No doubt, you have all heard about the brilliant â€˜software developerâ€™, dubbed Bob, at a US-based critical infrastructure company that outsourced his job to China, but fell foul of his employer. To recap, this family man in his 40s hired developers in China to do his coding for him.
By all accounts, Bob was an â€œinoffensive and quietâ€ but talented man versed in several programming languages, who took advantage of his companyâ€™s telecommuting policy to the extreme. His â€˜sub-contractorsâ€™ must have been pretty good at their jobs too because he apparently received excellent performance reviews for the last several years in a row, even being hailed the best developer in the building – his code was clean, well-written, and submitted in a timely fashion.
The Next WebÂ (TNW), which broke the story, reports that Bob had the same scam going across multiple companies in the area, earning â€œseveral hundred thousand dollars a year,â€ and only paying the Chinese consulting firm â€œabout fifty grand annually.â€Â According to TNW, the scheme was discovered accidentally. The firmâ€™s telecoms provider, Verizon, received a request asking for help in understanding anomalous activity it was witnessing in its VPN logs: an open and active connection from Shenyang in China.
Needless to say, somebody from China having access into their VPN must have been frightening, especially for long periods. The investigators could not understand how this was happening and only after they used forensic means to monitor Bobâ€™s desktop did they make the startling discovery of hundreds of PDF invoices from the Chinese company to Bob, and the fact that he was on social media sites most of the day that the penny dropped. If you are wondering how the Chinese stepped around the security requirements, it seems Bob just sent them his RSA token by FedEx. Brilliant!
Sadly, the company no longer employs Bob. Youâ€™d think someone with his business acumen and cost-cutting skills would make good management material. He was, after all, able to reduce costs by 80 percent and still produce excellent code. Maybe they kept the invoices for future reference?
However, his actions raise a number of questions. Is it possible that Bob is the only person in the world working online or telecommuting that has thought of this ruse? Probably not! And what a great ruse it was.
You canâ€™t blame him for doing it; after all, he has watched a large chunk of US manufacturing â€˜outsourcedâ€™ to China by some very big, and legitimate companies. He may have just been following the example they set – charging the same price for your goods and services in the US but getting them done for you in China at a fifth the price.
A budding capitalist he may have been, but Bob was not so clever about covering his tracks. He should have realized that Chinese traffic into the VPN would someday be noticed. And why did he send the RSA token to them when he could have just sent the numbers by instant messaging each time they logged in. Maybe this was simply too much work for him?
Most important of all for VPN customers of any ISP or CSP is that Verizon was able to track down the activity (at least after being tipped off) and then use it is a case study warning other firms of a simple, yet effective, activity that may expose them to potential risk. It does highlight yet another source of extra revenue for ISPs and CSPs that can offer to monitor unusual traffic over VPNs and provide warnings. In this particular case, apart from the Chinese IP addresses coming up there were little else to attract attention. Offering to monitor security for customers must be a potential winner on the back of this story, surely.
First published at TM Forum as The Insider