Feeds

Security audit finds dev OUTSOURCED his JOB to China to goof off at work

Cunning scheme netted him 'best in company' awards

SANS - Survey on application security programs

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.

The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. The VPN traffic logs showed a regular series of logins to the company's main server from Shenyang, China, using the credentials of the firm's top programmer, "Bob".

"The company's IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob's desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator," said Verizon. "Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one."

After getting permission to study Bob's computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.

The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob's typical work day consisted of:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m – Facebook updates, LinkedIn

4:30 p.m. – End-of-day update e-mail to management

5:00 p.m. – Go home

The scheme worked very well for Bob. In his performance assessments by the firm's human resources department, he was the firm's top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet messaging boards and checking for a new Detective Mittens video.

Bob is no longer employed by the firm. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
Intel sees 'signs of improvement in the PC business' but earnings remain 'Meh...'
Prospects for the future, however, please Wall Street money men
What's a right pain in the ASCII for IBM? Its own leech-like hardware biz
Keep your eyes on our cloud while we remove this pesky thing, say execs
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.