Employee from hell busted by VPN logs

We’ve said it before, but an employee from Hell apparently didn’t get the memo: VPN, as in Virtual Private Network, is not shorthand for secure internet connection.

What the “private” means is that your VPN connection can be made to behave as though you had a direct hook-up to your destination network. What it does not mean is that your hacking forays into your ex-employer’s network – using the company’s own VPN – are going to be hidden away when the FBI starts digging around.

Suzette Kugler, who last year left her job after a 29-year career at PenAir, was sentenced on 12 April for repeatedly hacking the airline’s reservation and ticket system. According to the Department of Justice (DOJ), Kugler pleaded guilty in January to one felony offense of fraud in connection with computers.

As part of the plea agreement, Kugler will pay $5,616 in restitution to PenAir, and the DOJ dropped a second count of the same offense. If it seems like a light sentence, bear in mind that this was her first ever crime.

Kugler had left her job with the southwest Alaska regional airline as of February 2017. According to the local TV station KTVA, PenAir filed for Chapter 11 bankruptcy last year, shuttering most of its operations outside Alaska.

Over her 29-year career, Kugler rose to the position of director of system support. According to her LinkedIn profile, that meant she was responsible for “oversight, policy, procedure and development as it relates to software for customer service and flight tracking.” In other words, she was the administrator of PenAir’s Sabre database system, which the airline used for ticketing and reservations.

She didn’t leave empty-handed. A week before she retired, Kugler used her system privileges to create new, fake employee user accounts, plump with high-level privileges and without any authorization whatsoever.

Handy, that, for paying her ex-employer a little visit – or two, or three – post-departure.

On 5 May 2017, PenAir reported network and computer intrusions targeting the Sabre system to the FBI. Between April and May, Kugler wiped out a former colleague’s access permissions and erased station information – necessary for PenAir employees to get into Sabre – for eight airports. Without that access, they couldn’t book, ticket, modify or board any flight at those eight airports, until the stations were rebuilt by staff working through the night.

Then, on 3 May, Kugler wiped out three seat maps – used to assign seating – from the Sabre system. Without those maps, PenAir employees wouldn’t have been able to board or ticket passengers. Fortunately, the deletion of the seat maps was discovered three days before it would have disrupted flights. PenAir was able to restore the mapping by the time the flights were ready to board: a remediation effort that sucked up “considerable time and expense,” according to the plea agreement.

PenAir said its losses were more than $5,000 but less than $6,500.

On 27 July 2017, FBI agents from Anchorage, Alaska and California executed a search warrant on Kugler’s home in Desert Hot Springs, California. They found two laptops with the Sabre VPN software installed.

Oh, those telltale VPN logs!
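A check that surfaces this pattern from the defender's side, as an added example (not code from the original article or from the investigation): it flags accounts that a departing administrator created shortly before leaving without an approval record, then lists VPN sessions from those accounts after the departure date. The account names, dates, IP addresses, ticket IDs and log format are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from the case).
DEPARTURES = {"admin_a": "2024-02-15"}  # admin -> last working day
ACCOUNT_AUDIT = [  # (created_on, created_by, new_account, approval_ticket)
    ("2024-02-08", "admin_a", "svc_tmp01", None),
    ("2024-02-09", "admin_a", "jdoe", "HR-1041"),
    ("2023-11-02", "admin_b", "msmith", "HR-0977"),
]
VPN_LOG = """\
2024-02-12T09:14:03Z user=jdoe src=198.51.100.7 action=connect
2024-04-20T02:31:44Z user=svc_tmp01 src=203.0.113.25 action=connect
2024-05-03T01:05:10Z user=svc_tmp01 src=203.0.113.25 action=connect
2024-05-04T08:00:00Z user=msmith src=198.51.100.9 action=connect
"""

def day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def suspect_accounts(departures, audit, window_days=30):
    """Accounts a departing admin created within window_days of leaving, with no ticket."""
    out = {}
    for created_on, creator, account, ticket in audit:
        left = departures.get(creator)
        if left is None or ticket:
            continue  # creator has not left, or the account was approved
        gap = day(left) - day(created_on)
        if timedelta(0) <= gap <= timedelta(days=window_days):
            out[account] = creator
    return out

def parse_vpn(log):
    """Yield (timestamp, fields) for each 'ts key=value ...' line."""
    for line in log.splitlines():
        ts, *fields = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dict(f.split("=", 1) for f in fields)

def post_departure_sessions(departures, audit, log):
    """VPN sessions from suspect accounts dated after their creator's departure."""
    suspects = suspect_accounts(departures, audit)
    hits = []
    for ts, kv in parse_vpn(log):
        creator = suspects.get(kv.get("user"))
        if creator and ts > day(departures[creator]):
            hits.append((ts.isoformat(), kv["user"], kv["src"], creator))
    return hits

if __name__ == "__main__":
    for hit in post_departure_sessions(DEPARTURES, ACCOUNT_AUDIT, VPN_LOG):
        print(hit)
```

Run at offboarding, the first function alone gives the list of accounts to disable before the administrator's last day.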

Kugler isn’t the first crook to mistake VPN use for a way to cover her tracks. In October, a 24-year-old was arrested for allegedly harassing and cyberstalking his former roommate for over a year, in addition to a number of former high school and college classmates, using email, SMS, social media and phone apps to send death threats, rape threats, bomb threats and even child pornography.

According to the affidavit, Ryan Lin, like Kugler, hid behind a VPN – at least, that’s what he thought he was doing – to create accounts from which to send his poisonous messages.

VPNs hide your computer’s IP address from the sites and services you connect to. They encrypt traffic between you and your VPN provider, making it incomprehensible to anyone intercepting it along the way. But your VPN provider isn’t “intercepting” it: your VPN provider sits at the other end of that tunnel and gets to see right into it, witnessing everything that passes through.

In other words, to quote from words of VPN wisdom that Lin, ironically enough, retweeted a few months before he was arrested:

There is no such thing as VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.