
Insider IT Hacker 12

Status
Not open for further replies.

zentastic

IS-IT--Management
Nov 12, 2005
10
US
I have had some concerns that a young IT employee of mine was gaining access to our servers. We had changed the admin accounts several times over the past few years to see if he can get in.

We had come across a few weird incidents where we think he had gotten in but could never really prove it. All those suspicions came to light just recently. He had gone in and deleted a user account along with all her exchange mailboxes. The reason for us finding this is because I tried to email her and it bounced back. I looked on my server and the account was completely gone. I asked my network admin and she stated that she never touched the account. That left the junior IT person (who btw doesn't have any admin rights).

We had warned him before that if he would like to gain access he must ask permission from either myself or my network gal. He is studying right now to get into the IT field.

So I confronted him about it and he said he used a password cracking tool to get in. I had no choice but to write him up for his actions. He feels that he did it to help out. Am I wrong to feel this is a bad offense? How illegal is password cracking to gain access to a secure server without permission? Now I am not trusting of him, I'm sure his co-workers won't be also. I'm not sure if he planted backdoor ways into my server, if he has access to my personal accounts, has access to our human resources files, etc. How can I stop this from happening again? What password cracking tools are out there that he could have used?
 
Folks,

By nailing HB while he's still young, he might just learn from his experience and become older and wiser. In the end, this is the ultimate kindness and service to HB.

I recall some events from my youth which make me cringe now, but fortunately some folk (who I loathed at the time) but now respect and admire for their actions, had the good grace to discipline me appropriately. This is commonly called a learning experience, which HB obviously needs.

It is not kind to children to let them run riot.

Regards

T

Grinding away at things Oracular
 
Greg-

Can I take that one? And I won't call you a faker, unless you try to pass yourself off as a good speller ;-)

Sorry to cause such an uproar, especially because on some level I agree with all of you. I just would like to know the whole story before passing judgement on someone. I am sure zentastic did know the whole story, and that he didn't take the decision lightly (the fact that he sought the advice of others proves that).


<sarcasm>
<cowering>
please don't get me fired scary anonymous burger-flipping truck drivers
</cowering>
</sarcasm>




It's a magical time of year in Philadelphia. Eagles training camp marks the end of another brutal season of complaining about the Phillies.
 
The whole story would be interesting, but is not necessary.

The facts of the matter are that even if "his superiors superiors asked him to do it" the appropriate action would not be to bring in a password cracker and hack an administrative account to delete a user's account.

The appropriate action in these circumstances is to talk to the person responsible for deleting user accounts. If they do not have time and are willing to give you access, then you may delete the user's account. If they are willing to do it themselves, then it still gets done.

Only under the circumstances of system recovery from either malicious ex-IT people, virii, hacker or as part of a coordinated systems security test should password crackers be used.
Systems changes should not be done unless either a) the person doing the changes is responsible for the system, or b) the person doing the change has permission (either instance-based or general) from the person who admins the system.
And worst of all:
Inexperienced technicians should not be working on systems they have been told not to work on. In the case of user accounts, we have policies and procedures for what must be done before a user account can be deleted. Certain files and information must be retained for a period of time, certain records must be made of their account usage, etc. Some of this by legal mandate, some as ISO requirements (depending on who is being removed).

I fully agree with the comments above concerning his immediate dismissal. The first attempt and warning should have been all that was necessary to keep this person from doing what he did. No matter how good his intentions, he violated company policies, the trust of his peers and management, and put himself in the position to possibly make gross errors on the company's behalf. The end does not justify the means, no matter how well intentioned that end is.

-T

 
AlexCuse:

It's all yours. It's better than those confusing Philly tags. <ROFL>



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg
 

Chuckle, I wonder what HackerBoy was thinking...

...Ambitious young man, fresh from school - trying to impress his peers in his first position out of school (where he hung out with mates, played doom, and learnt about all the cool gadgets on the internet).
...Watches Swordfish, Hackers, AntiTrust and a few other choice films before getting into hardcore "24" (all 5 series) during his holidays and dreams of being the tech guy everyone looks up to.
...Goes into work, tries to do some of the clever stuff but gets told to let the pro's do it.. feels disheartened - tries to do it anyway, gets caught and the passwords are changed.. bugger.
...Chatting with the 'pros'/'gurus' at work he learns about all the cool stories they can tell about hacking and pwning everything.. cool! Damn. No stories of his own worth telling. :eek:(
...He gets asked by a senior user (director) to remove an account - and to do it now, even though no-one else is around. He says yes but realises he's not allowed and no-one is around to help.. not to worry, all his life has led up to this point.. he can finally shine by applying the knowledge he's learnt and the tools he can find - crack the password, make the change and he'll have braggin rights for eternity with all of his colleagues! woohoo!
...Damn. Got caught again.
...Boss asks for advice on forum.
...Damn. Fired.
...Boss gets more advice. Now renamed "HackerBoy". All company correspondence now uses this as his name.
...More advice. Now abbreviated to "HB". Files for a name change, as mandated by the company's lawyer and Tek-Tip masses
...Advisors admit to being burger flippin' truck drivers.. Damn. Swears a lifelong ambition to take revenge.

