Verizon 的程序员Bob

//z 2013-01-17 13:10:20 IS2120@BG57IV3.T4034071972.K[T23,L104,R1,V394]
美国电信运营商Verizon的安全审计发现，美国某公司的一位顶尖程序员将自己的工作外包给中国沈阳的一家软件公司。
Verizon为该公司的雇员提供了VPN允许他们在家里工作。内部的审计发现，公司明星程序员Bob的VPN登陆日志显示他固定的从中国沈阳访问公司主服务器。调查排除了恶意程序或黑客入侵的可能性。Verizon的进一步分析发现，Bob雇用了沈阳的一家软件咨询公司去做他的日常编程工作，通过FedExed提供了他的双步认证令牌，将薪水的五分之一支付给外包公司，自己则去上网冲浪，比如在Reddit上逛几小时，然后去吃饭，再上ebay血拼，更新Facebook 和LinkedIn，最后给经理发送每日工作邮件，上床睡觉。他的计划一直行之有效，在公司人力资源眼里他是最高效的程序员之一，被认为是C, C++、Perl、Java、Ruby, PHP和Python方面的专家。目前Bob已被解雇。

其日程安排：

• 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
• 11:30 a.m. – Take lunch.
• 1:00 p.m. – Ebay time.
• 2:00 – ish p.m Facebook updates – LinkedIn.
• 4:30 p.m. – End of day update e-mail to management.
• 5:00 p.m. – Go home.

Unsurprisingly, Bob no longer works for the firm.

//z 2013-01-17 13:10:20 IS2120@BG57IV3.T4034071972.K[T23,L104,R1,V394]

Security audit finds dev OUTSOURCED his JOB to China

Cunning scheme netted him ‘best in company’ awards

By Iain Thomson in San Francisco • Get more from this author

Posted in Security, 16th January 2013 01:29 GMT

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.

The firm’s telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. The VPN traffic logs showed a regular series of logins to the company’s main server from Shenyang, China, using the credentials of the firm’s top programmer, “Bob”.

“The company’s IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob’s desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator,” said Verizon. “Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one.”

After getting permission to study Bob’s computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.

The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob’s typical work day consisted of:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m – Facebook updates, LinkedIn

4:30 p.m. – End-of-day update e-mail to management

5:00 p.m. – Go home

The scheme worked very well for Bob. In his performance assessments by the firm’s human resources department, he was the firm’s top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet messaging boards and checking out the latest Detective Mittens video.

Bob is no longer employed by the firm. ®

//z 2013-01-17 13:10:20 IS2120@BG57IV3.T4034071972.K[T23,L104,R1,V394]

With the New Year having arrived, it’s difficult not to reflect back on last year’s caseload. While the large-scale data breaches make the headlines and are widely discussed among security professionals, often the small and unknown cases are the ones that are remembered as being the most interesting from the investigators point of view. Every now and again a case comes along that, albeit small, still involves some unique attack vector – some clever and creative way that an attacker victimized an organization. It’s the unique one-offs, the ones that are different that often become the most memorable and most talked about amongst the investigators.

Such a case came about in 2012. The scenario was as follows. We received a request from a US-based company asking for our help in understanding some anomalous activity that they were witnessing in their VPN logs. This organization had been slowly moving toward a more telecommuting oriented workforce, and they had therefore started to allow their developers to work from home on certain days. In order to accomplish this, they’d set up a fairly standard VPN concentrator approximately two years prior to our receiving their call. In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review). So, they began scrutinizing daily VPN connections into their environment. What they found startled and surprised them: an open and active VPN connection from Shenyang, China!  As in, this connection was LIVE when they discovered it.

Besides the obvious, this discovery greatly unnerved security personnel for three main reasons:

• They’re a U.S. critical infrastructure company, and it was an unauthorized VPN connection from CHINA. The implications were severe and could not be overstated.
• The company implemented two-factor authentication for these VPN connection. The second factor being a rotating token RSA key fob. If this security mechanism had been negotiated by an attacker, again, the implications were alarming.
• The developer whose credentials were being used was sitting at his desk in the office.

