The Gucci case, based on previously unpublished court records and Secret Service interview notes, provides a rare look into the mechanics of investigating a retail IT inside job, from reviewing logs to deciding what conclusions they support. And when the accusations include one network administrator allegedly manipulating evidence to point at another IT person, separating legitimate clues from false ones to find the truth can be daunting.
On the one hand, we have a meticulously planned revenge plot by a soon-to-be-fired network admin, who the Manhattan District Attorney's office said prepared a year in advance for the assault by creating a fictitious employee and giving him high-level network access. The alleged plot has the culprit then using a Yahoo.com E-mail account to contact IT five times to activate the VPN token and launch his attack. On the other hand, would someone who had served as the Gucci network administrator for nine years create such a nefarious account using his own account name and password? Would he then access the account and E-mail repeatedly from his home, making no attempt to hide his IP address? Does that sound like the work of an experienced security coder, who presumably would know how easy those things are to trace and how easily that could be avoided?
The defense is suggesting that the fired network admin is being framed by a co-worker. That might sound like a stretch, but is it? What if former Gucci network admin Sam Chihlung Yin had created that E-mail account innocuously, to perhaps test network settings and how they would impact a new employee? That's often done for many reasons. It would explain the lack of an attempt to hide his tracks in creating that account. What if a colleague knew of that E-mail account and the token and realized that those items would make the perfect frame, once Yin was fired?
But that rationale has holes, too, because it would require the co-worker to access the suspect's home network. As the case stands now, neither scenario makes sense, although it does shed much light on how complicated and difficult such IT detective work can be. So prepare to curl up for a classic IT detective story.
Yin was indicted and accused of deleting several virtual servers, shutting down a storage area network (SAN) and deleting corporate mailboxes, a move that Gucci said cost the company "more than $200,000 in diminished productivity, restoration and remediation measures, and other expenses." His defense team has filed documents saying that other Gucci employees had greater access than the accused and then went so far as to list 23 other Gucci employees who it says should be investigated. That theory suggests that other IT employees wanted to do Gucci harm and then used knowledge of Yin to make it look like the recently fired administrator was responsible.
"We challenge the assertion that the defendant alone had access to the system in question and suspect that the District Attorney's Office knows who actually did have access to the targeted systems at the times of the alleged crimes," wrote Yin attorney Matthew Mari. "He was one of at least two dozen persons who could have had access to the computers in question and the investigators either knew or should have known that the changes in the system after the defendant left Gucci would have made it impossible for him to gain entry into the system. They should have known that it was more likely that others could have entered the system and tried to frame the defendant."
The list of others who had access to the system was comprehensive, with number 24 naming "all support staff."
The defense motions, however, do not directly refute any of the material accusations of the Manhattan D.A. Indeed, the government's case specifically alleges that Yin did not use his own VPN to access the Gucci main system—a Unix server called Godzilla—but instead used the VPN credentials he had earlier issued to non-existent employee John Bare. Although it's standard procedure to deactivate any passwords for a terminated employee, no one initially saw a reason to deactivate every VPN account that employee had issued.
A Secret Service memo of statements Yin gave to Special Agent Timothy Desrochers lays out the essence of the government's case. If true, it would seem that the network administrator's anonymous attack was done without much attempt to cover IP tracks. That seems unlikely, though. If anyone would know of the need to cover IP tracks—and various techniques to do so—it would likely be someone who had spent nine years working as a Gucci network administrator, specializing in security issues.
That said, this is the timeline presented: Yin was fired in 2010. In 2009, someone using Yin's username and password issued a token to a nonexistent employee under the name "John Bare."
"Yin was shown a record from Yahoo related to the creation of the E-mail address firstname.lastname@example.org. Yin admitted to creating the E-mail account but stated he could not recall when he created it or for what reason. Yin was informed that the E-mail was only used to communicate with Gucci IT staff on five different dates," the Secret Service memo said.
