System Admin Shuts down Servers, Deletes Core Files on the Day He Is Fired

Probably was directly in response to the nonsensical short period of time criminals were actually serving a while back in that state.

From the 90s in Virginia:

The prison sentence was really just for the benefit of the public who would hear of a murder, be happy the guy got 50 year sentence, but then not realize that, on average, 5.5 years later he was out on the streets again like nothing ever happened, while his victim is still in the ground.
Yeah well the point is you can't assume what a sentence will actually mean, it depends on the local laws. If this happened in VA, he would be serving at least 8.5 years, the end.
 
If this happened in VA, he would be serving at least 8.5 years, the end.
Imagine this crazy idea though... criminals actually serve the time they were sentenced. 10 years = 10 years. 15 years = 15 years. :eek:

And if people say "well, what's their incentive to be good"... that incentive would be not having their prison sentence extended for breaking further laws in prison, along with punishments for further hostile behavior, like removing luxuries or being bumped to a higher security tier, including up to solitary confinement.
 
Just think though he can still be sued for the lost business/cost. And this situation is not the type of hacking that you get job offers after everything is over this is the type of thing that gets you blackballed from a lot of IT. Chances are this guy will never be able to get a "good" job again.

I think the saddest thing was this shut down the company for a while and they needed a contractor to fix this. I guess that's what they get for not having a systems admin with any skill... It should have been a simple case to roll back the changes made using a backup failing that. System recovery and finding an account with proper admin privileges. It seemed like the only one he changed was all the other IT. It should have been fixable in house unless he did more damage than it said.
 
Good. There are serious penalties for industrial espionage or sabotage. This, being the latter, carries steep consequences.
 
He was sentenced to 10 years, that doesn't mean he will serve 10 years.

If you ever wonder when watching cop shows how the guy they are pulling up has ten assault charges, armed robbery, grand theft auto, etc on their records and yet somehow they are not in jail, is because we release people on parole far in advance of their convicted sentences.

Jails are just too full to keep even 1% of the population behind bars, and these days there are a lot more than 1% of people that are harmful to the 99% of us.

That's all a state by state thing. For example, in Virginia, they have truth in sentencing laws, where you HAVE to serve 85% of your sentence, the end. So in that state he would get 8.5 years minimum, no matter what. In other, he could be walking in 2 years, it all depends.

He was NOT sentenced yet so both of you are arguing incorrectly here (for this story not in general). He has just pleaded guilty last week, sentencing is in June. At that point the judge can sentence him for UP TO 10 years. So until June we don't know if he is getting 1 year, 10 years or between that as nobody has told him what his punishment will be yet.
 
10 years where taxpayers are paying for him and he isn't earning money to pay restitution, let's leave him in there for 15 years. That'll teach him! /s

The guy who lit my god sister on fire with lighter fluid only got 15 years and that was aggravated mayhem and torture. Soooo punishment should probably fit the crime and all that old chaps.
 
Or set up a remote backdoor so you can do it from home at a later date.
Or do something that slowly degrades the network performance, instead of breaking something that's immediately noticeable.
You seem way too experienced at this :barefoot:

On the other hand, this is why you first revoke permissions, then fire someone who has access to key systems.
 
I don't understand this. The actual IT admin/manager should have done what is common practice and even taught on certs such as Security+ (last time I looked at it was 2005 but it was there).

REVOKE PERMISSIONS before you lay off/fire someone.

Seriously. Even IT helpdesk at my current job has access to things such as software repositories, phone systems, remote login, the freaking master IP address list of every device on our 24 campus network, and more. Basically the only thing they do not have access to is the actual network hardware (VDI host systems, switches, routers, storage arrays, etc.).

In short, if one of the helpdesk people or even worse, one of my fellow field techs decided to screw something up, it probably wouldn't cause lasting damage (backups are nifty!). It would, however, be a serious pain for a few days, especially if they were actually fairly intelligent and did something such as put a small script out on a storage server that would log in to VDI at set intervals using a student/admin login, propagate the files out to all the student VDI machines we have using one of our generic logins (we have a login per school as well as for individual students), then run the script using an algorithm for delay. The script would run linpack + bring up several YouTube videos to stream.

End result: CPU usage on all the host servers would skyrocket, network usage would skyrocket, this would cause no one to be able to access anything on the host servers that aren't affected by the CPU virus directly. All work grinds to a halt.

They revert the image back on all the VDI hosts, but our smart helpdesk person had actually placed it there months ago in the normal software repository folder buried in with the CCleaner install files (so he/she has an excuse to go there often enough to reset the timer).

Eventually, they start everything from scratch on the VDI hosts, losing months of work. Unfortunately, since the main file is actually stored on a separate storage folder, it just repropagates, changes the delay, and it happens again a few weeks later. Rinse and repeat. They will end up completely wiping every drive and partition for the whole network and have to completely reset everything back up, since they can't trust the backups.


Hmmm, I think I just figured out how to take down my work's infrastructure. Oops.
 
Imagine this crazy idea though... criminals actually serve the time they were sentenced. 10 years = 10 years. 15 years = 15 years. :eek:

And if people say "well, what's their incentive to be good"... that incentive would be not having their prison sentence extended for breaking further laws in prison, along with punishments for further hostile behavior, like removing luxuries or being bumped to a higher security tier, including up to solitary confinement.
Well hope you feel like paying higher taxes then, prisons don't come cheap. The prison system is happy to get rid of as many as they can, they're overflowing as it is.
 
Well hope you feel like paying higher taxes then, prisons don't come cheap.
There are actually studies that show that as expensive as jailing someone is, typically the cost to society is far cheaper than it is having them running about, putting people in danger, committing crimes, and the high amount of resources required for law enforcement to track them down and finally catch them, and then process them in court again for their next short prison stint. In the end, it would have been far cheaper and safer for everyone to have them complete a reasonable sentence.

One thing I think we can all agree on, is that some states in the past letting murderers go after only 5.5 years and rapists after 3 years was pretty crazy and unnecessary public endangerment and not sufficient deterrent considering the unlikelihood of being caught and even then successfully prosecuted in the first place.

In Houston for example, I would gladly pay more taxes to have double the current police force size, as we have so much unchecked criminality and that itself is expensive and ruins quality of life and creates slums as the affluent people simply move up North and reduce the tax base. Before long, Houston will be the next Detroit.
 
There are actually studies that show that as expensive as jailing someone is, typically the cost to society is far cheaper than it is having them running about, putting people in danger, committing crimes, and the high amount of resources required for law enforcement to track them down and finally catch them, and then process them in court again for their next short prison stint. In the end, it would have been far cheaper and safer for everyone to have them complete a reasonable sentence.

One thing I think we can all agree on, is that some states in the past letting murderers go after only 5.5 years and rapists after 3 years was pretty crazy and unnecessary public endangerment and not sufficient deterrent considering the unlikelihood of being caught and even then successfully prosecuted in the first place.

In Houston for example, I would gladly pay more taxes to have double the current police force size, as we have so much unchecked criminality and that itself is expensive and ruins quality of life and creates slums as the affluent people simply move up North and reduce the tax base. Before long, Houston will be the next Detroit.

Rope and boards are cheap, time to bring back hangings for punishment.
 
Rope and boards are cheap, time to bring back hangings for punishment.

There are countries that hand out punishments like this very easily, might want to visit one for a few months and see how it works out before wishing it anywhere else :p
 
If you were really going to do something like this, you should have a boat with a good supply of rum and an encryption algorithm set to run once you are out of the country. Ransom that shit from an island somewhere.

But seriously fail on many fronts.
 
If a help desk worker has enough access to do something like this, they had it coming.
The term help desk can have very different meaning. Some places refer to all their IT as help desk. Partly because of cost. If you call somebody a system admin you pay them system admin rates. However you call them help desk and give them more responsibility than normal help desk and you can get away with offering less money.

So I wouldn't get too hung up on the job title.

The thread title and the article both state he was a sysadmin. That would be a fair bit higher on the chain than a basic "help desk" guy, I would think.
 
Would have been better off planting a poison pill in the backups and main system that encrypted everything every week or so.
 
What a fool. It probably would have been tough for the company to stop him since he stole usernames\passwords from his colleagues and used those credentials to do the damage. You'd have to have security and password policies beforehand to prevent something like this. Too bad the article doesn't say what he was fired for.
 
On the other hand, this is why you first revoke permissions, then fire someone who has access to key systems.

"Why can't I make these changes? Aww, fuck. I'm getting fired! I can't fuck up the servers, I'm going to go kick my bosses ass and burn the place down! FUCK YOU!!!!!!"

"Oh. The server is down? Ooops. My bad."
 
"Why can't I make these changes? Aww, fuck. I'm getting fired! I can't fuck up the servers, I'm going to go kick my bosses ass and burn the place down! FUCK YOU!!!!!!"

"Oh. The server is down? Ooops. My bad."
Turn off all servers grind everything to a halt because you want to fire a single person?
It's highly unlikely that someone will resort to actual violence and property damage. The chances of that are minuscule compared to them trying to screw things up with their access, especially if they think they can get away with it.
 
Turn off all servers grind everything to a halt because you want to fire a single person?
It's highly unlikely that someone will resort to actual violence and property damage. The chances of that are minuscule compared to them trying to screw things up with their access, especially if they think they can get away with it.

I was just joking about a fictional person overreacting because the server was down and wouldn't let him make changes... :)
 
The article said he did the remote backdoor thing made it look like a printer on the network. He just apparently did it while still in the parking lot.

I do not in his position I would probably just have made things difficult for my replacement. As in any macros or shortcuts or group policy I setup would get wiped any email to or from me would get wiped and as my last step my user account would be wiped. I would probably setup a script to do it so I can just hit run.


Na, the article said he used that account from his workstation at work. Not from the parking lot or remotely.

I'm actually still trying to figure out this part where they say he created a user account disguised as a network printer. It sounds like bullshit or such a poor example of IT practices that ... well it fits all the way around anyway.

First problem I see that he was able to collect passwords from other IT members, which is only really useful for two things. To gain someone else's rights and access, or to hide who did what. So right off the bat, even if they had reasonable separation of duties, they had horrible internal security.

The next problem. Trashing systems and servers is one thing, but if you have good DR in place then it's not supposed to be that hard to recover. Backups and snapshots, these things can work wonders if you get to them right away. Usually the help desk guy doesn't know enough to even know where these things are or how to get rid of them. Even if the guy is more knowledgeable and smart organization keeps backups offsite, buildings do burn down occasionally.

The last big problem, if you are going to fire someone. You lock him out and you don't give him access to anything. Just escort him to the door with a box in his hands.
If you are just letting him go, staffing, downsizing, part of life, let him work out his time if you trust him completely, but if you want to play it safe, lock him out and send him home with two weeks pay and a promise that he'll get a good reference.

Overall, I don't think this can happen unless your IT and security is pretty bad to begin with, or extremely small.
 
I don't understand this. The actual IT admin/manager should have done what is common practice and even taught on certs such as Security+ (last time I looked at it was 2005 but it was there).

REVOKE PERMISSIONS before you lay off/fire someone.

Seriously. Even IT helpdesk at my current job has access to things such as software repositories, phone systems, remote login, the freaking master IP address list of every device on our 24 campus network, and more. Basically the only thing they do not have access to is the actual network hardware (VDI host systems, switches, routers, storage arrays, etc.).

So the Army's Help Desk has access to phones and email and the IT Ticketing system. They take the phone calls and correctly route the tickets to the appropriate teams. The teams have people who accept the tickets and assign the technicians.

No Army help desk guy can get to systems.

And when I worked at NETCOM, I saw a guy fired once, the Military police came in, let the guy pack his shit in a box and escorted him out of the building and for all I know, off the base. That's how they fire people. If they are just letting someone go or losing a contract, it's not that dramatic.
 
There are actually studies that show that as expensive as jailing someone is, typically the cost to society is far cheaper than it is having them running about, putting people in danger, committing crimes, and the high amount of resources required for law enforcement to track them down and finally catch them, and then process them in court again for their next short prison stint. In the end, it would have been far cheaper and safer for everyone to have them complete a reasonable sentence.

One thing I think we can all agree on, is that some states in the past letting murderers go after only 5.5 years and rapists after 3 years was pretty crazy and unnecessary public endangerment and not sufficient deterrent considering the unlikelihood of being caught and even then successfully prosecuted in the first place.

In Houston for example, I would gladly pay more taxes to have double the current police force size, as we have so much unchecked criminality and that itself is expensive and ruins quality of life and creates slums as the affluent people simply move up North and reduce the tax base. Before long, Houston will be the next Detroit.
Oh I was just explaining the rationale for letting prisoners out early. The justice system is strained on pretty much every front, so you can see letting people out early as a way of trying to make a square peg fit in a round hole.

Rope and boards are cheap, time to bring back hangings for punishment.
Actually because of the appeals process for capital cases, it costs more to execute someone than it does to imprison them for the rest of their life.
 
Na, the article said he used that account from his workstation at work. Not from the parking lot or remotely.

I'm actually still trying to figure out this part where they say he created a user account disguised as a network printer. It sounds like bullshit or such a poor example of IT practices that ... well it fits all the way around anyway.

First problem I see that he was able to collect passwords from other IT members, which is only really useful for two things. To gain someone else's rights and access, or to hide who did what. So right off the bat, even if they had reasonable separation of duties, they had horrible internal security.

The next problem. Trashing systems and servers is one thing, but if you have good DR in place then it's not supposed to be that hard to recover. Backups and snapshots, these things can work wonders if you get to them right away. Usually the help desk guy doesn't know enough to even know where these things are or how to get rid of them. Even if the guy is more knowledgeable and smart organization keeps backups offsite, buildings do burn down occasionally.

The last big problem, if you are going to fire someone. You lock him out and you don't give him access to anything. Just escort him to the door with a box in his hands.
If you are just letting him go, staffing, downsizing, part of life, let him work out his time if you trust him completely, but if you want to play it safe, lock him out and send him home with two weeks pay and a promise that he'll get a good reference.

Overall, I don't think this can happen unless your IT and security is pretty bad to begin with, or extremely small.
He was fired and left the building by 10:30 the damage was to the point it crippled the company by 11:30. I imagine around 10:15 he was fired they had him take any personal effects and leave by 10:30. How in the hells was he allowed to sit there edit the group policy to demote all of the admin accounts before fucking the I presume windows server install. All from outside via a "printer" with admin privilege connected to his personal workstation...

So either he was left unsupervised at his desk and he signed in via a second account he had made to do this and he had planned to do this for quite some time as he knew exactly what to do to kill it all and make it so nobody could fix anything...
I would be surprised if this company had backups even though it sounded as though his job would have been to make them.

All in all I would say the lesson to be learned here is be careful how you handle firing your system admin who runs all your shit so you can replace him with an unskilled immigrant who you plan on paying 30% what you have to pay the old admin...
 
He was fired and left the building by 10:30 the damage was to the point it crippled the company by 11:30. I imagine around 10:15 he was fired they had him take any personal effects and leave by 10:30. How in the hells was he allowed to sit there edit the group policy to demote all of the admin accounts before fucking the I presume windows server install. All from outside via a "printer" with admin privilege connected to his personal workstation...

So either he was left unsupervised at his desk and he signed in via a second account he had made to do this and he had planned to do this for quite some time as he knew exactly what to do to kill it all and make it so nobody could fix anything...
I would be surprised if this company had backups even though it sounded as though his job would have been to make them.

All in all I would say the lesson to be learned here is be careful how you handle firing your system admin who runs all your shit so you can replace him with an unskilled immigrant who you plan on paying 30% what you have to pay the old admin...

So he had set up a user account called "Big Dumb Office Ptr", that was assigned to the Domain Admins group.
Log in, launch AD, go to the Admin group, hit the Members tab, remove everyone but the "Big Dumb Office Ptr". 2 minutes max.
RDP into the Domain Controller C:\ RD /S close your window, log off. It will take a little while but in not too much time that DC will stop doing its thing and shit's going to come to a halt. 30 sec max.

But WTF, I mean you are supposed to be able to recover from a complete failure of a DC. If they couldn't do this, they were weak.
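
The detection side of the steps described in the post above, as an added example that is not part of the original thread: it replays group-membership events and flags an unapproved Domain Admins member, a burst of removals by one actor, and the group being reduced to a single account. The record format, roster names, dates and thresholds are constructed assumptions; only the account name comes from the thread, and 4728/4729 are the Windows Security event IDs for a member being added to or removed from a security-enabled global group.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for security-enabled global groups such as
# Domain Admins: 4728 = member added, 4729 = member removed.
MEMBER_ADDED, MEMBER_REMOVED = 4728, 4729

# Constructed sample records (not real logs): time|event_id|actor|group|member
SAMPLE_LOG = """\
2024-03-01T09:00:00|4729|carol.admin|Domain Admins|old.contractor
2024-03-04T10:40:10|4729|Big Dumb Office Ptr|Domain Admins|alice.admin
2024-03-04T10:40:25|4729|Big Dumb Office Ptr|Domain Admins|bob.admin
2024-03-04T10:40:41|4729|Big Dumb Office Ptr|Domain Admins|carol.admin
2024-03-04T10:41:02|4728|Big Dumb Office Ptr|Print Operators|alice.admin
"""

# Hypothetical roster of people approved to hold Domain Admins, and the
# group's actual membership before the events above.
APPROVED_ADMINS = {"alice.admin", "bob.admin", "carol.admin", "old.contractor"}
STARTING_MEMBERS = APPROVED_ADMINS | {"Big Dumb Office Ptr"}


def parse(line):
    """Turn one constructed pipe-delimited record into an event dict."""
    ts, event_id, actor, group, member = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "id": int(event_id),
            "actor": actor, "group": group, "member": member}


def audit_group(events, starting_members, approved, group="Domain Admins",
                window=timedelta(minutes=5), threshold=3):
    """Replay membership events for one group and return a list of alerts."""
    alerts = []

    # Check 1: accounts already holding the privilege that nobody approved.
    for name in sorted(set(starting_members) - set(approved)):
        alerts.append({"kind": "unapproved_member", "account": name})

    members = set(starting_members)
    removals = defaultdict(list)  # actor -> times of removals they performed
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["group"] != group:
            continue
        if ev["id"] == MEMBER_ADDED:
            members.add(ev["member"])
            if ev["member"] not in approved:
                alerts.append({"kind": "unapproved_member",
                               "account": ev["member"]})
        elif ev["id"] == MEMBER_REMOVED:
            members.discard(ev["member"])
            removals[ev["actor"]].append(ev["time"])

    # Check 2: one actor removing `threshold` or more members inside `window`
    # (sliding window over that actor's removal times).
    for actor, times in removals.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"kind": "mass_removal", "account": actor,
                               "at": times[end]})
                break

    # Check 3: the group has been reduced to one account (or none).
    if len(members) <= 1:
        alerts.append({"kind": "admin_lockout",
                       "account": next(iter(members), None)})
    return alerts


def run_sample():
    """Audit the constructed sample log against the hypothetical roster."""
    events = [parse(line) for line in SAMPLE_LOG.splitlines() if line]
    return audit_group(events, STARTING_MEMBERS, APPROVED_ADMINS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The roster check is the one that fires before any damage: it would have flagged the printer-named account while it was still only sitting in the group.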
 
So he had set up a user account called "Big Dumb Office Ptr", that was assigned to the Domain Admins group.
Log in, launch AD, go to the Admin group, hit the Members tab, remove everyone but the "Big Dumb Office Ptr". 2 minutes max.
RDP into the Domain Controller C:\ RD /S close your window, log off. It will take a little while but in not too much time that DC will stop doing its thing and shit's going to come to a halt. 30 sec max.

But WTF, I mean you are supposed to be able to recover from a complete failure of a DC. If they couldn't do this, they were weak.
I know, right? Pop a recovery disk into the server, boot recovery and roll back. Or at worst start loading the latest backup you have access to. All of this is systems administration 101... Honestly I would give the guy a pass. If his replacement can't fix what he did leaving, his replacement has no business taking his job...

Not to mention the whole business relies on 1 network to run. WTF if my network goes down the only thing we lose the ability to do is take credit card payments. We can still do reservations and such.
 
This guy was clearly an amateur looking to strike out and be mean. SO MANY MORE EFFECTIVE WAYS TO BE HARMFUL.

Modify sp_who or sp_who2 to launch a script to update a critical row of data in all connected db servers to a null value and cascade to all other servers. Then after you leave just wait.. someone's going to run it.. revenge complete. Yea you would be a huge ass and If I were your boss I would hire someone with big fists to beat you. But you started it at that point.

Anyway... yea the kid was a dumbass probably did something stupid to get let go in the first place.
 
This guy was clearly an amateur looking to strike out and be mean. SO MANY MORE EFFECTIVE WAYS TO BE HARMFUL.

Modify sp_who or sp_who2 to launch a script to update a critical row of data in all connected db servers to a null value and cascade to all other servers. Then after you leave just wait.. someone's going to run it.. revenge complete. Yea you would be a huge ass and If I were your boss I would hire someone with big fists to beat you. But you started it at that point.

Anyway... yea the kid was a dumbass probably did something stupid to get let go in the first place.

What difference does it make who started it?
 
This guy was clearly an amateur looking to strike out and be mean. SO MANY MORE EFFECTIVE WAYS TO BE HARMFUL.

Modify sp_who or sp_who2 to launch a script to update a critical row of data in all connected db servers to a null value and cascade to all other servers. Then after you leave just wait.. someone's going to run it.. revenge complete. Yea you would be a huge ass and If I were your boss I would hire someone with big fists to beat you. But you started it at that point.

Anyway... yea the kid was a dumbass probably did something stupid to get let go in the first place.
Or in an idea that would not get him prosecuted, have a script set up as his exit strategy; the script would first remove any documents and emails with my name in them, any and all emails I sent or received would be gone, my email account and all information would be deleted. Anything I had partially finished deleted and everything I customized to help me reset to base state.

Basically I would take all my tools and leave.
 
Or in an idea that would not get him prosecuted, have a script set up as his exit strategy; the script would first remove any documents and emails with my name in them, any and all emails I sent or received would be gone, my email account and all information would be deleted. Anything I had partially finished deleted and everything I customized to help me reset to base state.

Basically I would take all my tools and leave.


Sure but it isn't like that shouldn't still be spotted. Perhaps it could go awhile without notice but sooner or later some script he wrote would be noticed as missing and the search would be on.

At some point the boss is going to ask the team to recover the shit from backups and unless the guy is going to try and strip his stuff from the backups as well, it's not gone. It's just out of sight for awhile.

If it were me, I'd simply leave something behind that nobody can get rid of, or at least it's too costly to be worth getting rid of, and isn't worth getting rid of cause it's not really embarrassing or anything damaging.

That way they just have to live with it, the boss will hate it, the guys will love it, and you won't go to jail over it.
 
moral of the story is:

Remove the guy's privileges BEFORE you fire the guy.

We already had a far more serious version of it happen in the past (see Pacific Southwest Airlines 1771).
 
You do something like this and you pretty much will never work in the industry again.
That said, IT employees should find out they are fired, when they are unable to log onto anything at their work. Lock them out, then send them down to HR, or where ever, for their termination.
Not true. In our politically correct, lawsuit-fearing world a great many employees aren't able to be thoroughly vetted because it breaks HR's policy. We are disallowed from looking into the applicant's social media (for instance) at our company's hiring process.
 
Probably was directly in response to the nonsensical short period of time criminals were actually serving a while back in that state.

From the 90s in Virginia:

The prison sentence was really just for the benefit of the public who would hear of a murder, be happy the guy got 50 year sentence, but then not realize that, on average, 5.5 years later he was out on the streets again like nothing ever happened, while his victim is still in the ground.

Rope and boards are cheap, time to bring back hangings for punishment.

Put jails like this in existence in America, and the prisoners themselves will begin to agree that they deserve the punishment:

(one of Russia's toughest prisons)

In (non-Soviet) Russia, prison live INSIDE the prisoner's mind!

Far, far, FAR worse than a mere shanking or beating in an American jail -- spend time in a tough Russian jail, and you, the prisoner, will be BEGGING for the "mercy" of a death penalty!
 
Na, the article said he used that account from his workstation at work. Not from the parking lot or remotely.

I'm actually still trying to figure out this part where they say he created a user account disguised as a network printer. It sounds like bullshit or such a poor example of IT practices that ... well it fits all the way around anyway.

First problem I see that he was able to collect passwords from other IT members, which is only really useful for two things. To gain someone else's rights and access, or to hide who did what. So right off the bat, even if they had reasonable separation of duties, they had horrible internal security.

The next problem. Trashing systems and servers is one thing, but if you have good DR in place then it's not supposed to be that hard to recover. Backups and snapshots, these things can work wonders if you get to them right away. Usually the help desk guy doesn't know enough to even know where these things are or how to get rid of them. Even if the guy is more knowledgeable and smart organization keeps backups offsite, buildings do burn down occasionally.

The last big problem, if you are going to fire someone. You lock him out and you don't give him access to anything. Just escort him to the door with a box in his hands.
If you are just letting him go, staffing, downsizing, part of life, let him work out his time if you trust him completely, but if you want to play it safe, lock him out and send him home with two weeks pay and a promise that he'll get a good reference.

Overall, I don't think this can happen unless your IT and security is pretty bad to begin with, or extremely small.

That really isn't that hard to understand the account. Some printers and devices need an active directory account to pull a list of all users for stuff like scan to email or other features. All my phones can log into AD to pull a list of contacts into the phone for a phone book. So that part really isn't that odd that a device on your network would need a basic account able to log in and do a basic lookup of account names.

As for the list, I thought he just had a list of everyone's account and not actually their password. As for where the attack happened, it actually was from the parking lot. This one might not have made that clear, but a different article worded it a little different for both the list and the attack. When this started to happen they found that in his email he had a list of every account in the system (which is what he pulled and emailed before he actually left the building). He then remotely logged into and started changing passwords and breaking stuff in the order that it was on the list. Although even a lot there makes little sense.

The DR part confused me because if you read the articles they actually say that the damage was so bad that they had to buy a new physical server and reinstall the software. I can't wrap my head around what you could do that would prevent the software from being able to be reinstalled on the old hardware.

He was fired and left the building by 10:30 the damage was to the point it crippled the company by 11:30. I imagine around 10:15 he was fired they had him take any personal effects and leave by 10:30. How in the hells was he allowed to sit there edit the group policy to demote all of the admin accounts before fucking the I presume windows server install. All from outside via a "printer" with admin privilege connected to his personal workstation...

So either he was left unsupervised at his desk and he signed in via a second account he had made to do this and he had planned to do this for quite some time as he knew exactly what to do to kill it all and make it so nobody could fix anything...
I would be surprised if this company had backups even though it sounded as though his job would have been to make them.

All in all I would say the lesson to be learned here is be careful how you handle firing your system admin who runs all your shit so you can replace him with an unskilled immigrant who you plan on paying 30% what you have to pay the old admin...

One article stated that it took them 1 hour to get him out of the building.
 
I don't think anyone would start off with the intent to react to being fired like this, but I can imagine several scenarios that could provoke it.

HR:"So your manager has thrown you under the bus for X and you've been promoted to guest"

Or maybe:
Boss:"So these are our newest employees from Calcutta. Your job is to now teach them your job so they can replace you. They're not very experienced, so we expect you to be available to fix everything when they eventually break it. Also, you're fired once they know your job"
 
Actually because of the appeals process for capital cases, it costs more to execute someone than it does to imprison them for the rest of their life.

That's not a problem with capital punishment, that's a problem with people who are against it, doing everything they can to delay the punishment.
 
That really isn't that hard to understand the account. Some printers and devices need an active directory account to pull a list of all users for stuff like scan to email or other features. All my phones can log into AD to pull a list of contacts into the phone for a phone book. So that part really isn't that odd that a device on your network would need a basic account able to log in and do a basic lookup of account names.

As for the list, I thought he just had a list of everyone's account and not actually their password. As for where the attack happened, it actually was from the parking lot. This one might not have made that clear, but a different article worded it a little different for both the list and the attack. When this started to happen they found that in his email he had a list of every account in the system (which is what he pulled and emailed before he actually left the building). He then remotely logged into and started changing passwords and breaking stuff in the order that it was on the list. Although even a lot there makes little sense.

The DR part confused me because if you read the articles they actually say that the damage was so bad that they had to buy a new physical server and reinstall the software. I can't wrap my head around what you could do that would prevent the software from being able to be reinstalled on the old hardware.



One article stated that it took them 1 hour to get him out of the building.

OK, I'm not used to such things cause classified networks, well we rarely purchase products with such features for security reasons.

But I can see you setting printer settings and assigning the printer a user account. But it's still a user account, it's not a printer device in with all the computers. They are two different classes of AD object, they have different properties, and I have never heard of one being used for the other. Still, you could be entirely correct in what happened, and the people who explained this to the reporter or the reporter himself is just too clueless to write it accurately even after an explanation.

The article that was linked says he collected usernames and passwords.

Also, I don't think these devices are "logging into AD", they are using standard commands that software and devices use to query AD and AD responds to devices that are joined to the domain. They don't log in.
 
Seems like it would have been cheaper to NOT to have fired him....
If he had done nothing to harm the company the company would have saved 10+ an hour off his salary assuming his replacement makes 10 or more less than him...
 