We’ve said it before, but an employee from Hell apparently didn’t get the memo: VPN, as in Virtual Private Network, is not shorthand for secure internet connection.
What the “private” means is that your VPN connection can be made to behave as though you had a direct hook-up to your destination network. What it does not mean is that your hacking forays into your ex-employer’s network – using the company’s own VPN – are going to be hidden away when the FBI starts digging around.
Suzette Kugler, who last year left her job after a 29-year career at PenAir, was sentenced on 12 April for repeatedly hacking the airline’s reservation and ticket system. According to the Department of Justice (DOJ), Kugler pleaded guilty in January to one felony offense of fraud in connection with computers.
As part of the plea agreement, Kugler will pay $5,616 in restitution to PenAir, and the DOJ dropped a second count of the same offense. If it seems like a light sentence, bear in mind that this was her first ever crime.
Kugler had left her job with the southwest Alaska regional airline as of February 2017. According to the local TV station KTVA, PenAir filed for Chapter 11 bankruptcy last year, shuttering most of its operations outside Alaska.
Over her 29-year career, Kugler rose to the position of director of system support. According to her LinkedIn profile, that meant she was responsible for “oversight, policy, procedure and development as it relates to software for customer service and flight tracking.” In other words, she was the administrator of PenAir’s Sabre database system, which the airline used for ticketing and reservations.
She didn’t leave empty-handed. A week before she retired, Kugler used her system privileges to create new, fake employee user accounts, plump with high-level privileges and without any authorization whatsoever.
Handy, that, for paying her ex-employer a little visit – or two, or three – post-departure.
On 5 May 2017, PenAir reported network and computer intrusions targeting the Sabre system to the FBI. Between April and May, Kugler wiped out a former colleague’s access permissions and erased station information – necessary for PenAir employees to get into Sabre – for eight airports. Without that access, they couldn’t book, ticket, modify or board any flight at those eight airports, until the stations were rebuilt by staff working through the night.
Then, on 3 May, Kugler wiped out three seat maps – used to assign seating – from the Sabre system. Without those maps, PenAir employees wouldn’t have been able to board or ticket passengers. Fortunately, the deletion of the seat maps was discovered three days before it would have disrupted flights. PenAir was able to restore the mapping by the time the flights were ready to board: a remediation effort that sucked up “considerable time and expense,” according to the plea agreement.
PenAir said its losses were less than $6,500 and more than $5,000.
On 27 July 2017, FBI agents from Anchorage, Alaska and California executed a search warrant on Kugler’s home in Desert Hot Springs, California. They found two laptops with the Sabre VPN software installed.
Oh, those telltale VPN logs!
Kugler isn’t the first crook to mistake VPN use for a way to cover her tracks. In October, a 24-year-old was arrested for allegedly harassing and cyberstalking his former roommate for over a year, in addition to a number of former high school and college classmates, using email, SMS, social media and phone apps to send death threats, rape threats, bomb threats and even child pornography.
According to the affidavit, Ryan Lin, like Kugler, hid behind a VPN – at least, that’s what he thought he was doing – to create accounts from which to send his poisonous messages.
VPNs hide your computer’s IP address. They encrypt traffic between you and your VPN provider, making it incomprehensible to anyone intercepting it. But your VPN provider isn’t “intercepting” it: your VPN provider gets to see right into that tunnel, witnessing everything passing through your network.
In other words, to quote from words of VPN wisdom that Lin, ironically enough, retweeted a few months before he was arrested:
There is no such thing as VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.
Sandra Simmons
The article is hilarious, and very informative. Thanks
Anna Nyms
She got caught by petty vandalism. Why did she bother to go to the trouble of setting up a couple of accounts for her to use, then use them to draw attention to herself?
Wilderness
I do think her sentence is too light.
Richard Blade
She should have been given a complimentary year at the local county jail at a minimum. She would beoutin 6 months with good behaviorand never want to go back
Anonymous
Of course there are logfiles. But they get overwritten the next day.
Why would they keep the logfiles? Storage costs money and backups require maintenance. And if they get exposed with saved log files, they loose all customers. Without logs you make more money and less work to do and less risks. (as a VPN provider).
OK, for big company hacks it is not a good idea to trust only on that VPN.
FBI but also others, can hack a VPN-provider server in no time and captures it all in real time.