-----

On the face of the statement made by the OP, one could read into it that this guy "HackerBoy" is a real deviant, not worth trusting and had plenty of warning.

But in reality, he may work in an environment where most of his peers act in a way that makes him feel that 'scoring points' is cool. He may also not have been told in any clarity what the issue was in his first verbal warning. He may have been under undue pressure to make something happen without the availability of instant support.. who knows. It could have been a number of things that led to him using that kind of approach to impress/help.

It could also have been the tip of the iceberg of what he was really doing on company property. Which is the issue most have taken up here.. and in a world like ours, who can blame us ?

Would I have fired HackerBoy (or anyone else for that matter) for 'cracking' into a server with malicious intent, or without any remote professional reason (or permission)? Yes, Of Course.

Do we really have all the facts that would help us make that decision ? No. There could have been many reasons leading up to his choice of approach, that may dampen the act itself - there are plenty of ethical reasons to hack a password - and even more 'misguided' ones. Doesn't mean he is public enemy #1.

My point, is that the act of hacking without ethical cause in a company is punishable by expulsion, and potential prosecution. But has all reasonable doubt been removed from the argument that his act was, although very very misguided and 'stupid', actually innocent in intent ?

A similar story...
Some years ago I had a consultant who worked for me. He would always come in very early (6:30am) and leave a little earlier (3:30pm). Fine. I had assigned him to research some tools and such to propose a solution for one of my projects. I get a couple of annoyed comments from others in my team that he seems to be surfing the net a lot. I chat to him, and warn him that wasting time is not acceptable - he apologises and states it's mostly to do with the research. A week later my manager comes to me with a fistful of paper, and says that a system admin has provided her with a list of sites that registered on my account, including: Porn Sites, Hacking Sites, Gaming Sites and lots of Proxies (obviously to get around the security of our internet access). Confused I perused the list and noted several dates when I was out of the country (at that time our remote dial-in didn't permit internet access)... but I had given our new consultant access to the internet using my account whilst his access was set-up. The times also tallied with his early mornings. He was immediately brought in for questioning - he didn't deny anything once presented with the evidence, so he was escorted to his desk to collect his items, and then escorted to the exit. And all access in that area was changed. Unbelievable.


We are right to offer our advice around these type of questions.. but it should always come with at least one health warning: "As we don't have all the facts about your situation, this advice may not completely apply in your case and should be taken in context of your post". The kid likely got a good sense check on his behaviour... but what if the company had pushed for prosecution.. some dumb kid loses his job and gets a police record for what was probably a well intended, but highly misguided action.. that he's never likely going to do again.

We've all done things that were damn stupid when we were young.. and learnt from them....if you haven't, you probably aren't as 'experienced' as you might think you are.

Hopefully this has helped him, and early enough in his career/life not to seriously affect his future adversely.

A smile is worth a thousand kind words. So smile, it's easy! :)
 
At the end of the story, if things had been different.

Suppose HB had been given the freedom to stay and play his games unnoticed, and a major disaster happened?

Probably HB would have lost his job anyway, together with his superior zentastic as accountable for the IT structure.

Steven
 
I'm still deeply worried by the attitude that the full story is not necessary.

Every dispute has two sides, and only the most naive referee would make a decision before taking account of both. Yes, it's highly likely this chap's committed a very serious offence, but I'm not prepared to condemn him on one person's word, with no material evidence.

I'd point out that zentastic has posted 3 threads in tek-tips, two of which have been requesting justification for taking action against an underling. There's obviously a serious problem going on between him/her and the underling; quite possibly it IS all the underling's fault. But I'm not sure it's helpful to charge in like a bull in a china shop and come up with instant solutions to something that may go considerably deeper.
 
but I'm not prepared to condemn him on one person's word, with no material evidence.
Are you on the discipline committee of zentastic's company?

If you are, you should have access to all material evidence pertinent to the situation.

If you are not, you are not condemning anyone -- all you're doing is positing your opinion on a hypothetical ethical question.

You could be right. Maybe zentastic has it out for HackerBoy. Maybe HackerBoy dated zentastic's sister and 5 years ago broke her heart when he dumped her and zentastic has been waiting, plotting his revenge against HackerBoy. Maybe zentastic is some kind of psychotic who picked HackerBoy at random out of a crowd at a football game and decided for kicks to ruin his life. Maybe the ruin of HackerBoy's life is the necessary first step of zentastic's inevitable plan toward world domination and had we only counselled zentastic to keep HackerBoy on-staff we wouldn't have to worry about our grandchildren and all their contemporaries being the slaves of his grandchildren, bwa-ha-ha-ha-ha.

