A Sordid Tale
One anonymous CSO's account of the dark side of security that goes beyond hackers and thieves. BY ANONYMOUS
I HAVE A PARANOID security team. Which is good.
I also have paranoid users who don't trust security people. Which is not so good.
I discovered this when a coworker came into my office, red in the face, eyes puffy and obviously greatly upset.
"What on earth is the problem?" I asked in my best official-yet-caring management voice.
Between sobs, she explained that, a week earlier, she had gotten an e-mail about the upcoming Summer Olympics in Greece. Since her nephew was hoping to be on the U.S. track team, my coworker was hoping to learn something that might help him. It took a while for a webpage to open up, but when it did, she read all about Greece and the Olympics.
Two days later, she got an e-mail from an unknown address asking for $50 or they would tell her management that she had been surfing pornography sites. They even said they could prove she had downloaded child pornography!
"They even told me which directory it was in on my computer," she cried. "And sure enough, when I looked there, I found the most disgusting pictures."
This was one of the most conservative people I know, and of course she would never do such a thing. She had even asked me once if it was OK to write a personal letter on her desktop and print it off on one of our laser printers.
The Olympic site was immediately suspect to her because it had taken so long to load the pages. "My computer is never that slow," she said.
"Did you pay them?" I asked.
"No," she said. "But they sent another e-mail this morning reminding me I had only two days left to pay them. So I figured I'd better talk to you about it."
Unfortunately security sometimes involves dealing with scumbags who prey on others. I knew immediately that this was an extortion attempt and calmed her fears. And, as I said, we have a pretty good security crew. Wonderfully paranoid. So I set them on a path to track down the offending organization and get to the bottom of what was going on.
First reports came rolling in almost instantly. My coworker had kept all her e-mails from the extortionist and had not turned off her system since the files were transferred to it, so the IS people had a pretty good look at logs and files to find out what they could reconstruct and get some ideas. They could see that she had, indeed, gotten the e-mail and then clicked on the URL, just as she said. Logs on her system showed an FTP file transfer from an IP address in Bulgaria. In all, there were three files that were named the same as the three we found on her system. They also found some text and GIF files about Greece. The system keeps 20 days' worth of file caches on what users have viewed on the Web, and if you know where to go on the system, you can see all of it.
The team copied everything to a CD. They also copied her Internet and website caches to CD in case we needed them later. They made a complete copy of her hard drive and burned that to a DVD.
"Looks as if things happened just as she said," the internal information security manager told me.
After that, we checked her e-mail client and the server backups. She had received an e-mail two days after the initial message asking for money and a credit card number. Luckily, she didn't give them one.
Here's the interesting part, though. When we were checking the firewall access logs, we found that the same IP address was active 27 times that day to other end user systems on our network. Twenty-seven times! We did some checking and found that at least 15 other employees were hit with the same scam on the same day.
Why hadn't anyone told us? I was completely aghast.
That's when I learned about the paranoid users. Some knew it was a scam, but some were truly afraid of losing their job. A few confessed to visiting porn sites on their computer at home and thought this was related. Three employees responded to the threat by divulging credit card numbers and now have problems with charges on their card.
We told them what was going on and had them call their credit card companies right away.
Then we put some blocks in our e-mail filters to kill off any more e-mails like that one. We've blocked the IP addresses from FTP and Web access in case the same culprits try it again. I think that will cover the bulk of it for now. If they change addresses or e-mail message types, we'll need to do the same procedure again, of course. Filtering is a very on-or-off type of experience. We won't pick up any changes in the attack automatically, and so we'll need to see a sample to tune the filters and kill off other variants of the message as well. It's the same problem we have with the spam filters. Spammers have an easy time tweaking messages to get around any filters we set up.
What fun. Security gets messy when it involves employees' privacy and protection from things like this. I have had to deal with the lovelorn stalker e-mail and the vicious ex-spouse mail several times.
This was my first extortion scam, but it turns out, it wasn't the first that my company has dealt with.
"We have this down to a science," my security team told me proudly.
"What do you mean by that?" I asked. "Why haven't I known about the others?"
"They happened before you came to work here," they explained. But they happened.
Apparently, we've had get-rich-quick schemes, extortion by people claiming to know where users live and to be watching them, and one targeted parents and claiming that their kids were being watched. All kinds of awful nonsense. "We usually put in the blocks, save the data to CD, call the FBI and send them copies of what we find," they told me. "It's like a fire drill for us now. We know what to do automatically."
"How often does something happen?" I wondered.
"Oh, probably 10 or so times a year...."
It seems it happens a lot more often than most people think. Most companies don't have an internal information security department to investigate and block this stuff, and many employees never say anything about it for fear of losing their job. One of my fed buddies told me that the government estimates that several million dollars are lost by employees every year to this sort of activity.
I arranged for a company meeting to let everyone know what was going on and what we were doing about it. At the end of the meeting, I asked why it was that almost 30 people knew and yet only one came forward to tell us.
"We were afraid of losing our jobs," said one employee.
"Why was that?" I asked.
"Because the former CSO had several people fired because she suspected—falsely—that they had visited porn sites. Some of us went to bat for them and told her they didn't do it, but she insisted that their activities were chronic and that she had logs off the Web filtering system that proved they were chronic offenders," the employee answered.
Several others chimed in: "We can't trust the security department to hear our side of the story, so it's better to keep quiet."
Checking back with the security teams, I found out that the rumors were true about my predecessor and that people were fired for what she
thought was porn-surfing during office hours on company equipment.
The technology staff tried to explain to her that what she thought was surfing was really those pop-up browser ads for porn sites. Some legit websites allow sponsored pop-ups for the porn-ad industry, and those erroneously make it look like the employee is frequenting porn sites.
Sometimes, the pop-ups keep coming up and that means that their activities look repetitive toward a porn IP address that they may never have actually visited on their own. But the former CSO wouldn't take the time to listen, so some employees got fired for visiting porn sites they never actually visited.
Well, at least I now know why I've been treated as The Great Unwashed by some employees. Many security tyrants out there don't consider all angles to a potential security problem.
At least for now, my coworker's problem with pornography is solved, and the employees know that I am not the Ogre of Security Departments Past. Let's hope that will stick with them for a while.
Nevertheless, I'll need to continue to educate employees about security and try to figure out how to get them to trust my new security regime.
This column is written anonymously by a real CSO at a major corporation.
ILLUSTRATION BY MICHAEL MORGENSTERN
Is Minority Report (the movie) merely a fiction? A newest research report from Harvard tells otherwise.
