Another disgruntled IT worker causing mayhem; remember the guy who destroyed all the medical records?
He got a pretty hefty sentence. Now we have another who has locked everyone out of the new ‘state of the art’ computer network in San Francisco. He’s being held on $5 million bail, so I’d say he’s in big trouble too.
A disgruntled city computer engineer has virtually commandeered San Francisco’s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.
Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.
Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city’s new FiberWAN (Wide Area Network), where records such as officials’ e-mails, city payroll files, confidential law enforcement documents and jail inmates’ bookings are stored.
He was pretty well paid, it seems, and he must have had top-level access to the entire WAN infrastructure, as he has managed to lock everyone out. Thankfully the system is still running and there appears to have been no damage so far, but that doesn’t mean he hasn’t left a backdoor or logic bomb that could wipe out all the records and data.
I think the government and law enforcement need to handle this very carefully.
Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn’t work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.
He was taken into custody Sunday. City officials said late Monday that they had made some headway into cracking his pass codes and regaining access to the system.
Childs has worked for the city for about five years. One official with knowledge of the case said he had been disciplined on the job in recent months for poor performance and that his supervisors had tried to fire him.
“They weren’t able to do it – this was kind of his insurance policy,” said the official, speaking on condition of anonymity because the attempted firing was a personnel matter.
Seems like he was trying to play the get-out-of-jail-free card… I’m not sure it’ll work though. I’d say he’s heading for big trouble, and however secure the configuration is, if they have physical access to the devices it’s only a matter of time before they crack or reset his passwords (even if that means wiping device configs and rebuilding) and regain control of the system.
Then, Mr. Childs, your power play is finished and you are looking at a few years of having your own backdoor cracked…
Source: SFGate
Shall0w says
There’s an interesting take on this story over here:
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html
While he’s definitely in the wrong, if what’s written is true it shows a totally different side to the argument.
Bogwitch says
I’m a little confused by this – there must be more to this story.
It sounds as though he was still working for the SF authority at the time of his arrest, therefore any ‘tampering’ must be related to something outside of his remit. After all, he cannot be accused of tampering with what was his job.
As for the failure to release access details, that’s just stupid. It sounds as though he’ll be out of a job anyway so he might as well release the information. That way, any subsequent wrongful dismissal litigation or counter action would have a greater chance of success. By refusing to disclose the information requested he is portraying himself in a bad light where disclosure would present the ‘nothing to hide’ standpoint, unless he was hiding paedo porn in the config files!
zupakomputer says
Wasn’t something similar in the latter part of the Terminator TV series (esp. after reading the article linked in the first reply).
And yet, in real life again, the City charges ahead to automate everything. It probably includes the traffic lights too, just like in the TV series…good plan! Put all the important required services in such a way that any old terrorist can take them over.
Good thing that Belgium Doesn’t Exist! then managerial types – cause that’s where skynet the website is registered to.
I’m looking forward to when one of these stories comes up – but instead the machines have AI and they also agree with who put them together, and we can watch the idiots building a world that depends upon them get “assimilated into the borg”.
Funny, I seem to remember some conspiracy literature saying exactly the same kind of thing happens when manager-types want secret stargates and time machines built for them too. Quick! get the instructions off who built it so you can use it for evil!
How to leave your HAARP in San FranCisco……..
gmckee says
This is certainly an interesting situation. I believe that the article that Shallow referenced helps to expand on what we know about the situation but it almost sounds like it (the article) was trying to justify Childs
Navin says
$5 mil?? I’m just wondering if he actually complied with the cops the first time they interrogated him, by around how much would his sentence be reduced?
I do understand that perhaps he had a “proper reason” for his actions but I still would want to know. As bogwitch pointed out, he
gmckee says
The $5 Million is actually a bond. A bond is money that a defendant is required to deposit with the court in order to get out of jail while they await trial. Some make the distinction at this point and it is called being out on bail but I
razta says
@gmckee
Very informative post! I do agree that he is innocent until proven guilty, however from what I’ve read I’d say he’s more likely to be guilty.
As for the ultra strong password being stored in a safe, I think this would be a good idea. You, the company owner, would have to be the only person to have access to the safe. Another point is, wouldn’t (Childs) need that password from time to time to take care of the network? If not, and he had a separate admin account on the network, couldn’t he just change/crack the password of the company’s backdoor admin account?
zupakomputer says
For the record I got more that the article wasn’t saying what he did was ok at all – it does state on more than one occasion it’s not trying to do that. It’s saying how common it is for people that set up networks and the like, especially if they are the only one doing so as was the case here (according to the info), to feel personally caring about them – like it is their child. And also that they do not trust non-technical managerial types to know what they are doing when it comes to their having passwords that can alter the network.