Anonymous
You seem highly confused about what logs are. Logs are not large by any means. Years worth of vpn logs can be saved on a single 1tb disk. It doesn’t even matter how many users you have. Now, it does depend on what their storing, but very few people are interesting enough for a vpn provider to want to store every single packet. Only thing logs usually contain is the user id(if applicable), the usersIP, the external ip the vpn is using, the ip the user is accessing, amount of data downloaded, type of data downloaded (nowdays everything is ssl/tsl, very little they can actually tell what is), and time the user connected/disconnected and visited ips. It may sound like a lot, but you could store days worth of this crap with 1000 users on vpn, and still not reach the size of a single quality photo.
It’s well known that von providers take logs (especially work vpns). Often the privacy statement mentions what is logged, and for how long. 1 day logs, are usually only offered by higher end vpn providers.
And you seem overly stressed about FBI hacking. The FBI doesn’t hack much. For the most part, its along the lines “illegal activity occurred on your network, do you want to be arrested?”, ‘no, it wasn’t me. My buisness runs vpn servers, see!’, “OK, but we will have to hold you responsible if you don’t comply with our investigation or cease your services”, ‘sure, here are the logs. Not enough? Here, this is our main server, you can view live data from it, and even intercept traffic and replace it with your own!’.
Its pretty much the same conversation with ISPs. A vpn just means they have at two more calls to make before they get to you.
Out of county vpns can be a little more difficault, but America has pretty strict laws that any vpn/proxy/tor/filehost/etc server operator will quickly become familure with.
Andy M.
It depends on the VPN provider and the type of service it provides. Work VPNs will most certainly keep logs. VPN providers that “promise” anonymity will not (you hope). Your ISP probably will. And so on. VPN just encrypts your traffic between two endpoints. It doesn’t mean it provides anonymity, as that depends on the type of service you have with the VPN provider.
Frank Yeruham Leavitt
The best means of communication is face-to-face or an envelope with a stamp. Who needs this hi-tech stuff?
Dr Yeruham Frank Leavitt,
Ben Gurion University, Retired,
ISRAEL
Eddie
your article is misleading.. the employee was using a work based VPN.. not a credible comerical VPN
Paul Ducklin
The article is about getting busted by VPN logs. The headline says, “employee… busted by VPN logs”. The reminder is that VPN connections may be private (e.g. from eavesdropppers) but aren’t anonymous because the service provider responsible for the other end on the VPN tunnel knows who you are. The tunnel provider could be your employer, your ISP, your coffee shop, your dedicated commercial VPN provider, or a crook. The point is, they can figure who you are, How is that misleading?
Anonymous
not really, many services don’t keep logs.
Anonymous
A good VPN service has no idea who you are, and discards any logs as soon as they are not needed.
Definitely not reliable for doing illicit activities, but a respectable start.
Anonymous
The article tries to suggest that the users assumed anonymity from the company’s VPN, when in reality she was probably just using it for its given purpose, to access the internal network of her ex-company. The article ignores the possibility that maybe she did use other methods to mask her IP before connecting to the corporate VPN gateway e.g. Private VPN tunnel or a Proxy Chain. If she performed multiple attacks on the business, its not out of the question that in one of those attacks she forgot to mask her original IP and instead connected directly to the company VPN therefore giving away her home address.
WeHeardYouTheFirstTime
No, no ,YOU’RE trying to suggest this, over and over and over again in multiple comments, droning on about how there exist commercial VPNs that don’t keep logs. Or say they don’t keep logs. Whether they do or don’t keep logs, VPNs aren’t about anonymity. You need more than just a point-to-point encrypted tunnel to provide anonymity. Ask anyone on the Tor team.
Dude, this article is about “employee busted by VPN logs”, it is not about whether there exist VPN services that don’t keep logs. You can’t complain that this article is wrong because it happens to be about a different subject to the one that you want it to be about. Start your own blog about “log-free VPNs and how not to get busted” and tell your story there.
Anonymous
The article is misleading because she wasnt using the VPN to hide her Identity, she was using the VPN to access internal systems. These are two entirely differently things. She wasnt using a commercial vpn designed to hide her Identity, she was using a vpn designed to access internal systems inside a secure network.
Mark Stockley
As Duck said, regardless of use case, “service provider responsible for the other end on the VPN tunnel knows who you are”. Your comment implies that if she’d been using a VPN to hide her IP she wouldn’t have been vulnerable in the same way, but commercial VPNs designed to hide your IP behind their own know who you are too, or at least which IP you’re connecting from. Just ask the FBI, or the Waltham stalker.
