Insider IT Hacker 12


zentastic

IS-IT--Management
Nov 12, 2005
US
I have had some concerns that a young IT employee of mine was gaining access to our servers. We had changed the admin accounts several times over the past few years to see if he can get in.

We had come across a few weird incidences where we think he had gotten in but could never really prove it. All those suspicions came to light just recently. He had gone in and deleted a user account along with all her Exchange mailboxes. The reason for us finding this is because I tried to email her and it bounced back. I looked on my server and the account was completely gone. I asked my network admin and she stated that she never touched the account. That left the junior IT person (who btw doesn't have any admin rights).

We had warned him before that if he would like to gain access he must ask permission from either myself or my network gal. He is studying right now to get into the IT field.

So I confronted him about it and he said he used a password cracking tool to get in. I had no choice but to write him up for his actions. He feels that he did it to help out. Am I wrong to feel this is a bad offense? How illegal is password cracking to gain access to a secure server without permission? Now I am not trusting of him, I'm sure his co-workers won't be also. I'm not sure if he planted backdoor ways into my server, if he has access to my personal accounts, has access to our human resources files, etc. How can I stop this from happening again? What password cracking tools are out there that he could have used?
 
teash said:
Seriously, he didn't ruin anything. Why ruin his life?

Are you willing to take the chance that he won't ruin something in the future? I would not.

He broke the rules (also the law, by the way). He deleted an e-mail account which could have contained information that the company was required to retain. That is a violation of Sarbanes-Oxley right there, as well as potentially a violation of SEC regulations (if this were a publicly traded company).

He's lucky they just fired him, and didn't go see the U. S. Attorney. Federal judges have no sense of humor when it comes to computer fraud. Just ask Kevin Mitnick.

Feles mala! Cur cista non uteris? Stramentum novum in ea posui!

 
Let me tell you how much this post has helped me with the similar problem with my own hacker boy.

Here is my story - and suppose you were in my shoes:

My HB had deleted an employee that was dismissed quite a few years back. The only reason why we kept her profile and computer is because there were many programs and spreadsheets that wouldn't work on a newer XP computer (it is Windows 2000). Anyhoo, my HB deleted the account. I found this out when the person looking at these spreadsheets says he couldn't log into that computer. So I asked my Network Admin and he didn't do it. I call my HB and he said ooopppsss yes I did it. Soorrry!! I asked him how he got in and he skirted the question all the time. I asked him if he had any others he deleted he said no. I at the time was too involved with personal issues with my mother being sick and her eventual death that I just didn't (as per union contract) say this is a verbal warning. I did however ask my network admin to change the password just in case he overheard the password, we left the admin computer up...etc.

Then an issue came up again a couple of months later - this time with a user trying to email our attorney. She kept getting that the user did not exist. Once again I went through my network admin and he said he didn't delete it and so I already knew with the previous incident that it must be my HB. I then emailed him and he once again said oopppss sorry.... and when I asked him how he gained access (since I know he didn't know the password the network admin and I selected) he once again skirted the question. I asked him numerous times how he did it and finally in an email, he wrote "it is very easy to crack passwords".

So I then thought of this as a direct write up. I had written it up and then met with him. I told him I always thought he was bright and that I always can be reached by phone, email, etc....and all he had to do was ask and I would have given him permission to get on the system. He then once again said he was sorry but would like to get mediation and a union steward to come in and not allow this as a write up because he wasn't given a "FORMAL" verbal warning. We went into mediation and he won his case - so all he was given was a slap on the wrist.

I wasn't seeking to fire him nor did I want to write him up in the first place - but the manner in which he went about it, asking him numerous times how he did it and skirting the question really puts me into a distrust of his intentions - even if it were to help out. Why didn't he come straight out in the first place?

Anyhoo, he is still employed here. He is being watched carefully by myself and the network admin. If he were to violate this again, it is to be for his immediate dismissal.

Funny thing about the whole ordeal is that mediation asked him if he knew about the IT Code of Ethics....he said he isn't aware of any code of ethics....I thought - what kind of IT person doesn't know about it!!!
 
Wow - ethics seems to be a huge issue for everyone!

I had thought that it was worse for me in my position, but that appears not to be the case.

