This is page 3 of:
Case Against Indicted IT Admin Looks Airtight. Too Airtight
The government’s case—as outlined by that Secret Service memo—certainly sounds airtight. A bit too airtight. For this case to make sense, one has to reconcile two very different images. In this corner, we have a nine-year veteran network administrator who clearly had thought this action through. He created a bogus employee a year earlier, issued him a VPN token and then created a bogus Yahoo account to activate the token later, so that the absence of immediate activity in the logs wouldn’t look odd.
In the other corner, he knows that the idea is to have this fake employee later do an attack and get all of the blame. If that’s the goal—and the D.A.’s suggestion is that this was thoroughly thought through (setting up a fake account a year ahead is hardly an emotional last minute move)—why in the world would he use his own credentials to create the bogus account? Wouldn’t that be the first thing checked, especially once someone discovered that John Bare didn’t exist? If it’s this well thought-out, why would this guy leave a perfect trail of IP breadcrumbs leading right to his home?
Why not quietly wait for someone in the VPN token area to go on vacation and then add the bogus employee’s name to a list of new people needing tokens? At least that way, his fingerprints wouldn’t be on the token’s creation.
The defense’s suggestion that this is a frame may sound paranoid and desperate, but this case doesn’t sound like the careful work of a veteran systems administrator. It sounds a lot more like the work of someone who has deliberately chosen to be sloppy. It doesn’t make sense that someone who knows this much about network administration would not know about IP address tracking.
Even though the lack of cover that the defendant apparently took in the case is extreme, the opposite argument—that someone else at Gucci did it—is also a stretch. According to the Secret Service memo, Yin admitted that he had accessed Gucci’s VPN after he was fired. Given the assumption that his personal passwords would have been deactivated, that implies he used different credentials and the Bare credential was indeed found in his home, according to the Secret Service.
Yin also offered an explanation for why he had possession of that credential, which would seem to undermine an argument that the Bare credential was planted in his home by the real attacker.
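The facts the article leans on—an account created under a particular administrator’s credentials, a VPN token that sits unused for a year, a creator whose own access was later cut off, and a source IP that ties back to that creator—are exactly the fields an IT team can cross-check in its own provisioning and VPN logs. The following is an added example, not code from the article or from Gucci’s IT department; it runs a review over a small set of constructed audit events (the account names, timestamps and IPs are invented) and flags any account whose first login looks like the pattern described above.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs from the case): one admin account,
# one account that admin provisioned which stays dormant, then first logs in after
# the admin's own account was disabled, from an IP the admin had used earlier.
SAMPLE_EVENTS = [
    {"ts": "2009-06-01T09:12:00", "type": "account_created", "actor": "admin_a", "subject": "contractor_x"},
    {"ts": "2009-06-01T09:15:00", "type": "vpn_token_issued", "actor": "admin_a", "subject": "contractor_x"},
    {"ts": "2009-09-14T18:40:00", "type": "vpn_login", "actor": "admin_a", "src_ip": "203.0.113.7"},
    {"ts": "2010-05-20T17:00:00", "type": "account_disabled", "actor": "hr_system", "subject": "admin_a"},
    {"ts": "2010-11-10T02:30:00", "type": "vpn_login", "actor": "contractor_x", "src_ip": "203.0.113.7"},
    # A normal hire for contrast: created and first used within days, creator still active.
    {"ts": "2010-03-01T10:00:00", "type": "account_created", "actor": "admin_b", "subject": "employee_y"},
    {"ts": "2010-03-03T08:05:00", "type": "vpn_login", "actor": "employee_y", "src_ip": "198.51.100.4"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def review_provisioned_accounts(events, dormancy_days=90):
    """Return a finding for each provisioned account whose first login is suspicious.

    Three independent signals are checked, each drawn from the pattern in the article:
      1. the account sat dormant longer than `dormancy_days` before its first login;
      2. the first login happened after the creating admin's own account was disabled;
      3. the first login came from an IP the creating admin had logged in from before.
    """
    events = sorted(events, key=_ts)
    created = {}        # subject account -> (creator, creation time)
    disabled = {}       # account -> time it was disabled
    first_login = {}    # account -> (time, source IP) of its earliest login
    ips_by_actor = {}   # account -> set of source IPs it has logged in from

    for e in events:
        t = _ts(e)
        if e["type"] == "account_created":
            created[e["subject"]] = (e["actor"], t)
        elif e["type"] == "account_disabled":
            disabled[e["subject"]] = t
        elif e["type"] == "vpn_login":
            first_login.setdefault(e["actor"], (t, e["src_ip"]))
            ips_by_actor.setdefault(e["actor"], set()).add(e["src_ip"])

    findings = []
    for subject, (creator, ctime) in created.items():
        if subject not in first_login:
            continue  # never used at all: worth a separate review, not scored here
        ltime, ip = first_login[subject]
        reasons = []
        if ltime - ctime > timedelta(days=dormancy_days):
            reasons.append(f"dormant for {(ltime - ctime).days} days before first login")
        if creator in disabled and disabled[creator] < ltime:
            reasons.append(f"first login after creator {creator} was disabled")
        if ip in ips_by_actor.get(creator, set()):
            reasons.append(f"first-login IP {ip} previously used by creator {creator}")
        if reasons:
            findings.append({"account": subject, "creator": creator, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_provisioned_accounts(SAMPLE_EVENTS):
        print(finding["account"], "created by", finding["creator"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Each signal on its own is common in legitimate environments (contractors are often provisioned early, admins leave, home IPs are shared), which is why the function records all the reasons that fired rather than a single verdict; an account that trips all three is the one to pull the provisioning ticket and token-request record for, and the creator field is what lets an investigator ask the question the article asks—whether the person named as creator plausibly did the creating.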
The argument that Yin was not the attacker has as many logic holes as the argument that he was. And this is a case that has the resources of the New York District Attorney’s office, the U.S. Secret Service and the Gucci IT department. For most cases, IT stands alone. What’s worse than fearing what a disgruntled coder on your payroll might do to your company? How about trying to crack a confusing whodunit with your team, knowing that the wrong move could not only punish an innocent employee but leave a cyberthief on your payroll to attack again?
—Benjamin Preston contributed to this piece, reporting from New York City.