San Francisco Officials Locked Out of Their Own Network

Another disgruntled IT worker causing mayhem. Remember the guy that destroyed all the medical records?

He got a pretty hefty sentence. Now we have another who has locked everyone out of the new ‘state of the art’ computer network in San Francisco – he’s being held on $5 million bail, so I’d say he’s in big trouble too.

A disgruntled city computer engineer has virtually commandeered San Francisco’s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.

Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city’s new FiberWAN (Wide Area Network), where records such as officials’ e-mails, city payroll files, confidential law enforcement documents and jail inmates’ bookings are stored.

He was pretty well paid, it seems, and he must have had top-level access to the entire WAN infrastructure, as he has managed to lock everyone out. Thankfully the system is still running and there appears to have been no damage so far, but that doesn’t mean he doesn’t have some backdoor or logic bomb that can wipe out all the records and data.

I think the Government and the law enforcement guys need to handle this very carefully.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn’t work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.

He was taken into custody Sunday. City officials said late Monday that they had made some headway into cracking his pass codes and regaining access to the system.

Childs has worked for the city for about five years. One official with knowledge of the case said he had been disciplined on the job in recent months for poor performance and that his supervisors had tried to fire him.

“They weren’t able to do it – this was kind of his insurance policy,” said the official, speaking on condition of anonymity because the attempted firing was a personnel matter.

Seems like he was trying to play the get-out-of-jail-free card… I’m not sure it’ll work though. I’d say he’s heading for big trouble… and however secure the configuration is, if they have physical access to the systems it’s only a matter of time before they crack his passwords and regain control.

Then, Mr. Childs, your power play is finished and you are looking at a few years of having your backdoor cracked…

Source: SFGate

Posted in: Legal Issues, Networking Hacking Tools



31 Responses to San Francisco Officials Locked Out of Their Own Network

  1. Shall0w July 21, 2008 at 9:47 am #

    There’s an interesting take on this story over here:

    While he’s definitely in the wrong, if what’s written is true it shows a totally different side to the argument.

  2. Bogwitch July 21, 2008 at 11:43 am #

    I’m a little confused by this – there must be more to this story.

    It sounds as though he was still working for the SF authority at the time of his arrest, therefore any ‘tampering’ must be related to something outside of his remit. After all, he cannot be accused of tampering with what was his job.
    As for the failure to release access details, that’s just stupid. It sounds as though he’ll be out of a job anyway, so he might as well release the information. That way, any subsequent wrongful dismissal litigation or counter action would have a greater chance of success. By refusing to disclose the information requested he is portraying himself in a bad light, where disclosure would present the ‘nothing to hide’ standpoint, unless he was hiding paedo porn in the config files!

  3. zupakomputer July 21, 2008 at 2:49 pm #

    Wasn’t there something similar in the latter part of the Terminator TV series? (Esp. after reading the article linked in the first reply.)

    And yet, in real life again, the City charges ahead to automate everything. It probably includes the traffic lights too, just like in the TV series… good plan! Put all the important required services in, in such a way that any old terrorist can take them over.
    Good thing that Belgium Doesn’t Exist! then managerial types – cause that’s where skynet the website is registered to.

    I’m looking forward to when one of these stories comes up – but instead the machines have AI and they also agree with who put them together, and we can watch the idiots building a world that depends upon them get “assimilated into the Borg”.

    Funny, I seem to remember some conspiracy literature saying exactly the same kind of thing happens when manager-types want secret stargates and time machines built for them too. Quick! Get the instructions off whoever built it so you can use it for evil!

    How to leave your HAARP in San FranCisco……..

  4. gmckee July 21, 2008 at 3:16 pm #

    This is certainly an interesting situation. I believe that the article that Shallow referenced helps to expand on what we know about the situation but it almost sounds like it (the article) was trying to justify Childs

  5. Navin July 22, 2008 at 2:29 pm #

    $5 mil?? I’m just wondering if he actually complied with the cops the first time they interrogated him, by around how much would his sentence be reduced?