I work with prescribing data, and in order for me to perform the kinds of analysis that clients require, I can see the data at a far lower level of accuracy than they would be allowed.

For me, this is constantly on my mind - I have to make sure that my PC is locked at all times it is left unattended. I have to make sure that access to the DB is incredibly well controlled - in fact, it is on another continent!

Generally, no-one else in my office can gain access to it either. My boss has my password and the instructions on how to run some of the reports in case of an emergency, but if I have to leave my password with someone else (when I am on holiday) it gets changed the moment I return to the office.

I can't follow how it is that people don't seem to understand the level of trust required in us for us to do what we do.

If anyone (and I mean anyone - at any level in the company) was found snooping about in *my* data, it would not be a discussion. They would be escorted out, and the contents of their desks packed for them and couriered to them.

The level of trust must be absolute, and has to be maintained, no matter what. If that isn't understood, then we all have a problem.



Fee

The question should be "Is it worth trying to do?" not "Can it be done?"
 
Blah blah blah, regulations, laws, whatever. Seems like some people are a bunch of tools here with no ability to think outside of a set of guidelines established by a 3rd party. The point is nothing was ruined, and the company quickly recovered (outside the 15 minutes a day to monitor this thread).

Of course, something could have happened. So in a manner persistent with the preemptive policy of the people of the world.... we should arrest people for speeding because they could potentially kill somebody!! Speeding is illegal, killing is illegal, so the illegal act to begin with needs to be addressed! Hence, all people who speed need to be arrested for murder.

It's sad that you compare a 3rd rate hacker boy who downloaded a program to Kevin Mitnick, a real computer hacker. Different loaf of bread!

Sorry, I think for myself, so I must not be ethical.


 
I take that back, the user "damber" had a really good post about what hacker boy may have been thinking.... it was well thought about and made no mention of regulations! Just a possible explanation! Alright folks, man the guillotine!!!


 
teash said:
Blah blah blah, regulations, laws, whatever.
Remind me to never work with or purchase from your organization - ever.

Susan
"Opportunity is missed by most people because it is dressed in overalls, and looks like work." - Thomas A. Edison
 
With all due respect teash I think you are rather missing the point..
teash said:
Of course, something could have happened. So in a manner persistent with the preemptive policy of the people of the world.... we should arrest people for speeding because they could potentially kill somebody!! Speeding is illegal, killing is illegal, so the illegal act to begin with needs to be addressed! Hence, all people who speed need to be arrested for murder

So to your way of thinking I shouldn't be prosecuted if I threaten to kill someone, lunge at them with a knife but miss? No harm done after all..

The individual in the situation described by the OP had breached the network before, had been warned yet continued to do it. Regardless of whether or not harm was caused in this specific breach, he showed willingness to ignore specific instructions about access rights and disregard line management.
If I'd have tried that when I worked at the DSS my feet wouldn't have touched the floor on the way out. Even in my current position I wouldn't dream of attempting to crack any password on any machine (be it client or internal) without express permission from my boss. I play with security and hacking measures on my own network and machines if I want to learn, or I clear it with my boss first and use an isolated network.

I've worked in government departments (both local and central), academic institutions, banks and other financial institutions and data services over half of the UK and absolutely none of my previous employers would have regarded this type of behaviour as anything less than 1 step from dismissal for a first offence.


TazUk

Programmer: An organism that turns coffee into software.
Unknown Author
 
Hey Susan, Just a friendly reminder not to ever work with or purchase from my organization! Ever!

Please do yourself this favor. It will protect yourself from all the evil doers out there. Like password crackers!!! Woooahhhhhhhhh! That's scary.

Computer security is a misnomer because computers can never be fully secured. You take the biggest, largest computer corporation out there, we'll go with Micro$soft. Even they get hacked, even they have security flaws. Linux is the same way. So your false sense of protection, is just that.... false.


It's probably why I find it hard to work with "professionals". Because they do no wrong, are all holier than the pope and follow every "suit and tie" regulation. I got my degree in computer science only to find most of my peers to be weenies who are scared to take risks, and obey the man!

If everyone followed regulations, we would still have slavery, women couldn't own anything, women couldn't vote, black folks would be counted as only 3/5's of a person..... shall I go on? I think not.