The memo also said Yin was then shown an IP log from that E-mail account and that it "was created and accessed exclusively from" the same IP address that routinely accessed Yin's personal Yahoo account.
"Yin admitted that he had accessed Gucci's VPN after being fired in order to retrieve personal documents and technical notes he had stored on the network. Yin stated he could not recall the date when he accessed the VPN or where he had stored the files on Gucci's network," the government notes said. "Yin also stated that he could not recall how many times he had accessed Gucci's VPN after he was fired. Yin stated he could not recall which VPN token he used to access Gucci's VPN after he was fired."
The agents then used more IP address records. "Yin was shown a record from QRadar from the night of Nov. 12, 2010. Yin agreed that it indicated Gucci's VPN being accessed from [the IP address Verizon said was associated with Yin's home address] by Bare," presumably linking Bare VPN access with Yin's home.
During a search of Yin's home, agents said they found two VPN tokens. "Yin stated that the VPN tokens were from Gucci and he had not returned them when he was fired because they were old. Yin also indicated that he had two tokens because one must have been turned into him and he forgot to give it to the people who handle the VPN tokens at Gucci," the memo said. "Yin stated he did not know why he had a token issued to Bare and could not recall if he used it."
This was a strange line: "Yin told investigators that he could not recall what his duties were at Gucci and denied having an advanced knowledge of their network infrastructure." He was a nine-year veteran network administrator for Gucci and he said he didn't have an advanced knowledge of its network infrastructure? How could he have held that role and not possessed such knowledge? This raises three questions: Did the agents get anything this guy said written down correctly? If they had accurate notes, did he expect anyone to believe that? And if the notes are accurate and he really didn't know much about the Gucci network, what took Gucci so long to fire him?

The government's case—as outlined by that Secret Service memo—certainly sounds airtight. A bit too airtight. For this case to make sense, one has to reconcile two very different images. In this corner, we have a nine-year veteran network administrator who clearly had thought this action through. He created a bogus employee a year earlier, issued him a VPN and then created a bogus Yahoo account to use to activate the account later so the absence of immediate activity in the logs wouldn't look odd.
In the other corner, he knows that the idea is to have this fake employee later carry out an attack and take all of the blame. If that's the goal—and the D.A.'s suggestion is that this was thoroughly thought through (setting up a fake account a year ahead is hardly an emotional last-minute move)—why in the world would he use his own credentials to create the bogus account? Wouldn't that be the first thing checked, especially once someone discovered that John Bare didn't exist? If it's this well thought out, why would this guy leave a perfect trail of IP breadcrumbs leading right to his home?
Why not quietly wait for someone in the VPN token area to go on vacation and then add the bogus employee's name to a list of new people needing tokens? At least that way, his fingerprints wouldn't be on the token's creation.
The defense's suggestion that this is a frame may sound paranoid and desperate, but this case doesn't sound like the careful work of a veteran systems administrator. It sounds a lot more like the work of someone who has deliberately chosen to be sloppy. It doesn't make sense that someone who knows this much about network administration would not know about IP address tracking.
Even though the defendant's apparent lack of effort to cover his tracks in this case is extreme, the opposite argument—that someone else at Gucci did it—is also a stretch. According to the Secret Service memo, Yin admitted that he had accessed Gucci's VPN after he was fired. Given the assumption that his personal passwords would have been deactivated, that implies he used different credentials, and the Bare credential was indeed found in his home, according to the Secret Service.
Yin also offered an explanation for why he had possession of that credential, which would seem to undermine an argument that the Bare credential was planted in his home by the real attacker.
The argument that Yin was not the attacker has as many logic holes as the argument that he was. And this is a case that has the resources of the New York District Attorney's office, the U.S. Secret Service and the Gucci IT department. For most cases, IT stands alone. What's worse than fearing what a disgruntled coder on your payroll might do to your company? How about trying to crack a confusing whodunit with your team, knowing that the wrong move could not only punish an innocent employee but leave a cyberthief on your payroll to attack again?
—Benjamin Preston contributed to this piece, reporting from New York City.