Undercover
A Contract Killing: The Drama of Government IT Work
Our anonymous CSO's tawdry tale of an IT services contract rollicks through software piracy, dope sales and worse. Who says government work is dull?
By Anonymous
May 16, 2008
The government doesn't get its fair credit for drama. To wit, I was the security lead on an IT services contract with a government agency, on a job that went from routine to rollicking. A little background: This contract required training in a wide variety of areas—mischarging, sexual harassment, security and privacy, conflict of interest, and others that focused on confidentiality, integrity and ethics. Complete participation was required per the contract. Failure to do so could lead to termination. Emphasis on the "could."
After a mini St. Valentine's Day Massacre—a letter received on Valentine's Day alerting our company that our ratings were in the low 70s, meaning no contract bonus and the certainty that heads would roll—a new Program Manager was brought in. He was a fixer, brought in to correct the course of this contract. We soon found the fixer was really a "rule by intimidation and ridicule" type of leader. His job was to improve the periodic ratings in order to secure millions in bonus dollars. His compensation hinged upon this. Dollars were awarded based upon the ratings derived from specific measurements as per the contract.
Our job was peripheral to this bigger contract drama—until we actively scanned for vulnerabilities and found an anomaly we could not verify. Like an arsonist calling in the fire, a tech lead pointed us toward a couple of IP addresses that we could not scan. We traced the IP numbers to their physical location and found two servers located in an office. Per the requirements of the contract, we began to gather information off the two servers. What we found on those servers was quite exciting—and extremely disturbing:
- W2K3 running on both;
- Eval copies with cracked licenses now unlimited;
- Illegal copies of firewall software with rules specifically established to obfuscate any detection.
Firewall rules were created to allow by IP and name. Those named were part of the contract's two warring IT factions, IT operations and IT engineering, which were engaged in a struggle for control of the IT landscape. Dynamic IP allocation was required for all within the organization. Those with static IPs needed security approval. This had not occurred. Having a static IP allowed one such conspirator to access the servers in question off the internal network. His full name was on the rule.
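The misconfiguration described above (allow rules keyed to static IPs and to named individuals, with static addresses never passed through security approval) is the kind of thing a routine rule review should catch. The following is an added example, not code from the column or the agency: it parses constructed, hypothetical firewall rule lines and a hypothetical static-IP approval register, and flags rules that permit unapproved static hosts or name a person rather than a host role.

```python
"""Audit firewall allow rules against a static-IP approval register.
Added example with an assumed rule syntax ('allow src=<ip> [name=<who>]')
and an assumed register format; addresses and names are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(
    r"^allow\s+src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\s+name=(?P<name>\S+))?$"
)

@dataclass
class Finding:
    ip: str
    name: Optional[str]
    reason: str

# Constructed sample rule set (hypothetical hosts and people).
FIREWALL_RULES = """\
allow src=10.0.5.17 name=j.smith
allow src=10.0.5.42 name=a.jones
allow src=10.0.9.8
deny src=0.0.0.0/0
"""

# Constructed approval register: static IP -> security-approval status.
STATIC_IP_REGISTER = {
    "10.0.5.17": {"approved": False},
    "10.0.5.42": {"approved": True},
}

def parse_rules(text):
    """Return (ip, name) for every allow rule; deny rules are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group("ip"), m.group("name")))
    return rules

def audit(rules, register):
    """Flag unapproved static hosts, unregistered hosts, and per-person rules."""
    findings = []
    for ip, name in rules:
        entry = register.get(ip)
        if entry is None:
            findings.append(Finding(ip, name, "allow rule for IP not in static-IP register"))
        elif not entry["approved"]:
            findings.append(Finding(ip, name, "static IP without security approval"))
        if name:
            findings.append(Finding(ip, name, "rule grants access to a named individual"))
    return findings
```

Run `audit(parse_rules(FIREWALL_RULES), STATIC_IP_REGISTER)` to get the list of findings; each carries the offending IP, the named individual if any, and the reason.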
The servers had never been patched or upgraded. The servers were running anti-virus software illegally acquired, loaded and never updated. They held 100GB of production data (including all server and desktop images for the organization).