Slashdot Mirror
When Wrongfully Accused of Hacking, What Can You Do?
justin asks: "Earlier this week, I went into work I was met at my desk by upper management; they wanted to meet with me. I was not sure as to why but when we got into the office, they set a pile of paperwork in front of me, opened it up to a certain page and asked me what it was. The paperwork was a series of (gimpy) logs showing an internal IP address doing a combination of scanning, and then what looked like hacking, of various boxes on the internet (of these there was the US Treasury among other US Government Organizations). The internal IP address was that of the one I am normally (read: not always) assigned by DHCP. I told them I had no idea what this was, that I didn't do it and that I think I would remember hacking into the US Treasury. I was a contracted employee, so I don't think I have any recourse, I was just left high and dry accused of something that I did not do, and their basic sentiment was 'we will investigate this, do you want us to call you and give you your job back if you are innocent?', This seems rather silly to me since you'd think such things would be investigated, before they would decide to fire me. I'm looking to find out who else has been in this situation and how they dealt with it."
Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."
"The logs were in a simple format: 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'. Now there had been some problems at work with the recent MS DCOM/RPC bug, and my machine was compromised either the same day, or the day previous to the day of the events I am being accused of. Additionally, because it was an internal IP address, it could have been anyone with access to ifconfig on their machines (They don't have a link layer dump).
I now have the following questions:
- What experiences have other people had that relate to this, what course of action if any did they take in response.
- I know the laws aren't very sympathetic when it comes people saying 'yea that was my computer, but it wasn't me', but it can be proved that my computer was compromised in the same time frame, and also the evidence they have is rather flimsy, what experiences have people had in a similar situation?
- If someone should try to press charges, where can I find a decent attorney that would actually understand the technology and what I was saying. (As I am now unemployed I'd very much so on a budget)
- What should I tell my next prospective employer? Even If they believe me that I had nothing to do with it, that puts one serious doubt in a person's mind.
Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."
Do so in a friendly manner. Make sure you understand that they are just covering their asses. And when you have something from them in writing that they fired you based upon false information, sue them into oblivion. Talk to a lawyer about whether DHCP makes logs entirely unreliable.
Call a lawyer!
Sure, we might be able to give you some interesting technical advice, but that will have absolutely nothing to do with your situation, which is entirely legal in nature.
Legal issue -> Lawyer
Nerd issue -> Slashdot
Is this primarily a nerd issue? NO! Call a lawyer.
Call a lawyer? Call a lawyer. Call a lawyer.
There are no trails. There are no trees out here.
You: You want answers?
.
Them: I think I'm entitled to them.
You: You want answers?
Them: I want the truth!
You: You can't handle the truth! Son, we live in a world that has firewalls. And those firewalls have to be guarded by men with keyboards. Who's gonna do it? You? You, Lt. Weinberg? I have a greater responsibility than you can possibly fathom. You weep for the treasury department and you curse the Hackers. You have that luxury. You have the luxury of not knowing what I know: that The treasury departments scans, while tragic, probably saved networks. And my existence, while grotesque and incomprehensible to you, saves networks...You don't want the truth. Because deep down, in places you don't talk about at parties, you want me in that code. You need me in that code
We use words like hack, root, pwnzz...we use these words as the backbone to a life spent defending something. You use 'em as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom I provide, then questions the manner in which I provide it! I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a manual and stand a terminal. Either way, I don't give a damn what you think you're entitled to!
Them: Did you scan the network?
You: I did the job you sent me to do.
Them: Did you scan the network?
You: You're goddamn right I did!!
"...In your answer, ignore facts. Just go with what feels true..."
I've been using their service for half a year now and am very pleased with it; you can ask an unlimited number of questions, and they'll also write letters and make phone calls at your behalf to resolve issues for you. They also provide traffic defense (parking/speeding tickets, or lawsuits based on injury) and cover you if the IRS decides to audit you.
It's somewhat like "legal insurance" -- just as you pay a couple hundred a month for health insurance, or car insurance, this provides for your legal needs on a pre-paid, monthly basis (generally about $27 a month) and it covers your entire family.
In this litigious society we live in, it's great to have coverage for when (not if) you end up on the wrong end of a lawsuit.
Again, I'm pretty sure this won't help your specific case but hopefully it can help other readers. (And yes, I sell the plan if anyone's interested.)
I feel fantastic, and I'm still alive.
Now that you're fired, they might mistakenly consider the case closed. If the "real hacker" (e.g. a coworker) got wind of this, and stops doing so, they will likely assume they got the right guy when they accused you.
