Security team fails to check logs, lets man goof off by outsourcing own job for years

A Naked Security reader with an eye for amusement amongst the doom-and-gloom that so often characterises security stories yesterday pointed out a little beauty.

It’s getting a fair bit of coverage, and it goes like this:

• IT checks the VPN logs after neglecting them for years.

• IT spots a connected session from China, right before their eyes.

• IT sees the login was done with the authentication token of an employee.

Hmm. Perhaps he’s on vacation? A business trip? Obviously he’s not around, so perhaps our geolocation data for the ISP he’s using is inaccurate. Perhaps he’s in Las Vegas? Everyone deserves a little outing to Vegas once in a while. (I made that bit up. The Vegas theory is nice, but it wasn’t in the original story.)

• IT notices the employee sitting calmly at his desk.

At this point the story descends into a conspiracy theories of a Man in The Middle (MiTM) attack or a Man in the Employee’s Own Web browser (MEOW) attack, but digging further reveals a really simple explanation.

The bloke has outsourced his own job!

He’s found someone in China who’ll do his work for him at 20% of his salary, so he’s taken a 20% paycut in return for a 100% cut in effort.

OK, so it’s outsourcing. No biggie.

Except he’s FedExed his two-factor authentication (2FA) token to his doppelgaenger in PRC. Which is a bit of a security worry, to say the least.

Apparently, there are some other details, too:

• His work has been officially rated by HR as best-on-ground for ages.

• He’s pulling the same scam with other companies at the same time.

• He spends his whole day in the office goofing off.

The story even gives a little “daily diary,” like this:

This story has been widely reported. People are repeating it as fact, sucking in breath, and extracting important security lessons from it.

Examples are: don’t give your 2FA token to a foreign national, don’t wait years before reviewing your security logs, and don’t trust code reviews to HR.

All good advice!

But there’s a $64,000 question it raises, namely, “Is the story true?”

And here’s the thing. I reckon it’s a New Year’s hoax.

The story just doesn’t seem to fit together as I’d expect.

  • Why would he come into work (he wasn’t turning up at the other companies he was rorting, after all) and risk drawing attention to discrepancies in his behaviour, such as being on Ebay when he was supposed to be checking in a clever new Python module?
  • How did his colleagues, who’d surely have taken note of his celebrity status, possibly with some jealousy, miss for years the fact that he never actually did the work he took credit for? Programmers are good judges of each others’ abilities and knowledge, as well as stern critics.
  • Why did he send his physical token overseas? He simply wouldn’t do that, because then he couldn’t log in himself if he needed to cover up anything in his giant scheme. It would be poor self-preservation to give his own access away. He’d keep the token and email them the code every morning, or aim a webcam at it.
  • Where in the schedule above did he have time to organise the work his doppelgaengers had done? Even if they were brilliant coders, it’s inconceivable that they could simulate all of his interactions, comments, emails, notes and general office chit-chat realistically.
  • How did such a slick and resourceful operator keep from going stir crazy spending hours with Reddit and LOLcats every day? He’d have been working on his own software product, calling VCs, closing sales, thus being an entrepreneur and a journeyman at the same time.
  • Why didn’t his IT department notice from the logs that he was present at work every day yet not at work? They’d never have missed that rather glaring detail for years and years.

Actually, the last point really could have happened.

Even if the story is just an anecdote, a hypothetical lesson, or even a sort of “reverse security test” of all of us to see if we’ll endorse a security story as true just because it has a sensible conclusion, I don’t rule out that the logs really might have gone unverified for years. That, sadly, does happen.

The problem with most logs is that the majority of the content is routine, humdrum, repetitive, predictable. And checking your logs usually doesn’t give you proactive protection. So they get ignored.

But logs always tell a story, and even if this one is made up, it’s educational anyway, so read and learn.

Two final comments from me.

  • I’m going out on a limb here and calling this one, “Plausible, but busted.”
  • If you’re not going to look at your logs, do yourself a favour. Don’t collect them in the first place.

What do you think? Myth or truth? Busted or confirmed? Leave us a comment below…

Image of loafing chap on cover page courtesy of Shutterstock.