[ale] A story of Proactive Log Review and the best developer in the world.

JD jdp at algoloma.com
Wed Jan 16 09:13:02 EST 2013


Summary:
* Security at a small IT shop is actually proactively looking at system logs.
* They see a VPN connection from China. Suspicious.
* They are using RSA-based fob authentication. All commercial with vendor
support. (JD: A few years ago, RSA had a leak that made predicting the numbers on
a fob possible if the fob serial number was known. I think RSA had a spreadsheet
with that data stolen.)
* Research shows the VPN connection is active every day.
* The fob being used is always the same. It is assigned to a well-known,
respected, liked employee, family man, mid-40s. Always got excellent annual reviews.
* Security figures someone inside the company had their PC hacked.
* Further research shows a few emails with PDFs from China to the mid-40s
programmer, so security thinks it is a targeted attack using PDF. A common
attack vector.
* Security mirrors his PC and scans for malware, rootkits, viruses.
* Security talks to the employee who finally volunteers that he had sent his fob
to a company in China to perform software development. He had "outsourced" his
coding.
* Further research finds that he's performing work for a few other "client
companies" and earning a few hundred $K annually.

I don't recall any concrete statement about non-disclosure agreements being signed.

This is all from memory, so please correct what I got wrong. Read it a few
hours ago.


On 01/16/2013 08:47 AM, Jim Kinney wrote:
> VERY short read:
> 
> 
>   Error establishing a database connection
> 
> 
> 
> :-)
> 
> On Tue, Jan 15, 2013 at 11:18 PM, Brandon Wood <woody at 2143.net> wrote:
> 
>     This isn't a long read; well worth your time. :)
> 
>     http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/
> 
>     Shamelessly stolen from Reddit. 
> 
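The kind of review the story above turns on is simple to automate: read the VPN authentication log and flag any token that authenticates from a country the shop does not expect, day after day. The following is an added example, not code from the thread or from the Verizon write-up; the log format (date, user, token serial, source country), the sample lines and the expected-country list are all constructed.

```python
"""Proactive VPN log review: flag tokens that authenticate from an
unexpected country on several consecutive days."""
from collections import defaultdict
from datetime import date

# Constructed sample log lines in a hypothetical format:
#   <date> <user> <token_serial> <source_country>
SAMPLE_LOG = """\
2013-01-07 bob   000123456 CN
2013-01-07 alice 000987654 US
2013-01-08 bob   000123456 CN
2013-01-08 alice 000987654 US
2013-01-09 bob   000123456 CN
2013-01-10 bob   000123456 CN
2013-01-10 carol 000555555 CN
2013-01-11 bob   000123456 CN
"""

# Countries the shop expects its staff to connect from (assumption).
EXPECTED_COUNTRIES = {"US"}


def parse_log(text):
    """Turn the log text into (date, user, token, country) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, token, country = line.split()
        records.append((date.fromisoformat(day), user, token, country))
    return records


def longest_consecutive_run(days):
    """Length of the longest run of calendar-consecutive dates in a set."""
    best = cur = 0
    prev = None
    for d in sorted(days):
        cur = cur + 1 if prev is not None and (d - prev).days == 1 else 1
        best = max(best, cur)
        prev = d
    return best


def review(records, expected=EXPECTED_COUNTRIES, min_days=3):
    """Return {(user, token, country): run_length} for every token used from
    an unexpected country on at least min_days consecutive days."""
    seen = defaultdict(set)
    for day, user, token, country in records:
        if country not in expected:
            seen[(user, token, country)].add(day)
    return {key: run for key, days in seen.items()
            if (run := longest_consecutive_run(days)) >= min_days}
```

A single foreign login (carol, one day) is noise worth a glance; the same token from the same country every working day is the pattern that started the investigation in the story.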