It could effectively mean – there’s no point in your setting up security etc, if someone that has never studied or worked in the area then has the ability to alter what you have done; what if something goes wrong thereafter – who gets the blame? Probably the guy that designed it? even if he took what care he could to ensure that nobody changed or altered anything.
It’s no big secret that in every area, especially politics and so forth, there’s always people in charge of things that they have no actual comprehension of. They make decisions based on figures on paper – not actual reality, not how things work for real.
Also I could be being too sharp here – but my initial reaction to reading this bit:
”
grav says
It’s cases like this in which hacking tools come into use. If another case like this occurs and the authorities aren’t able to get back in and he is unwilling to divulge the password, would black hats be hired to get in?
razta says
@grav
I suppose if they didn’t have someone “in the know” already working for them, then yes, they would have to hire outside help, maybe not black hats. I bet there’s loads of InfoSec companies on the phone to them trying to sell their services, big money for the company that gets in.
Navin says
I totally agree with razta
There are loads of security companies (who sometimes employ black hatters) who are generally employed to get the job done. And as razta has pointed out, they charge by the second $$$$!!
gmckee says
Razta, The point I was trying to make with the admin account info locked into a safe was that there would be more than one account with the appropriate access. Useful in case of emergencies but as you rightly pointed out it wouldn
zupakomputer says
Another guy that just showed up and thinks I am another poster here?! looks more to me that ratza thought he was guilty.
I think it’s me you should be directing that at – your issue with the ‘buts’, since it was me who replied about what you wrote about that.
While I do think most anything is 0 or 1, the problem with everything is that you never have the whole picture other than with your own life to be able to fully make that call – 0 or 1. You have to know what people’s real motivations are before you know if they are right or wrong. And that’s one main reason I’d never go into law enforcement or anything of the kind – maybe if I was so super-psychic I knew why anyone really did what they did and how they came to be born on Earth in the first place, then I’d consider it. Some things you know are wrong but those rarely have much to do with any laws; unless it’s your lucky day.
zupakomputer says
sorry about the typo! razta I meant. i honestly got that wrong and wasn’t being one of those c***s that pretends to get something wrong on purpose.
gmckee says
@zupakomputer
Sorry, I saw my last post as a continuation of a thought concerning the article Shallow cited rather than a response to you specifically. Since Razta had asked a direct question I thought I should answer that first and perhaps that is what caused the confusion.
For the most part I don
zupakomputer says
Mea culpa – someone I worked with many years ago (in an IBM offshoot factory, when there used to be computer jobs here) told me the priest would say that phrase as part of mass, and they’d always do the reply as: “me a cowboy, me a cowboy, me a Mexican cowboy”.
Navin says
@ zupakomp
en.wikipedia.org/wiki/Mea_culpa
http://www.phrases.org.uk/meanings/mea-culpa.html
Meaning
I’m to blame. The literal translation from the Latin is ‘through my own fault’. Even those who don’t speak Latin could probably make a guess that this phrase means ‘I am culpable’, or words to that effect.
It originates in the Confiteor (part of the Catholic mass) where sinners acknowledge their failings before God.
me a cowboy??
Morgan Storey says
We see this time and time again. Unfortunately there are people even in infosec who can’t be trusted. The biggest threat, as Schneier said, is IT departments. It is the ultimate insider threat, and they are given major power. I think you will see in years to come IT people in each department, then they simply get assistance on high level tech from the main IT department; sure, this one person could go bad, but all they can do is take down the one department.
This was just a simple network ownage: get in a handful of decent network eng guys and wipe it and rebuild. I think we will soon see some admin really putting the data to ransom: bulk erase the backups or just encrypt them, then encrypt the file and email servers’ file systems, set the encrypted partitions or folders to simply dismount after 24 hours if the admin’s USB key isn’t present in one of the servers.
Then as he is leaving he takes his usb key, goes home and wipes it.
GAME OVER. He doesn’t give them the passphrase or whatever and all hope is lost.
IT managers must realize they can’t put this kind of company destroying power into one persons hands.
Navin says
++1 Morgan
But its sad that even with such stuff happening right round the block, companies still trust their Infosec employees with admin access to the entire dataserver
Why get robbed? Why don’t you just hand over your money to the thugs? thats all i can say
gmckee says
@Navin
What you say is sad but true. What other choice do companies have though?
