The most informative cyber security blog on the internet!

Notice: By subscribing to Hashed Out you consent to receiving our daily newsletter.

Pro Tip: Don’t watch porn at work—especially if you work for the US government

(1 votes, average: 4.00 out of 5)

Loading...

October 31, 2018 1

Pro Tip: Don’t watch porn at work—especially if you work for the US government

in Hashing Out Cyber Security

“Can I still list you as a reference?”

It’s bad enough getting fired for looking at porn on your work computer, but imagine if your in-office porn habits were responsible for a US government network’s Russian malware infection.

Now that would be an awkward conversation.

Enter our protagonist, a nameless government employee performing his (the employee in the report is not gendered but I think we can all assume it was a “he”) civic duties at the US Geological Survey (USGS) in beautiful Reston, Virginia.

Our salacious civil servant’s pornographic pursuits were discovered during a routine security audit and were apparently so prolific that the US government actually paid someone, Matthew T. Elliott, an assistant inspector general for investigations, to write a report that was then put into the public record (as a result of 2016’s IG Empowerment Act) and will now live on in the annals of history.

That likely makes Professor Pocketpool the most infamous purveyor of pornography… possibly of all-time, as there is now an archived government record that will forever stand testament to just how often this surveyor surveyed human topography instead of whatever he was supposed to be surveying.

So, just how much cubicle porn would you need to consume to get a government report written about you?

About 9,000 pages worth.

We found that [redacted] knowingly used U.S. Government computer systems to access unauthorized internet web pages. We also found that those unauthorized pages hosted malware. The malware was downloaded to [redacted] Government laptop, which then exploited the USGS’ network. Our digital forensic examination revealed that [redacted] had an extensive history of visiting adult pornography websites. Many of the 9,000 web pages [redacted] visited routed through websites that originated in Russia and contained malware. Our analysis confirmed that many of the pornographic images were subsequently saved to an unauthorized USB device and personal Android cell phone connected to [redacted] Government-issued computer. We found that [redacted] personal cell phone was also infected with malware.

I don’t know about you, but I have a ton of questions. None of those would be appropriate here though…

Regardless, my favorite part about this whole report is how with no segue whatsoever it veers from the sordid web history of Fisty McHandenpants straight into a very business-like autopsy of the vulnerabilities it identified:

Website access
Open USB ports

The report then proceeds to suggest to a US government agency that maybe… don’t even let your employees have access to porn sites in the first place.

To give you a frame of reference, our office web filter physically emits a shock of electricity just for trying to navigate to a dating site. I can’t even imagine what it would do for an adult website, I’m guessing it would be like that scene from the Green Mile (don’t look it up at work). Regardless, it’s mind boggling that at the US Geological Survey, all indications point to the fact that they didn’t have any kind of filter installed at all.

We recommend that the USGS enforce a strong blacklist policy of known rogue Uniform Resource Locators (more commonly known as a web addresses) or domains and regularly monitor employee web usage history. Since this incident, the EROS Center has deployed enhanced intrusion detection systems and firewall technology to assist in the prevention and detection of rogue websites trying to communicate with Government systems. An ongoing effort to detect and block known pornographic web sites, and web sites with suspicious origins, will likely enhance preventative countermeasures.

The last sentence (emphasis mine) is the one that fascinates me, because I legitimately wonder if during Matthew T Elliott’s education – as he plied his trade in service of his ambitions – he ever thought, “one day I’ll use these skills to draft a government report where I’ll find an artful way to tell a federal agency not to let its employees pull up porn.”

Apparently, this is not an isolated incident. Many government agencies have had porn problems in the past decade including the SEC, IRS & EPA.

A 2017 watchdog report found copious amounts of porn viewing at a dozen different agencies. And apparently some federal networks are swamped with kiddie porn.

Watching porn can get you infected with malware? …asking for a friend

The obvious answer to this question is yes. But a lot of people don’t really know the specifics of how this happens. It’s just one of those truths we accept but never question, like the fact that yawning is contagious. We all know that, but most people never understand why.

For all intents and purposes, there are a few major attack vectors when it comes to adult content. The first is hacking a legitimate site, typically through the ad networks. The second is with malicious “free” sites. And the third is with links (oftentimes banner ads) to “adult dating sites” that ask you to share personal information. There are also torrents and email attachments, but those two categories aren’t as germane to this discussion.

25% of all malware is porn-related.

Per security researcher Simon Marshall:

Malware is usually distributed through watering hole attacks on both the fixed and mobile Internet; in this instance, criminals hack a porn website or the advertising platform that is used to show ads. Then a redirection automatically sends visitors to a page that serves them with malicious software.

In this case it sounds as if our vapid voyeur was accessing malicious “free” sites that were being run by Russian criminals. In a case like this the attacker has a choice of any number of ways to present the malicious payload.

In other instances, such as with larger video sites, attackers tend to infiltrate through the ad networks and serve infected ads. Conrad Longmore conducted a study a few years ago and found an inordinate amount of malware:

As pornography has become ubiquitous and free, the audience willing to pay for it has dwindled. In the wake of this great democratization of flesh, we have seen the rise of highly trafficked websites whose business model has been built around offering free content to run along ads. And within this largely unpoliced ad bonanza, malware chefs have been given an opportunity to expose their malicious code to a high volume of unassuming porn consumers.

In these cases, the porn is just bait. It’s the digital equivalent of a honeypot (is it?).

Ironically, there is a group of Russian state-backed actors that have gone to great lengths and devoted incredible resources towards infiltrating US government networks while another group managed to accidentally infect one such network just by running a low-rent porn scam.

Suffice it to say the Sultan of Smut (that’s a Babe Ruth pun) lost his job at the US Geological Survey and would likely be smart come up with a more charitable reason for leaving the role when he starts interviewing again.

I think we can all agree that this entire fiasco was tax dollars well spent.

As always, leave any comments or questions below – and Happy Halloween!

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.