We can theorize and imagine all we want. But in the end we can only opine about ethical quandaries that are posted here as they are posted here, not make any real-world decisions.



Want the best answers? Ask the best questions! TANSTAAFL!
 
Based on the information provided to us here, which, admittedly, may be incomplete, HackerBoy committed a dischargeable offense (and, if the company in question is publicly held, and in the USA, also exposed his company to liability under Sarbanes-Oxley). I don't have a problem with the responses given to the OP. HackerBoy learned an expensive lesson.

Feles mala! Cur cista non uteris? Stramentum novum in ea posui!

 
OK, OK, point taken; I just hope that no one who IS on the chap's disciplinary committee (including perhaps zentastic) is influenced in any way by our uninformed opinions (and you're right: my opinion is certainly no better founded than anyone else's here).

Which raises the question of what possible good we're doing arguing about it. Sorry, people. I didn't mean to turn this into an issue.
 
Here's a couple of points....

1) Had zentastic's superiors given HB a directive to remove the account "in any way possible", then the superiors would have also come to HB's aid when Zentastic requested HB's last cheque.

2) Zentastic's company should have "due process" in place for employee redirection; and it sounds like it was, since HB had already been warned for the offense once.

3) Zentastic's original post was a scenario asked of other IT professionals, most likely to validate his *own* gut instincts about what should be done in a situation like this. I know that I like to get a "reality check" before making decisions like that; I have gone so far as to go up to our HR person and say "I need a reality check; here's what happened, and here's how I feel I should respond... does that seem in order to you?"

4) Even if there were *not* written policies in place regarding the hacking of passwords, I think that everyone here would agree that it is an "unwritten" code of ethics for anyone in the IT field.

5) Nobody should ever take terminating one's position in a half-hearted matter (see other posts I've made on this subject; I'm just too lazy to cross-reference them right now.) What you are saying when you have to fire someone is "I am now eliminating your source of income; you must now go out and find other income immediately before potentially losing your home, car, and even family." Those decisions *never ever* come easy. My job is more than a job; it's my vitality. I am fully aware that like a majority of Americans, I'm 2 missed paychecks away from being homeless.

While I understand, and agree that, most stories have two sides, there are some situations or acts that there *is* no justification for. There is nothing that I saw in Zentastic's posts about being "asked by senior management"... it was stated "he feels he did it to help out". Well, help out with WHAT? Evidently this wasn't anything that Zentastic knew about, or he wouldn't have tried to e-mail the non-existent account. The reality of the situation is that HB compromised a system without permission, regardless of intent. Furthermore, it seems that HB didn't have the knowledge of what he was doing if he *was* trying to "help out", because he deleted the wrong account anyway!

On the topic of "being asked" (which I still have yet to find... maybe I'm missing it...) if I were in that situation, and senior management (it would have to be someone OVER the system administrator's head) came to me and said "I need this account deleted RIGHT NOW!", my response would have to be "I don't have access. The only way that I could do that is if I hacked the admin password... I will need a *directive* from you stating that you want me to hack the admin password to perform this task." I have, in the past, said things like that to my boss. "Boss, I don't agree... but if you are giving me a directive to do this, it will be done. Is this, in fact, a directive?" (Yes, I have used those exact words.) If that was the case, and HB was given a superior's *directive*, then HB would not have been fired, and this wouldn't have even come to light, because Zentastic (who for whatever reason was out of touch, no cell phone, no pager, no home phone; fairly unlikely for a sysadmin, IMHO) would have been addressed as soon as he returned to work by the superior.

Additionally, (I should have been a lawyer... I'm enjoying the HECK out of this!)... HB then did not disclose his actions to Zentastic; instead it was "discovered". If HB had been given a directive, I would have tried my best to get a hold of MY supervisor, or at the very *LEAST* sent an e-mail saying "I was given a directive to remove an account immediately; I was unable to get a hold of you; I had to hack the admin password; please meet with me ASAP so we can go over the details, and change the Admin password."

Nope. I stand by it. The "other side" of the story is irrelevant in this case. HB knowingly, and without a directive from his superiors, compromised the computer system by using hacking tools to override the administrative password, then proceeded to delete an active user's account. Additionally, HB neglected to report this to his supervisor (Zentastic) in a timely manner, causing additional security risk to the company.