Plainly stated, the VPN logs showed him logged in from China, yet the employee is right there, sitting at his desk, staring into his monitor. Shortly after making this discovery, they contacted our group for assistance. Based on what information they had obtained, the company initially suspected some kind of unknown malware that was able route traffic from a trusted internal connection to China, and then back. This was the only way they could intellectually resolve the authentication issue. What other explanation could there be?

Our investigators spent the initial hours with the victim working to facilitate a thorough understanding of their network topology, segmentation, authentication, log collection and correlation and so on. One red flag that was immediately apparent to investigators was that this odd VPN connection from Shenyang was not new by any means. Unfortunately, available VPN logs only went back 6 months, but they showed almost daily connections from Shenyang, and occasionally these connections spanned the entire workday. In other words, not only were the intruders in the company’s environment on a frequent basis, but such had been the case for some time.

Central to the investigation was the employee himself, the person whose credentials had been used to initiate and maintain a VPN connection from China.

Employee profile –mid-40’s software developer versed in C, C++, perl, java, Ruby, php, python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator. For the sake of case study, let’s call him “Bob.”

The company’s IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob’s desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator. Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one.

As just a very basic investigative measure, once investigators acquired a forensic image of Bob’s desktop workstation, we worked to carve as many recoverable files out of unallocated disk space as possible. This would help to identify whether there had been malicious software on the system that may have been deleted. It would also serve to illustrate Bob’s work habits and potentially reveal anything he inadvertently downloaded onto his system. What we found surprised us – hundreds of .pdf invoices from a third party contractor/developer in (you guessed it) Shenyang, China.

As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less that one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.

A typical ‘work day’ for Bob looked like this:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time.

2:00 – ish p.m Facebook updates – LinkedIn

4:30 p.m. – End of day update e-mail to management.

5:00 p.m. – Go home

Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.

The story goes a little something like this. A developer at a US-based critical infrastructure company, referred to as “Bob,” was caught last year outsourcing his work to China, paying someone else less than one fifth of his six-figure salary to do his job. As a result, Bob had a lot of time on his hands; in fact, during the investigation, his browsing history revealed this was his typical work day:

• 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
• 11:30 a.m. – Take lunch.
• 1:00 p.m. – Ebay time.
• 2:00 – ish p.m Facebook updates – LinkedIn.
• 4:30 p.m. – End of day update e-mail to management.
• 5:00 p.m. – Go home.

Again, I want to emphasize that I haven’t invented this schedule for the sake of making this story more interesting or to have a snazzy headline. This comes straight from Verizon; take that as you will.

Apparently Bob had the same scam going across multiple companies in the area (this part is a little unclear given that he clearly couldn’t physically go into work for all of them), earning “several hundred thousand dollars a year,” and only paying the Chinese consulting firm “about fifty grand annually.” At the unnamed company, he apparently received excellent performance reviews for the last several years in a row, even being hailed the best developer in the building: his code was clean, well-written, and submitted in a timely fashion.

Folks, you can’t make this stuff up. Here are the rest of the crazy details, which Verizon says it released because although this wasn’t a large-scale data breach that made headlines, the case had a unique attack vector.

Apparently the scheme was discovered accidentally. Verizon received a request from the US company asking for help in understanding anomalous activity it was witnessing in its VPN logs: an open and active connection from Shenyang, China.

This was alarming because the company had implemented two-factor authentication for these VPN connections, the second factor being a rotating token RSA key fob. Yet somehow, although the developer whose credentials were being used was sitting at his desk staring into his monitor, the logs showed he was logged in from China.

This unnamed company initially suspected some kind of unknown (0-day) malware that was able to initiate VPN connections from Bob’s desktop workstation via external proxy, route that VPN traffic to China, and then back. When Verizon investigated, it eventually noticed that the VPN connection from Shenyang was at least six months old, which is how far back the VPN logs went, and it occurred almost daily and occasionally spanned the entire workday.

Unable to explain how an intruder could have possibly been accessing the company’s internal system on such a frequent basis, Verizon decided to look more closely at Bob, since it was his credentials that were being used. Here’s how his the case study described him:

Employee profile –mid-40′s software developer versed in C, C++, perl, java, Ruby, php, python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator.

All it took was a look a forensic image of Bob’s desktop workstation to discover hundreds of PDF invoices from a Chinese consulting firm in Shenyang. How did he get around the security requirements? He physically FedExed his RSA token to China.