When Sysadmins Go Bad

An anonymous reader writes "Here is a story about what can happen when you think you're being oh so clever. This sysadmin planted so-called logic bombs on the systems he was responsible for and then quit. He also tried to game the stock market, buying put options on his former company, hoping to cash in when the disaster he engineered struck. Who can companies trust if they're afraid that this kind of thing can happen? How can they prevent it?"

Sheesh!

[tigress]

Obviously, in the sake of security, you should NEVER provide system administrators with dangerous tools such as root passwords!

Seriously though, security is a very delicate matter which is entirely built on trust.

Ways to improve security is to limit access to only what you actually need to use. In the case of system administrators and the like, it's not quite as easy as they obviously need a high level of access.

One solution would be to have third party audits of the systems, perhaps with read-only access in order to prevent tampering, but even then you need to trust the integrity and skill of the auditors.

Another thing to remember is to have a solid disaster recovery plan, but that's only good AFTER something happens and the person designing and implementing this plan will likely be the person that has the most access.

There's no universal answer to this problem. If I knew of one, I'd be rich as heck from selling it to companies.

Re:Sheesh!

[arivanov]

No comments on the company as it happens to handle the stock options of one of my previous employers...

One comment on the sysadmin - cretinous moron. If he wanted make money on the options he should have been much more subtle. A sudden surge of damage makes everyone go to the backup tape rack. Everything is restored to pristine state in a day or so and the perpetrator is easily caught.

Compared to this slow corruption and small logical errors in the nth sign after the decimal are much harder to pinpoint and deal with. A similar case in germanyt a while ago operated for more then 5 years before negotiating a settlement. He did not even get caught.

Overall - what a greedy cretinous idiot. They should have fired him earlier for stupidity.

Re:Sheesh!

[void*]

Now wait a minute

Examples of good procedures could be. *Systems provide automated roll back.

This isn't a procedure. This is a potential feature of the system itself. When I was a unix admin, I versioned config files, because unix doesn't provide automatic versioning of files, allowing rollback of config changes. However, as the person who set up the versioning system, if I had gone bad I would have been able to sabotage the files under revision control as well. Unless the system itself enforces this (i.e, the system keeps all versions of all files and does not allow an admin to change, in any manner, old versions), this sort of precaution can be bypassed.

*Changes can only be applied through a script that is run by xyz and required GOD access (say knowlage of a password that changes daily)

This, also, sounds good. However, on some Unix systems, at least, there have been issues with setuid scripts related to how the system loads and executes them, allowing race conditions that can lead to root access. Note that the issue I'm talking about is -not- a bug in the script, but rather a side effect of how #! loading is handled by some systems. A large percentage of the Unix S.A.s I know rightly disallow the use of setuid scripts for this reason, and the fact that it's easy to write a script that allows things like /tmp races and other bugs that lead to root access and/or clobbering of files.

*System should be configured to audit any changes that take place.

Again, not a procedure, but a potential feature of the system. If the system doesn't allow this directly, how do you propose to implement it?

*A review process, where by any changes are reviewed by another member of staff

"Hey Dave, I'm sabotaging the system -- Can you review my change for me? Thanks!" - Do you really think someone's going to let a change like that get into the queue for a review process? Are you advocating a line-by-line code/config review of -everything- every single time a change is made, and do you realize how impractical that is, especially if the deployed system is complex or the number of deployed machines is large? Do you understand that it is possible to make a change that cannot be reviewed?

You can do things to attempt to prevent this sort of thing, but you have to understand that there is no procedural solution for this problem -> the best you can do is reduce the odds that someone can do this and not get caught. This is a laudable goal, but, while in pursuit of this goal, the practical limitations need to be kept in sight.

The moral of the story is, it's very easy to post on Slashdot saying 'x, y, and z would have prevented this', with x, y, and z being impractical/impossible to implement, and through some twist of logic, come to a conclusion such as:

the sysadmin was bad the company was useless, I'm not supprised he quit and tried to take the company down.

Re:Sheesh!

[Arandir]

Are you advocating a line-by-line code/config review of -everything- every single time a change is made, and do you realize how impractical that is

Departments do this all the time, with much more complex code. Those departments are collectively called "Software Engineering". It may be impossible to grasp by IT departments, but it is possible, and desired, to review every line of code making its way into the system.

To be fair though, IT has different requirements. When the system is down, you don't have time for a review. But that's no reason not to do a post-fix review.

Re:Sheesh!

[SectoidRandom]

There is one option that far too many companies almost refuse to consider. That is; Treat employee's nice. Yes it's a hard one, and for most companies (and many people) it's easier to rebuild the entire network after every sysadmin change!

Sad but true all too often.

I had a friend who after being with a company for three years was the victim of a whole lot of drummed up charges, it was clear that the real motive was cut backs, I guess HR and many others didnt like the fact that he earned more than all of the rest of the administrators combined. So one day he was escorted out of the building, after which they literally unplugged the network, the whole Australian network (3000+ users) was offline for three days while the rest of the admins rebuilt every server!

Did it do any good? No, of course not. A typical simple minded HR view, after spending probably many thousands of dollars in time (and consultants) rebuilding the network not only was he still able to gain access, but he won a big unfair dismissal payout!

Sounded cruel at the time.

[FTL]

Many years ago one of our staff left at the end of the summer. Our boss said "Thank you very much for working for us ... [pause as the door closed, then turned to a coworker] ... delete his account."

Re:Sounded cruel at the time.

Never ever delete an account before you're damn sure you won't need it (say one to five years after last use, no kidding). Just disable it, backup the home directory and log any access attempts.

You *could*...

[veddermatic]

Have two sysadmins, who work in different areas, and who a la "missle key firing system" both have to approve additions to important code bases.

Obviously, you could get two bad apples and have the same thing happen, but odds are slim.

Problem is, it tough to find ONE good admin, much less two, esp. with tough times for business... having to dole out twice the budget to protect yourself "just in case". Then again, it would double the job market =)

OR mabye CVS everything, and look through all changes an employee made after they quit... then again, the clever get around this, etc.....

*sigh* People just suck sometimes.

Re:You *could*...

[afidel]

You must be a student.
No one who has ever worked in the real world would come up with such a thing! I'm just a lowly tech and I need root on the workstations I work on on a several time per day basis. If every time I wanted to do something I had to track down another person and have them be in the same physical place as me it would be insane. Now think of the sysadmins out there who get paged at 3am when something blows up. Now not only do they have to get up but so does someone else and they both have to believe that the other person will show up. The reality is you screen applicants, make sure you have some kind of regular contact with your employees, and finally have some system for angry people to vent without fear of reprisal. On my team I established an email list for bitching and complaining and made sure that no managers were on the list but also made sure management was aware of the lists existance.

Staff your IT department

When you have reasonable salaries, reasonable work hours, and no one that runs everything.

First of all you'd have less disgruntled employees.

Second, you'd have less disgruntled employees.

Third, you wouldn't need to trust anyone 100%. Most egos of sysadmins wouldn't let them let someone else compromise their system. If you have 2 or more admins 100% responsible for the integrity of a system, and each performing checks on each other, you would reduce the occurences of these types of attacks.

What can be done?

[perfects]

> Who can companies trust if they're afraid that
> this kind of thing can happen?

Nobody.

> How can they prevent it?

They can't.

Employee misbehavior spans an entire spectrum of seriousness, from stealing paper clips to embezzling billions. You can't prevent a determined and dishonest sysadmin from sabotaging a system any more than you can prevent an accountant from diverting funds or an after-hours custodian from taking things off peoples' desks.

There is no panacea, technological or otherwise.

Preventing employee misbehavior has several parallels with Copy Protection. No affordable and practical scheme is bulletproof if the person is determined enough, so the best method is to remove the motivation. The same rules apply to all employees: treat and compensate people fairly and they will be less likely to want to hurt you.

But even that doesn't work in all cases. If your staff is large enough there will always be people who feel that you are mistreating them, or underpaying them, and who will feel compelled to get what is "rightfully theirs" in other ways, large and small. And many people steal/etc. without regard to the harm it causes the company or other employees; their motivation is purely selfish, so it doesn't matter how well they are treated and paid.

So even if you treat and compensate people fairly, and trust everybody you hire, you must monitor people's activity, investigate suspicious behavior, and, when necessary, prosecute wrongdoers to the fullest extent of the law.

I probably sound cynical, but I speak from experience.

Re:What can be done?

[Twylite]

For some reason technical people tend to ignore many years of experience of similar problems in other domains. Quite simply, there are several effective mechanisms for preventing this type of abuse, but very few people which sufficient know-how to implement them.

The business rules for prevention of white collar crime are division of responsibilities, and cross checking (or auditing). The rules do not change just because you are working with computers.

The first thing to realise is that on most "enterprise" operating systems other than standard unix, the system administrator is NOT god. On NT, 2000, Novell and Trusted Solaris (amongst others) there is provision for delegating administrative privlidges and locking out the original administrator in an irrevocable manner. On most other Unix systems you can use "sudo" (or an equivalent) to selectively grant privlidges, and lock down root logon or "su" to the console only. Coupled with dual-key physical access control, this prevents any single person from becoming god ((s)he can't even modify hardware or reinstall because of physical controls). This scenario presumes procedures/rules (never leave just one admin in the room, watch and verify all operations, etc).

Many admins baulk at this idea, but if you're serious about security, there has to be a physical barrier preventing complete power over the system. In the absence of computer systems designed for dual authentication for privledged operations, physical controls (and associated procedures) must be used.

When responsibilities are divided, there needs to be an analysis of which privledges can interoperate, and which should not (because they could cause a security risk). The privledge of clearing log files should be limited to "god" - i.e. physical access to the console, which requires two people. Backups should be encrypted, if possible in such a manner that the key for recovery is split between two people (there is software to handle this sort of thing).

Auditing is also essential. Every so often, external experts should be brought in and allowed to inspect the system, under the supervision of one or more of the administrators. It is likewise important that administrators be forced to take time off (instead of infinitely accuring annual leave) -- this is when fraudulent activity is usually stumbled upon.

Does this offer complete protection? No. It won't work in organisations where there is only one admin (unless another technically savvy person can hold the second key for physical access), and it breaks down when two admins cooperate in the fraud. But it provides a whole lot more protection than the current practices, and in time can be improved (by drawing on other business and accounting practices).

Re:What can be done?

[Lumpy]

BINGO!

you hit it on the head.... A "bad" sysadmin is far less dangerous than your "bad" accountant..

many MANY companies were robbed blind by a bad accountant embezzling money yes you dont hear this sensationalized like this article. it doesnt matter, from the janitor to the CEO EVERY EMPLOYEE has the ability to completely ruin your company.. anyone that is paranoid about it means they know they are screwing their employees and are sure they are disgruntled and TRYING to get back at them.

if you want to reduce the risk of having disgruntled employees screwing your company there are 2 things you need...

1 - Pay them fairly and treat them well. this is the MOST important thing. they will NOT respect you or your company if you don't respect them.

2 - critical parts of your company need redundancy.. if you have 15 computers and 1 sysadmin... HIRE AN ASSISTANT FOR THE SYSADMIN. less sneaky stuff happens when someone has a shadow. same as Accounting... have your books audited by someone else on a regular basis.. wow now is a good time to actually LEARN how to run your business instead of playing golf or having your Mercedes detailed.

99% of all bad things that happen in a business is the managemet's fault. their inattentiveness or apathy coupled with ignorance and sometimes just being a plain old asshole to their employees.

they can never prevent this happen

[z01d]

SysAdmin, as the word says, it's the Administrator of the System.

there's no technical way to restrict their actions, or we should restrict the computer's capacity.

people do bad things for money, that's all, how could we prevent this happen? how could we prevent crime? how could we prevent people shoot each other? these are analog.

it's political or human issue. not technical.

How to avoid this problem

[puppetluva]

Don't keep disgruntled employees or employees that you keep hidden away in a back room and ignore. Management that keeps good relationships with its employees don't have as many problems with this sort of thing.

This means:
1) Help work to keep employees happily employed (not with bribes - with real career paths, personal interest, etc.). If you keep wage-slaves, expect mutiny.
2) Actively replace employees who can't be kept happily employed. Get others who are competent and glad to have the spot (which shouldn't be too hard in this economy). Keeping people around who don't want the position isn't doing them any favors. If no one who would be qualified would also be glad to have the spot, rethink the position.

"Management" should be helping manage situations like this. If this guy had been disgruntled for a long time, it seems to be their fault for keeping him (and keeping him unhappy and ultimately vengeful). Sounds like someone did a bad job at people-management . . . sounds like the type of willfull neglect that is inexcusable but all too common. Many people think that "management" is watching the bottom line -- that is a lazy, oversimplified way of looking at an important job.

Re:Sysadmins?

[Iamthefallen]

yeah, but the difference is, the sysadmin is a criminal, a CEO that's stealing is just unethical...

What can be done?

[Confused]

>> How can they prevent it?

> They can't.

They can at least reduce the chance a lot with redundency.

If you have a team of sys-admins, you have a good chance that the other might catch the bad one before it's too late. And if they feel treated well by the company and don't share the sentiment of the saboteur, the damage is usually contained.

Another policy I've seen in some banks is that all employees have to take 2 continuous weeks paid vacation each year (the rest of the paid vacation time can be distributed at will). This promotes cross-training and redundancy.

Prevention is not all that hard

• Reasonable salaries, benefits, and work hours
  
• If someone is to be canned, you provide reasonable severance pay, and immediately lock them out of everything (including the physical building itself). Give them a month's pay, one week at a time, with the understanding that professional behavior is expected and they are to answer whatever questions might arise during this one month period.
  
• Maintain some level of operational redundancy. Relying 100% on a single sysadmin is asking for trouble. They might be dishonest, or they might die in a car crash.
  

All of this costs money, but think of it as cheap insurance, compared to the cost of rogue sysadmin. Is it worth penny-pinching on salaries and benefits, while maxing out the workload if that results in disgruntled employees who timebomb your systems as they head for a new job?

If you paid the sysadmins $1 million per year, there would be zero theft, zero funny business, and zero turnover. Of course, nobody can do that and stay in business. At some level less than $1 million and higher than fast-food wages, you can retain decent people and discourage malicious tactics. The key to avoiding a technological meltdown is to treat people well enough so that your recruiting process lets you avoid the marginal candidates. Once hired, a properly compensated person should feel as if the "have something to lose", and therefore you can expect such a person to act as a professional. Paying hamburger wages and putting a person in the sysadmin seat would be like staffing a nuclear power plant control room with random selections from the phone book.

This is a very interesting topic, especially right now. We are in a down market, and there is an irresistable temptation for some employers to make lowball offers to currently-unemployed candidates. This allows the employer to cheaply refill vacancies (or exert leverage against current employees). Those employers who are gung-ho about bottom-feeding are setting the stage for big trouble later. Employee turnover is just the tip of the iceberg.