VPNs, of all stripes, no not provide anonymity.
Jrock
I still don’t think you grasp the term VPN…it does not matter if it’s a “credible commercial” or private…a VPN is a VPN period. Which makes this article very much not misleading, and quite accurate. You are assuming that all “credible commercial VPN” services provide complete anonymity which is absolutely not the case.
Anonymous
Shoulda used another VPN or tor before connecting into the insecure VPN.
Andy M.
The VPN WAS secure. It wasn’t anonymous. A ***WORK*** VPN is designed to be secure, not anonymous.
Steve
Am I missing something? NO jail time, NO fine… just restitution? Restitution isn’t a penalty, so she basically got off scot-free on the criminal matter.
Larry
What if you are using 2 VPN 1 inside another
Chris
Poor article… What’s missing is the identify of the VPN provider. This would be a key piece of information – which VPN is not providing an effective service for anonymity?
Mark Stockley
VPNs don’t provide anonymity.
Mahhn
I took it for granted that the VPN was the companies (that was being invaded).
As the story says she; “used her system privileges to create new, fake employee user accounts”.
Our company’s VPN can only be accessed by our companies VPN software/configuration/permissions. I don’t care what service you buy elsewhere, you will not be authorized to connect unless all the pieces fit – software, token, account, PW.
I can see some people being confused if they aren’t familiar with corporate VPNs. Even most users just know enough to make it work- most of the time lol.
JD
“your VPN provider gets to see right into that tunnel, witnessing everything passing through your network.”
This is incorrect, please read up on how vpns work before writing something like this.
Mark Stockley
How is it incorrect? The user creates an encrypted tunnel that starts at point A and ends at the VPN provider’s server. Where the encrypted tunnel stops it’s the VPN provider doing the decryption. It’s literally the VPN provider’s job to strip away the tunnel.
If the messages passing through the encrypted tunnel are themselves encrypted (e.g. HTTPS, SMTP over TLS, Tor etc) then the VPN provider obviously can’t see past that encryption. They still get to see HTTP traffic, unencrypted email, a bunch of metadata, hosts in SNI messages, DNS requests etc.
JD
In short, the encryption is end to end. The ISP does not get to see right into the tunnel. Once the tunnel is established they can see the amount of data but the data is not readable. Now since they are the ISP they can MIN the connection but that would also require hacking ipsec or an SSL certificate depending on the type of vpn.
Bryan
You’re conflating “ISP” and “VPN provider.” Rarely are they the same–and in this case they’re not.
JD
Really? Please explain how the VPN provider is decrypting without the key?
Mark Stockley
User connects from point A to point B using VPN. Point A encrypts tunnel, point B decrypts tunnel. Point B can see past decryption since that is entirely the reason for point B’s existence.
In the text, and in my comments, the VPN provider is point B. We are not referring to the vendor that sold or created the software for point B, if that’s what you mean.
Paul Ducklin
A VPN is an encrypted tunnel between two points on the internet. At your end you encrypt your data and shove it into the tunnel. At the other end the VPN provider decrypts it and passes it onwards. The encryption lasts only between you and the provider. Therefore the provider knows who you are (at least at the IP level, else how would they route back the replies to your traffic?) and can see the original, unencrypted contents of your traffic (else how would they be able to route it onwards to its intended final destination?).
The VPN provider not only has the key, they *must* have the key, in the same way that a web server you connect with using HTTPS has the key to unlock your web traffic.
JD
Mark, I am talking corporate remote access / site to site not VPN service apps out on the I internet.
Steve C#
Clearly the company was not using Multi Factor Authentication with their VPN. That was a serious security oversight. Also, she should have been put in jail on grounds of stupidity if she had been the Director of System Support.
Mahhn
it says she created fake accounts before leaving the company. Which suggest that’s what they were for.
Magyver
JD, dude, I ‘ve been reading all of this and I have 2 questions for you – Do you really think the people who I believe are the most reputable computer security firm of it’s type in the world don’t know how corporate VPN’s work?
Do you really think you know more about the subject than not just Lisa the author, but the entire management and writing staff at Sophos?
I trust these guys, they’ve proved time and time again that they know more than me, and Sophos’ mission is to help the little guy free of charge..
Sophos makes it’s money from the major corporations who trust Sophos and their track record, not the little guys like us..
Anonymous
Hey this article say she got busted by the logs after they raider her house maybe the logs where on her laptops at least that is how I read that.