Security team fails to check logs, lets man goof off by outsourcing own job for years

Filed Under: Featured, Security threats

A Naked Security reader with an eye for amusement amongst the doom-and-gloom that so often characterises security stories yesterday pointed out a little beauty.

It's getting a fair bit of coverage, and it goes like this:

• IT checks the VPN logs after neglecting them for years.

• IT spots a connected session from China, right before their eyes.

• IT sees the login was done with the authentication token of an employee.

Hmm. Perhaps he's on vacation? A business trip? Obviously he's not around, so perhaps our geolocation data for the ISP he's using is inaccurate. Perhaps he's in Las Vegas? Everyone deserves a little outing to Vegas once in a while. (I made that bit up. The Vegas theory is nice, but it wasn't in the original story.)

• IT notices the employee sitting calmly at his desk.

At this point the story descends into a conspiracy theories of a Man in The Middle (MiTM) attack or a Man in the Employee's Own Web browser (MEOW) attack, but digging further reveals a really simple explanation.

The bloke has outsourced his own job!

He's found someone in China who'll do his work for him at 20% of his salary, so he's taken a 20% paycut in return for a 100% cut in effort.

OK, so it's outsourcing. No biggie.

Except he's FedExed his two-factor authentication (2FA) token to his doppelgaenger in PRC. Which is a bit of a security worry, to say the least.

Apparently, there are some other details, too:

• His work has been officially rated by HR as best-on-ground for ages.

• He's pulling the same scam with other companies at the same time.

• He spends his whole day in the office goofing off.

The story even gives a little "daily diary," like this:

This story has been widely reported. People are repeating it as fact, sucking in breath, and extracting important security lessons from it.

Examples are: don't give your 2FA token to a foreign national, don't wait years before reviewing your security logs, and don't trust code reviews to HR.

All good advice!

But there's a $64,000 question it raises, namely, "Is the story true?"

And here's the thing. I reckon it's a New Year's hoax.

The story just doesn't seem to fit together as I'd expect.

  • Why would he come into work (he wasn't turning up at the other companies he was rorting, after all) and risk drawing attention to discrepancies in his behaviour, such as being on Ebay when he was supposed to be checking in a clever new Python module?
  • How did his colleagues, who'd surely have taken note of his celebrity status, possibly with some jealousy, miss for years the fact that he never actually did the work he took credit for? Programmers are good judges of each others' abilities and knowledge, as well as stern critics.
  • Why did he send his physical token overseas? He simply wouldn't do that, because then he couldn't log in himself if he needed to cover up anything in his giant scheme. It would be poor self-preservation to give his own access away. He'd keep the token and email them the code every morning, or aim a webcam at it.
  • Where in the schedule above did he have time to organise the work his doppelgaengers had done? Even if they were brilliant coders, it's inconceivable that they could simulate all of his interactions, comments, emails, notes and general office chit-chat realistically.
  • How did such a slick and resourceful operator keep from going stir crazy spending hours with Reddit and LOLcats every day? He'd have been working on his own software product, calling VCs, closing sales, thus being an entrepreneur and a journeyman at the same time.
  • Why didn't his IT department notice from the logs that he was present at work every day yet not at work? They'd never have missed that rather glaring detail for years and years.

Actually, the last point really could have happened.

Even if the story is just an anecdote, a hypothetical lesson, or even a sort of "reverse security test" of all of us to see if we'll endorse a security story as true just because it has a sensible conclusion, I don't rule out that the logs really might have gone unverified for years. That, sadly, does happen.

The problem with most logs is that the majority of the content is routine, humdrum, repetitive, predictable. And checking your logs usually doesn't give you proactive protection. So they get ignored.

But logs always tell a story, and even if this one is made up, it's educational anyway, so read and learn.

Two final comments from me.

  • I'm going out on a limb here and calling this one, "Plausible, but busted."
  • If you're not going to look at your logs, do yourself a favour. Don't collect them in the first place.

What do you think? Myth or truth? Busted or confirmed? Leave us a comment below...

Image of loafing chap on cover page courtesy of Shutterstock.

, , , ,

You might like

22 Responses to Security team fails to check logs, lets man goof off by outsourcing own job for years

  1. Stephen_Vardy · 960 days ago

    Had a look at my small business held in partnership with my wife. How could I pull that stunt right now? Two person online business - how could I outsource something without the 'business" knowing?

    If I could then there is a huge time saving to made. I am looking at every possibility just in case. Already had plans to outsource some of the more technical bookkeeping functions, have specific SAAS database functions etc already in use. Bought Apple and outsourced all the Windoze IT.

    So how to outsource self? All profitable businesses are saleable if you can outsource/nearsource the owners....

    But that would be outsourcing my ego too......
    Decided to outsource the wife instead.


  2. Lesley · 960 days ago

    seems crazy but even NPR has it -

  3. lafemmetechnita · 960 days ago

    I have to agree with "plausible, but busted" on this one. The amount of work and time it would take to keep someone up to date so they could produce relevant code every day takes it closer to busted, for me.

    A comment on your point about access, it's possible that he only needed the token for remote access, and not for access while he was actually in the office. If he never logged in remotely, then why would he need the token? Which begs the question, if he for some reason HAD to log in remotely, would he just call his minion in China to get the correct number?

    • Rsquared · 960 days ago

      If I didn't know someone who did this at my best friends company, I would agree with you, but this is entirely plausible, and in the case of my friend (minus the keyfob to china) is confirmed. Code and all. Except in this case, management was so embarrassed, the person was dismissed without anyone hearing why. Think it doesn't happen, I'd think again.