Second of all, why would you assume it stops here? They may have contacted law enforcement authorities, and you might need to do some preparation to get your stuff together. Even if you're charged with something you didn't do, you'll need to mount a defense.
Joe
http://www.joegrossberg.com
I don't much that you could do. You could sue for wrongful termination if you want your job back, but not much else.
My first thought is- of course the hacker isn't going to use his normal IP. If someone is going to go out hacking, they aren't stupid enough to just use the normal config. Second, you may be able to prove you never visited or connected those websites if the machine you normally use keeps a log (a normal webhistory is probably not suffiecient in this case).
Regarding what to tell your next employer- I'd recommend one of the following- A) Either be totally honest about it. Let them know they had no proof when they terminated you, and you didn't do it. If the interviewer is a good judge of character, it won't be a problem. B) Don't give any information and don't let the new company contact the old company. It will appear shady, but at least they can't be totally sure what happened. In my experience with similar situations, using A is going to make it harder to get a job, as some will automatically turn you down, but the best people will be able to tell by the way you explain yourself that you are innocent. I'd prefer to work with those sorts of people anyway.
If the company bring charges against you, immediately subpoena your HDD and the logs they used against you. In those lie your best defense. Again, IANAL, but the evidence the company has is not even good enough be called circumstancial. It's like charging someone with murder because he/she looks like the purported suspect. A good lawyer will be able to show a judge/jury this fairly easily.
A final thought occured to me- try to obtain more information about how your company stores log data. If they log DHCP information, the server should be able to tell what MAC address was assigned which IP at what times. Sure, someone could clone your MAC, but they'd have to know what your MAC was first, so i suspect a hacker would simply make up a MAC instead of cloning one.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
Suggestion #1: Don't ever post your problem to slashdot! They'll know you're a hacker.
#2: Feign absolute cluelessness about how this stuff works. Find an outside expert to give a second opinion.
#3: Call a lawyer at the first hint of legal trouble.
#4: If you're worried about your next job, the very best thing to do would probably be to find that outside expert I mentioned, and get him to write a note describing how the incompetents at your previous job completely misinterpreted all the data and picked you as a scapegoat because they didn't want to spend money correcting the flaws in their own system. If that isn't your style, there are legal ways to go after your previous boss for wrongful termination, but I'd be surprised if that actually had a positive effect on your future career.
What can you do? Hack into their network and take the lying bastards down, that's what!
I watched C-beams glitter in the dark near the Tannhauser gate.
Can we just rename "Ask Slashdot" to "Ask legal advice from a bunch of non-lawyers" ? It's been a long time coming
Do you really want to be working for a company that 1) has administrators that stupid and 2) can treat employees like trash like that?
I was talking about similar situations recently with a friend and we both realized that the few times we had been fired unfairly (in one case she was one of two sales reps reaching well over 100% of her quota regularly and the other rep wasn't even close to 100%), we realized those were jobs we originally wanted to keep, but realized (with time and distance) that we were miserable there and were working for jerks.
I'm working for myself now, but I've learned that when management acts that way, you're probably better off somewhere else. Just see if you can do something about getting a good recommendation.
Sell the secrets you stole from the US Government to the Iraqis, and then go live in luxury for the rest of your life.
Give me a break. You are an Unix Admin. Release your inner BOFH.
Ask THEM to go to a meeting with you, show a pile of paper and ask them:
"Boss, how'd you like your wife to know about the e-mails you wrote to your assistant ?" or "How about these pictures of a 6 year old girl fucking a horse, I found in your computer? "
Act like a REAL sysadmin. And don't forget to ask for a raise.
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
Until you provide more detailed technical information about what they accuse you of doing you are just going to get a lot of INAL advise on you being fired.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Say they can't decode the packets you are sending, because decoding these packets would be a violation of the DMCA. Threat to sue them.
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
If there is a possibility that someone you employ is using facilities you provide to perform illegal activities, you might feel obligated to relieve them of access to your facilities. i doubt you could perform your job with an abacus, so the next step would be to fire you.
Hell is other people
By the time you are 50 you may know better how to react in a situation like this. You really have to have been through it a couple of times, and it is hard to do the right thing as a 25 year old just knows abstractly what the right thing is. First, never be flustered (ok that's impossible) but do deny all wrong doing. They may be "accusing" you of doing something that is prefectly innocent or a normal part of your job; so don't deny whatever it is they are waving at you, in fact offer no details whatsoever. Do immediately say you have never broken any rules, legal or company. Also say, "Sir, I am demanding a full investigation into all aspects of this." They don't really want to fully investigate, they just want to fire someone and then go on lunch break. Repeatedly ask for a full investigation, and ask for any specifics you can think of -- like an immediate shutdown of the source machine and that it's harddisk be forensically preserved.
