Case Against Indicted IT Admin Looks Airtight. Too Airtight

July 13th, 2011

The government’s case—as outlined by that Secret Service memo—certainly sounds airtight. A bit too airtight. For this case to make sense, one has to reconcile two very different images. In this corner, we have a nine-year veteran network administrator who clearly had thought this action through. He created a bogus employee a year earlier, issued him a VPN token and then created a bogus Yahoo account to use later to activate that token, so that the absence of immediate activity in the logs wouldn’t look odd.

In the other corner, he knows that the idea is to have this fake employee later do an attack and get all of the blame. If that’s the goal—and the D.A.’s suggestion is that this was thoroughly thought through (setting up a fake account a year ahead is hardly an emotional last minute move)—why in the world would he use his own credentials to create the bogus account? Wouldn’t that be the first thing checked, especially once someone discovered that John Bare didn’t exist? If it’s this well thought-out, why would this guy leave a perfect trail of IP breadcrumbs leading right to his home?

Why not quietly wait for someone in the VPN token area to go on vacation and then add the bogus employee’s name to a list of new people needing tokens? At least that way, his fingerprints wouldn’t be on the token’s creation.

The defense’s suggestion that this is a frame may sound paranoid and desperate, but this case doesn’t sound like the careful work of a veteran systems administrator. It sounds a lot more like the work of someone who has deliberately chosen to be sloppy. It doesn’t make sense that someone who knows this much about network administration would not know about IP address tracking.
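The two trails the article keeps returning to (the administrator's own credentials on the account-creation event, and the source IP shared between the bogus account's first login and the administrator's own sessions) are exactly the correlations an IT team doing its own whodunit would pull out of the audit log. The following is an added example, not code from the article or from any of the parties involved: it parses a small constructed audit log (format, account names and IP addresses are all invented) and flags accounts that were created by an administrator, then sat dormant for a long period, and/or whose first login came from an IP address already associated with that administrator.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the article). One event per line:
# timestamp, actor, action, target account, source IP. The admin creates two
# accounts; one is used the next day from a new IP, the other sits idle for
# months and is first used from an IP the admin's own VPN session came from.
SAMPLE_LOG = """\
2010-04-12T09:15:00 admin.a CREATE_USER jbare 203.0.113.10
2010-04-12T09:16:00 admin.a ISSUE_TOKEN jbare 203.0.113.10
2010-04-12T09:30:00 admin.a CREATE_USER newhire1 203.0.113.10
2010-04-13T08:00:00 newhire1 VPN_LOGIN newhire1 198.51.100.7
2010-06-01T10:00:00 admin.a VPN_LOGIN admin.a 198.51.100.20
2011-03-05T22:41:00 jbare VPN_LOGIN jbare 198.51.100.20
"""


def parse_log(text):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "actor": actor,
            "action": action,
            "target": target,
            "ip": ip,
        })
    return events


def find_ghost_accounts(events, dormant_days=90):
    """Flag accounts whose creation and first use look like a planted identity.

    Two independent signals, either of which produces a finding:
      long_dormant - first login came at least `dormant_days` after creation
      shared_ip    - first login came from an IP the creating admin also used
    A normal new hire is created and starts working within days from an IP
    unrelated to the administrator, so it trips neither check.
    """
    created_by = {}                 # account -> (creator, creation time)
    first_login = {}                # account -> (time, source IP)
    ips_by_actor = defaultdict(set) # actor -> every source IP seen for them

    for e in sorted(events, key=lambda e: e["ts"]):
        ips_by_actor[e["actor"]].add(e["ip"])
        if e["action"] == "CREATE_USER":
            created_by[e["target"]] = (e["actor"], e["ts"])
        elif e["action"] == "VPN_LOGIN":
            first_login.setdefault(e["actor"], (e["ts"], e["ip"]))

    findings = []
    for account, (creator, created_at) in created_by.items():
        if account not in first_login:
            continue  # never used yet; nothing to correlate
        login_ts, login_ip = first_login[account]
        dormant = login_ts - created_at
        reasons = []
        if dormant >= timedelta(days=dormant_days):
            reasons.append("long_dormant")
        if login_ip in ips_by_actor.get(creator, set()):
            reasons.append("shared_ip")
        if reasons:
            findings.append({
                "account": account,
                "creator": creator,
                "dormant_days": dormant.days,
                "first_login_ip": login_ip,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_ghost_accounts(parse_log(SAMPLE_LOG)):
        print(f)
```

The two signals are deliberately separate: a dormant account alone may just be a delayed start date, and a shared IP alone may just be an administrator logging in from the office; an account that shows both is the one worth pulling the token-issuance records for. Real VPN and directory logs carry the same fields under different names, so only `parse_log` would need to change.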

Even though the lack of cover that the defendant apparently took in the case is extreme, the opposite argument—that someone else at Gucci did it—is also a stretch. According to the Secret Service memo, Yin admitted that he had accessed Gucci’s VPN after he was fired. Given the assumption that his personal passwords would have been deactivated, that implies he used different credentials and the Bare credential was indeed found in his home, according to the Secret Service.

Yin also offered an explanation for why he had possession of that credential, which would seem to undermine an argument that the Bare credential was planted in his home by the real attacker.

The argument that Yin was not the attacker has as many logic holes as the argument that he was. And this is a case that has the resources of the New York District Attorney’s office, the U.S. Secret Service and the Gucci IT department. For most cases, IT stands alone. What’s worse than fearing what a disgruntled coder on your payroll might do to your company? How about trying to crack a confusing whodunit with your team, knowing that the wrong move could not only punish an innocent employee but leave a cyberthief on your payroll to attack again?

Benjamin Preston contributed to this piece, reporting from New York City.