I am trying my best not to respond to these posts, because my original one just gave my opinion that you don't have to take extreme actions to get your point across. Especially to a "kid" who is just learning. Maybe you should teach the kid to become more respectful.... but you people would rather beat the hell out of him!!! Like a dog!!!





 
I like the "lunge at with a knife and miss" argument. The verbal threat, no, not an offense. However, the lunging knife actually was an attack, and although it missed because the attacker wasn't skilled enough does put a damper on my argument.

Even given the guy has been warned before, firing someone does nothing good. It puts someone out of work, it makes the employer hire/train another. I just imagine you guys picturing a rogue computer hacker wearing black leather and spikes.... when it's another human being. I think we as a society are so quick to punish, but a little slow to help "guide" another fellow human being to the correct path.

Besides, the original poster, never said anything positive about the guy? Does he produce quality work? Does he stay busy? Is he respected by his peers? Is he given the chance to advance, to demonstrate his talents? Or do they just stick him in the back cubicle and give him busy work? Did anyone ask that? I think not..... all the replies came in the form of give me some "gas/petrol and a match" and we'll burn the devil.











 
teash said:
Besides, the original poster, never said anything positive about the guy? Does he produce quality work? Does he stay busy? Is he respected by his peers? Is he given the chance to advance, to demonstrate his talents? Or do they just stick him in the back cubicle and give him busy work? Did anyone ask that? I think not..... all the replies came in the form of give me some "gas/petrol and a match" and we'll burn the devil.

Sorry, but all of his so-called good qualities are not going to help him, because:

zentastic said:
We had warned him before that if he would like to gain access he must ask permission from either myself or my network gal.

And he disregarded that clear warning. You don't let someone like that have access to mission-critical data. He was given a lot more leeway by zentastic than I would have given him. Here, he's gone. Period.


Feles mala! Cur cista non uteris? Stramentum novum in ea posui!

 
teash said:
we should arrest people for speeding because they could potentially kill somebody!!

Let me correct a little misinformation.

Actually, a traffic ticket (in the US, anyway) is an arrest. By signing the ticket, you agree to either pay the fine (i.e., plead guilty), or appear for trial on the date. If you don't appear or pay the fine, the police will arrest you - physically. They have that obligation to protect the public. They are not going to wait until the speeder runs down a pedestrian.

IANAL (but my father was, and I do know something about the law).

Feles mala! Cur cista non uteris? Stramentum novum in ea posui!

 
teash,

While I understand your point of view, I have to strongly disagree with you. You seem to have a different set of ethics than mine.

I feel that a person who intentionally gains access to areas through illegitimate means is potentially highly dangerous, either because of malicious intent or extreme lack of quality judgement. Either way, I would feel the need to protect myself from this person.

In a non-technical metaphor, if I wake up in the middle of the night to find a stranger in my kitchen, I'm calling the police and having him arrested. It doesn't matter if he wanted to make a sandwich, if he wanted to rob me, or if he was simply checking to ensure that I remembered to turn off my stove. I won't take the time to counsel him and explain why what he did was wrong. It doesn't matter that he didn't damage or take anything. I'm calling the cops.

I don't wish ill upon him, I simply feel the need to protect myself from the harm he may cause.
 
Well, most of the time my opinion isn't the popular one and usually no one agrees with me. This is fine! I expect flak!

If the answer was obvious, why did zentastic post the thread? At least zentastic just "wrote the guy up", but after hearing the jury, he went and fired the guy. There is someone who is incompetent. Decides one action, then based on opinions of others changes his course of action. Waffles anyone?

Who knows! But I hope that if I do something wrong, I get a verbal warning, if I do it again, I get a warning in writing, and the third time, perhaps I get the pink slip! Seems like a natural progression to me?

I hope when you angels do wrong, for your sake, your boss decides to go easy on you. But then again, I don't think "doing wrong" is part of the HIPAA regulations, DOC regulations or the GLBA regulations. So you guys should be safe!!

I bet you guys all voted for Bush in '00 and '04! Sounds like a bunch of republican posts!! I tend to generalize and categorize people into different groups, and again I am doing it here! It's my world and I do what I want :)

I'm waiting for my company to go out of business, it's just a matter of time. Within a few months, so there isn't much tech work to do here (hence all the posting). But the owner refuses to give up!

