Ever wonder why the economy is seemingly always a day away from imploding?
Bob was his company’s best software developer, got glowing performance reviews and earned more than $250,000 a year.
Then one day last spring, Bob’s employer thought the company’s computer system had been attacked by a virus.
The ensuing forensic probe revealed that Bob’s software code had in fact been the handiwork of a Chinese subcontractor.
Bob was paying a Chinese firm about $50,000 a year to do his work, then spent the day surfing the web, watching cat videos and updating his Facebook page.
The incident was revealed Monday on a blog by security experts at the American telecom firm Verizon Enterprise Solutions and has quickly become the talk of tech websites.
“While the large-scale data breaches make the headlines and are widely discussed among security professionals, often the small and unknown cases are the ones that are remembered as being the most interesting,” wrote the blog author, Andrew Valentine, a Verizon senior forensic investigator.
He said the creative but deceitful programmer, whom he called by the pseudonym “Bob,” was a family man and long-time employee in his 40s, “inoffensive and quiet. Someone you wouldn’t look at twice in an elevator.”
For the past two years, the firm, “a U.S. critical infrastructure company,” had increasingly been getting employees to telecommute or work from home.
To connect remotely to the company computer system, staffers needed a personal identification number, which changed at regular intervals. Employees were issued security tokens, small devices that updated them with the latest generated PIN.
Last spring, the company grew concerned about computer security breaches and asked its IT department to inspect its remote-access logs more closely, looking for unusual patterns of activity.
To their surprise, they saw that someone connected to their network every day from Shenyang, a city in the historical Manchurian north of China, near the Korean peninsula.
More interestingly, the Chinese intruder was logged in using Bob’s PIN and credentials, “yet the employee is right there, sitting at his desk, staring into his monitor,” Mr. Valentine wrote.
“Based on what information they had obtained, the company initially suspected some kind of unknown malware that was able [to] route traffic from a trusted internal connection to China, and then back. This was the only way they could intellectually resolve the authentication issue. What other explanation could there be?”
Verizon investigators were contacted. They inspected Bob’s workstation, trying to find whether he had unintentionally downloaded some Chinese computer malware.
Instead, the cyber-sleuths discovered hundreds of invoices from a software developer in Shenyang.
The investigation revealed that Bob had outsourced his job. To get around the changing PINs, he couriered his security tokens to the Shenyang subcontractor.
Looking at his web browsing history, investigators found that Bob spent his workday checking sites such as Reddit, eBay, Facebook and LinkedIn and watching cat videos. Then he would type an e-mail at the end of the day to update management about his “work” and leave at 5 p.m.
The Chinese contractor Bob picked did an excellent job.
“His code was clean, well-written, and submitted in a timely fashion,” Mr. Valentine noted. “Quarter after quarter, his performance review noted him as the best developer in the building.”
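The log review described above comes down to one correlation: a remote-access session on an account that overlaps time when the same person is recorded on site. The sketch below is an added example, not code from the Verizon write-up or the company involved; the two log layouts, the user names, the dates and the 15-minute threshold are constructed assumptions.

```python
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M"

# Constructed sample records (assumed layout, not the company's real logs).
# VPN log: user, source country from GeoIP, session start, session end
VPN_LOG = """\
bob,CN,2012-05-14T09:02,2012-05-14T17:04
alice,US,2012-05-14T19:30,2012-05-14T21:10
carol,US,2012-05-14T08:55,2012-05-14T12:00
bob,CN,2012-05-15T09:01,2012-05-15T16:58
"""
# On-site presence (console logon or badge records): user, start, end
ONSITE_LOG = """\
bob,2012-05-14T08:45,2012-05-14T17:00
alice,2012-05-14T08:30,2012-05-14T17:15
bob,2012-05-15T08:50,2012-05-15T17:00
"""

def parse(text, n_fields):
    """Parse CSV lines whose last two fields are start and end timestamps."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(",")
        if len(parts) != n_fields:
            continue  # skip malformed lines rather than guess at them
        *head, start, end = parts
        rows.append((*head, datetime.strptime(start, FMT),
                     datetime.strptime(end, FMT)))
    return rows

def concurrent_presence(vpn_rows, onsite_rows, min_overlap_minutes=15):
    """Flag VPN sessions that overlap the same user's on-site time.

    The threshold ignores short overlaps such as a laptop reconnecting
    on the way out of the building. Source country is reported but not
    required: the overlap itself is the signal.
    """
    onsite = {}
    for user, start, end in onsite_rows:
        onsite.setdefault(user, []).append((start, end))
    findings = []
    for user, country, v_start, v_end in vpn_rows:
        for o_start, o_end in onsite.get(user, []):
            delta = min(v_end, o_end) - max(v_start, o_start)
            minutes = int(delta.total_seconds() // 60)
            if minutes >= min_overlap_minutes:
                findings.append((user, country, v_start.date().isoformat(), minutes))
    return findings

FINDINGS = concurrent_presence(parse(VPN_LOG, 4), parse(ONSITE_LOG, 3))
```

Only the account with all-day remote sessions during office hours is flagged; the evening VPN user and the full-time telecommuter are not.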