Programmer secretly outsourced his entire job to Chinese firm
Critical infrastucture company discovered open VPN...
By John E Dunn | Techworld | Published: 17:14, 16 January 2013
A US programmer working on critical infrastructure secretly outsourced most of his highly-paid and security-sensitive job to Chinese programmers while he surfed eBay, updated his Facebook profile and watched videos of cats, Verizon has reported.
The story sounds as incredible as it must have been serious – but read on because there is a final twist.
Called in by a concerned company worried about anomalies in its logs, Verizon originally suspected that the company’s network had been compromised by Chinese hackers after discovering access from a Shenyang-based company through an unauthorised VPN.
Related Articles on Techworld
Incredibly, after studying six-months’ worth of server logs, it turned out that the access appeared to happen daily and sometimes for an entire workday at a time.
The victim firm believed it had become the victim of a dastardly new malware attack able somehow to re-route traffic between countries via their network but the explanation turned out to be a mild-mannered family man and employee called - to spare his anonymity - “Bob”.
Highly proficient in C, C++, perl, java, Ruby, php, and python, what Bob had been up to became apparent as soon as investigators took a closer look at the hard drive of his workstation.
What they found were hundreds of PDF invoices from a Chinese developer for the programming work he was supposed to have been carrying out himself.
To allow the incredible outsourcing scam to work, Bob had even FedExed his RSA authentication token to the Chinese developers so they could log in through the VPN.
Then investigators looked at Bob's web browsing history to see what he’d been up to during his worktime;
“A typical ‘work day’ for Bob looked like this:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – eBay time.
2:00 – ish p.m Facebook updates – LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home.”
The Chinese firm had been paid $50,000 for their work, a small part of his annual salary.
The punchline? Bob was considered an excellent worker, praised for handing in his clean code on time. “Quarter after quarter, his performance review noted him as the best developer in the building," said Verizon.
Less amusing is that the company Bob was coding for worked on critical infrastructure (Verizon leaves the firm unnamed for obvious reasons).
"We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers' systems to off-shore firms seems dangerous at best," commented Nick Cavalancia of Internet monitoring firm, SpectorSoft.
"What many organisations fail to understand is that with effective, proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type activity can be thwarted before it becomes an incident," he said.
The full Verizon case study can be found at Verizon's website (note: has been innaccessible for periods).
Comments
Wm. Cerniuk said: Change Bob to Company X and all of the sudden it is ok and defensible in the name of capitalism Wonder how often companies themselves do this
rkp said: Genius Taking advantage of a great arbitrage opportunity Growing up in a corrupt part of India I was made aware of the job of illegitimate clerk IC IC was the private employee for a regular government employee usually someone with a clerical job The employee could sit around all day and do nothing but collect bribes in addition to his salary He would share part of the bribes with the IC who will do the actual work This has taken that paradigm to a whole new level