Slashdot Mirror


When Wrongfully Accused of Hacking, What Can You Do?

justin asks: "Earlier this week, when I went into work, I was met at my desk by upper management; they wanted to meet with me. I was not sure as to why, but when we got into the office, they set a pile of paperwork in front of me, opened it up to a certain page and asked me what it was. The paperwork was a series of (gimpy) logs showing an internal IP address doing a combination of scanning, and then what looked like hacking, of various boxes on the internet (of these there was the US Treasury among other US Government Organizations). The internal IP address was that of the one I am normally (read: not always) assigned by DHCP. I told them I had no idea what this was, that I didn't do it and that I think I would remember hacking into the US Treasury. I was a contracted employee, so I don't think I have any recourse. I was just left high and dry, accused of something that I did not do, and their basic sentiment was 'we will investigate this, do you want us to call you and give you your job back if you are innocent?' This seems rather silly to me, since you'd think such things would be investigated before they would decide to fire me. I'm looking to find out who else has been in this situation and how they dealt with it."

"The logs were in a simple format: 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'. Now there had been some problems at work with the recent MS DCOM/RPC bug, and my machine was compromised either the same day, or the day previous to the day of the events I am being accused of. Additionally, because it was an internal IP address, it could have been anyone with access to ifconfig on their machines (They don't have a link layer dump).

I now have the following questions:

  1. What experiences have other people had that relate to this, and what course of action, if any, did they take in response?
  2. I know the laws aren't very sympathetic when it comes to people saying 'yea that was my computer, but it wasn't me', but it can be proved that my computer was compromised in the same time frame, and also the evidence they have is rather flimsy. What experiences have people had in a similar situation?
  3. If someone should try to press charges, where can I find a decent attorney that would actually understand the technology and what I was saying? (As I am now unemployed, I'm very much on a budget.)
  4. What should I tell my next prospective employer? Even if they believe me that I had nothing to do with it, that puts one serious doubt in a person's mind.
I'm primarily self taught and with a little less than 3 years experience as a Unix Admin and doing system programming, it is hard enough for me to get a job as it is, never mind with accusations that I was out trying to hack the government on my last job.

Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."

8 of 105 comments

  1. Have them let you know when they find real culprit by Anonymous Coward · · Score: 3, Insightful

    Do so in a friendly manner. Make sure you understand that they are just covering their asses. And when you have something from them in writing that they fired you based upon false information, sue them into oblivion. Talk to a lawyer about whether DHCP makes logs entirely unreliable.

  2. All together now: by Elwood+P+Dowd · · Score: 3, Insightful

    Call a lawyer!

    Sure, we might be able to give you some interesting technical advice, but that will have absolutely nothing to do with your situation, which is entirely legal in nature.

    Legal issue -> Lawyer
    Nerd issue -> Slashdot

    Is this primarily a nerd issue? NO! Call a lawyer.

    Call a lawyer? Call a lawyer. Call a lawyer.

    --

    There are no trails. There are no trees out here.
  3. even if innocent, you need a lawyer! by josephgrossberg · · Score: 3, Insightful

    Now that you're fired, they might mistakenly consider the case closed. If the "real hacker" (e.g. a coworker) got wind of this, and stops doing so, they will likely assume they got the right guy when they accused you.

    Second of all, why would you assume it stops here? They may have contacted law enforcement authorities, and you might need to do some preparation to get your stuff together. Even if you're charged with something you didn't do, you'll need to mount a defense.

  4. Don't flinch when you are walked into "the talk" by Anonymous Coward · · Score: 5, Insightful

    By the time you are 50 you may know better how to react in a situation like this. You really have to have been through it a couple of times, and it is hard to do the right thing as a 25-year-old who just knows abstractly what the right thing is. First, never be flustered (ok that's impossible) but do deny all wrongdoing. They may be "accusing" you of doing something that is perfectly innocent or a normal part of your job; so don't deny whatever it is they are waving at you, in fact offer no details whatsoever. Do immediately say you have never broken any rules, legal or company. Also say, "Sir, I am demanding a full investigation into all aspects of this." They don't really want to fully investigate, they just want to fire someone and then go on lunch break. Repeatedly ask for a full investigation, and ask for any specifics you can think of -- like an immediate shutdown of the source machine and that its hard disk be forensically preserved.

    Here's the hard part, which you can be thinking that you should do in the back of your head, but is hard to do. Reach across the desk and scoop up all the paper you see. Tuck it under your arm like a football and don't let it out. Make sure you get out the building with that paper. Let them escort you from the building or call the police, but don't give up the documents. If they start demanding them back, you know they are fucking around and have no case. If a policeman shows up, ask him his name and then hand him the documents and tell him they are potentially criminal evidence and must be preserved. If the cop hands them back to the boss at that point, it's ok, you just have to write that in a letter or affidavit and document it.

    Immediately deposit the papers in a safety deposit box and send certified letters to the company asking for all reasons you were terminated, and any allegations proven, disproven, or unknown made against you by anyone. Note that's letters, plural, because even though it's the exact same letter, you want to hit several people inside the company so you can get the conflicting answers. Also hit the Agent of Process of the company -- this is the person who is served in an event of a suit; it automatically triggers the involvement of the legal department.

    What happens next? Are you bought out and retire to Tahiti? Do they hastily scramble to hire you back and get you back pay? Of course not. This is a big business so they are assholes. You'll get nothing except the grateful feeling of not being in jail. The only good about it is that the internal stir created by the resulting management meetings with legal advisors will cause them to not be a bit more competent in investigating future incidents, until a year passes and their small rat-like brains forget it all.

  5. Contractor. by theNote · · Score: 2, Insightful

    You were a contractor.
    This means you have 0 recourse.

    It's the same as if you suspected your exterminator of stealing.
    You just tell him his services are no longer needed.

    The exterminator can't sue you, and no reason need be given.

    Consider yourself lucky they even told you why because they didn't have to.

    Also, as a contractor, your previous client is under no restriction on giving you a bad reference.

  6. Re:You Want the truth? by JHMirage · · Score: 2, Insightful
    Clearly people with a better sense of humor than... others.

    *cough*

    --

    A man talking sense to himself is no madder than a man talking nonsense not to himself.
  7. Re:Don't flinch when you are walked into "the talk by Anonymous Coward · · Score: 2, Insightful
    Here's the hard part, which you can be thinking that you should do in the back of your head, but is hard to do. Reach across the desk and scoop up all the paper you see.

    Sorry Mr. Coward, but I am a young man, and I have never been in a situation like this. Could you please explain further how this would help you? Are you banking on them not having any copies of the supposedly incriminating documents? Seems like a foolish thing to gamble on. Are you just trying to create confusion along with your departure? You do understand how awkward this thing would be - it would make you look like a lunatic, and the people involved might be able to claim you are a criminal, stealing the documents or something.

    Now, supposing they furnished you with all these documents, I can see how you would only look a little unreasonable (no point being reasonable if you're being fired for something ludicrous anyway) if you didn't give them back.

    Assume I am very inexperienced. Everything up to taking the documents made sense to me. I'm guessing the reason for doing that is simply to create fear at the company, some sort of legal uncertainty, that will make them unwilling to take any further action on the matter? Might work, but then again, sounds like you are escalating the situation, a bold strategy, since I would expect (but do not know for sure) that a large organization could escalate things far beyond what you ever could. Whether they would want to is another matter - perhaps that is the idea here, but the document taking is a bit counterintuitive.

    Finally, have you done this, taken documents from an interview where you were being fired while being accused of something silly? Or was there just one specific situation you got into where this would have helped? Frankly, the documents idea sounds a little shady, and everything past that sounds almost like wishful thinking, trying to skunk them or something.

    I guess some sort of skunking would be in order if you wanted them not to ever bother you again. But if they thought you were crazy and out to get them, they would want you in jail, I guarantee.

  8. What do they have by Stonefish · · Score: 2, Insightful
    In Australia, if they would like to proceed with this, they have to link the alleged attacks with you. Do your homework, see a lawyer. Some things that I would look at:
    • Does your workplace have video surveillance?
    • If so, is it admissible? Look for big signs and entries in your employment contract.
    • Do they have any evidence linking you to the events? These are things like auditing on wherever you're logging in, backups and archives that incorporate these audit logs, arpwatch also with an appropriate audit trail.
    • Do they have a recording of the attacks? Think tcpdump.
    • Have the remote sites been able to substantiate the events as attacks, or are they false alarms (false positives)?
    • Have they been able to link your OS as the source of the attack, i.e. did they find nessus etc. on your PC?

    Cases like this are extremely hard to prosecute even when you have a good chain of events. To maximise your chances at prosecution you should be able to show that you do this on a regular basis and archive previous logs, that the logs are kept in a secure environment etc. I have helped create environments where this type of charge will stick. Things may differ depending on your country of origin, however most of the time key points remain.
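
The attribution check that the question (a DHCP-assigned address, no link-layer dump) and the arpwatch item in the last comment point at, as an added example that is not part of the original thread. The lease records, MAC addresses, year, window size and function names are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread).
# DHCP lease audit trail: (ip, mac, lease_start, lease_end)
LEASES = [
    ("10.1.0.56", "00:11:22:aa:bb:01", "2003-08-01 08:02", "2003-08-01 10:45"),
    ("10.1.0.56", "00:11:22:aa:bb:02", "2003-08-01 10:50", "2003-08-01 18:00"),
]
# arpwatch-style sightings: (time, ip, mac that answered for the ip)
ARP_SEEN = [
    ("2003-08-01 10:51", "10.1.0.56", "00:11:22:aa:bb:02"),
    ("2003-08-01 11:20", "10.1.0.56", "00:11:22:aa:bb:99"),
    ("2003-08-01 11:40", "10.1.0.56", "00:11:22:aa:bb:02"),
]
FMT = "%Y-%m-%d %H:%M"

def ts(s):
    return datetime.strptime(s, FMT)

def lease_holder(ip, when):
    """MAC the DHCP server had assigned `ip` to at `when`, or None."""
    for l_ip, mac, start, end in LEASES:
        if l_ip == ip and ts(start) <= when <= ts(end):
            return mac
    return None

def macs_on_wire(ip, when, window_min=15):
    """MACs observed using `ip` within +/- window_min of `when`."""
    w = timedelta(minutes=window_min)
    return {mac for t, a_ip, mac in ARP_SEEN
            if a_ip == ip and abs(ts(t) - when) <= w}

def attribute(ip, when_str, window_min=15):
    """Return (verdict, leased_mac, other_macs_seen) for one logged event."""
    when = ts(when_str)
    leased = lease_holder(ip, when)
    seen = macs_on_wire(ip, when, window_min)
    if leased is None:
        verdict = "no-lease"                # address was not handed out by DHCP
    elif not seen:
        verdict = "no-link-layer-evidence"  # only an IP in a log, as in the thread
    elif seen == {leased}:
        verdict = "consistent"              # lease and wire agree on one NIC
    else:
        verdict = "conflict"                # another NIC used the address
    return verdict, leased, sorted(seen - {leased})

if __name__ == "__main__":
    print(attribute("10.1.0.56", "2003-08-01 11:27"))
```

Only the "consistent" verdict ties a logged IP to one network card, and even that identifies a machine rather than the person at its keyboard.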