More on the Malware/Child Porn Case

« Mass. Man Avoids Malware-Induced Child Porn Trial | Main | Strange Bedfellows Fight FISA Deal »

June 17, 2008

More on the Malware/Child Porn Case

The Boston Herald covered yesterday’s news that a Massachusetts state employee had child porn charges against him dropped after a forensic analyst found his laptop had been infected with malware.

Best quote:

“Nationally recognized computer forensic analyst Tami Loehrs told the Herald Michael Fiola’s ordeal was ‘one of the most horrific cases I’ve seen.’

“‘As soon as you mention child pornography, everybody’s senses go out the window,’ she said.”

(Link)

If you’re the type to enjoy this sort of thing, Robert McMillan posted a link to the 30-page-long forensic report. It’s chock full of log entries like “Pornographic images appear with no origin and continue for approximately one hour; sites include lolitas, urinelove and scat sites.”

It gets really good around page 25, when investigator Loehrs begins to bring the hammer down on the IT department responsible for the incident. Or rather, the IT department that should be held responsible for the incident, having utterly failed one of its users. Here’s a sample:

“On June 26, 2007, John Glennon testified at an administrative hearing regarding the investigation of the Laptop. He stated that he is responsible for all information technology resources for the company and he is in charge of tracking the computers and he was involved in the investigation of the misuse of the Laptop. Mr. Glennon testified that there is no evidence that anyone else other than the Administrator had ever accessed the Laptop. However, a review of the computer revealed several other accounts that had been created on the Laptop prior to Michael Fiola including diauser, user, test and test2. Unfortunately, all previous accounts had been deleted, thereby eliminating potentially relevant evidence. A review of the SMS and Symantec logs also revealed that the computer was previously setup for BOLLE04 and was actively used prior to the Laptop being issued to Michael Fiola.

“Mr. Glennon went on to testify that it is highly unlikely for Internet files to be on the computer without activity by the user and that there is no way for files to be in the Internet folder without browsing the Internet. A review of the Symantec logs by Mr. Glennon would have revealed the viruses and Trojans that were attacking the Laptop for four and a half months. A review of those viruses and Trojans by Mr. Glennon would have provided an explanation regarding how temporary Internet files can be created on the computer without the user’s knowledge. A review of the temporary Internet files themselves would have revealed suspicious patterns such as pornography appearing with no preceding event; pornography appearing immediately after viruses and Trojans appearing; and 40 website files all created at the same time, a scenario likely impossible for a user to create by browsing the Internet. If Mr. Glennon had discovered the suspicious JavaScript files on the Laptop, he would have learned of additional methods in which files can appear in one’s temporary Internet files folder without their action or knowledge. At the very minimum, Mr. Glennon, as the head of the IT department, must be aware of spam and Internet pop-ups that cause files to be placed in the temporary Internet files folder without any action or knowledge by the user.

“Mr. Glennon also testified that ‘our networks are very secure and they’re monitored’ so it is highly unlikely that the system was hacked. A review of the SMS logs by Mr. Glennon would have revealed that the SMS software was not functioning and as a result, there was no communication with the Laptop while it was in the field for four and a half months leaving the Laptop unmonitored. If, in fact, the networks are monitored, why were the SMS logs riddled with errors - highlighted in yellow and red by the software for easy detection – and unresolved for four and a half months? If the networks are monitored, why did the virus attacks on the Laptop recorded by Symantec go unnoticed and unresolved for four and a half months?”

“At the very minimum, Mr. Glennon, as the head of the IT department, must be aware of spam and Internet pop-ups that cause files to be placed in the temporary Internet files folder without any action or knowledge by the user.”

It doesn’t sound like Mr. Glennon is aware of much. If, by the way, that John Glennon of the Mass. Dept. of Industrial Accidents is the same as this John Glennon, formerly of the Mass. Dept. of Industrial Accidents, it appears he’s enjoying a recent promotion, having left behind a department that “stands by its handling” of the case. And Michael Fiola, the person who was wrongfully accused and fired, is still out of a job.

Shameful.