Here's the hard part, which you can be thinking that you should do in the back of your head, but is hard to do. Reach across the desk and scoop up all the paper you see. Tuck it under your arm like a football and don't let it out. Make sure you get out the building with that paper. Let them escort you from the building or call the police, but don't give up the documents. If they start demanding them back, you know they are fucking around and have no case. If a policeman shows up, ask him his name and then hand him the documents and tell him they are potentially criminal evidence and must be preserved. If the cop hands them back to the boss at that point, it's ok, you just have to write that in a letter or affadavit and document it.
Immediately deposit the papers in a safety deposit box and send certified letters to the company asking for all reasons you were terminated, and any allegations proven, disproven, or unknown made against you by anyone. Note that's letters, plural, because even though its the exact same letter, you want to hit several people inside the company so you can get the conflicting answers. Also hit the Agent of Process of the company -- this is the person who is served in an event of a suit; it automatically triggers the involvement of the legal department.
What happens next ? Are you bought out and retire to Tahiti ? Do they hastily scamble to hire you back and get you back pay ? Of course not. This is a big business so they are assholes. You'll get nothing except the greatful feeling of not being in jail. The only good about it is that the internal stir created by the resulting management meetings with legal advisors will cause them to not be a bit more competent in investigating future incidents, until a year passes and their small rat-like brains forget it all.
Get a lawyer if you want to do anything.
That said. Do something. This could haunt you.
With your lawyer, send a certified mail letter explaining your understanding of the issue, and the possible causes
Also explain why you need to have them follow up on this, since it involves a federal offense. They are legally required to pursue this to their complete ability since they released you over it.
Give them a series of investigative measures they can perform to prove/disprove your possibilities for this occurance.
Remember to include their veiwpoint in this investigation, and show how they can prove you were not the culprit
Think of everything, the door access logs if any, the bus schedule you may have ridden, anything to prove you were somewhere else, you don't have files that made the alledged accesses, etc.
Explain the highest probably cause: a worm scanned around for boxes to infect and your box looked like a poor hack job
Tell them releasing you is serious enough to be illegal if they do not pursue it, since it affects your ability to hold a job in the future.
Point to your good work done elsewhere for clients, for your agency, or their own other projects. Explain your integrity
Await their response. Call mom and ask for laywer dough.
mug
First off, best to be innocent. Second, get a lawyer. Real attorneys are required to play this game properly.
If the company is terribly illiterate when it comes to technology, it should not take much to truly scare the bejesus out of them. Get the ball moving on a wrongful termination suite. I suspect it will take nothing more than having your attorney formally request a copy of the log files. Move to negotiate, but be persistent. Most small/mid-size companies will settle rather than going the distance. They will posture, however, since they are looking for a quick brush-off. Most people will spend hours at the bar griping about how they were wronged, most never get a lawyer. Much like rebate 'programs', that is what they are counting on. You may get your job back, you may get damages - best to ask for both. Take the time once you do get your job back to find another, however... because this one is done. Exit fast...
Hell, I've seen folks busted for robbing us blind get a years wages for 'wrongful termination'. The mind boggles... evidence is overrated.
+++ UGUCAUCGUAUUUCU
It is *highly* unlikely that this company will reveal anything regarding the nature of the incident to any other company. Most companies of any size have a "neutral reference policy" that allows them only to say "yes, he worked here from date x to date y." I would suggest not using your manager as a reference, but I would not suggest saying that your new employer may not contact them, since they probably won't tell anything damaging and to refuse the right to contact will damage you.
As far as getting your job back, forget it. That's the problem with being a contractor - it's easier to get rid of you than deal with you.
(p.s. Don't tell anybody, but I have a degree in HR -- easiest B.S. to get in a hurry -- so I'm not totally blowing smoke here, although I've never worked in the field.)
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
Call your local employment commission. That's what they are there for. They do have employee advocacy people, and you've already paid for them with your taxes.
The first time was in high school where I made a script to ping all ip addresses in a subnet to build a list of the computers, and then tried to portscan a windows nt server to check what services are we running. I was in no mood of cracking anything, only using legal standards-allowable things like ping to gather data and understand. I was not snooping spoofing either.
