Comment by clankyclanker

5 years ago

Probably, but is that a conspiracy theory so much as an insurance policy? Being able to competently complete that sort of nightmare investigation is probably why the investigator was re-hired annually.

A packet capture of the config files would show something was up to anyone suspicious, but knowing what to do about it is a completely different story.

The 'conspiracy' part of my conspiracy theory is not that they hired a security consultant, but that they explicitly guided him to the exact hardware[1] with the correct metric to detect it[2] asking him to test for a surprisingly accurate hypothetical[3], even going so far as to temporarily deny the suggestion of the person they're paying to do this work[4]. This is weirdly specific assuming they had no knowledge of the compromise.

Of course, I have no non-circumstantial evidence and this could all be a coincidence, which is why my comment is prefixed with "conspiracy theory".

1: "However, he asked me to first look at their cluster of reverse gateways / load balancers"

2: Would have likely been less likely to find the issue with active analysis given the self destruct feature

3: "Specifically he wanted to know if I could develop a methodology for testing if an attacker has gained access to the gateways and is trying to access PII"

4: "I couldn't SSH into the host (no SSH), so I figured we will have to add some kind of instrumentation to the GO app. Klaus still insisted I start by looking at the traffic before (red) and after the GW (green)"

  • Perhaps "the guy responsible for building the kernel" noticed his laptop was compromised. Then they'd know of a theoretical possibility of a compromise.

    Not wanting to instrument the Go app could be an operational concern.

  • It sounded to me like they had a suspicion and specifically wanted the contractor to use his expertise in a limited way that would catch if the suspicion was right.

    Perhaps they had noticed the programs restarting and when trying to debug triggered it.

  • Sometimes commercial companies get a tip from intelligence agencies:

    "Your <reverse gateway> devices are compromised and leak PII." Nothing more.

  • #4 is a reasonable request. If the client wants to verify the lower level ops instead of higher level application and deployment, the instrumentation would be counterproductive. That could happen if he was thinking something along the lines of "there's a guy here that compiles his own kernel on a personal laptop, I wonder what impact this has".

    The other ones could be explained by him being afraid of leaking PII, and most PII being on that system.