A company notices a connection to its VPN from China. It’s live when they spot it, and it has been up daily for the six months that their logs go back. They’ve been hacked! But… how would a hack get through their VPN’s authentication?
It turns out that this was not a technical issue, but a human-scale one.
The person who’d been rated in HR performance reviews as the best developer in the building actually spent his entire day surfing Reddit and eBay and watching cat videos on YouTube.
How did he manage?
Fed up with the “Office Space” homage that was his professional life, the man simply outsourced his job to China. All the code he “wrote” was produced by a consulting firm in Shenyang. Of his several-hundred-thousand-a-year salary, about $50,000 proved enough to pay the Chinese coders’ bills.
Not one to miss an entrepreneurial opportunity, the man had also started similar scams “working” for other companies in the area, netting him a very sizable profit.
Anti-manipulation: two things.
a) One of the biggest problems with talking on the phone is letting someone talk your ear off. (This goes for in-person conversations too.) If they’re clever they can lull you into buying their version of reality long enough that you don’t think to poke holes in it.
Note-taking turns out to be a solution. For whatever reason, if you’re translating what someone’s telling you into words on paper or on screen, it’s a lot harder for them to pull off Jedi mind tricks. The bit of the brain that starts not-questioning just seems to get switched out of circuit when the note-taking part gets switched in.
The disadvantage is it takes real practice to think up new questions to ask while taking notes, and even the act of responding can get you out of note-taking mode.
b) Conditioning is another challenge… salesmen refer to this sort of thing as “yes ladders.” If you can get someone to agree that it’s a nice day out, that there are some wonderful cars on the lot, that they’re really interested in a car… the odds go up a lot that they’ll also agree they want to buy this one today. This also works in larger and more subtle ways that can be hard to spot at first.
Like all mind games, it basically hinges on the target accepting the rules. Visualizing a different outcome is a neat trick against low-level car-salesman type stuff, as is just spotting it and tossing in a few no’s to foul up their stride. Longer-term issues (bad habits, for one) take a much bigger hammer… picking a moment of extreme intensity (e.g. pain, pleasure, fear) to imagine the more desirable result is one potential tool for laying down a new path. (Applied on a larger sociopolitical level, this was the subject of a book, Naomi Klein’s “Shock Doctrine.”)
“the VPN logs showed him logged in from China, yet the employee is right there, sitting at his desk, staring into his monitor. Shortly after making this discovery, they contacted our group for assistance. Based on what information they had obtained, the company initially suspected some kind of unknown malware that was able to route traffic from a trusted internal connection to China, and then back. This was the only way they could intellectually resolve the authentication issue. What other explanation could there be?[…]
As just a very basic investigative measure, once investigators acquired a forensic image of Bob’s desktop workstation, we worked to carve as many recoverable files out of unallocated disk space as possible. […]
What we found surprised us – hundreds of .pdf invoices from a third party contractor/developer in (you guessed it) Shenyang, China.
As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem: he physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.
A typical ‘work day’ for Bob looked like this:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – Ebay time.
2:00-ish p.m. – Facebook updates, LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home
Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.”
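The signal that started the investigation quoted above, a VPN session geolocated abroad that stays up while the account’s owner is badged into the building, can be checked automatically against logs most companies already keep: VPN concentrator connect/disconnect events and door-badge records. The following is an added example and not code from the original post or from the write-up it quotes; the two log formats, the IP-to-country table (a stand-in for a real GeoIP lookup), the “bob”/“alice” events and the ANALYSIS_TIME are all constructed for illustration.

```python
"""Flag VPN sessions sourced outside the home country while the same account's
owner is badged into the office. Added example: log formats, IP-to-country table
and sample events are constructed for illustration, not taken from any product."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

HOME_COUNTRY = "US"  # assumption: the office is in the US
# Constructed stand-in for a GeoIP lookup; both prefixes are RFC 5737 documentation ranges.
GEOIP = {ipaddress.ip_network("203.0.113.0/24"): "CN",
         ipaddress.ip_network("198.51.100.0/24"): "US"}

# Constructed VPN log: "<ISO time> user=<id> src=<ip> event=connect|disconnect".
# bob's last session has no disconnect: it is still live, as in the story above.
VPN_LOG = """
2012-10-01T07:40:02 user=alice src=198.51.100.7 event=connect
2012-10-01T08:10:00 user=alice src=198.51.100.7 event=disconnect
2012-10-01T08:55:10 user=bob src=203.0.113.45 event=connect
2012-10-01T17:05:41 user=bob src=203.0.113.45 event=disconnect
2012-10-02T08:57:33 user=bob src=203.0.113.45 event=connect
"""
# Constructed badge-reader log: "<ISO time> user=<id> door=<name> dir=in|out".
BADGE_LOG = """
2012-10-01T08:20:00 user=alice door=lobby dir=in
2012-10-01T08:58:02 user=bob door=lobby dir=in
2012-10-01T11:31:00 user=bob door=lobby dir=out
2012-10-01T13:02:10 user=bob door=lobby dir=in
2012-10-01T17:01:44 user=bob door=lobby dir=out
2012-10-01T17:30:00 user=alice door=lobby dir=out
2012-10-02T09:01:12 user=bob door=lobby dir=in
"""
# When the analyst runs the check; live sessions and open badge-ins are cut here.
ANALYSIS_TIME = datetime.fromisoformat("2012-10-02T10:30:00")

@dataclass
class Interval:
    user: str
    start: datetime
    end: datetime
    tag: str  # source country for VPN sessions, door name for badge presence

def geo_country(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP.items() if addr in net), "??")

def _parse(line: str) -> tuple[datetime, dict[str, str]]:
    ts, *kvs = line.split()
    return datetime.fromisoformat(ts), dict(kv.split("=", 1) for kv in kvs)

def pair_events(log, field, opens, closes, key, tag_for, now) -> list[Interval]:
    """Pair open/close events per (user, key) into intervals; an open event with
    no matching close is still in progress, so its interval runs until `now`."""
    open_since: dict[tuple[str, str], tuple[datetime, str]] = {}
    intervals: list[Interval] = []
    for line in log.strip().splitlines():
        ts, kv = _parse(line)
        k = (kv["user"], kv[key])
        if kv[field] == opens:
            open_since[k] = (ts, tag_for(kv))
        elif kv[field] == closes and k in open_since:
            start, tag = open_since.pop(k)
            intervals.append(Interval(kv["user"], start, ts, tag))
    intervals += [Interval(u, s, now, t) for (u, _), (s, t) in open_since.items()]
    return intervals

def remote_while_onsite(vpn, badge, home=HOME_COUNTRY) -> list[Interval]:
    """Overlaps between foreign-sourced VPN sessions and the same user's on-site
    presence, each tagged with the session's source country."""
    findings = []
    for s in vpn:
        if s.tag == home:
            continue  # remote work from the home country is not the signal here
        for p in badge:
            if p.user == s.user and s.start < p.end and p.start < s.end:
                findings.append(Interval(s.user, max(s.start, p.start), min(s.end, p.end), s.tag))
    return findings

def days_per_user(findings) -> dict[str, int]:
    """Distinct days each user was flagged; a daily pattern over months is the tell."""
    days = defaultdict(set)
    for f in findings:
        days[f.user].add(f.start.date())
    return {u: len(d) for u, d in days.items()}

def run(vpn_log=VPN_LOG, badge_log=BADGE_LOG, now=ANALYSIS_TIME) -> list[Interval]:
    vpn = pair_events(vpn_log, "event", "connect", "disconnect", "src",
                      lambda kv: geo_country(kv["src"]), now)
    badge = pair_events(badge_log, "dir", "in", "out", "door", lambda kv: kv["door"], now)
    return remote_while_onsite(vpn, badge)

if __name__ == "__main__":
    for f in run():
        print(f"{f.user}: VPN from {f.tag} while badged in, {f.start} .. {f.end}")
    print("days flagged per user:", days_per_user(run()))
```

Run as a script it lists each overlap (two on the first day, one for the still-live session on the second) and the number of distinct days each user was flagged. The check only fires when a foreign-sourced session overlaps a badge-in by the same account, so an employee who is genuinely travelling produces nothing; counting distinct days rather than single events is what separates one odd afternoon from the months-long daily pattern described above. In a real deployment the GEOIP table would be replaced by a proper GeoIP database and the two logs by queries against the SIEM, and the same interval logic also works with interactive workstation logons in place of badge data.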