Security Fail: When Trusted IT People Go Bad

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
Your trusted IT guy going rogue is no laughing matter...unless we are talking about this guy. And just to be clear, I didn't start laughing at the list of crap this guy pulled until I got to the porn server part.

You investigate and find that not only is your software illegal, it was sold to you by a company secretly owned and operated by none other than your own IT systems administrator, a trusted employee for seven years. When you start digging into the admin's activities, you find a for-pay porn Web site he's been running on one of your corporate servers. Then you find that he's downloaded 400 customer credit card numbers from your e-commerce server.
 

Tolyngee

Supreme [H]ardness
Joined
Oct 17, 2005
Messages
4,516
"So we know that [what's made public] is only the tip of the iceberg," she says.

NDAs tend to keep people very quiet...

(I didn't even say that, though... ;) )
 

DeathCloud

Gawd
Joined
Jul 21, 2005
Messages
1,004
two rules of thumb

1) Don't piss off people who handle your food

2) Don't piss off people who control your IT shit
 

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
15,261
I was going to say, yeah we know about that here in San Francisco... sure enough bip!
 

PR1975

n00b
Joined
Apr 19, 2005
Messages
56
two rules of thumb

1) Don't piss off people who handle your food

2) Don't piss off people who control your IT shit

I have three rules:

1: Don't piss off people who make your food.

2: Don't piss off people who cut your hair.

3: Don't piss off people who are armed as part of their job.

I may have to add a fourth now...

-P
 

eldertru

Weaksauce
Joined
Nov 12, 2007
Messages
124
I'm sure it's even worse for small businesses. Many of the Small Business owners have no idea how a computer works, nor what a system admin could do if they got mad.

In my community most of the businesses outsource their IT to one company. Definitely a good article to send to some of your friends.
 

Ultima99

Supreme [H]ardness
Joined
Jul 31, 2004
Messages
4,905
Wow the one about the outsourcing cost $7 million. Ouch. I wonder how long it takes to recoup that loss by the savings from outsourcing.
 

dexvx

[H]ard|Gawd
Joined
Aug 14, 2002
Messages
1,273
two rules of thumb

1) Don't piss off people who handle your food

2) Don't piss off people who control your IT shit

How is #2 even relevant in this? He basically defrauded the company and held it hostage.
 

jiminator

[H]F Junkie
Joined
Feb 2, 2007
Messages
11,607
eh, this is nothing new. just now some IT types are getting into a field that was solely owned by criminal accountants and lawyers
 

TechLarry

RIP [H] Brother - June 1, 2022
Joined
Aug 9, 2005
Messages
30,483
Asshats like this make it worse for the rest of us that bust our asses for a living.
 

nutzo

Supreme [H]ardness
Joined
Feb 15, 2004
Messages
7,380
Almost as bad is an incompetent IT person.
I’m still dealing with problems 4 years later due to poor design/planning by the last IT person.

One of the first things I noticed after starting my current job, was that the backup hadn’t run for 5 months due to a failed tape drive. Of course the old IT person said that was not possible, must have just failed last week.

Found one critical server that had the OS on a non-RAID drive.
 

Taco

[H]ard|Gawd
Joined
Nov 2, 2001
Messages
1,465
Most IT workers are smart enough to balance revenge against a ruined career and/or jail time. More damage is done by incompetence and if a single admin has the ability to accidentally destroy a company there is a management issue.
 

Cerulean

[H]F Junkie
Joined
Jul 27, 2006
Messages
9,476
I'm sure it's even worse for small businesses. Many of the Small Business owners have no idea how a computer works, nor what a system admin could do if they got mad.

In my community most of the businesses outsource their IT to one company. Definitely a good article to send to some of your friends.
Previous sysadmin in my position (now in prison) claimed it took him 4-8 hours to do a specific task. Ever since he got sent to prison and I replaced his position, for the same task it has only taken ~30 minutes to do.

I'm working myself out of a job.
 

Seraphical

Limp Gawd
Joined
Jun 28, 2006
Messages
351
Simply disgusting how many people out there with a little power feel entitled to a piece of the pie.
 

ianken

[H]ard|Gawd
Joined
Feb 21, 2006
Messages
1,953
I dunno, I don't have much sympathy for whatever company outsourced "Sally's" job.
 

az_max

Gawd
Joined
Aug 27, 2004
Messages
651
Does anyone else who consults give the company a packet with admin passwords and network topology? I've done it for the 3-4 companies I've set stuff up for. I always create my own account with domain admin or root privileges and provide the company with the admin password sealed in an envelope. I tell them not to open it or use the admin account at their own risk.
 

a little off

[H]ard|Gawd
Joined
Jun 7, 2002
Messages
1,257
two rules of thumb

1) Don't piss off people who handle your food

2) Don't piss off people who control your IT shit

If you follow #2 at all, you are already an idiot.

No one should have total control over your IT network unless they are the sole owner. If my Director tried to set anything even close to being "the one with the keys" type of system, I don't think there would be one of his employees that wouldn't go to HIS boss and point that out, if not quit over it.
 

brom42

2[H]4U
Joined
Mar 1, 2004
Messages
3,980
That's why you have audits from outside companies.

I am 1 of 2 IT people at my work place. I was the one who suggested yearly audits. I do it because having a 3rd party's eyes look over systems really helps keep everything running smoothly.

Sure they have caught some of our "super users" doing things they shouldn't, but they have also caught things like a critical network share not being backed up, or best practices not being followed on something. Like many places we are badly understaffed, so we have to rush through everything and things get forgotten, or that "temporary" setup becomes permanent.

So I always say, "Yes, please audit me!" I want to know what I am fucking up, because no one else at my workplace is going to find it.
 

Ultima99

Supreme [H]ardness
Joined
Jul 31, 2004
Messages
4,905
Does anyone else who consults give the company a packet with admin passwords and network topology? I've done it for the 3-4 companies I've set stuff up for. I always create my own account with domain admin or root privileges and provide the company with the admin password sealed in an envelope. I tell them not to open it or use the admin account at their own risk.

At an architectural firm I do work for I make sure the owner knows passwords but emphasize that he and I are the only ones who should know them, and that he should try to only use them under my direction. Were it up to me I'd also tell him only he can touch anything, even printer toner. One time I got a call that the color laser printer stopped working 2 days after switching it from USB to ethernet so I make a trip in there and all the network settings are jacked up, apparently from a guy replacing the toner cartridge. :rolleyes:

Access to important things needs to be kept to only necessary personnel but oversight is a must.
 

vengence

Level capped
Joined
Nov 7, 2007
Messages
18,471
Can you afford not to do them?

Sure. If your options are go out of business because of the cost of the audit, or make a small profit without auditing, then there's no question you can afford not to. However, if you're a company of reasonable size, then you should be auditing it.
 