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg
 
Greg,

My story was a hypothetical parody, aiming to point out what *could* have been, and not me postulating that this is what did happen in this case. That's the point of most legal systems.. exclude all reasonable doubt before labelling someone guilty... and the story is very viable - I've seen it happen before (not necessarily with people cracking passwords, but similar scenarios). As people have pointed out, and yourself included, there isn't a full story here, with plenty of gaps where we have 'assumed' things, intentionally or not.

As I said, it is likely I personally would have made the same decision - in fact I did for something similar. The act itself (regardless of intent) warrants a serious action, such as was taken.

I'm just not comfortable with taking a leap of faith judgement on someone's future like that, and offering the gatekeeper of that person's future advice that is exclusively dismissive of what might be the truth. I would have advised that this is likely to be a dismissible offence, but that there are actions that need to be taken to ensure all reasonable doubt has been removed - and added a health warning to what I say - I've no way of knowing enough about the situation to give a hard cold answer either way.

So, although the destinations are the same, I would say that the difference in journey is critical to being a fair and trustworthy leader, that ensures compliance not only with legal standards, union standards (if relevant) and governing bodies, but also with moral standards we all like to see in our favour if in a similar position.

Think any hack attempt is clear cut illegal ?
Think again...
This guy is stupid, but was found to be innocent, there are plenty more 'grey area' issues out there - not having all the necessary facts before you make a decision is like building an application without asking the users what they want.

But as I said, I can totally understand the 'fire him' responses - we live in a world where this kind of thing destroys our trust and community integrity.

A smile is worth a thousand kind words. So smile, it's easy! :)
 
Hi all,

This proved to be quite a discussion. One that is quite ironic that this just happened to me. Like I stated above, my company is unionized (if that's a word) so there are very strict rules before we fire anyone. I call it the 5 strikes you're out....Coaching and Counseling, Formal Verbal, written, then dismissal without pay, then of course termination. Where do you draw the line? The problem with where I work is that these standards are for our social workers and not to IT personnel.

I wrote up my IT guy directly. I don't think this is an offense that requires any coaching and counseling or formal verbal. IT JUST SHOULDN'T BE DONE!! No company union or not should condone this behavior...no matter if it is "just to help out". He's LUCKY I gave him a WRITTEN WARNING instead of shown the door. We are contracted by the state and I'm sure if they learned of this, they would ask for immediate removal of this employee.

I too am aware and am too kind hearted to show the person the door. That's the opportunity I gave him. I am giving him a stronger warning - than just a verbal - only by giving him a written sends out the clear message (I feel). So unlike zentastic, I am following our union rules. I know that any other company would have immediately terminated him. My junior IT guy has to understand that.

As far as getting the junior IT guy's side of the story....it's a moot point! No matter what, as others stated, he brought in software to crack passwords, he broke into the system admin's account, he did this without upper administration approval (even if he did - like they said, they would have blocked his firing), and he has deleted a user account without permission. At my company, he deleted an ATTORNEY's account with all his cases emails!!







 
Think any hack attempt is clear cut illegal ?
Don't confuse illegal with insubordinate.

HackerBoy is eligible for termination because he was insubordinate -- he disobeyed a legal order from a superior. It is only a secondary or tertiary consideration that the insubordinate act itself was potentially illegal.




Want the best answers? Ask the best questions! TANSTAAFL!
 
Wow, this is turning out to be quite a thread. Lionhill did point out HB's side of the story (where is it?) vs. Zentastic's side.

All it really boils down to though is that this forum is all based on opinions of facts. Hacking is against most Computer Use Policies and can result in termination of employment, as we all know. Plus if the company has lost extremely critical data that results in the company losing a significant amount, then legally the company could go after HB. That also results in their name being published in the media and can add embarrassment to company ("That company hired an IT person that hacked into the company? Shame on them!").

Who knows though...maybe Zentastic is really working for the government and is checking up on us to see what we would do (WWTTITD?)
 
Don't confuse illegal with insubordinate.

I'm not, I'm stating that proving someone guilty is not always black and white - even when shown damning 'evidence' - if it was that easy there would be a computer with a database instead of a judge and jury.

No-one is questioning that HackerBoy is in the wrong based on the facts presented - but with the absence of information and some leading statements, what is being questioned is the certainty by which we deliver our 'verdicts' and the way in which we deliver our advice - especially about the actions to take.

Who knows though...maybe Zentastic is really working for the government and is checking up on us to see what we would do (WWTTITD?)

You never know... maybe this is part of their Cyber Storm project: ;-)

A smile is worth a thousand kind words. So smile, it's easy! :)
 
LadySlinger said:
...WWTTITD...
Is this an SLA that I didn't know about?

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
[I can provide you with low-cost, remote Database Administration services: see our website and contact me via www.dasages.com]
 
WDITOT? IMNHRTGATTTTM.

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
[I can provide you with low-cost, remote Database Administration services: see our website and contact me via www.dasages.com]
 