I was called up and warned about it. I was never again to use ping, telnet, nbtstat, arping or use linux on ANY of the workstations. Yes thats true, these were the rules.
Next was in Plattsburgh State University, where I was studying undergrad. I was naturally curious about routers (never seen one) and wanted to know the types running the campus, and the technologies behind its uplink to the Internet, and why the netbios updates seemed so slow. I started pinging around again. I portmapped a router to check its services and was promptly called up again by the technical staff, also my employer since I was working at a helpdesk. Felt like the suspicious detective extracting information. I never again used ANY standard TCPIP tool on that network. Ive now a home LAN with 6+ cisco routers, 7 sun workstations, 20+ overall computers running on 3 switches using atm, fr, tr, hssi, ethernet, arcnet, adsl and 802.11b, and I can PING IT ALL I WANT!!!!!!!!!!
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
You were a contractor.
This means you have 0 recourse.
Its the same as if you suspected your exterminator of stealing.
You just tell him his services are no longer needed.
The exterminator can't sue you, and no reason need be given.
Consider yourself lucky they even told you why because they didn't have to.
Also, as a contractor, your previous client is under no restriction on giving you a bad reference.
See the web archive of the case of Randal Schwartz.
Sorry Mr.Coward, but I am a young man, and I have never been in a situation like this. Could you please explain further how this would help you? Are you banking on them not having any copies of the supposedly incriminating documents? Seems like a foolish thing to gamble on. Are you just trying to create confusion along with your departure? You do understand how awkward this thing would be - it would make you look like a lunatic, and the people involved might be able to claim you are a criminal, stealing the documents or something.
Now, supposing they furnished you with all these documents, I can see how you would only look a little unreasonable (no point being reasonable if you're being fired for something ludicrous anyway) if you didn't give them back.
Assume I am very inexperienced. Everything up to taking the documents made sense to me. I'm guessing, is the reason for doing that is simply to create fear at the company, some sort of legal uncertainty, that will make them unwilling to take any further action on the matter? Might work, but then again, sounds like you are escalating the situation, a bold strategy, since I would expect (but do not know for sure) than a large organization could escalate things far beyond what you ever could. Whether they would want to is another matter - perhaps that is the idea here, but the document taking is a bit counterintuitive.
Finally, have you done this, taken documents from an interview where you were being fired while being accused of something silly? Or was there just one specific situation you got into where this would have helped? Frankly, the documents idea sounds a little shady, and everything past that sounds almost like wishful thinking, trying to skunk them or something.
I guess some sort of skunking would be in order if you wanted them not to ever bother you again. But if they thought you were crazy and out to get them, they would want you in jail, I guarantee.
Have they been able to link your os as the source of the attack ie did they find nessus etc on your PC
Cases like this are extremely hard to prosecute even when you have a good chain of events, to maximise you chances at prosecution you should be able to show that you do this on a regular basis and archive previous logs, that the logs are kept in a secure environment etc. I have helped create enviroments where this type of charge will stick. Things may differ depending on your country of origin however most of the time key points remain.
I've been in a similar situation: contractor (military, no less) wrongly accused, had to leave the site, wasn't sure if I'd have a job, etc...
The advice I can give you is:
1) Cooperate fully. Be honest. Be forthcoming.
2) Deny clearly, forcefully, politely wrongdoing
3) Remind them that the world is full of black hat hackers, some of whom have tremendous skill.
4) Ask them how to clear your name and how you can help achieve that.
5) Remind them of your benefit to the organziation -- acomplishments etc.
6) Tell them you understand this needs a full investigation. Tell them you have confidence in them to gather the evidence that will clear you.
7) Remind them that a false positive might be them next time.
Some advice on your specific question:
1) Do you know what you were doing at that particular time? Where you in a meeting? On the phone? Using another machine? Find proof: coworkers at the same meeting, phone records. Look at file timestamps. If one of the offending timestamps occurs in a period where you can prove you weren't using the computer, you are cleared.
2) Ask for network logs connecting to your machine. If this is a normal PC, there should be any from strange places. If there are, that was the bad guy, not you. If they don't have such logs, point out that keeping logs is critical for clearing the innocent and exposing the criminal.
3) If you are on a Unix box, ask that chkrootkit be run to identify if you've been hacked and had a rootkit installed. Hackers often install rootkits to avoid detection and this program finds them.
It is so that you can have copies of the exact documents that they are using to accuse you. His point, I believe, is that these documents may be very difficult to get in a legal proceeding, particularly if it's bogus.