Security Fail: When Trusted IT People Go Bad

HardOCP News

Your trusted IT guy going rogue is no laughing matter...unless we are talking about this guy. And just to be clear, I didn't start laughing at the list of crap this guy pulled until I got to the porn server part.

You investigate and find that not only is your software illegal, it was sold to you by a company secretly owned and operated by none other than your own IT systems administrator, a trusted employee for seven years. When you start digging into the admin's activities, you find a for-pay porn Web site he's been running on one of your corporate servers. Then you find that he's downloaded 400 customer credit card numbers from your e-commerce server.
 
"So we know that [what's made public] is only the tip of the iceberg," she says.

NDAs tend to keep people very quiet...

(I didn't even say that, though... ;) )
 
two rules of thumb

1) Don't piss off people who handle your food

2) Don't piss off people who control your IT shit
 
I was going to say, yeah we know about that here in San Francisco... sure enough bip!
 
two rules of thumb

1) Don't piss off people who handle your food

2) Don't piss off people who control your IT shit

I have three rules:

1: Don't piss off people who make your food.

2: Don't piss off people who cut your hair.

3: Don't piss off people who are armed as part of their job.

I may have to add a fourth now...

-P
 
I'm sure it's even worse for small businesses. Many of the small business owners have no idea how a computer works, nor what a system admin could do if they got mad.

In my community most of the businesses outsource their IT to one company. Definitely a good article to send to some of your friends.
 
Wow the one about the outsourcing cost $7 million. Ouch. I wonder how long it takes to recoup that loss by the savings from outsourcing.
 
two rules of thumb

1) Don't piss off people who handle your food

2) Don't piss off people who control your IT shit

How is #2 even relevant in this? He basically defrauded the company and held it hostage.
 
Eh, this is nothing new. Just now some IT types are getting into a field that was solely owned by criminal accountants and lawyers.
 
Asshats like this make it worse for the rest of us that bust our asses for a living.
 
Almost as bad is an incompetent IT person.
I'm still dealing with problems 4 years later due to poor design/planning by the last IT person.

One of the first things I noticed after starting my current job, was that the backup hadn’t run for 5 months due to a failed tape drive. Of course the old IT person said that was not possible, must have just failed last week.

Found one critical server that had the OS on a non-raid drive.
 
Most IT workers are smart enough to balance revenge against a ruined career and/or jail time. More damage is done by incompetence and if a single admin has the ability to accidentally destroy a company there is a management issue.
 
I'm sure it's even worse for small businesses. Many of the small business owners have no idea how a computer works, nor what a system admin could do if they got mad.

In my community most of the businesses outsource their IT to one company. Definitely a good article to send to some of your friends.

Previous sysadmin in my position (now in prison) claimed it took him 4-8 hours to do a specific task. Ever since he got sent to prison and I replaced him, the same task has only taken ~30 minutes to do.

I'm working myself out of a job.
 
Simply disgusting how many people out there with a little power feel entitled to a piece of the pie.
 
I dunno, I don't have much sympathy for whatever company outsourced "Sallys" job.
 
Does anyone else who consults give the company a packet with admin passwords and network topology? I've done it for the 3-4 companies I've set stuff up for. I always create my own account with domain admin or root privileges and provide the company with the admin password sealed in an envelope. I tell them not to open it or use the admin account at their own risk.
 
two rules of thumb

1) Don't piss off people who handle your food

2) Don't piss off people who control your IT shit

If you follow #2 at all, you are already an idiot.

No one should have total control over your IT network unless they are the sole owner. If my Director tried to set up anything even close to being "the one with the keys" type of system, I don't think there would be one of his employees that wouldn't go to HIS boss and point that out, if not quit over it.
 
That's why you have audits from outside companies.

I am 1 of 2 IT people at my work place. I was the one who suggested yearly audits. I do it because having a 3rd party's eyes look over systems really helps keep everything running smoothly.

Sure, they have caught some of our "super users" doing things they shouldn't, but they have also caught things like a critical network share not being backed up, or best practices not being followed on something. Like many places we are badly understaffed, so we have to rush through everything and things get forgotten, or that "temporary" setup becomes permanent.

So I always say, "Yes, please audit me!" I want to know what I am fucking up, because no one else at my workplace is going to find it.
 
Does anyone else who consults give the company a packet with admin passwords and network topology? I've done it for the 3-4 companies I've set stuff up for. I always create my own account with domain admin or root privileges and provide the company with the admin password sealed in an envelope. I tell them not to open it or use the admin account at their own risk.

At an architectural firm I do work for I make sure the owner knows passwords but emphasize that he and I are the only ones who should know them, and that he should try to only use them under my direction. Were it up to me I'd also tell him only he can touch anything, even printer toner. One time I got a call that the color laser printer stopped working 2 days after switching it from USB to ethernet, so I made a trip in there and all the network settings were jacked up, apparently from a guy replacing the toner cartridge. :rolleyes:

Access to important things needs to be kept to only necessary personnel but oversight is a must.
 
Can you afford not to do them?

Sure. If your options are go out of business because of the cost of the audit, or make a small profit without auditing, then there's no question you can afford not to. However, if you're a company of reasonable size, then you should be auditing it.
 