Slashdot Mirror


When Wrongfully Accused of Hacking, What Can You Do?

justin asks: "Earlier this week, when I went into work I was met at my desk by upper management; they wanted to meet with me. I was not sure as to why, but when we got into the office they set a pile of paperwork in front of me, opened it up to a certain page and asked me what it was. The paperwork was a series of (gimpy) logs showing an internal IP address doing a combination of scanning, and then what looked like hacking, of various boxes on the internet (among these was the US Treasury, along with other US Government organizations). The internal IP address was the one I am normally (read: not always) assigned by DHCP. I told them I had no idea what this was, that I didn't do it, and that I think I would remember hacking into the US Treasury. I was a contracted employee, so I don't think I have any recourse; I was just left high and dry, accused of something that I did not do, and their basic sentiment was 'we will investigate this; do you want us to call you and give you your job back if you are innocent?' This seems rather silly to me, since you'd think such things would be investigated before they decided to fire me. I'm looking to find out who else has been in this situation and how they dealt with it."

"The logs were in a simple format: 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'. Now, there had been some problems at work with the recent MS DCOM/RPC bug, and my machine was compromised either the same day, or the day previous to the day of the events I am being accused of. Additionally, because it was an internal IP address, it could have been anyone with access to ifconfig on their machine (they don't have a link-layer dump).

I now have the following questions:

  1. What experiences have other people had that relate to this, and what course of action, if any, did they take in response?
  2. I know the laws aren't very sympathetic when it comes to people saying 'yeah, that was my computer, but it wasn't me', but it can be proved that my computer was compromised in the same time frame, and the evidence they have is rather flimsy. What experiences have people had in a similar situation?
  3. If someone should try to press charges, where can I find a decent attorney who would actually understand the technology and what I was saying? (As I am now unemployed, I'm very much on a budget.)
  4. What should I tell my next prospective employer? Even if they believe me that I had nothing to do with it, that puts one serious doubt in a person's mind.
I'm primarily self-taught, with a little less than 3 years' experience as a Unix admin and doing system programming; it is hard enough for me to get a job as it is, never mind with accusations that I was out trying to hack the government at my last job.

Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."

7 of 105 comments

  1. IANAL, but by rritterson · Score: 4, Interesting

    I don't think there's much that you could do. You could sue for wrongful termination if you want your job back, but not much else.

    My first thought is: of course the hacker isn't going to use his normal IP. If someone is going to go out hacking, they aren't stupid enough to just use the normal config. Second, you may be able to prove you never visited or connected to those websites if the machine you normally use keeps a log (a normal web history is probably not sufficient in this case).

    Regarding what to tell your next employer, I'd recommend one of the following: A) Be totally honest about it. Let them know they had no proof when they terminated you, and you didn't do it. If the interviewer is a good judge of character, it won't be a problem. B) Don't give any information and don't let the new company contact the old company. It will appear shady, but at least they can't be totally sure what happened. In my experience with similar situations, using A is going to make it harder to get a job, as some will automatically turn you down, but the best people will be able to tell by the way you explain yourself that you are innocent. I'd prefer to work with those sorts of people anyway.

    If the company brings charges against you, immediately subpoena your HDD and the logs they used against you. In those lies your best defense. Again, IANAL, but the evidence the company has is not even good enough to be called circumstantial. It's like charging someone with murder because he/she looks like the purported suspect. A good lawyer will be able to show a judge/jury this fairly easily.

    A final thought occurred to me: try to obtain more information about how your company stores log data. If they log DHCP information, the server should be able to tell what MAC address was assigned which IP at what times. Sure, someone could clone your MAC, but they'd have to know what your MAC was first, so I suspect a hacker would simply make up a MAC instead of cloning one.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    1. Re:IANAL, but by Creepy+Crawler · Score: 2, Interesting

      >A final thought occurred to me: try to obtain more information about how your company stores log data. If they log DHCP information, the server should be able to tell what MAC address was assigned which IP at what times. Sure, someone could clone your MAC, but they'd have to know what your MAC was first, so I suspect a hacker would simply make up a MAC instead of cloning one.

      No, they wouldn't. If X hacker was trying to "Hack The Planet", they'd use a decoy to glean any info about their internal network. Only AFTER basic mapping of the scene would they set up a hackbox to attack. Best is to choose a psychological profile that would seem to hack, and then use their information (MAC, IP, passwds) to make it plausible that THEY did it.

      Simply enough, getting a MAC address and an IP is SIMPLE SIMPLE SIMPLE. Ping it once and read the ARP cache. That doesn't stop spoofing, but you can detect that later.

      Even if he did do it, he was WAAAAY too messy. As if they wanted him to get caught to take the heat off the real one.

  2. My advice by Henry+V+.009 · Score: 2, Interesting

    Suggestion #1: Don't ever post your problem to slashdot! They'll know you're a hacker.

    #2: Feign absolute cluelessness about how this stuff works. Find an outside expert to give a second opinion.

    #3: Call a lawyer at the first hint of legal trouble.

    #4: If you're worried about your next job, the very best thing to do would probably be to find that outside expert I mentioned, and get him to write a note describing how the incompetents at your previous job completely misinterpreted all the data and picked you as a scapegoat because they didn't want to spend money correcting the flaws in their own system. If that isn't your style, there are legal ways to go after your previous boss for wrongful termination, but I'd be surprised if that actually had a positive effect on your future career.

  3. I know work is hard to find, but... by TheWanderingHermit · Score: 4, Interesting

    Do you really want to be working for a company that 1) has administrators that stupid and 2) can treat employees like trash like that?

    I was talking about similar situations recently with a friend, and we both realized that the few times we had been fired unfairly (in one case she was one of two sales reps regularly reaching well over 100% of her quota, while the other rep wasn't even close to 100%) were from jobs we originally wanted to keep, but (with time and distance) realized we had been miserable at, working for jerks.

    I'm working for myself now, but I've learned that when management acts that way, you're probably better off somewhere else. Just see if you can do something about getting a good recommendation.

  4. How about some details? by SmallFurryCreature · Score: 2, Interesting
    1. What kind of OS is this machine running? (Installing an OS X trojan on OS Y is only going to consume disk space.)
    2. Is it accessible from the outside?
    3. What if any firewall style rules does the company use?
    4. Do other people have access to the machine in question?
    5. Do other people even know how to run it?
    6. Which ports were involved, and how often? A range of ports? The example line you give could simply be you accessing the bloody website.

    Until you provide more detailed technical information about what they accuse you of doing, you are just going to get a lot of IANAL advice on your being fired.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.
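The two checks raised above, rritterson's "what MAC address was assigned which IP at what times" and SmallFurryCreature's "which ports were involved, how often", as one worked example added here; it is not code from the original thread or from any poster. It parses constructed sample lines in the log format quoted in the question and constructed ISC dhcpd DHCPACK syslog lines, then reports who held the source IP at each event and whether the per-host port pattern reads as a scan or as ordinary web browsing. The year (neither log format carries one), the hostnames, the MAC addresses and the scan thresholds are all assumptions.

```python
"""Added example (not from the original page): triage the quoted log format.

  1. Which DHCP client held the source IP when each event fired?
  2. Does the port pattern look like a scan, or like someone browsing a site?
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2003  # assumption: neither log format carries a year; only ordering within a month matters

# Constructed sample in the format quoted in the question ("Aug1 11:27 10.1.0.56.port -> host.port").
EVENT_LOG = """\
Aug1 11:27 10.1.0.56.40123 -> treas.gov.21
Aug1 11:27 10.1.0.56.40124 -> treas.gov.22
Aug1 11:27 10.1.0.56.40125 -> treas.gov.23
Aug1 11:28 10.1.0.56.40126 -> treas.gov.135
Aug1 11:28 10.1.0.56.40127 -> treas.gov.139
Aug1 11:28 10.1.0.56.40128 -> treas.gov.445
Aug1 14:05 10.1.0.56.40201 -> www.example.com.80
Aug1 14:05 10.1.0.56.40202 -> www.example.com.443
"""

# Constructed sample in ISC dhcpd syslog style ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>").
DHCP_LOG = """\
Aug  1 07:58:03 dhcp dhcpd: DHCPACK on 10.1.0.56 to 00:11:22:33:44:55 (justin-ws) via eth0
Aug  1 10:41:17 dhcp dhcpd: DHCPACK on 10.1.0.56 to 00:0c:29:ab:cd:ef (unknown-host) via eth0
Aug  1 13:30:44 dhcp dhcpd: DHCPACK on 10.1.0.56 to 00:11:22:33:44:55 (justin-ws) via eth0
"""

EVENT_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s*(?P<day>\d{1,2})\s+(?P<clock>\d{2}:\d{2})\s+"
                      r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>\S+)\.(?P<dport>\d+)$")
ACK_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<clock>\d{2}:\d{2}:\d{2})\s+\S+\s+"
                    r"dhcpd(?:\[\d+\])?: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17})"
                    r"(?: \((?P<host>[^)]*)\))?")

def _ts(mon, day, clock):
    fmt = "%Y %b %d %H:%M:%S" if clock.count(":") == 2 else "%Y %b %d %H:%M"
    return datetime.strptime(f"{YEAR} {mon} {day} {clock}", fmt)

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:  # non-matching lines are skipped here; a real tool should count them
            events.append({"time": _ts(m["mon"], m["day"], m["clock"]), "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events

def parse_leases(text):
    """ip -> [(ack_time, mac, hostname)] in time order."""
    leases = defaultdict(list)
    for line in text.splitlines():
        m = ACK_RE.match(line.strip())
        if m:
            leases[m["ip"]].append((_ts(m["mon"], m["day"], m["clock"]), m["mac"].lower(), m["host"] or ""))
    for acks in leases.values():
        acks.sort()
    return leases

def holder_at(leases, ip, when):
    """(mac, hostname) from the latest DHCPACK for ip at or before `when`, or None.
    Caveat: a cloned MAC or a statically configured host never shows up in this log."""
    best = None
    for ack_time, mac, host in leases.get(ip, []):
        if ack_time > when:
            break
        best = (mac, host)
    return best

def macs_for_ip(leases, ip):
    """Every MAC the DHCP server handed this IP to; more than one means the IP changed hands."""
    return sorted({mac for _, mac, _ in leases.get(ip, [])})

def classify_ports(events, src):
    """Per destination host: 'scan' if src touched several distinct ports, mostly outside
    80/443; 'web' if only 80/443; 'other' otherwise. Thresholds are assumed, not from the page."""
    by_dst = defaultdict(set)
    for ev in events:
        if ev["src"] == src:
            by_dst[ev["dst"]].add(ev["dport"])
    verdicts = {}
    for dst, ports in by_dst.items():
        non_web = ports - {80, 443}
        if not non_web:
            verdicts[dst] = "web"
        elif len(ports) >= 3 and len(non_web) >= len(ports) // 2:
            verdicts[dst] = "scan"
        else:
            verdicts[dst] = "other"
    return verdicts

if __name__ == "__main__":
    events, leases = parse_events(EVENT_LOG), parse_leases(DHCP_LOG)
    for ev in events:
        print(ev["time"].strftime("%b %d %H:%M"), ev["src"], "->", f"{ev['dst']}:{ev['dport']}",
              "lease holder:", holder_at(leases, ev["src"], ev["time"]))
    print("MACs seen on 10.1.0.56:", macs_for_ip(leases, "10.1.0.56"))
    print("port pattern:", classify_ports(events, "10.1.0.56"))
```

On the constructed sample the 11:27 and 11:28 events fall in a window where the DHCP server had handed 10.1.0.56 to a different MAC than the one that held it at 14:05, which is exactly the kind of finding that makes an IP-only accusation flimsy; the 14:05 traffic to ports 80 and 443 is what a plain website visit looks like. As both commenters note, dhcpd's log cannot rule out a cloned MAC or a host with a static address, so a link-layer capture (or switch port/CAM-table records) is what would actually settle who sent the packets.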

  5. options by mugnyte · Score: 2, Interesting
    not a comprehensive list at all, IANAL, but...

    Get a lawyer if you want to do anything.

    That said. Do something. This could haunt you.

    With your lawyer, send a certified mail letter explaining your understanding of the issue, and the possible causes.

    Also explain why you need to have them follow up on this, since it involves a federal offense. They are legally required to pursue this to their complete ability since they released you over it.

    Give them a series of investigative measures they can perform to prove/disprove your possibilities for this occurrence.

    Remember to include their viewpoint in this investigation, and show how they can prove you were not the culprit.

    Think of everything: the door access logs if any, the bus schedule you may have ridden, anything to prove you were somewhere else, that you don't have files that made the alleged accesses, etc.

    Explain the highest-probability cause: a worm scanned around for boxes to infect and your box looked like a poor hack job.

    Tell them releasing you is serious enough to be illegal if they do not pursue it, since it affects your ability to hold a job in the future.

    Point to your good work done elsewhere for clients, for your agency, or on their own other projects. Explain your integrity.

    Await their response. Call mom and ask for lawyer dough.

    mug

  6. Re:What to tell... by Anonymous Coward · Score: 1, Interesting

    And tape-record it, just in case the lies start flowing. A standard procedure in my case. An emailed MP3 to corporate legal is usually enough to make sure they never say anything at all about you when contacted, which unfortunately isn't much better.