      • Paul Ducklin · 959 days ago're saying that you're aware of a genuine case that has some similarities to this one, and thus confirms it, despite being completely different in at least one critical detail?


    • Paul Ducklin · 959 days ago

      I guess he didn't need the token when he was in the office.

      But you simply wouldn't reverse the power balance by giving your alter ego the token, right? It's just asking for trouble.

      If you're going to go into work every day, you can cover for the outsourcer if ever he can't log in. But if he has the token, you can't cover for yourself if an emergency came up.

      He'll never get into trouble by not having the token. He's on the other side of the world, for a start. But you very well might. Ergo, you'd keep it.

      In fact, if the other bloke had any sense, he'd insist on it, so he didn't have to wake up and read you the token code every time you thought you'd better login yourself from home and check up on things.

      Plus, if things went sour - and that's a topic for outsourcing urban legends for another day :-) - you'd be at risk of blackmail or bribery if you'd handed over the token. Sure, you could report it as lost to your own IT...but wouldn't it be safer and easier just to hold onto it?

  4. Chris · 960 days ago

    The Verizon Business Security Blog talks about this, so I doubt they're in on some sort of hoax...

  5. Freegan · 960 days ago

    Check it out at source, then decide.

  6. Sam · 960 days ago

    As you have pointed out, I find it hard to believe as it is impossible for any human being to look busy all day at work without doing anything. You can watch videos, play games, drink umpteen number of coffee and chit chat, but even the most laziest employee would get bored eventually to the extend that he/she picks up the mouse and make a few useful clicks. Also with so many excellent coders in countries such as India/ Philippines etc, I am wondering why the blame was put on the poor Chinese. Never seen anyone say no to Chinese food because they keep hacking us...

  7. Connie Taunton · 960 days ago

    No name and company name/details, it didn't happen. Way too easy to make up. Busted.

  8. David Parreira · 960 days ago

    The original story comes out of Verizon

    Don't really want to be the judge of it's legitimacy, still Paul said it all, there is a lesson for us IT people to learn... Logs tell a story.

  9. Dan · 960 days ago

    The version I'd read, on other sites, was that he was telecommuting...hence why he had an RSA token for remote access to the company.

    THAT version makes sense and shows how he could've avoided his boss or anyone else snooping over his shoulder to see that he was never in an IDE bashing out code and was just slacking off on Facebook.

    If he was still physically at his desk in an office, that's a bit more of a stretch that nobody would notice he wasn't doing any work.

  10. Randy · 960 days ago

    Paul, did you really write this article or did you hire a Chinese guy to write it for you? Hope you're enjoying Vegas!

  11. amkaplan · 960 days ago

    Soo.... I fail to see the point of this commentary. Verizon has published that the incident occurred as fact, but you are trying to dispute it? Why?

    • Paul Ducklin · 959 days ago

      Errrrrrrrrrr...because I can?

      Seriously, though, "Why not?"

      It's an interesting story and it's being widely circulated. Several people have stopped me in passing to say, "Hey, did you see the one aobut the bloke who outsourced himself."

      If it's an urban legend - and I hope you will accept that my arguments suggesting it might be aren't just conspiracy theory stuff - then that's fairly interesting, isn't it?

      Just think, if is is an urban legend, you read it here first ;-)

  12. Ben Randamm · 960 days ago

    Did you really recommend not collecting logs? That's insanity. Even if you don't read your logs, at least you've got something to follow up with in case you need some "help" in a forensic discovery. True, logs are not perfect nor bulletproof, but there are now plenty of court cases where logs have made up major evidence.

    • Paul Ducklin · 959 days ago

      Not sure I like the choice of the word "insanity," any more than I like "starving" for "hungry", but I'll leave you with it...

      ...I was being cynical and outre, I guess.

      (There's nothing *literally* wrong with my suggestion, of course. If you are *never* going to look at the logs, don't collect them! It's not just sound advice, it's a truism. Your counter-example relies on collecting the logs specifically so someone can look at them later :-)

      Also, if you're collecting logs and not looking at them, then you're probably not doing security well. Yet logs are a potential gold-mine for any crook or identity thief. So, yeah, if you don't intend to look at them, don't collect them where someone else might do so.

      In short, consider it a figure of speech.

      • RandyR · 957 days ago

        One reason not to collect logs if you don't use them: Depending on how detailed the logs are, if they are not monitored, they can fill up the hd they are on unless they are automatically archived.

  13. anon · 960 days ago

    Obviously he works smarter and not harder ;)

  14. SwissFrank · 959 days ago

    The unassailable reason, I think this is untrue is that anyone with skill in managing off-shored development would be very much in demand as such. (I'm not saying that off-shoring is a big win, but clearly many businesses THINK it might be a big win, and want to do it.) He could have made more money for himself by coming out of the closet, and searching for a job as an off-shore development manager or consultant.

  15. David Berman · 959 days ago

    I echo SwissFrank's thoughts in this: I doubt a person could spend all day wasting his time. Being a good manager of outsourced tech is a hard job in itself. The person doing it has to manage and define problems in both directions. Most development happens on a cycle, such as a test release every Thursday night.

    If someone is doing this, there is going to be a lot of on-the-sly management happening. Spoken language, quality, and local testing aren't going to happen by themselves.

    We've all seen amazing games with atrocious English. Or perhaps you have used programs that work, but were developed so quickly that they aren't robust. If code is used as part of a complicated development system, getting a good fit is hard enough with a team all in the same building!

    So it's an interesting story. And don't try at at work, boys and girls.

  16. Lee · 959 days ago

    True or not Bob has definitely been inspried by this Onion News spoof:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog