Insider IT Hacker 12

[zentastic]

I have had some concerns that a young IT employee of mine was gaining access to our servers. We had changed the admin accounts several times over the past few years to see if he can get in.

We had come across a few weird incidences where we think he gotten in but could never really prove it. All those suspicions came to light just recently. He had gone in and deleted a user account along with all her exchange mailboxes. The reason for us finding this is because I tried to email her and it bounced back. I looked on my server and the account was completely gone. I asked my network admin and she stated that she never touched the account. That left the junior IT person (who btw doesn't have any admin rights).

We had warned him before that if he would like to gain access he must ask permission from either myself or my network gal. He is studying right now to get into the IT field.

So I confronted him about it and he said he used a password cracking tool to get in. I had no choice but to write him up for his actions. He feels that he did it to help out. Am I wrong to feel this is a bad offense? How illegal is password cracking to gain access to a secure server without permission? Now I am not trusting of him, I'm sure his co-workers won't be also. I'm not sure if he planted backdoor ways into my server, if he has access to my personal accounts, has access to our human resources files, etc. How can I stop this from happening again? What password cracking tools are out there that he could have used?

 

[SantaMufasa]

Write him up? Geez, escort him out!!! Be sure to backup everything first. Then while you are escorting him out, assure him that if anything subsequently happens to your system or its accounts, that you will spare no expense in prosecuting him to the full extent of both criminal and civil law. Assure him that if such occurs that he will never work in IT again if you have anything to say about it.

Mufasa
(aka Dave of Sandy, Utah, USA)
[I can provide you with low-cost, remote Database Administration services: see our website and contact me via www.dasages.com]

 

[mattKnight]

An IT staff member using unauthorised software to gain unauthorised access to any system is (or should be) a dismissable offence. If he has (or you honestly suspect he has) placed backdoor accounts or accesses to you servers, then he is dangerous. You need to involve the network admin and your HR dept

It is an issue of trust, sys admins have access, ultimately to all areas. The business needs to trust the sysadmins to not inappropriately access these areas.

It appears that the IT junior has broken that trust, even while trying to be helpful. It is evident thaty you don't trust him, but consider the possibility that somehow you have prejudged the issue?

Take Care

Matt
If at first you don't succeed, skydiving is not for you.

 

[mattKnight]

As ever, santamufasa is quicker (and more succinct) to the submit button...

Take Care

Matt
If at first you don't succeed, skydiving is not for you.

 

[Grenage]

As already mentioned by Dave and Matt; if you cannot trust them, don't employ them. You can't trust people who crack your network and delete user accounts!

As for prevention, if someone has local access to the servers then there is not a lot you can do. If that someone gains administrator rights on the network for any amount of time, then there is nothing you can do.

At the end of the day you can't protect the network from administrators, so you simply do not employ I.T staff you cannot trust. Period.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

 

[biglebowski]

IT staff have to be trusted as they often have access to secure or sensitive data, what this guy has done is a blatant case of gross misconduct. I would immediately fire him and warn him that what he has done could result in him being prosecuted under the computer misuse act

http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

You will never be able to trust this member of staff again and he will be the first point of suspicion for any future incidents.

When I was born I was so suprised I didn't talk for 18 months

 

[CajunCenturion]

I think you need to act quickly and decisively; do exactly what SantaMufasa suggests: escort him out. Now.

This is not a gray area and if anything, you cannot afford NOT to take that action because of the precedent you would set.

--------------
Good Luck
To get the most from your Tek-Tips experience, please read FAQ181-2886
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein

 

[LadySlinger]

Agreed with SantaMufasa...Fire the guy. Explain to him that if he attempts to hack into your network again that you will be willing to prosecute him. Hacking is a Federal Offense in the U.S.

Then after firing him, I would hire a security audit to come in and find the loopholes of your network. Perhaps even disable the Administrator account and put a new Admin in its place (like superduperuser)

Breaking in and cracking the admin password is the same as breaking into someones house without a key. Plus he did damage to the network (deleting someone email account). Same idea as him going in to your house and breaking <insert something valuable in your house>. That's just plain stupid of him to ruin his career like that.

 

[edfair]

You might want to have him meet with you and a lawyer in conference to explain exactly what he has potentially created for himself, both employment and legal issues.
But definitely gone.

Ed Fair
Give the wrong symptoms, get the wrong solutions.

 

[sleipnir214]

I agree completely with SantaMufasa. I would like to add one clarification.

When I say, "Escort him out", I mean that you:[ol][li]Gather a medium-sized box, a roll of duct tape, yourself and several people from management. All of you go to his office or workarea without warning.[/li][li]Once in his workarea, tell him to stand up and step away from all computers. If he has a workstation in his workarea, log him off immediately and disable his login.[/li][li]While under the watchful eye of yourself of your company's management, allow him to pack his personal belongings in the box you brought along, but only so much stuff that the box can still be sealed. Seal the box with the duct tape. If he has more stuff than will fit in the box, tell him you or someone from management will pack up the rest of it and ship it to him. Via USPS Bulk-rate mail.[/li][li]Ensuring that he speaks to no other employee of the company or gets within arm's reach of a keyboard, all of you escort him to HR to ourprocess the company.[/li][li]Once he has outprocessed, ensuring that he speaks to no other employee of the company or gets within arm's reach of a keyboard, All of you escort him out of the building.[/li][li]As soon as he is out the door, change all admin password(s) and delete any logins with unusual permissions.[/li][li]Apply LadySlinger's advice about the security audit.[/li][/ol]

Do this immediately. This person cannot be trusted with your company's sensitive and important data.