    I do understand that perhaps he had a “proper reason” for his actions but I still would want to know. As bogwitch pointed out, he

  6. gmckee July 22, 2008 at 3:52 pm #

    The $5 Million is actually a bond. A bond is money that a defendant is required to deposit with the court in order to get out of jail while they await trial. Some make the distinction at this point and it is called being out on bail but I

  7. razta July 22, 2008 at 7:58 pm #

    Very informative post! I do agree that he is innocent until proven guilty, however from what I’ve read I’d say he’s more likely to be guilty.

    As for the ultra-strong password being stored in a safe, I think this would be a good idea. You, the company owner, would have to be the only person to have access to the safe. Another point is, wouldn’t (Childs) need that password from time to time to take care of the network? If not, and he had a separate admin account on the network, couldn’t he just change/crack the password of the company’s backdoor admin account?

  8. zupakomputer July 22, 2008 at 8:41 pm #

    For the record, I got more that the article wasn’t saying what he did was OK at all – it does state on more than one occasion that it’s not trying to do that. It’s saying how common it is for people that set up networks and the like, especially if they are the only one doing so as was the case here (according to the info), to feel personally caring about them – like it is their child. And also that they do not trust non-technical managerial types to know what they are doing when it comes to their having passwords that can alter the network.

    It could effectively mean – there’s no point in your setting up security etc. if someone that has never studied or worked in the area then has the ability to alter what you have done; what if something goes wrong thereafter – who gets the blame? Probably the guy that designed it? Even if he took what care he could to ensure that nobody changed or altered anything.

    It’s no big secret that in every area, especially politics and so forth, there’s always people in charge of things that they have no actual comprehension of. They make decisions based on figures on paper – not actual reality, not how things work for real.

    Also I could be being too sharp here – but my initial reaction to reading this bit:

  9. grav July 23, 2008 at 1:00 am #

    It’s cases like this in which hacking tools come into use. If another case like this occurs and the authorities aren’t able to get back in and he is unwilling to divulge the password, would black hats be hired to get in?

  10. razta July 23, 2008 at 7:44 am #

    I suppose if they didn’t have someone “in the know” already working for them, then yes, they would have to hire outside help, maybe not black hats. I bet there’s loads of InfoSec companies on the phone to them trying to sell their services, big money for the company that gets in.

  11. Navin July 23, 2008 at 2:44 pm #

    I totally agree wid razta

    There are loads of security companies (who sometimes employ black hatters) who are generally employed to get the job done. And as razta has pointed out, they charge by the second $$$$!!

  12. gmckee July 23, 2008 at 3:48 pm #

    Razta, The point I was trying to make with the admin account info locked into a safe was that there would be more than one account with the appropriate access. Useful in case of emergencies but as you rightly pointed out it wouldn

  13. zupakomputer July 23, 2008 at 6:24 pm #

    Another guy that just showed up and thinks I am another poster here?! looks more to me that ratza thought he was guilty.

    I think it’s me you should be directing that at – your issue with the ‘buts’, since it was me who replied about what you wrote about that.

    While I do think most anything is 0 or 1, the problem with everything is that you never have the whole picture other than with your own life to be able to fully make that call – 0 or 1. You have to know what people’s real motivations are before you know if they are right or wrong. And that’s one main reason I’d never go into law enforcement or anything of the kind – maybe if I was so super-psychic I knew why anyone really did what they did and how they came to be born on Earth in the first place, then I’d consider it. Some things you know are wrong but those rarely have much to do with any laws; unless it’s your lucky day.

  14. zupakomputer July 23, 2008 at 6:35 pm #

    Sorry about the typo! razta I meant. I honestly got that wrong and wasn’t being one of those c***s that pretends to get something wrong on purpose.

  15. gmckee July 23, 2008 at 7:10 pm #

    Sorry, I saw my last post as a continuation of a thought concerning the article Shallow cited rather than a response to you specifically. Since Razta had asked a direct question I thought I should answer that first and perhaps that is what caused the confusion.

    For the most part I don

  16. zupakomputer July 24, 2008 at 2:28 pm #

    Mea culpa – someone I worked with many years ago (in an IBM offshoot factory, when there used to be computer jobs here) told me the priest would say that phrase as part of mass, and they’d always do the reply as: “me a cowboy, me a cowboy, me a Mexican cowboy”.

  17. Navin July 24, 2008 at 4:34 pm #

    @ zupakomp

    I’m to blame. The literal translation from the Latin is ‘through my own fault’. Even those who don’t speak Latin could probably make a guess that this phrase means ‘I am culpable’, or words to that effect.

    It originates in the Confiteor (part of the Catholic mass) where sinners acknowledge their failings before God.

    me a cowboy??

  18. Morgan Storey July 31, 2008 at 2:24 pm #

    We see this time and time again. Unfortunately there are people even in infosec who can’t be trusted. The biggest threat, as Schneier said, is IT departments. It is the ultimate insider threat, and they are given major power. I think you will see in years to come IT people in each department, then they simply get assistance on high-level tech from the main IT department; sure, this one person could go bad, but all they can do is take down the one department.
    This was just a simple network ownage: get in a handful of decent network eng guys and wipe it and rebuild. I think we will soon see some admin really putting the data to ransom, bulk erase the backups or just encrypt them, then encrypt the file and email servers’ file systems, set the encrypted partitions or folders to simply dismount after 24 hours if the admin’s USB key isn’t present in one of the servers.
    Then as he is leaving he takes his USB key, goes home and wipes it.
    GAME OVER. He doesn’t give them the passphrase or whatever and all hope is lost.
    IT managers must realize they can’t put this kind of company-destroying power into one person’s hands.

  19. Navin July 31, 2008 at 3:43 pm #

    ++1 Morgan

    But it’s sad that even with such stuff happening right round the block, companies still trust their infosec employees with admin access to the entire data server.

    Why get robbed? Why don’t you just hand over your money to the thugs? That’s all I can say.

  20. gmckee July 31, 2008 at 4:39 pm #

    What you say is sad but true. What other choice do companies have though?

    Companies can take some actions to try to mitigate the risk associated with having an insider turn on the company, but there are never any guarantees. At some point you must simply trust the people you have working for you. I guess that is what offended me so much about this situation. It was a complete violation of trust.

  21. zupakomputer July 31, 2008 at 5:14 pm #

    Yeah I know – I’ve been to a whole heap of Catholic masses in my time, but in this country they weren’t doing Latin masses anymore by the time I was at school. So I was just saying, what this guy I worked with used to do in reply, with his mates, cause ‘mea culpa’ phonetically sounds like ‘me a cowboy’. I don’t know – maybe you have to be Scottish to hear it with that inflection.

    The best one for me was being in a Genova cathedral and the priest came out and sang in Italian, “we’re closing” to get people to leave.

    Morgan: that would be the sensible way to do it though, have it decentralised like the internet itself. But if it’s not done right, then it’s still open to being poisoned.

  22. Morgan Storey August 1, 2008 at 10:03 am #

    @zukakomputer: very true, a chain is only as strong as its weakest link. I guess it would limit damage, but it also limits knowledge, and limits the work that one of these people has to do, which would also limit experience. There is no answer I can think of, short of very granular control and an IT-literate upper manager. This is where CIO/CSOs who are IT-literate enough to control the admin passwords would be useful; they could simply be very granular in the control they give to one person, and have backup accounts.
    It still doesn’t stop my attack vector; the only thing that could do that is the same upper manager monitoring key systems, and they don’t really have time for that.
    I don’t know. Maybe having a code of ethics, and/or psych reviews like the armed services. I myself believe I have a high level of ethics. I have had access to a corporate bank account user/pass that had access to a few million dollars (unlimited transfer too); I did nothing but my job and used these details to set up, test and deploy the system. I then encouraged the user to change their password, and went on about my day. That didn’t stop the jokes from colleagues: “c’mon, just hit transfer and next week we can both be on a beach in Spain drinking margaritas”.

