“Bob” is the alias given to a software developer with a seven-figure salary who recently hit the headlines. Here is a brief overview of Bob’s working day: he arrives at 9 am and surfs Reddit for about two hours, then watches his favorite cat videos. At 11:30 am, he takes lunch and then dedicates one hour to eBay and one hour to LinkedIn and Facebook updates. Before the end of his working day, he just updates his email and goes home at 5 pm. Bob’s attendance at the office was very regular; he was a familiar face.
Bob works for a company called Verizon. He is a top employee earning a great salary while doing very little work. All of Bob’s bosses praised his efforts as a code developer in the company. His record was perfect: punctual, outstanding work with exceptional results. He continued to earn excellent reviews for his performance over his many years at the company, and he was acknowledged as the best developer, one who wrote clean code, and was awarded best developer every quarter when his performance was reviewed.
However, all was not as it appeared: Bob’s personal records of his working day did not coincide with the results he was obtaining. So, how did he manage this?
Well, he outsourced his job. For years, Bob was not actually working; he was hiring overseas employees to do it for him. He got away with it for a few years, until security at his company began to get suspicious about overseas logins on the company network. Once the company realized that its private network was being hacked, it brought in the investigating team and found that one of its employees was using his computer and credentials to allow logins from overseas.
Verizon Security Blog discovered that the hackers were a third-party developer/contractor from Shenyang, China. They were accessing the company system legally, with properly authorized login credentials. The security agency was even more suspicious of Bob, believing that he may have been pulling multiple scams at several companies. The investigators at Verizon were positive that Bob had similar arrangements with other companies. According to Security Blog, Bob paid the Chinese consulting firm fifty grand annually, though he earned more than several hundred thousand dollars a year.
Verizon found that the third party had used a unique attack vector, which was shocking because the company had doubly protected its VPN connections. An RSA rotating key fob was also factored in, and although the developer was sitting at his desk, he was actually logged in from China. Initially, the company suspected malware that was initiating the VPN connections from Bob’s workstation via an external proxy. Verizon discovered from the VPN logs that the connections from Shenyang had been in operation for at least 6 months and occurred every day, occasionally spanning the entire working day.
Verizon turned its attention to Bob, as it was unable to find out how the company’s internal system was being accessed using his credentials. The investigators looked at his profile and found nothing that would arouse suspicion. He was just a software developer. However, when they examined a forensic image of his desktop workstation, they discovered numerous PDF invoices from a consulting firm in Shenyang, China. This led them to discover that he had shipped his RSA token to China to skirt the security requirements.
It is possible that the books written by former kickboxer Tim Ferriss, “Outsourcing Life” and “Disappearing Act: How to Escape the Office”, may have been the inspiration for this. I for one congratulate Bob for a job well done.