Busted by security audit: Developer outsourced critical infrastructure job to China

Dear software developers: How would you like to get paid a six-figure salary with a work day that looks like this:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.

11:30 a.m. – Take lunch.

1:00 p.m. – Ebay time.

2:00-ish p.m. – Facebook updates, LinkedIn.

4:30 p.m. – End of day update e-mail to management.

5:00 p.m. – Go home.

Busted by security audit, software developer outsourced critical infrastructure job to China so he could watch cat videos on Reddit

That is what “Bob” did, according to the Verizon Security blog. Yes, that is a cached version since the story is so good that Verizon’s server has crashed. Bob is the fake name given to a software developer working for a U.S. critical infrastructure company. In a deviously clever move, Bob outsourced his actual work to a company in China for a mere one fifth of his salary. This left him plenty of time to surf and play at work.

The company “had been slowly moving toward a more telecommuting oriented workforce, and they had therefore started to allow their developers to work from home on certain days. In order to accomplish this, they’d set up a fairly standard VPN concentrator approximately two years prior to our receiving their call,” wrote Verizon's Andrew Valentine. “The company implemented two-factor authentication for these VPN connections, the second factor being a rotating token RSA key fob.”

Verizon was called in to investigate since “the company’s IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob’s desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator.” Valentine referred to that theory as “convoluted.” 

Verizon, however, uses the case study as an argument for proactive log reviews. The VPN logs only went back six months, but they showed a connection from Shenyang, China, to Bob’s workstation. Yet Bob was sitting right there at his desk.
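As an added example (not part of the article or of Verizon's report), this is the kind of proactive review Valentine's point implies: correlating successful VPN logins with on-site presence records so that a login from an unexpected country, or one that happens while the same account has badged into the building, is surfaced for an analyst. The log format, user names, addresses and timestamps are all constructed.

```python
from datetime import datetime, timedelta

ALLOWED_GEOS = {"US"}          # assumption: the workforce is US-based
WINDOW = timedelta(hours=10)   # a badge-in counts as "on-site" for this long

# Constructed sample logs in a hypothetical "ts user event k=v ..." format.
VPN_LOG = """\
2012-11-05T09:02:11Z bob VPN_AUTH_OK src=203.0.113.7 geo=CN
2012-11-05T09:04:30Z alice VPN_AUTH_OK src=198.51.100.9 geo=US
2012-11-05T19:30:00Z alice VPN_AUTH_OK src=198.51.100.9 geo=US
"""
BADGE_LOG = """\
2012-11-05T08:47:00Z bob BADGE_IN door=main-lobby
"""

def parse(log):
    """Yield (timestamp, user, event, fields) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, event, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, fields

def review(vpn_log, badge_log):
    """Return (user, time, reason) findings for VPN logins worth a closer look."""
    badge_ins = {}
    for ts, user, event, _ in parse(badge_log):
        if event == "BADGE_IN":
            badge_ins.setdefault(user, []).append(ts)
    findings = []
    for ts, user, event, f in parse(vpn_log):
        if event != "VPN_AUTH_OK":
            continue
        geo = f.get("geo")
        if geo not in ALLOWED_GEOS:
            findings.append((user, ts, f"vpn from unexpected country {geo}"))
        # A badge-in shortly before the VPN login means the person is in the
        # building, so someone else is probably holding their token.
        if any(timedelta(0) <= (ts - b) <= WINDOW for b in badge_ins.get(user, [])):
            findings.append((user, ts, "vpn login while badged in on-site"))
    return findings

if __name__ == "__main__":
    for user, ts, why in review(VPN_LOG, BADGE_LOG):
        print(f"{ts.isoformat()} {user}: {why}")
```

With the sample data only Bob is flagged, twice: once for the source country and once for logging in remotely while badged in.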

Bob was described as an “inoffensive and quiet” family man in his mid-40s who was well-versed in C, C++, Perl, Java, Ruby, PHP, Python, etc. He was “someone you wouldn’t look at twice in an elevator,” stated Valentine. In fact, for the last several years, Bob’s HR records showed that “he received excellent remarks. His code was clean, well-written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.”

But Bob was slick when it came to getting around the authentication. Verizon explained, “He physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day.” Furthermore, after Verizon investigators acquired a forensic image of Bob’s desktop workstation, they found hundreds of PDF invoices from the Chinese contractor.

Even if he wasn’t truly the “best developer,” Bob was certainly enterprising. Verizon also found evidence that Bob was pulling the same outsourcing scam on other companies. Bob no longer works for the critical infrastructure company. On the bright side, Bob probably has plenty of time for his social media addictions, including watching cute cats being silly on Reddit.

Software developer outsourced job to watch Reddit cat videos

Nick Cavalancia, Vice President of SpectorSoft, told Help Net Security, “We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers' systems to off-shore firms seems dangerous at best. What many organizations fail to understand is that with proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident.”