    @navin & Darknet: I spoke too soon, I tried to post the above and got the WP error again.

  23. zupakomputer August 1, 2008 at 2:02 pm #

    But realistically though, if you’d transferred that money to yourself they’d have known it was you, and you’d have been easily caught anyway (unless – you happen to be a master of disguise and hold an array of fake passports?! Private planes, etc.; in which case you wouldn’t have been working a job!).

  24. gmckee August 1, 2008 at 7:41 pm #

    :) ‘me a cowboy’ I did get it. Perhaps it was my Scottish half speaking to me down the ages. Of course the Irish side was slowing things down a bit…

  25. Navin August 2, 2008 at 10:55 am #

    Oh yeah… Morgan’d probably be surrounded by a battalion of the FBI before he could even collect his passport… but perhaps if he did this from, let’s say, Yugoslavia and got the cash transferred to some bank account in China using proxies in Nigeria, India, Iran, Turkey, Vietnam, Canada and Venezuela, maybe it’d be some time before the FBI tracked him down… hmmmm… I got a great idea… honey, pack up your bags!!

  26. Morgan Storey August 3, 2008 at 1:12 am #

    @Zukakomputer and Navin: I was doing the work on a Friday before a long weekend, that was the point; we could have hopped a plane Saturday and no one would have known until Tuesday. Fortunately though we don’t have the FBI here, only Federal Police. I reckon I could have got away with it, but I couldn’t do that; I think of how many people may have lost their job if I had, or the damage done to the consulting firm I was working with at the time.
    It was funny to joke about though.
    Maybe internal attack vectors will be more subtle in the future; it isn’t that hard to write/buy some custom piece of malware, roll it into an update or into the SOE and push it out to the company. Years later it is still sending data your way, and you can use it for what you will. I am sure this is being done, and it is rather hard to defend against.

  27. Navin August 3, 2008 at 1:25 pm #

    Ya, there was this article I’d read a long time back about how malware was recognised as legitimate Windows updates and got installed on the PCs of guys who’d stumbled onto malware-infected sites and had automatic Windows updates turned on!! Since that day, my Windows Update (automatic) has been turned off :)

  28. Morgan Storey August 4, 2008 at 1:36 am #

    @Navin: I can’t believe there hasn’t been a MITM attack yet with Windows Update. How hard would it be, as there is no SSL? Simply just redirect the domain, and mirrors, and publish a few security updates malformed via a WSUS server or your own custom build.

  29. Morgan Storey August 4, 2008 at 5:44 am #

    @Darknet: see, some spammers get through. Surprisingly few though. COUGH Nagios…
    Ahhh irony, the WP spam blocker blocked this message several times.

  30. Navin August 4, 2008 at 2:09 pm #

    @ morgan hehehehehe (that’s for the last comment)

    For the one before that, yeah, it’d be comparably easy to even pair up rootkits with Windows updates and get thousands/millions of users affected. That was what many had expected had happened when one of the MS sites was hacked a few years ago (MS-Europe if I remember right)… but of course that was a hoax.

  31. Morgan Storey August 6, 2008 at 11:12 am #

    @Navin: I read an article about a guy who, using the PlayStation 3’s FPU, managed to inject data on the fly into a BitTorrent chunk, using the PS3 to manipulate the packet so that its MD5 would match and therefore the receiver and their software would be none the wiser. This is another similar vector for attack. Imagine downloading the latest copy of some Linux distro, powering it up and it installs some unknown binary that phones home and pops open a port.
    There is no single solution; security is a process, not a product (to quote Schneier).