Companies can take some actions to try to mitigate the risk associated with having an insider turn on the company but there are never any guarantees. At some point you must simply trust the people you have working for you. I guess that is what offended me so much about this situation. It was a complete violation of trust.
zupakomputer says
Yeah I know – I’ve been to a whole heap of Catholic masses in my time, but in this country they weren’t doing Latin masses anymore by the time I was at school. So I was just saying, what this guy I worked with used to do in reply, with his mates, cause ‘mea culpa’ phonetically sounds like ‘me a cowboy’. I don’t know – maybe you have to be Scottish to hear it with that inflection.
The best one for me was being in a Genova cathedral and the priest came out and sang in Italian, “we’re closing” to get people to leave.
Morgan: that would be the sensible way to do it though, have it decentralised like the internet itself. But if it’s not done right, then it’s still open to being poisoned.
Morgan Storey says
@zukakomputer: very true, a chain is only as strong as its weakest link. I guess it would limit damage, but it also limits knowledge, and limits the work that one of these people has to do, which would also limit experience. There is no answer I can think of, short of very granular control and an IT literate upper manager. This is where CIO/CSOs who are IT literate enough to control the admin passwords would be useful; they could simply be very granular in the control they give to one person, and have backup accounts.
It still doesn’t stop my attack vector, the only thing that could do that is the same upper manager monitoring key systems, and they don’t really have time for that.
I don’t know. Maybe having a code of ethics, and or Psych-reviews like the armed services. I myself believe I have a high level of ethics, I have had access to a corporate bank account user/pass that had access to a few million dollars (unlimited transfer too), I did nothing but my job and used these details to setup, test and deploy the system. I then encouraged the user to change their password, and went on about my day. That didn’t stop the jokes from colleagues; “cmon just hit transfer and next week we can both be on a beach in spain drinking margaritas”.
@navin & Darknet: I spoke too soon, I tried to post the above and got the WP error again.
zupakomputer says
But realistically though if you’d transferred that money to yourself they’d have known it was you, and you’d have been easily caught anyway (unless – you happen to be a master of disguise and hold an array of fake passports?! private planes, etc; in which case you wouldn’t have been working a job!).
gmckee says
:) ‘me a cowboy’ I did get it. Perhaps it was my Scottish half speaking to me down the ages. Of course the Irish side was slowing things down a bit…
Navin says
Oh yeah….. morgan’d prolly be surrounded by a battalion of the FBI before he could even collect his passport….but perhaps if he did this from let’s say Yugoslavia and got the cash transferred to some bank account in China using proxies in Nigeria, India, Iran, Turkey, Vietnam, Canada and Venezuela, maybe it’d be some time before the FBI tracked him down…..hmmmm….I got a great idea….honey, pack up your bags!!
Morgan Storey says
@Zukakomputer and Navin: I was doing the work on a Friday before a long weekend, that was the point, we could have hopped a plane Saturday and no one would have known until Tuesday. Fortunately though we don’t have FBI here, only Federal Police. I reckon I could have got away with it, but I couldn’t do that, I think how many people may have lost their job if I had, or the damage done to the consulting firm I was working with at the time.
It was funny to joke about though.
Maybe internal attack vectors will be more subtle in the future, it isn’t that hard to write/buy some custom piece of malware, roll it into an update or into the soe and push it out to the company. Years later it is still sending data your way, and you can use it for what you will. I am sure this is being done, and it is rather hard to defend against.
Navin says
Ya, there was this article I’d read a long time back about how malware was recognised as legitimate Windows updates and got installed on PCs of guys who’d stumbled onto malware infected sites and had automatic Windows updates turned on!! Since that day, my Windows Update (automatic) has been turned off :)
Morgan Storey says
@Navin: I can’t believe there hasn’t been a MITM attack yet with windows update. How hard would it be, as there is no ssl. Simply just redirect the domain, and mirrors, and publish a few security updates malformed via a wsus server or own custom build.
Morgan Storey says
@Darknet: see some spammers get through. Surprisingly few though. COUGH Nagios….
Ahhh irony, the WP spam blocker blocked this message several times.
Navin says
@ morgan hehehehehe (that’s for the last comment)
For the one before that, yeah, it’d be comparably easy to even pair up rootkits with Windows updates and get thousands/millions of users affected. That was what many had expected had happened when one of the MS sites was hacked a few years ago (MS-Europe if I remember right)…but of course that was a hoax.
Morgan Storey says
@Navin: I read an article about a guy who, using the PlayStation 3’s FPU, managed to on the fly inject data into a BitTorrent chunk, using the PS3 to manipulate the packet so that its MD5 would match and therefore the receiver and their software would be none the wiser. This is another similar vector for attack. Imagine downloading the latest copy of some Linux distro, power it up and it installs some unknown binary that phones home and pops open a port.
There is no single solution, security is a process not a product (to quote Schneier).