Oh, one more thing. I've never used a password cracking tool, never been arrested, never been written up, verbally warned, or fired! Never hacked a computer! I did illegally connect to someone's wireless router one time. Borrowed their internet while mine was down for a few days!!

Good luck to you suit and tie people. I sometimes wish I wasn't such a rebel! But then I would be like the rest of the people :(

Also forget "teash" because I probably will post in other forums and might need your guys and girls help sometime!! So remember, you never saw me!!!!

Last reply on this thread! Promise!



 
teash,

Dude, lay off the caffeine. You seem a little tense. :)

If a person does something wrong, then they should be dealt with appropriately. In many cases, this might be the verbal warning, written warning, termination route. In other cases, more extreme measures are justified.

I've done things wrong. I've been written up. However, I've never been fired. Then again, I've also never cracked passwords.

If I go to the fridge and eat a coworker's sandwich, I would expect a verbal warning (and maybe a butt-kicking from the coworker). If I walk into the office and take a chainsaw to my boss's desk, I'm not going to expect a verbal warning and have everything return to normal. At a minimum, I would expect to be fired. Hacking passwords to gain access to protected areas of a system is a severe offense and deserves more than a slap on the wrist.

As far as the politics go, I'm very liberal and tend to vote Democrat, but good job with the broad stereotyping. ;-)

Also, I do wear suits and ties on rare formal occasions, but for personal preference I'm a jeans and T-Shirt (especially with funny sayings) kind of guy.

I won't forget you, nor will I hold our difference of opinion against you. I can disagree with a person and still respect them. I would also expect the same treatment in return (and have no reason to believe I wouldn't receive it).

Finally, yes, my opinion of how to deal with the hacker is harsh, but I consider it to be a serious offense. You favor giving a lighter punishment because you view it as a minor offense. I believe the difference of opinion has more to do with the severity of what happened and very little to do with what should be done about it.

For instance, I think you would agree that if the offense was serious (such as he was threatening to kill his coworkers), it would be grounds for dismissal. Also, I agree that if the offense were minor (such as forgetting to put a cover page on a TPS report) a verbal warning would be appropriate. We simply disagree on the severity of this incident.

Even though I disagree with you, I applaud your courage in defending your point of view. I look forward to politely disagreeing in the future!
 
Teash said:
Well, most of the time my opinion isn't the popular one and usually no one agrees with me.
Surprise, surprise, surprise! Teash, an "opinion" to be taken seriously requires a modicum of reason and intellect. There is good reason that "usually no one agrees with" you. We have our reputations, self-respect, and the respect from others to think about.

Teash said:
Last reply on this thread! Promise!
Frankly, Teash, I am positive that you will be much happier elsewhere since your perception of "ethics" is clearly nowhere in the same universe as reality.

Teash said:
I'm waiting for my company to go out of business, it's just a matter of time. Within a few months, so there isn't much tech work to do here (hence all the posting).
Is there any wonder that your employer is going out of business? Do you bear any culpability? If your employer hired you and anyone else with your "ethics", then closing the doors there is a foregone conclusion.

Teash said:
I don't think "doing wrong" is part of the HIPAA regulations, DOC regulations or the GLBA regulations.
Such a statement speaks volumes about you.

Teash said:
I bet you guys all voted for Bush in '00 and '04! Sounds like a bunch of republican posts!! It's my world and I do what I want :)
"Your world" is one that absolutely needs therapy. The very legislation in the U.S. that turns the lack of ethics (that you seem to advocate) into prosecutable offenses is named after Senator Paul Sarbanes (D-MD), co-author of the Sarbanes-Oxley Act. Senator Sarbanes would take great offense at your lumping him in with Republicans and implying that Republicans have some monopoly on ethics.


Your implication that "suit-and-tie Republicans" are the only people that would waste their time on (IT) ethics and that any free-thinking, right-thinking Democrat would scoff at the ludicrous concept of expecting ethics in IT and business, is an egregious slam to anyone of the Democrat-party persuasion that reads your unbelievable statements here.

(I'm still trying to figure out how anyone could have wasted their time hitting the button labelled "Thank Teash for his valuable post!")

My words here may sound harsh and intolerant of your insipid drivel, but no one reading this thread must ever confuse your confusion with acceptable behaviour in our industry.

