After Verizon was called in to carry out an extensive security audit of a US-based company’s VPN logs, it was discovered that one of the company’s top programmers had figured out a somewhat ingenious way to slack off and still get a fair share of work done in impeccable time.
It all started when the company set up a VPN with a two-factor authentication protocol, allowing its employees to work from home as part of its plan to move towards a telecommuting lifestyle. In May 2012, the company decided to actively monitor its VPN logs and noticed activity between its network and a computer located in Shenyang, China.
After calling in Verizon for a more in-depth analysis, they found that the connection between the two systems was actually active at the time and that the Chinese user was interacting with their system using one of the employees’ VPN credentials. It so happened that while the connection was active, Bob (the programmer whose credentials were being used) was at his office desk, and this initially led them to think that the company’s systems may have been infected with some type of zero-day malware.
While Verizon only had 6 months of logs to work with, they found that the connection was established on a very regular basis, around the hours of 9am to 5pm, the same hours that Bob worked. After combing through his computer for historical evidence, they found out that he had actually outsourced his job to a Chinese consulting firm, which did his work via the company’s VPN while he spent all day in the office looking at pictures of cats or updating his other social networking profiles. He had sent his RSA token (two-factor authentication key) via FedEx and paid the firm about $50,000 a year while he raked in about five times that. What tipped off Verizon were the hundreds of .pdf invoices from the Chinese contracting firm for services being rendered to him (i.e. them doing his job for a fee).
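The signal described above, a remote VPN session running while the account's owner is physically in the office, can be checked by correlating VPN sessions with on-site presence records. The following is an added example, not code from Verizon or the company; the record layouts, the badge feed, the user names other than Bob, and the `EXPECTED_COUNTRIES` allow-list are assumptions, and all sample rows are constructed.

```python
from datetime import datetime

# Constructed sample data, not records from the case. Field layout is assumed.
# VPN rows: user, source country (assumed already geo-enriched), start, end.
VPN_SESSIONS = [
    ("bob",   "CN", "2012-05-14 09:02", "2012-05-14 17:01"),
    ("alice", "US", "2012-05-14 19:30", "2012-05-14 21:10"),
    ("dave",  "US", "2012-05-14 13:00", "2012-05-14 14:00"),
]
# On-site presence rows (hypothetical badge feed): user, badge-in, badge-out.
ONSITE_PRESENCE = [
    ("bob",   "2012-05-14 08:55", "2012-05-14 17:05"),
    ("alice", "2012-05-14 08:30", "2012-05-14 17:45"),
    ("dave",  "2012-05-14 09:00", "2012-05-14 17:00"),
]
EXPECTED_COUNTRIES = {"US"}  # assumption: where staff normally connect from

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def overlap_minutes(a_start, a_end, b_start, b_end):
    """Minutes shared by two time intervals, 0 if they do not intersect."""
    seconds = (min(a_end, b_end) - max(a_start, b_start)).total_seconds()
    return max(0, int(seconds // 60))

def find_anomalies(vpn_sessions, presence, expected_countries):
    """Flag VPN sessions from unexpected countries or concurrent with on-site presence."""
    findings = []
    for user, country, start, end in vpn_sessions:
        v_start, v_end = _ts(start), _ts(end)
        onsite = sum(
            overlap_minutes(v_start, v_end, _ts(b_in), _ts(b_out))
            for who, b_in, b_out in presence if who == user
        )
        reasons = []
        if country not in expected_countries:
            reasons.append("unexpected_country")
        if onsite > 0:
            reasons.append("remote_while_onsite")
        if reasons:
            findings.append({"user": user, "country": country,
                             "onsite_overlap_min": onsite, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(VPN_SESSIONS, ONSITE_PRESENCE, EXPECTED_COUNTRIES):
        print(finding)
```

The `dave` row shows that the presence rule fires on its own, without any geographic anomaly, which is the case a country allow-list alone would miss.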
Bob’s typical work day looked something like this:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch
1:00 p.m. – eBay time.
2:00-ish p.m. – Facebook updates – LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home
While the scheme worked well, Bob didn’t do a good job of covering his tracks, maybe because he assumed that it was pointless to hide the fact given that the company didn’t check its logs back in the day.
He was a qualified programmer and was able to code in C, C++, Perl, Java, Ruby, PHP and Python. Bob received excellent ratings from the HR department for delivering work on time and in more than proper shape, and was seen as an average and stable family man.
It was also discovered that he had pulled the same stunt at many other firms, allowing him to bring in hundreds of thousands in cash while he wasted away his time browsing funny pictures and videos.