface, you realize this guy deserves a Douchebag of the Year award.

Developer Outsourced Entire Job To China, Spent Hours Surfing The Web, Watching Cat Videos
The Huffington Post | By Meredith Bennett-Smith
Posted: 01/16/2013 4:31 pm EST | Updated: 01/16/2013 5:14 pm EST

A crafty developer reportedly figured out how to get paid to sit and watch cat videos for a good chunk of the day.

It’s a story almost too good to be true — and one which has an almost uncanny resemblance to this fake news story run by The Onion. But according to Verizon’s Security Blog, a U.S. developer actually did find a way to fool everyone at his company into thinking he was working, while in fact outsourcing his entire job to China.

Andrew Valentine wrote up the case study for Verizon, and the story apparently caused such a furor it temporarily crashed the Verizon servers.

Citing the study, the BBC notes the ingenious scam came to light after the employee’s company asked for an audit to investigate “anomalous activity on its virtual private network (VPN) logs” that pointed to an active VPN connection between Shenyang, China, and the employee’s workstation that appeared to be operational for months.

Valentine went so far as to profile the employee, who is not named in the report, and who was paying less than “one fifth of his six-figure salary” on the outsourcing:

Mid-40’s software developer versed in C, C++, perl, java, Ruby, php, python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator.
A check of the employee’s web browsing history revealed an average schedule. According to the case study, the worker’s day looked like this:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time.

2:00–ish p.m – Facebook updates – LinkedIn

4:30 p.m. – End of day update e-mail to management.

5:00 p.m. – Go home

According to The Register, the employee no longer works for the company that ordered the audit. (As Gizmodo’s Jamie Condliffe quipped, “Looks like he’ll be spending more time on LinkedIn from now on.”)

Help Net Security reached out to Nick Cavalancia, a vice president at SpectorSoft, to gather information on how companies may work to prevent similar schemes.

“We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers’ systems to off-shore firms seems dangerous at best,” Cavalancia said. “What many organizations fail to understand is that with proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident.”

Case Study: Pro-active Log Review Might Be A Good Idea

Andrew Valentine
January 14th, 2013
With the New Year having arrived, it’s difficult not to reflect back on last year’s caseload. While the large-scale data breaches make the headlines and are widely discussed among security professionals, often the small and unknown cases are the ones that are remembered as being the most interesting from the investigators point of view. Every now and again a case comes along that, albeit small, still involves some unique attack vector – some clever and creative way that an attacker victimized an organization. It’s the unique one-offs, the ones that are different that often become the most memorable and most talked about amongst the investigators.

Such a case came about in 2012. The scenario was as follows. We received a request from a US-based company asking for our help in understanding some anomalous activity that they were witnessing in their VPN logs. This organization had been slowly moving toward a more telecommuting-oriented workforce, and they had therefore started to allow their developers to work from home on certain days. In order to accomplish this, they’d set up a fairly standard VPN concentrator approximately two years prior to our receiving their call. In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review). So, they began scrutinizing daily VPN connections into their environment. What they found startled and surprised them: an open and active VPN connection from Shenyang, China! As in, this connection was LIVE when they discovered it.

Besides the obvious, this discovery greatly unnerved security personnel for three main reasons:

1. They’re a U.S. critical infrastructure company, and it was an unauthorized VPN connection from CHINA. The implications were severe and could not be overstated.

2. The company had implemented two-factor authentication for these VPN connections, the second factor being a rotating-token RSA key fob. If this security mechanism had been negotiated by an attacker, again, the implications were alarming.

3. The developer whose credentials were being used was sitting at his desk in the office.

Plainly stated, the VPN logs showed him logged in from China, yet the employee was right there, sitting at his desk, staring into his monitor. Shortly after making this discovery, they contacted our group for assistance. Based on what information they had obtained, the company initially suspected some kind of unknown malware that was able to route traffic from a trusted internal connection to China, and then back. This was the only way they could intellectually resolve the authentication issue. What other explanation could there be?

Our investigators spent the initial hours with the victim working to facilitate a thorough understanding of their network topology, segmentation, authentication, log collection and correlation and so on. One red flag that was immediately apparent to investigators was that this odd VPN connection from Shenyang was not new by any means. Unfortunately, available VPN logs only went back 6 months, but they showed almost daily connections from Shenyang, and occasionally these connections spanned the entire workday. In other words, not only were the intruders in the company’s environment on a frequent basis, but such had been the case for some time.

Central to the investigation was the employee himself, the person whose credentials had been used to initiate and maintain a VPN connection from China.

Employee profile – mid-40’s software developer versed in C, C++, perl, java, Ruby, php, python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator. For the sake of case study, let’s call him “Bob.”

The company’s IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob’s desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator. Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one.

As just a very basic investigative measure, once investigators acquired a forensic image of Bob’s desktop workstation, we worked to carve as many recoverable files out of unallocated disk space as possible. This would help to identify whether there had been malicious software on the system that may have been deleted. It would also serve to illustrate Bob’s work habits and potentially reveal anything he inadvertently downloaded onto his system. What we found surprised us – hundreds of .pdf invoices from a third party contractor/developer in (you guessed it) Shenyang, China.

As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem: he physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.

A typical ‘work day’ for Bob looked like this:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time.

2:00-ish p.m. – Facebook updates – LinkedIn

4:30 p.m. – End of day update e-mail to management.

5:00 p.m. – Go home

Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.

This entry was posted on Monday, January 14th, 2013 at 2:46 pm and is filed under Editorial.
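The case study above is really a detection story: a months-old pattern in the VPN logs went unnoticed until somebody finally read them, and the giveaway was not the foreign source address on its own but the fact that the same account was simultaneously logged on to a workstation in the office. The script below is an added example, not code from Verizon or from the case study, showing the three checks a reviewer would run over concentrator logs: unexpected source country, an on-site logon during the user’s own VPN session, and how many distinct days the pattern spans. The log formats, hostnames, usernames and the IP-to-country table are all constructed for illustration (the addresses are documentation ranges standing in for a real GeoIP lookup), and the one session with no disconnect record models the “LIVE” connection the company found.

```python
"""Proactive VPN log review: the checks that would have surfaced "Bob".

Added example, not code from the Verizon case study. Log formats, the
IP-to-country table and all hostnames/usernames are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a GeoIP database (documentation ranges, not real hosts).
GEO: Dict[str, str] = {
    "203.0.113.45": "CN",   # assumption: the address the contractor connects from
    "198.51.100.7": "US",   # assumption: a developer's home connection
}

# Constructed VPN concentrator events. Session 1003 has no disconnect record:
# it is still up when the review runs, the "LIVE" case in the write-up.
VPN_LOG = """\
2012-05-07T08:52:11Z vpn01 user=bob action=connect src=203.0.113.45 session=1001
2012-05-07T17:03:40Z vpn01 user=bob action=disconnect src=203.0.113.45 session=1001
2012-05-07T09:10:02Z vpn01 user=alice action=connect src=198.51.100.7 session=1002
2012-05-07T16:45:09Z vpn01 user=alice action=disconnect src=198.51.100.7 session=1002
2012-05-08T08:49:30Z vpn01 user=bob action=connect src=203.0.113.45 session=1003
"""

# Constructed on-site evidence: interactive logons on office workstations.
# Badge swipes or wired DHCP leases would serve the same purpose.
WORKSTATION_LOG = """\
2012-05-07T09:02:15Z ws-0412 user=bob event=logon
2012-05-08T08:58:51Z ws-0412 user=bob event=logon
2012-05-08T09:30:00Z ws-0199 user=alice event=logon
"""


@dataclass
class Session:
    user: str
    src: str
    start: datetime
    end: Optional[datetime]  # None: still connected at review time

    def covers(self, t: datetime) -> bool:
        """True if instant t falls inside this session (open-ended if still live)."""
        return self.start <= t and (self.end is None or t <= self.end)


def parse_line(line: str) -> dict:
    """Split '<iso-ts> <host> k=v k=v ...' into a dict; timestamps are UTC."""
    ts, host, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host}
    for tok in pairs:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def build_sessions(vpn_text: str) -> List[Session]:
    """Pair connect/disconnect events by session id; unpaired connects stay open."""
    open_by_id: Dict[str, Session] = {}
    closed: List[Session] = []
    for line in vpn_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["action"] == "connect":
            open_by_id[r["session"]] = Session(r["user"], r["src"], r["ts"], None)
        elif r["action"] == "disconnect":
            s = open_by_id.pop(r["session"], None)
            if s is not None:  # a disconnect whose connect predates retention is dropped
                s.end = r["ts"]
                closed.append(s)
    return sorted(closed + list(open_by_id.values()), key=lambda s: s.start)


def country_of(ip: str) -> str:
    return GEO.get(ip, "??")  # unknown addresses deserve a look as well


def review(vpn_text: str, workstation_text: str, allowed=frozenset({"US"})) -> dict:
    sessions = build_sessions(vpn_text)
    logons = [parse_line(ln) for ln in workstation_text.splitlines() if ln.strip()]

    # 1. Source country outside the expected set (the Shenyang finding).
    unexpected_geo = [s for s in sessions if country_of(s.src) not in allowed]

    # 2. The user logged on to an office workstation while "their" VPN session
    #    was up. One person cannot be in both places, so the second factor is
    #    in someone else's hands.
    onsite_while_remote: List[Tuple[Session, dict]] = [
        (s, lg) for s in sessions for lg in logons
        if lg["user"] == s.user and s.covers(lg["ts"])
    ]

    # 3. How long has it been going on? Distinct days per (user, country).
    days = defaultdict(set)
    for s in sessions:
        days[(s.user, country_of(s.src))].add(s.start.date())

    return {
        "sessions": sessions,
        "live": [s for s in sessions if s.end is None],
        "unexpected_geo": unexpected_geo,
        "onsite_while_remote": onsite_while_remote,
        "days_seen": {k: len(v) for k, v in days.items()},
    }


if __name__ == "__main__":
    report = review(VPN_LOG, WORKSTATION_LOG)
    for s in report["unexpected_geo"]:
        print(f"{s.user}: VPN from {country_of(s.src)} ({s.src}) since {s.start}")
    for s, lg in report["onsite_while_remote"]:
        print(f"{s.user}: on-site logon to {lg['host']} at {lg['ts']} during VPN session")
```

Two points from the case study carry over directly. First, the on-site check needs a second data source (workstation logons, badge data, DHCP); the VPN log alone could only ever say “foreign address”, which the company at first explained away as malware. Second, the investigators could only see six months back because that was all the concentrator retained, so the per-day counts in a review like this are bounded by retention, and a pattern older than the retention window is invisible.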

U.S. Dept of Homeland Security & Java

Wow. Java and Oracle really getting beat up lately. Java seems to be following the downward spiral of Adobe Flash (in terms of viability in being used for web apps/websites). First, Apple sticks a fork in them, and now the government. Homeland Security has recommended that users disable Java in their web browsers. Ouch. That hurts.

The full story at NBC News. I’ve copied and pasted it below in case the link dies.


US warns on Java software as security concerns escalate
By Jim Finkle

The U.S. Department of Homeland Security urged computer users to disable Oracle Corp’s Java software, amplifying security experts’ prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

“We are currently unaware of a practical solution to this problem,” the Department of Homeland Security’s Computer Emergency Readiness Team said in a posting on its website late on Thursday.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the agency said. “To defend against this and future Java vulnerabilities, disable Java in Web browsers.”

CERT’s instructions on how to do so can be found here, under “Solution.”

Oracle declined on Friday to comment on the warning.

Paul Wagenseil, senior editor for security at TechNewsDaily, writes that “it’s easier than ever before to disable Java in browsers. The latest version of the Java Control Panel for Windows has a checkbox under the Security tab labeled ‘Enable Java content in the browser.’ Uncheck that and all your browsers should be Java-free.”

If you are running an earlier version of Java 7 for Windows, “you’ll have to disable each browser individually.”

To make sure Java is really disabled, Wagenseil writes, users can visit this site to check.

“For versions of Java older than Java 7 (which you shouldn’t be running anyway), the de-Javafication process for Internet Explorer involves editing the Windows Registry,” he notes. “If you don’t know what that is, don’t do it. Instead, stop using Internet Explorer entirely.”

Wagenseil says that “Unless you use Java professionally — such as by developing Web or Android apps, updating a Website or using Adobe’s Creative Suite software package — you don’t really need it.”

What is Java?

Java is a computer language that enables programmers to write software utilizing just one set of code that will run on virtually any type of computer, including ones that use Microsoft’s Windows, Apple’s OS X and Linux, an operating system widely employed by corporations.

Computer users access Java programs through modules, or plug-ins, that run Java software on top of browsers such as Internet Explorer and Firefox.

The U.S. government’s warning on Java came after security experts warned on Thursday of the newly discovered flaw.

It is relatively rare for government agencies to advise computer users to completely disable software due to a security bug, particularly in the case of widely used programs such as Java. They typically recommend taking steps to mitigate the risk of attack while manufacturers prepare an update, or hold off on publicizing the problem until an update is prepared.

In September, the German government advised the public to temporarily stop using Microsoft’s Internet Explorer browser to give it time to patch a security vulnerability that opened it to attacks.

Prime target for hackers

Java is so widely used that the software has become a prime target for hackers. Last year Oracle’s Java surpassed Adobe’s Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.

It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.

They said developers of several popular tools, known as exploit kits, which criminal hackers use to attack PCs, have added software that allows hackers to exploit the newly discovered bug in Java to attack computers.

Similar scare last August

Security experts have been scrutinizing the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.

At the time they advised businesses to allow their workers to use Java browser plug-ins only when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems.

Java suffered another setback in October when Apple began removing old versions of the software from Internet browsers of Mac computers when its customers installed new versions of its OS X operating system. Apple did not provide a reason for the change and both companies declined to comment at the time.

Adam Gowdiak, a researcher with Polish security firm Security Explorations, told Reuters he believes that Oracle fails to properly test its software fixes for security flaws. “It’s definitely safer for users to stay away from Java ’til Oracle starts taking security seriously,” he said.

(Editing by Dan Grebler)

(c) Copyright Thomson Reuters 2013.
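The instructions quoted above are the per-user route: a checkbox in the Java Control Panel, or a per-browser setting on older releases. On a managed Windows fleet the same control is better pushed centrally so users cannot quietly turn the plug-in back on. The fragment below is an added example, not from the article, Wagenseil or Oracle’s documentation; it uses the Java 7 Update 10 and later deployment-configuration scheme (a system-wide deployment.config pointing at an enforced deployment.properties), and the file paths and the exact property names are assumptions to verify against the JRE version actually deployed.

```properties
# Added example: enforce "Java content in the browser: off" fleet-wide.
# File paths and property names are assumptions for the Java 7u10+ scheme.

# --- C:\Windows\Sun\Java\Deployment\deployment.config ---------------------
# Points every JRE on the machine at one system-level properties file.
# mandatory=true means the plug-in/Web Start refuse to run if the file is
# unreadable, rather than silently falling back to the user's own settings.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# --- C:\Windows\Sun\Java\Deployment\deployment.properties -----------------
# Weak (default) state: the browser plug-in is enabled and user-changeable.
#   deployment.webjava.enabled=true

# Hardened state: plug-in disabled, and the key locked so the Control Panel
# checkbox is greyed out for the user. A bare "<key>.locked" line locks a key.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Developers who still need the plug-in for a specific internal tool get the
# strictest security level instead, again locked against user changes.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

Note that this only governs the browser plug-in and Web Start; a developer’s JDK, Android tooling or Creative Suite, the cases Wagenseil lists as legitimate needs, keep working because they do not go through the plug-in. After rollout, the check the article suggests still applies: open the Java Control Panel as a standard user and confirm the setting is both off and not editable.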

NYT Magazine Web Article – “Snow Fall”

Check out Snow Fall, a New York Times Magazine online article. Great use of HTML5/CSS3/jQuery, and a nice, clean, simple design.

Make sure to interact with the photos. And there are several chapters to view (accessible via the top nav and at end of each story).

I love how they are translating the magazine app feel onto a website. We’re going to see a lot more of this. Much easier than apps – for both consumer and producer.

And better yet, here is the case study – a Q&A with the New York Times team themselves.