Once your current company finally gives up the ghost, and you start looking elsewhere for work, if you have even a shred of what you call "ethics", then one of the important components of any job interview in which you participate must be that you disclose to the interviewer the feelings that you shared, above...Good luck in your search for a Democrat employer that shares your beliefs.

Mufasa
(aka Dave of Sandy, Utah, USA)
[I provide low-cost, remote Database Administration services: www.dasages.com]
 
Amazing. Simply amazing. Frankly, I'm at such a loss over the total ignorance of the last few posts (and you guys know that I usually speak no ill will....)

Just an FYI, in Illinois, 30 MPH over the posted speed limit is a FELONY. I had a local (Minnesota) police officer say once "That's not right..." I said "What's not right? 85 in a 55? How about 55 in a 35, where kids are playing?"

It's not a question of admins being "holier than thou". It's a question of *ethics*. And as far as HIPAA, DOC, and GLBA Regulations (which I am *very* versed with all three... and refer to regularly), "doing wrong" is very defined.

If I were not to take action on PHI (Personal Health Information) being "hacked", we would lose our license. Plain and simple.



Just my 2¢

"What the captain doesn't realize is that we've secretly exchanged his dilithium crystals for new Folger's Crystals." -- My Sister
--Greg
 
I have to wonder if teash is the OP's hackerboy on his day off.

No, probably not. Unfortunately, miscreants such as HackerBoy, who think they are the greatest thing since the invention of the transistor, have given rise to an entire sub-industry of IT. They give all of us professionals a bad name. I wish the law were set up so that such people could never again work in our field.

If anybody thinks that's not fair, well, neither are layoffs in IT. I had to go back to school to learn new skills when I lost my job in 1990; so can they. Sell used cars. Run for Congress (heck, we have an impeached federal judge serving there now).
[/rant]

Feles mala! Cur cista non uteris? Stramentum novum in ea posui!

 
I think the amusing point is that he was awarded a star, for what I can only assume were threads composed simply to bait people :)


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
This is not a case of admins sitting on an Ivory Tower and passing down judgement on an action that they themselves are not brave enough to do. This is not an action where a technician thought outside the box and merely found another way to complete an outstanding task.

The easiest problem is that the so-called HB deleted an email account. In most companies that is not done, or there is a process for archiving emails before account deletion in order to be compliant with legal requirements in their industry or country. These policies are laid out as part of the guidelines for an IT department and company, and violation of that policy is worth a verbal or written warning when it occurs.

But that is not the issue at hand. The issue at hand is that a member of the IT department used a password cracking tool to gain administrative access to the system. The fact that they were able to gain access is not the issue, but the method they used is. The moment you sit down in front of a computer and decide to crack a password, you are making an ethical choice to violate security on that system or network. There are a few situations where this is warranted, but breaching security for so small a matter as to remove an email account when there are other people responsible for that system is not one of those situations. This was not an accidental action, just a poorly chosen, unethical one.

My level of access at my company is high enough that I could very easily view the private documents of any member of our executive team if I were curious about how the company was doing. Without breaching any security, I could read through those documents, or emails between executives, or payroll information. I do not do this because I have no reason to. If I am asked to delete an email account, I pass that on to one of the administrators. Not only do I not know the policies as well as they do, but they are the ones that are ultimately responsible for it being done the right way.


IT members must have a high level of ethics as part of their job. It is not a simple matter of simply following the Acceptable Use policy, or whatever equivalent our various companies have. We must have an understanding of what our jobs require, what information we are and are not allowed to access, and the proper way to interact with the systems, based on both legal policies and business policies. Deciding to knowingly act outside those guidelines on multiple occasions, regardless of the level of skill or quality of work you have done, is a violation of your position and all the reason that is needed to find a new employee that will work under those guidelines.


While I have additional commentary to make on Teash's posts, I believe it was well enough summed up by Dave and Greg.


 
I don't even think it's a question of ethics.
It's a matter of common sense and following rules.

The company pay your wages and ultimately put a roof over your head and food in your kids' mouths.
The company set the rules.
You play by the rules whether you agree with them or not, or you go find another company with rules that suit you.
At the end of the day, the company has the luxury of setting the rules for their own game.



<honk>*:O)</honk>

Earl & Thompson Marketing - Marketing Agency Services in Gloucestershire
 