June 30, 2013
Hello all and sorry I have not replied to any if all comments. After a short time at this call center, I knew when to cut my losses and got out of there in the most creative way. Lets just say at the time of my employment, Convergy’s security system and security practices were non-existent and very worrisome. I thought about doing my civil duty and notifying the company’s that have contracts with them, but came to the conclusion that I would be labeled a whistle-blower and would probably be imprisoned by the methods I used for the discoveries I had found, by Convergy’s charging me under Canada’s criminal code of cyber-crime, if that is to say, of course, my methods of network auditing fall under such criminal code. Therefore I was more or less coerced to keep quiet.
However, since it has been quite a while and protected now under the statue of limitations, have not caused any damages or malicious intent from my auditing, I do feel the need now to reveal my findings.
All of Convergy’s is connected to each other world-wide using several domain controllers running Microsoft Server 2001 which several have not been patched and may be vulnerable to numerous attacks. Access to numerous servers, client computers, shares, networked printers and corporate data is possible with very little effort implementing the right knowledge, determination and tools to achieve such a goal. No data was encrypted not even customer/client data. Some systems had lists of default and current username/passwords written in clear-text. Of this discovery, gaining access to unix based systems via telnet with root privileges was an easy task. Access to switches and routers did not pose much difficulty either, which could be reconfigured in a malicious way, re-routing network traffic (including IP telephony) off-site if one where so inclined to do so.
Local access to achieve wide variety of access was easily obtained as the group policy setting still included the ability to create new users with higher privileges while logged in under the assigned username given to an employee. This allowed the ability to log off and log back on using the new set of credentials. Access to the computers USB ports and the computers BIOS allowed the ability to plug in a USB drive loaded with linux and auditing software, allowing the potential resetting and changing of the administrator password as well, the Domain Controller account.
Readers might ask then, how could a person possibly get away with doing so much auditing without notice? That is where the negligence of senior staff and officials come in. There was only one network administrator on the premises who was only passively monitoring the network. For example, he would only respond when a problem arose by someone reporting an issue with the network or something obvious, ie: The telephone network suddenly shutting down. It is next to impossible for one over worked and under paid administrator to handle such tasks, which is why it is almost always too late to take action before damage has been done. Floor staff were busy with inexperienced agents on the phone and Team Leaders busy doing everything BUT monitoring calls. It was pretty easy to profile the Team Leaders to know when it was safe to audit and when not to. If a person with malicious intent had the time and the creative know how, one could have logged into the administrative panel on the software (will not disclose) used to manage calls and place recorded calls into the queue so that it would not only show a person always in a call, but when anyone wanted to listen in to the call, it could be heard by the third party and be non-suspecting. Sometimes certain features of a particular software can be exploited. Yes, these recordings were accessible on a hidden share. Hiding something is NOT secure. Simple network browsing software can and will find them. After that, simple scripting can handle the rest. Picking a time slot for my schedule was essential as well. Non-busy time blocks were essential which meant very few agents, very few calls and a nearly completely empty building. Computers, themselves were not physically secured and the side panels of the computers were only secured by zip-ties. Armed with anything that can cut a zip tie, be it a file nail, scissors, a nail clipper, and a screw driver, one could easily remove the hard drive and any other component. With a nearly completely empty building, computers themselves could be removed. There have been thefts.
The most shocking discovery was that the company’s building security was on the same network and accessible, potentially viewing all security camera’s (as they are not Closed-Circuit) and completely shutting down all building security. If this was the case at the time, then security access to all centers would have been possible. Does anyone see the dangers here? If you are going to have building security systems on a network, it should always be on it’s OWN network with it’s own networking hardware and if that’s not financially possible, then at the very minimum, on it’s own virtual network.
Because there was no immediate access to the hardware, key cards could not be tested, but I could only fathom the notion that the information on the key cards were not encrypted/protected either, allowing a person to write information onto a similar compatible card, granting unsuspecting access to the entire building, entering and leaving at will.
Are the clients of Convergys even aware of such vulnerabilities? Did Convergys know they are playing with fire and how much damage this can do to not only their business, but their name as well? What about the shareholders? What about the American people, who entrust their company with their personal information? They are even more fragile now with all the leaks about the NSA illegally monitoring their own citizens.
I suppose people just choose to ignore and don’t really care.
I wonder what would happen if the Anonymous group got a hold of key information and decided to use it? We are all slaves of corporate commercialism and all have given up freedom and invalided the constitution and unwilling to take it back.
Working at Convergys and ditching the resturant industry was the best move I have made. However, just like all workplaces, there are instancess of inappropriatness which are noticed.
What is it like working at Convergys from my perspective? Well I will attempt to describe as much as I can starting with the hiring process
I came about the Convergys ad in the job bank, and to be honest wasn’t something I had interest in. The job postings which I printed out, where somewhat random and the only common thing they all had in respect to each other was that they were high pay, and had nothing to do with cooking. I did apply to all of them, and someone in the Convergys HR department was the only person who got back to me.
I arrived quite early for my interview and they were more than happy to start the process early. The first step was the most basic of pc knowledge aside from where the power button is located on the computer. There was also a typing test which was rediculous and done on a website, which the paragraph could be easily copy and pasted giving you 100 percent accuracy and very fast typing score, however, I followed my own morals and typed as I would normally. After these, followed video propaganda about Convergys which lasted about 15 minutes, which still did not make it clear to me what Convergys was about. In fact, I had no clue what Convergys was about. Their actual company website was tailored to prospective blue collar clients which still did not make it clear what Convergys offered.
After completing the mini computer test I was to have an actual interview with an HR representative, which read scripted questions which I had to try and apply to my previous employments. After this interview I was hired.
3 weeks of training following the initial interview process took place in which at the time, seemed like it was good. There were probably 15 or so people in the class and our training consisted of basic product knowledge and basic troubleshooting steps with bits and peices of Comcast propaganda as if the service was being sold to us. Something else that I felt unappealing was that it seemed as if we were supposed to be brainwashed into thinking we were Comcast and employed by Comcast. I suppose in a sense this would be something we would have to get used to because the customers think we are Comcast, which holds true to this day. The training material was mixed with spoken word, powerpoint presentations and paper. Quizes and “assessments” were pretty easy, but answers where all open book and basically handed to us. Just about every bit of learning material came without a hiccup and most of it was something I had knowledge of walking in the door. There was one peice of training material that I liked, and it was phone simulation, where the program would make a call as a customer using scripted problems in which we would respond with our voice and trouble shoot using hands on experience. Although not near comparable to the real world experience, it was very helpful.
3 weeks of this training was supposed to be followed by 1 week of transition where we would have the opportunity to get real world experince as a CSA, however was inturrupted very early by the opportunity to be trained in home networking, which was another service of Comcast, which our center was to take over from Winnipeg’s center. After 1 day of HSI transition and about another week of CHN training, we were on our way to the floor with our newly developed or refined skills.
The highlight of the training was this transition period which was spectacular because not only did we get a tate of the real world application, but we were also accompanied by several transition agents who where there for support in case we got stuck on a problem. I am sure we were all nervous, which is a natural reaction, but the amount of support for that week of transition was amazing and was enough to make me comfortable and get used to the repetitious problems customers face.
more to comeTBA