When Wrongfully Accused of Hacking, What Can You Do?

justin asks: "Earlier this week, I went into work I was met at my desk by upper management; they wanted to meet with me. I was not sure as to why but when we got into the office, they set a pile of paperwork in front of me, opened it up to a certain page and asked me what it was. The paperwork was a series of (gimpy) logs showing an internal IP address doing a combination of scanning, and then what looked like hacking, of various boxes on the internet (of these there was the US Treasury among other US Government Organizations). The internal IP address was that of the one I am normally (read: not always) assigned by DHCP. I told them I had no idea what this was, that I didn't do it and that I think I would remember hacking into the US Treasury. I was a contracted employee, so I don't think I have any recourse, I was just left high and dry accused of something that I did not do, and their basic sentiment was 'we will investigate this, do you want us to call you and give you your job back if you are innocent?', This seems rather silly to me since you'd think such things would be investigated, before they would decide to fire me. I'm looking to find out who else has been in this situation and how they dealt with it."

"The logs were in a simple format: 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'. Now there had been some problems at work with the recent MS DCOM/RPC bug, and my machine was compromised either the same day, or the day previous to the day of the events I am being accused of. Additionally, because it was an internal IP address, it could have been anyone with access to ifconfig on their machines (They don't have a link layer dump).

I now have the following questions:

1. What experiences have other people had that relate to this, what course of action if any did they take in response.
2. I know the laws aren't very sympathetic when it comes people saying 'yea that was my computer, but it wasn't me', but it can be proved that my computer was compromised in the same time frame, and also the evidence they have is rather flimsy, what experiences have people had in a similar situation?
3. If someone should try to press charges, where can I find a decent attorney that would actually understand the technology and what I was saying. (As I am now unemployed I'd very much so on a budget)
4. What should I tell my next prospective employer? Even If they believe me that I had nothing to do with it, that puts one serious doubt in a person's mind.

I'm primarily self taught and with a little less than 3 years experience as a Unix Admin and doing system programming, it is hard enough for me to get a job as it is, never mind with accusations that I was out trying to hack the government on my last job.

Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."

IANAL, but

[rritterson]

I don't much that you could do. You could sue for wrongful termination if you want your job back, but not much else.

My first thought is- of course the hacker isn't going to use his normal IP. If someone is going to go out hacking, they aren't stupid enough to just use the normal config. Second, you may be able to prove you never visited or connected those websites if the machine you normally use keeps a log (a normal webhistory is probably not suffiecient in this case).

Regarding what to tell your next employer- I'd recommend one of the following- A) Either be totally honest about it. Let them know they had no proof when they terminated you, and you didn't do it. If the interviewer is a good judge of character, it won't be a problem. B) Don't give any information and don't let the new company contact the old company. It will appear shady, but at least they can't be totally sure what happened. In my experience with similar situations, using A is going to make it harder to get a job, as some will automatically turn you down, but the best people will be able to tell by the way you explain yourself that you are innocent. I'd prefer to work with those sorts of people anyway.

If the company bring charges against you, immediately subpoena your HDD and the logs they used against you. In those lie your best defense. Again, IANAL, but the evidence the company has is not even good enough be called circumstancial. It's like charging someone with murder because he/she looks like the purported suspect. A good lawyer will be able to show a judge/jury this fairly easily.

A final thought occured to me- try to obtain more information about how your company stores log data. If they log DHCP information, the server should be able to tell what MAC address was assigned which IP at what times. Sure, someone could clone your MAC, but they'd have to know what your MAC was first, so i suspect a hacker would simply make up a MAC instead of cloning one.

I know work is hard to find, but...

[TheWanderingHermit]

Do you really want to be working for a company that 1) has administrators that stupid and 2) can treat employees like trash like that?

I was talking about similar situations recently with a friend and we both realized that the few times we had been fired unfairly (in one case she was one of two sales reps reaching well over 100% of her quota regularly and the other rep wasn't even close to 100%), we realized those were jobs we originally wanted to keep, but realized (with time and distance) that we were miserable there and were working for jerks.

I'm working for myself now, but I've learned that when management acts that way, you're probably better off somewhere else. Just see if you can do something about getting a good recommendation.