
Turnabout: Verizon’s RISK Security Team Ferrets Out Employee Outsourcing His Own Job to China

Phillip Dampier January 17, 2013 Consumer News, Verizon 2 Comments
Downtown Shenyang

When corporate executives discover the merits of outsourcing jobs to overseas workers in China or India, that wins them a large bonus for improved efficiency and successful cost-cutting. When an enterprising employee does the same thing, that is a heinous security risk.

Verizon’s RISK Team, which sells enterprise-level security services to large companies, discovered a “severe” security threat when it went to work for a “critical U.S. infrastructure company” (which goes unnamed) that found some unusual activity in its private network logs.

It all started when the company began shifting employees away from in-office work towards cheaper telecommuting. To allow this to happen, a secure virtual private network was established allowing developers to manage their work from home.

When the company began reviewing the network logs, it discovered a curious workday connection being established almost daily originating from Shenyang, China. The company hired Verizon’s RISK Team to consider the implications.

Company security personnel were initially concerned the Chinese had infiltrated their private network even though network access required the use of a rotating token RSA key fob. Even harder to understand, security officials watched the employee working at his office desk at the same time.

Was it a Chinese intelligence agency break-in? Malware? Hackers?

No, it turned out the employee, who Verizon calls “Bob,” had simply outsourced his job responsibilities to a contracting firm in China.

Company officials authorized some infiltration of their own, asking Verizon to review a forensic image quietly obtained from Bob’s workstation. Verizon security officials were surprised when they found hundreds of .PDF invoices sent from the third party contractor-developer… in Shenyang, China. Verizon’s RISK blog explains further:

As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedEx’d his RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.

A typical ‘work day’ for Bob looked like this:

  • 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
  • 11:30 a.m. – Take lunch
  • 1:00 p.m. – Ebay time.
  • 2:00 – ish p.m Facebook updates – LinkedIn
  • 4:30 p.m. – End of day update e-mail to management.
  • 5:00 p.m. – Go home

Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.
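The company’s tip-off was a routine review of VPN logs, which showed a workday connection from Shenyang while the employee was visible at his desk. The check below is an added example, not code from this article or from Verizon’s RISK team: it correlates constructed VPN session records with constructed badge-reader records and flags any user whose VPN session originates from a country outside an expected set while that same user has badged into the building during the session. The log format, the user names, the IP addresses (drawn from documentation ranges) and the prefix-to-country lookup are all assumptions made for the demo; a real deployment would use the VPN concentrator’s actual log fields and a proper GeoIP database.

```python
"""
Added example: correlate VPN logins with physical badge-ins to spot a user
who appears to be in two places at once. Logs, users, addresses and the
geolocation table are constructed for illustration; none come from the article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed VPN concentrator log: ISO timestamp followed by key=value fields.
VPN_LOG = """\
2013-01-14T08:58:11Z user=bob src=203.0.113.45 event=login
2013-01-14T17:02:40Z user=bob src=203.0.113.45 event=logout
2013-01-14T09:15:02Z user=alice src=198.51.100.7 event=login
2013-01-14T12:40:19Z user=alice src=198.51.100.7 event=logout
2013-01-15T09:01:55Z user=bob src=203.0.113.45 event=login
2013-01-15T16:58:03Z user=bob src=203.0.113.45 event=logout
"""

# Constructed badge-reader log for the office entrance.
BADGE_LOG = """\
2013-01-14T09:04:30Z user=bob door=main-entrance event=badge-in
2013-01-15T09:12:07Z user=bob door=main-entrance event=badge-in
2013-01-14T10:30:00Z user=alice door=main-entrance event=badge-in
"""

# Stub geolocation (hypothetical): both prefixes are documentation ranges and
# the country codes are assigned only for this demo. Replace with GeoIP.
GEO_BY_PREFIX = {"203.0.113.": "CN", "198.51.100.": "US"}
# Countries from which remote developers are expected to connect.
EXPECTED_COUNTRIES = {"US"}


def parse_line(line):
    """Split 'ISO-timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def country_for(ip):
    """Longest-prefix lookup against the stub table; '??' when unknown."""
    for prefix, country in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return country
    return "??"


def vpn_sessions(log_text):
    """Pair each login with the next logout for the same (user, source IP).
    A login that never logs out is treated as open until the last record seen."""
    records = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda r: r["ts"],
    )
    open_logins, sessions = {}, []
    for rec in records:
        key = (rec["user"], rec["src"])
        if rec["event"] == "login":
            open_logins[key] = rec["ts"]
        elif rec["event"] == "logout" and key in open_logins:
            sessions.append({"user": rec["user"], "src": rec["src"],
                             "start": open_logins.pop(key), "end": rec["ts"]})
    last_ts = records[-1]["ts"] if records else None
    for (user, src), start in open_logins.items():
        sessions.append({"user": user, "src": src, "start": start, "end": last_ts})
    return sessions


def badge_events(log_text):
    """Map user -> list of badge-in timestamps."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("event") == "badge-in":
                by_user[rec["user"]].append(rec["ts"])
    return by_user


def find_split_presence(vpn_log, badge_log, expected_countries):
    """Return VPN sessions from an unexpected country during which the same
    user badged into the office: the 'at his desk while logged in from
    Shenyang' pattern."""
    badges = badge_events(badge_log)
    findings = []
    for s in vpn_sessions(vpn_log):
        country = country_for(s["src"])
        if country in expected_countries:
            continue
        on_site = [t for t in badges.get(s["user"], []) if s["start"] <= t <= s["end"]]
        if on_site:
            findings.append({"user": s["user"], "src": s["src"], "country": country,
                             "session_start": s["start"], "badge_in": on_site[0]})
    return findings


if __name__ == "__main__":
    for f in find_split_presence(VPN_LOG, BADGE_LOG, EXPECTED_COUNTRIES):
        print(f"{f['user']}: VPN from {f['src']} ({f['country']}) since "
              f"{f['session_start']} while badged in at {f['badge_in']}")
```

Run as-is, the script reports both of bob’s days; alice is never flagged because her session comes from an expected country. Note that the geography filter alone would also have caught a legitimate business trip, which is why the badge correlation matters: the combination, not the foreign address by itself, is what makes the event worth a forensic image rather than a phone call.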

Using Public Cell Phone Charging Stations Can Be a Security Risk

Phillip Dampier August 13, 2012 Consumer News, Video, Wireless Broadband Comments Off on Using Public Cell Phone Charging Stations Can Be a Security Risk


If you use a public cell phone charging station, your data could be at risk, warn security experts. A new breed of hackers is modifying the charging outlets found in airports, phone booths, and other public venues to capture your phone’s data while you charge. WCPO in Cincinnati shows you how it can be done. (2 minutes)

Amazon Slaps 50MB Usage Cap on Kindle Browsing Over AT&T’s 3G Network

Phillip Dampier July 24, 2012 AT&T, Consumer News, Data Caps, Wireless Broadband 2 Comments

Amazon.com has quietly introduced a 50 megabyte usage cap on Kindle owners using 3G-equipped models to browse web pages over AT&T’s 3G wireless network. Customers exceeding the limit after July 1 reportedly began receiving this pop-up message on their device:

The Experimental Web Browser is currently only available for some customers outside of the United States and may be limited to 50MB of browsing over 3G per month. This limit does not apply when customers are browsing over Wi-Fi.

The new usage cap does not affect users browsing Amazon.com, Wikipedia, and the Kindle store.

Web browsing on an electronic ink display instinctively has a built-in cap: the limited patience of the user trying to browse websites that were never designed for the Kindle experience.

But some enterprising hackers managed to jailbreak the Kindle device and turn its free 3G connection into a wireless mobile hotspot.

That means Amazon was footing the bill for Kindle owners who have re-purposed the device to provide Internet connectivity to wireless phones, laptops, tablets, and other Wi-Fi enabled devices.

At AT&T’s prices, Amazon decided to pull the plug after 50MB, which is barely enough for a few dozen busy web pages accessed during the month.

AT&T Shamed to Drop $1 Million Lawsuit Against Customer Over Fraudulent Calls

Phillip Dampier July 9, 2012 AT&T, Consumer News, Public Policy & Gov't, Verizon 3 Comments

ToddTool could have been forced into bankruptcy, taking its 14 employees straight to the unemployment line, had AT&T followed through on its threat to collect a million dollar fraudulent phone bill.

Michael Smith and his 14 employees can now sleep again after AT&T dropped a $1.15 million lawsuit against Smith’s small manufacturing company after the story went viral.

The lawsuit was filed over fraudulent long distance calls placed through Smith’s PBX phone system to the war-torn nation of Somalia over a four day period in 2009.

Smith discovered the fraud after getting long distance bills totaling $891,470 the following month.

More than $260,000 of additional charges were billed by Verizon, Smith’s landline phone company, and Verizon forgave those charges a few months after Smith filed a billing dispute. Verizon noticed the unusual calling activity and temporarily suspended Smith’s international long distance service. The phone hackers then simply used a “dial-around” long distance access code for AT&T to keep the calls going through, resulting in a huge bill from AT&T, which charged $22 a minute for the calls.

Unlike Verizon, AT&T wanted its money and despite multiple attempts to get credit for the fraudulent long distance calls, AT&T refused to relent, filing suit against Smith for the full cost of the fraudulent calls, plus interest.

Smith told a Salem, Mass. newspaper if he paid the bill, it would force his company into bankruptcy and put his 14 employees on the unemployment line.

The company claims in its lawsuit Smith should have known better — securing his PBX system more effectively against international long distance fraud and that under Federal Communications Commission regulations, AT&T is entitled to collect from the owner of the phone line, regardless of who actually made the call.

Smith told The Salem News he’s tried to resolve the matter, even reaching out to the CEO of AT&T, but a secretary at the company called and said that once AT&T refers a case to outside counsel, they are done talking.

AT&T later offered to waive the accumulating interest charges on the unpaid balance (now $197,000 and growing) if Smith paid the company $891,470 for the phone calls to Somalia.

Smith filed a countersuit instead, claiming AT&T is abusing the legal process and violating Massachusetts consumer protection laws. A judge was pushing the case to mediation.

Smith’s interview with the Salem newspaper came at additional risk: AT&T’s lawyers threatened they would take action if he “disparaged” the company’s name in the media.

After the story ran nationwide this morning on the Associated Press wire service, the company suddenly dropped the case.

In a statement sent to the media, AT&T writes it is no longer pursuing its claims against Michael Smith, of Ipswich, “though we are entitled by law to collect the amounts owed.”

Sandra Bernhard: Dealing With Time Warner “An S&M Experience Without the Pleasure”

Phillip Dampier June 26, 2012 AT&T, Consumer News, Verizon 3 Comments

Recognizable New Yorkers are fed up trying to keep track of new security measures thrown at them by their telecommunications companies.

The New York Times Fashion & Style section (really?) took a dive into the frustrating world of pre-assigned passwords, captcha codes, and user verification questions that confound New York’s more prominent citizens, sometimes with hilarious results.

“It’s a nightmare,” the comedian Tracey Ullman told the newspaper. “These passwords just keep getting longer and longer. I try to think of a startling emotional thing that jogs my memory or something that’s frightening, or my grandmother’s name with 666 at the end. But I really don’t know what to do.”

In an effort to respond to an increasingly security-conscious online world, providers are password protecting subscriber information and equipment to keep prying eyes out. But sometimes those anti-hacking, anti-eavesdropping, anti-identity theft efforts become mind-boggling to confused customers who end up locked out of their own accounts.

Among the latest trends: locking down wireless routers with passwords straight out of the box.

Any long time Wi-Fi user already knows America’s largest open wireless network does not come from AT&T or Verizon Wireless. It comes from a company formerly known as “Linksys” (today Cisco). Customers confounded by wireless security simply plug in their new routers and start using them without setting any Wi-Fi password or enabling security measures.

Time Warner Cable tried to lick that problem by issuing pre-assigned passwords to customers using the company’s wireless router. Unfortunately, comedian Sandra Bernhard, never smart to antagonize, ended up with one that came with a mish-mosh of letters and numbers (they range from 13 to 28 characters) that cannot be changed.

“We have that one written down somewhere, but where it is I’d be hard pressed to tell you,” Bernhard told the newspaper, noting that her relationship with the cable provider is “an S&M experience without the pleasure.”

Verizon and AT&T love their creative security questions, designed to verify you are who you say you are. But New Yorkers who think too deeply about the questions are sure to be tripped up by the experience.

Jeffrey Leeds, a fixture on the New York social scene, tells the Times he hates questions like “What is the name of your first girlfriend?” because he is unsure if that means the first girl he slept with or the first one he liked who never returned his phone calls.

The confusion inevitably leaves hapless customers writing down their password and security questions on sticky notes or in a notebook, which entirely defeats the purpose of private “only you should know” passwords.

Courtney Love thought she could outwit the hackers with her own system, based on mnemonics.

“You use the lyrics to a song,” she said, for example, “ ‘Lucy in the Sky With Diamonds’ — litswd-1 — and that way you can’t forget it.”

But the newspaper reports that worked until Love was tripped up by “Hey Jude.”

“I kept forgetting if it was ‘Hey Jude, don’t make it bad’ or ‘Hey Jude, don’t make it sad,’ ” she said. “So I gave up on that.”

But the most reviled security measure of all is the deadly, incomprehensible “captcha” code — the barely decipherable slanted text and numbers that real humans are supposed to be able to identify but spammers using automated tools cannot.

“Don’t you hate those?” Ullman said. “I always get those wrong because it looks like they were written by someone on LSD. It’s awful.”

Stop the Cap!