Want the best answers? Ask the best questions! TANSTAAFL!

 

[jrbarnett]

To add to sleipnir214's advice I'd also ensure that
any access electronic cards for the buildings, company ID cards, keys for offices or server rooms etc he may have had are returned, and add changing the codes on door combination locks to which he would have known to the list of things to do.

John

 

[thegirlofsteel]

Wow...this sounds to close to what has happened to me just this last week. Same thing except the Junior I.T. guy deleted an Attorney's account!! OUCH!!! I see exactly what you're going through. I had to write up my guy too but we have certain protocols to go through since we are a Union shop.

I would like to know the same answers as zentastic. What tools can I use to deter this and also detect it?

 

[SantaMufasa]

we have certain protocols to go through since we are a Union shop

...And I presume that while you are going through the prescribed protocols, should the perpetrator wreck any additional havoc, that the Union will cover all damages and liability that you suffer, correct?



Mufasa
(aka Dave of Sandy, Utah, USA)
[I can provide you with low-cost, remote Database Administration services: see our website and contact me via www.dasages.com]

 

[Stella740pl]

...And I presume that while you are going through the prescribed protocols, should the perpetrator wreck any additional havoc, that the Union will cover all damages and liability that you suffer, correct?

Yeah, right. It just sounds funny. In real life, it might cause you even more damages, if it finds that you fired a Union member without following due protocols, and, if it is so, may force you to take the person back - or to follow some more protocols, and file a lawsuit, etc., etc.

 

[gbaughma]

We had warned him before that if he would like to gain access he must ask permission ....

Well, there you go.

He's been warned, and:

1) He accessed administrator accounts without permission
2) He brought in software (namely password hacking software) without permission.
3) He installed/used said hacking software without permission.
4) He disabled/deleted an active account without authorization, potentially destroying user data.
5) It was not an "accident"

He is in violation of your MIS/IT policies on several counts (or should be, if not, you gotta look at those).

I don't see how he could maintain that he was "helping out" by deleting someone's mailbox and account; I know that I would lose a *lot* of information if someone deleted my mailbox.

At the *VERY* least (if you're not going to walk him out of the building), he should have the "thin ice" speech; if he is still on a probationary startup period, get rid of him. That's what the startup period (we call it "gap" or "Getting Acquainted Period") is for.

If you end up giving him the "Thin Ice" speech, it should go something like this: (this is the way I would handle it anyway, if I wasn't allowed to fire him, but I had to give the speech)

"Your actions recently were absolutely unacceptable. You have #1: Violated company policy by bringing in unauthorized software, #2: Violated company policy by gaining access to administrator accounts without permission, #3: Cost the company time and money by deleting user data, and #4: Withdrawn every penny of emotional trust in *every* person in the building. Any one of these is a 'CLM', or 'Career Limiting Move'. From this point forward, you are to... (and name them off, one at a time, the expectations). Failure to meet these expectations will result in your *immediate* termination. If you feel at this point you are unable to follow those expectations, then you may find other employment. Am I making myself *perfectly* clear on this matter?"

Maybe I'm sounding hard-nosed... but I had to give a similar speech when an assistant of mine was using *MY* desktop computer to surf porn..... I was *SO* not happy.



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg

http://parallel.tzo.com

 

[flapeyre]

Make certain no electronic media of any kind leaves the premises with him until it has been looked at. It might contain sensitive data that he could use.

I don't know if he has remote access capability from his home PC, because that is another sticky wicket. He may have company information at home that her is not entitled to see.

Feles mala! Cur cista non uteris? Stramentum novum in ea posui!

 

[LadySlinger]

What tools can I use to deter this and also detect it?

Personally I keep a window open of everything going in and out of our fire wall. Granted I am one person at my place of business and can't do watch this everyday, so I'll go through at the end of the week and check logs. I'll find out what type of activities are going on through my firewall.

 

[zentastic]

Thank you all for the advise. I have taken them all and have already called for his last check from corporate.

 

[sleipnir214]

Keep in mind that if you decide to run off this clown, you must not give him warning. If he's willing to crack passwords on his own network, he's capable of leaving at least one "present" behind on the network.



Want the best answers? Ask the best questions! TANSTAAFL!

 

[lionelhill]

Has anyone considered the possibility that he might be silly and inexperienced rather than evil?

We have no background here on why he deleted someone's e-mail account. There's a gnomic statement that he thought it was helpful, so presumably someone (the user?) asked him to do it. The internet is awash with dodgy tools for all sorts of jobs, so it may not have occurred to him that password cracking is a dubious activity. In his mind, it might fall in the same category as using one of the many disk-copying tools to copy a protected disk.

We also have a huge leap from unauthorised 'help' attempts to deliberate "planting a back door", which is a completely different kettle of fish. Is there any evidence for a back door, or is this a suspicion?

We also have other vague unproveable suspicions, which quite possibly cloud the present situation. And we have a frank admission from the culprit that he did it, which is curious behaviour. Why not just deny everything?

Before condemning someone, it'd be useful to hear their side of the story.