When Wrongfully Accused of Hacking, What Can You Do?
justin asks: "Earlier this week, when I went into work I was met at my desk by upper management; they wanted to meet with me. I was not sure as to why but when we got into the office, they set a pile of paperwork in front of me, opened it up to a certain page and asked me what it was. The paperwork was a series of (gimpy) logs showing an internal IP address doing a combination of scanning, and then what looked like hacking, of various boxes on the internet (of these there was the US Treasury among other US Government Organizations). The internal IP address was that of the one I am normally (read: not always) assigned by DHCP. I told them I had no idea what this was, that I didn't do it and that I think I would remember hacking into the US Treasury. I was a contracted employee, so I don't think I have any recourse, I was just left high and dry accused of something that I did not do, and their basic sentiment was 'we will investigate this, do you want us to call you and give you your job back if you are innocent?' This seems rather silly to me since you'd think such things would be investigated, before they would decide to fire me. I'm looking to find out who else has been in this situation and how they dealt with it."
"The logs were in a simple format: 'Aug1 11:27 10.1.0.56.port -> treas.gov.port'. Now there had been some problems at work with the recent MS DCOM/RPC bug, and my machine was compromised either the same day, or the day previous to the day of the events I am being accused of. Additionally, because it was an internal IP address, it could have been anyone with access to ifconfig on their machines (They don't have a link layer dump).
I now have the following questions:
- What experiences have other people had that relate to this, what course of action if any did they take in response?
- I know the laws aren't very sympathetic when it comes to people saying 'yea that was my computer, but it wasn't me', but it can be proved that my computer was compromised in the same time frame, and also the evidence they have is rather flimsy, what experiences have people had in a similar situation?
- If someone should try to press charges, where can I find a decent attorney that would actually understand the technology and what I was saying? (As I am now unemployed I'm very much so on a budget)
- What should I tell my next prospective employer? Even if they believe me that I had nothing to do with it, that puts one serious doubt in a person's mind.
Thank you, in advance, for any wisdom, anecdotes or suggestions you can pass along."
Have them let you know when they find real culprit (Score:3, Insightful)
You're fucked! (Score:2)
All together now: (Score:3, Insightful)
Sure, we might be able to give you some interesting technical advice, but that will have absolutely nothing to do with your situation, which is entirely legal in nature.
Legal issue -> Lawyer
Nerd issue -> Slashdot
Is this primarily a nerd issue? NO! Call a lawyer.
Call a lawyer? Call a lawyer. Call a lawyer.
Re:All together now: (Score:5, Funny)
Sung to the tune of "If you're happy and you know it"
Re:All together now: (Score:4, Funny)
Call a lawyer, Call a lawyer, Call a lawyer or you're screwed.
You've been axed, but aren't in prison,
getting f**ked by some large dude.
Re:All together now: (Score:1, Funny)
No, wait I'm sure there's something between those 2 extremes. If only I had the imagination to think of it.
Re:All together now: (Score:4, Informative)
Re:All together now: (Score:1)
now...
Soap_box: Why is it that everyone that's slightly screwed by anyone always wants to sue? Did you invest all your money in a dot-gone? Sitting on your butt just wishing someone farts in your general direction?
Most people hate lawyers,
Re:All together now: (Score:1)
Re:All together now: (Score:1)
___
You Want the truth? (Score:5, Funny)
Them: I think I'm entitled to them.
You: You want answers?
Them: I want the truth!
You: You can't handle the truth! Son, we live in a world that has firewalls. And those firewalls have to be guarded by men with keyboards. Who's gonna do it? You? You, Lt. Weinberg? I have a greater responsibility than you can possibly fathom. You weep for the treasury department and you curse the Hackers. You have that luxury. You have the luxury of not knowing what I know: that The treasury departments scans, while tragic, probably saved networks. And my existence, while grotesque and incomprehensible to you, saves networks...You don't want the truth. Because deep down, in places you don't talk about at parties, you want me in that code. You need me in that code
We use words like hack, root, pwnzz...we use these words as the backbone to a life spent defending something. You use 'em as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom I provide, then questions the manner in which I provide it! I'd rather you just said thank you and went on your way. Otherwise, I suggest you pick up a manual and stand a terminal. Either way, I don't give a damn what you think you're entitled to!
Them: Did you scan the network?
You: I did the job you sent me to do.
Them: Did you scan the network?
You: You're goddamn right I did!!
Re:You Want the truth? (Score:2)
Dunno what came over me. It was clearly way past my bedtime.
Re:You Want the truth? (Score:3, Insightful)
*cough*
Re:You Want the truth? (Score:1)
Pre-Paid Legal (Score:3, Informative)
I've been using their service for half a year now and am very pleased with it; you can ask an unlimited number of questions, and they'll also write letters and make phone calls on your behalf to resolve issues for you. They also provide traffic defense (parking/speeding tickets, or lawsuits based on injury) and cover you if the IRS decides to audit you.
It's somewhat like "legal insurance" -- just as you pay a couple hundred a month for health insurance, or car insurance, this provides for your legal needs on a pre-paid, monthly basis (generally about $27 a month) and it covers your entire family.
In this litigious society we live in, it's great to have coverage for when (not if) you end up on the wrong end of a lawsuit.
Again, I'm pretty sure this won't help your specific case but hopefully it can help other readers. (And yes, I sell the plan if anyone's interested.)
Re:Pre-Paid Legal (Score:4, Funny)
Re:Pre-Paid Legal (Score:1)
SuDZ
Re:Pre-Paid Legal (Score:1)
even if innocent, you need a lawyer! (Score:4, Insightful)
Second of all, why would you assume it stops here? They may have contacted law enforcement authorities, and you might need to do some preparation to get your stuff together. Even if you're charged with something you didn't do, you'll need to mount a defense.
Re:even if innocent, you need a lawyer! (Score:2)
IANAL, but (Score:5, Interesting)
My first thought is- of course the hacker isn't going to use his normal IP. If someone is going to go out hacking, they aren't stupid enough to just use the normal config. Second, you may be able to prove you never visited or connected to those websites if the machine you normally use keeps a log (a normal webhistory is probably not sufficient in this case).
Regarding what to tell your next employer- I'd recommend one of the following- A) Either be totally honest about it. Let them know they had no proof when they terminated you, and you didn't do it. If the interviewer is a good judge of character, it won't be a problem. B) Don't give any information and don't let the new company contact the old company. It will appear shady, but at least they can't be totally sure what happened. In my experience with similar situations, using A is going to make it harder to get a job, as some will automatically turn you down, but the best people will be able to tell by the way you explain yourself that you are innocent. I'd prefer to work with those sorts of people anyway.
If the company brings charges against you, immediately subpoena your HDD and the logs they used against you. In those lie your best defense. Again, IANAL, but the evidence the company has is not even good enough to be called circumstantial. It's like charging someone with murder because he/she looks like the purported suspect. A good lawyer will be able to show a judge/jury this fairly easily.
A final thought occurred to me- try to obtain more information about how your company stores log data. If they log DHCP information, the server should be able to tell what MAC address was assigned which IP at what times. Sure, someone could clone your MAC, but they'd have to know what your MAC was first, so I suspect a hacker would simply make up a MAC instead of cloning one.
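The DHCP correlation suggested in the comment above, as an added example that is not part of the original thread: it matches firewall lines in the format quoted in the question against a DHCP lease history to see which MAC address held the source IP at each logged time. The lease-record layout, all sample data, the year and the clock-skew tolerance are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed firewall lines in the format quoted in the question
# ('Aug1 11:27 10.1.0.56.port -> treas.gov.port'); port numbers are made up.
FIREWALL_LOG = """\
Aug1 11:27 10.1.0.56.3312 -> treas.gov.80
Aug1 11:29 10.1.0.56.3313 -> treas.gov.443
Aug1 13:30 10.1.0.56.3650 -> treas.gov.80
Aug1 14:05 10.1.0.56.4021 -> treas.gov.80
Aug1 16:40 10.1.0.56.4500 -> treas.gov.80
"""

# Constructed lease history (hypothetical CSV export): ip,mac,start,end
LEASES = """\
10.1.0.56,00:11:22:33:44:55,2003-08-01 08:00,2003-08-01 13:30
10.1.0.56,66:77:88:99:aa:bb,2003-08-01 13:30,2003-08-01 15:30
10.1.0.57,00:11:22:33:44:55,2003-08-01 13:00,2003-08-01 17:00
"""

LINE_RE = re.compile(
    r"^([A-Za-z]{3})\s*(\d{1,2})\s+(\d{2}:\d{2})\s+(\S+)\s+->\s+(\S+)$")
TS = "%Y-%m-%d %H:%M"


def parse_firewall(text, year):
    """Return [(timestamp, source_ip)]; the log has no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the quoted format
        mon, day, hhmm, src, _dst = m.groups()
        when = datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")
        src_ip = src.rsplit(".", 1)[0]  # the last dotted field is the port
        events.append((when, src_ip))
    return events


def parse_leases(text):
    """Return [(ip, mac, lease_start, lease_end)] from the constructed CSV."""
    leases = []
    for line in text.splitlines():
        ip, mac, start, end = line.strip().split(",")
        leases.append((ip, mac.lower(), datetime.strptime(start, TS),
                       datetime.strptime(end, TS)))
    return leases


def attribute(events, leases, workstation_mac, skew=timedelta(minutes=2)):
    """Label each event by which MAC held the source IP when it was logged."""
    workstation_mac = workstation_mac.lower()
    results = []
    for when, ip in events:
        # Widen each lease by the skew: the two logs come from different
        # clocks and the firewall log only has minute resolution.
        macs = {mac for lip, mac, start, end in leases
                if lip == ip and start - skew <= when < end + skew}
        if not macs:
            verdict = "no_lease"         # IP in use with no lease on record
        elif len(macs) > 1:
            verdict = "ambiguous"        # falls on a lease hand-over
        elif macs == {workstation_mac}:
            verdict = "workstation_mac"  # lease was held by the named MAC
        else:
            verdict = "other_mac"        # lease was held by a different MAC
        results.append((when.strftime("%H:%M"), ip, verdict))
    return results


if __name__ == "__main__":
    rows = attribute(parse_firewall(FIREWALL_LOG, 2003), parse_leases(LEASES),
                     "00:11:22:33:44:55")
    for row in rows:
        print(*row)
```

A `no_lease` row means the address was in use without a matching lease (set by hand, or the lease history is incomplete), which is the case the question raises about anyone with ifconfig being able to take the IP. A `workstation_mac` row ties the traffic to a MAC address only, not to whoever was at the keyboard.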
Re:IANAL, but (Score:3, Interesting)
No, they wouldn't. If X hacker was trying to "Hack The Planet", they'd use a decoy to glean any info about their internal network.
Re:IANAL, but (Score:2)
Re:IANAL, but (Score:2)
nope
>>>If it's done by someone in the same building, physical security is 0 and any theory is possible really.
Not quite right. If they used IPSEC or IPX with signature-authentication (signs every packet with pgp-like hardness, and everything ignores unless right).
>>>The logging machine could have been tampered with or swapping ethernet cards in two machines: MACs are swapped a
Re:IANAL, but (Score:2)
I disagree with some of that. I wouldn't say anything to the next employer, and let them contact the old one. The old guys are in a difficult situation. If they say anything bad about you, they better be willing to accuse you of that in a court of law because you can sue them if they say you used company resources to crack other computers. Many companies have a strict policy of only saying "Yes he worked here, from some date to a later date."
I would check with a lawyer. Most places have employment "a
Re:IANAL, but (Score:1)
Or don't. Let them have to show that:
Short of that, a good defense lawyer will make them toss it as evidence. If you want to use the HDD contents as evidence, you'll
My advice (Score:3, Interesting)
#2: Feign absolute cluelessness about how this stuff works. Find an outside expert to give a second opinion.
#3: Call a lawyer at the first hint of legal trouble.
#4: If you're worried about your next job, the very best thing to do would probably be to find that outside expert I mentioned, and get him to write a note describing how the incompetents at your previous job completely misinterpreted all the data and picked you as a scapegoat because they didn't want to spend money correcting the flaws in their own system. If that isn't your style, there are legal ways to go after your previous boss for wrongful termination, but I'd be surprised if that actually had a positive effect on your future career.
Re:My advice (Score:2)
Feign absolute cluelessness about how this stuff works.
Uh, it said that his job was Unix sysadmin. This tactic might work (in fact, probably works just fine) for MSCEs, but it would be the kiss of death for him.
-- MarkusQ
Re:My advice (Score:2)
What can you do? (Score:4, Funny)
Enough with the pretenses! (Score:5, Funny)
Re:Enough with the pretenses! (Score:1, Funny)
Re:don't accuse me! (Score:2)
*Actual lawyer's spelling and grammar?
I know work is hard to find, but... (Score:5, Interesting)
I was talking about similar situations recently with a friend and we both realized that the few times we had been fired unfairly (in one case she was one of two sales reps reaching well over 100% of her quota regularly and the other rep wasn't even close to 100%), we realized those were jobs we originally wanted to keep, but realized (with time and distance) that we were miserable there and were working for jerks.
I'm working for myself now, but I've learned that when management acts that way, you're probably better off somewhere else. Just see if you can do something about getting a good recommendation.
Re:I know work is hard to find, but... (Score:1)
Chris Benard
What you really ought to do is... (Score:4, Funny)
The virus did it! (Score:1)
C'mon (Score:5, Funny)
Ask THEM to go to a meeting with you, show a pile of paper and ask them:
"Boss, how'd you like your wife to know about the e-mails you wrote to your assistant ?" or "How about these pictures of a 6 year old girl fucking a horse, I found in your computer? "
Act like a REAL sysadmin. And don't forget to ask for a raise.
Re:C'mon (Score:1)
I would take the virus approach (Score:1)
If they have that small of a clue.... (Score:2)
How about some details? (Score:3, Interesting)
Until you provide more detailed technical information about what they accuse you of doing you are just going to get a lot of IANAL advice on you being fired.
DMCA is the solution (Score:3, Funny)
Recourse and Action (Score:1)
My first step in this case would be to contact a lawyer.
Have him see if your termination is legal. I'm sure there was something in your contract to the effect "If you do something illegal or are suspected of doing something illegal..." but who knows.
Second, if you are innocent, do everything you can to have this pursued to its ugly end. The evidence they have is circumstantial, so I wouldn't expect this to come to charges or conviction.
maybe you can help them catch the real culprit? (Score:1)
They have every right to suspend your work... (Score:2, Informative)
...But to fire you is different. (Score:2)
That is a reasonable precautionary measure, which is OK.
That is making someone guilty until proven innocent, which is not OK.
The implications for someone's career if they're fired for even possibly doing something like this -- w
Don't flinch when you are walked into "the talk" (Score:5, Insightful)
Here's the hard part, which you can be thinking that you should do in the back of your head, but is hard to do. Reach across the desk and scoop up all the paper you see. Tuck it under your arm like a football and don't let it out. Make sure you get out the building with that paper. Let them escort you from the building or call the police, but don't give up the documents. If they start demanding them back, you know they are fucking around and have no case. If a policeman shows up, ask him his name and then hand him the documents and tell him they are potentially criminal evidence and must be preserved. If the cop hands them back to the boss at that point, it's ok, you just have to write that in a letter or affidavit and document it.
Immediately deposit the papers in a safety deposit box and send certified letters to the company asking for all reasons you were terminated, and any allegations proven, disproven, or unknown made against you by anyone. Note that's letters, plural, because even though it's the exact same letter, you want to hit several people inside the company so you can get the conflicting answers. Also hit the Agent of Process of the company -- this is the person who is served in an event of a suit; it automatically triggers the involvement of the legal department.
What happens next? Are you bought out and retire to Tahiti? Do they hastily scramble to hire you back and get you back pay? Of course not. This is a big business so they are assholes. You'll get nothing except the grateful feeling of not being in jail. The only good about it is that the internal stir created by the resulting management meetings with legal advisors will cause them to not be a bit more competent in investigating future incidents, until a year passes and their small rat-like brains forget it all.
Re:Don't flinch when you are walked into "the talk (Score:2, Insightful)
Sorry Mr.Coward, but I am a young man, and I have never been in a situation like this. Could you please explain further how this would help you? Are you banking on them not having any copies of the supposedly incriminating documents? Seems like a foolish thing to gamble on. Are you just trying to create confusion along with your depar
Re:Don't flinch when you are walked into "the talk (Score:3, Informative)
Re:Don't flinch when you are walked into "the talk (Score:2)
options (Score:3, Interesting)
Get a lawyer if you want to do anything.
That said. Do something. This could haunt you.
With your lawyer, send a certified mail letter explaining your understanding of the issue, and the possible causes
Also explain why you need to have them follow up on this, since it involves a federal offense. They are legally required to pursue this to their complete ability since they released you over it.
Give them a series of investigative measures they can perform to prove/disprove your possibilities for this occurrence.
Remember to include their viewpoint in this investigation, and show how they can prove you were not the culprit
Think of everything, the door access logs if any, the bus schedule you may have ridden, anything to prove you were somewhere else, you don't have files that made the alleged accesses, etc.
Explain the highest probably cause: a worm scanned around for boxes to infect and your box looked like a poor hack job
Tell them releasing you is serious enough to be illegal if they do not pursue it, since it affects your ability to hold a job in the future.
Point to your good work done elsewhere for clients, for your agency, or their own other projects. Explain your integrity
Await their response. Call mom and ask for lawyer dough.
mug
Game on... (Score:4, Informative)
If the company is terribly illiterate when it comes to technology, it should not take much to truly scare the bejesus out of them. Get the ball moving on a wrongful termination suit. I suspect it will take nothing more than having your attorney formally request a copy of the log files. Move to negotiate, but be persistent. Most small/mid-size companies will settle rather than going the distance. They will posture, however, since they are looking for a quick brush-off. Most people will spend hours at the bar griping about how they were wronged, most never get a lawyer. Much like rebate 'programs', that is what they are counting on. You may get your job back, you may get damages - best to ask for both. Take the time once you do get your job back to find another, however... because this one is done. Exit fast...
Hell, I've seen folks busted for robbing us blind get a year's wages for 'wrongful termination'. The mind boggles... evidence is overrated.
Re:Game on... (Score:1)
Correct items, incorrect order.
First off, best to get a lawyer. Involving a lawyer early, before you say anything other than your name, could and often does nip this sort of thing in the bud.
Second, best to be innocent. This is not a requirement if the first item is sufficiently skilled.
Lawyer (Score:3, Informative)
What to tell... (Score:3, Informative)
It is *highly* unlikely that this company will reveal anything regarding the nature of the incident to any other company. Most companies of any size have a "neutral reference policy" that allows them only to say "yes, he worked here from date x to date y." I would suggest not using your manager as a reference, but I would not suggest saying that your new employer may not contact them, since they probably won't tell anything damaging and to refuse the right to contact will damage you.
As far as getting your job back, forget it. That's the problem with being a contractor - it's easier to get rid of you than deal with you.
(p.s. Don't tell anybody, but I have a degree in HR -- easiest B.S. to get in a hurry -- so I'm not totally blowing smoke here, although I've never worked in the field.)
Re:What to tell... (Score:2)
Re:What to tell... (Score:1, Interesting)
Re:What to tell... (Score:2)
Heh... I once watched a manager give a lengthy phone description of how great a former employee was, only to find after a quarter hour that he wasn't speaking to that employee's new employer, but to a different potential employer who didn't realise he'd already got a new job... Surreal conversation, though, amazing what people will say without knowing who they're speaking to...
Your rights (Score:2)
Hiring a lawyer would not do you any good because even if you could prove that you were innocent, the boss could still fire y
First thing to do? (Score:2, Informative)
But.. (Score:2)
Basically unless they have video of you actually hacking then how can they prove it was you?
Here is a story about a guy in the UK that got arrested for allegedly downloading child porn on his machine however his machine was found to be compromised by a trojan thus getting him off the hook. [theregister.co.uk]
I've been twice in this situation (Score:3, Funny)
I was called up and warned about it. I was never again to use ping, telnet, nbtstat, arping or use linux on ANY of the workstations. Yes that's true, these were the rules.
Next was in Plattsburgh State University, where I was studying undergrad. I was naturally curious about routers (never seen one) and wanted to know the types running the campus, and the technologies behind its uplink to the Internet, and why the netbios updates seemed so slow. I started pinging around again. I portmapped a router to check its services and was promptly called up again by the technical staff, also my employer since I was working at a helpdesk. Felt like the suspicious detective extracting information. I never again used ANY standard TCPIP tool on that network. I've now a home LAN with 6+ cisco routers, 7 sun workstations, 20+ overall computers running on 3 switches using atm, fr, tr, hssi, ethernet, arcnet, adsl and 802.11b, and I can PING IT ALL I WANT!!!!!!!!!!
Re:I've been twice in this situation (Score:1)
Re:I've been twice in this situation (Score:3, Funny)
That's an easy one. It's because NetBIOS fucking sucks.
Contractor. (Score:3, Insightful)
This means you have 0 recourse.
It's the same as if you suspected your exterminator of stealing.
You just tell him his services are no longer needed.
The exterminator can't sue you, and no reason need be given.
Consider yourself lucky they even told you why because they didn't have to.
Also, as a contractor, your previous client is under no restriction on giving you a bad reference.
Re:Contractor. (Score:2)
Nonetheless, it is in your interest to try and keep your name clear as best possible. Contractors rely heavily on their reputations. Your only reference is likely to be under some sort of slander law (IANAL et al) which I could see applying if the accusations are baseless.
If you are faced with 'formal' accusations (criminal charges, etc.), get a lawyer. Immediately. This includes being asked for a chat by _any_ law enforcement agency. Do not volunteer any information without consulting an attorney.
If
Be sure to review my case (Score:5, Informative)
Re:Be sure to review my case (Score:2)
Twelve step program for people like this (Score:4, Informative)
I was lucky... (Score:1)
The VP of IS, howe
What do they have (Score:2, Insightful)
Advice & Sympathy (Score:4, Informative)
The advice I can give you is:
1) Cooperate fully. Be honest. Be forthcoming.
2) Deny clearly, forcefully, politely wrongdoing
3) Remind them that the world is full of black hat hackers, some of whom have tremendous skill.
4) Ask them how to clear your name and how you can help achieve that.
5) Remind them of your benefit to the organization -- accomplishments etc.
6) Tell them you understand this needs a full investigation. Tell them you have confidence in them to gather the evidence that will clear you.
7) Remind them that a false positive might be them next time.
Some advice on your specific question:
1) Do you know what you were doing at that particular time? Were you in a meeting? On the phone? Using another machine? Find proof: coworkers at the same meeting, phone records. Look at file timestamps. If one of the offending timestamps occurs in a period where you can prove you weren't using the computer, you are cleared.
2) Ask for network logs connecting to your machine. If this is a normal PC, there should be any from strange places. If there are, that was the bad guy, not you. If they don't have such logs, point out that keeping logs is critical for clearing the innocent and exposing the criminal.
3) If you are on a Unix box, ask that chkrootkit [chkrootkit.org] be run to identify if you've been hacked and had a rootkit installed. Hackers often install rootkits to avoid detection and this program finds them.
A similar case (Score:2)
Similar? Shoddy and incompetent investigation by the fired employee's superiors.
The whole vmyths.com site is extremely interesting. Funny too. I highly recommend it.
ANAL (Score:2)
Trinity, is that you? (Score:1)
"What?"
"I just thought um... you were a guy."
"Most guys do."
No Evidence (Score:2)
Be careful of contractual obligations, but be aware that you cannot sign over your first born child - doesn't matter if your John Hancock is on it.
In Oz you can sue for lost income in the period, including any income potentially earnt if your reputation had not been impugned.
Basically - they have not taken even a modicum of "due care" in the collection of this "evidence".
Your PC should have been quarantined and audited by a security professional, the firewall logs (
And the SysAdmin in all this was... where? (Score:2)
Whether or not this has a direct impact on your case, the security (or lack thereof) of your system is the responsibility of, well, the System Administrator. If s/he has such a weak security system in place, my suspicions would fall upon him/her/it, either for ineffectiveness, or at worst, nefarious purposes (hack and blame the user).
Technical ideas (Score:1)
Since it's easy to quietly steal/borrow an unused IP address that isn't being used, but