When Sysadmins Go Bad

An anonymous reader writes "Here is a story about what can happen when you think you're being oh so clever. This sysadmin planted so-called logic bombs on the systems he was responsible for and then quit. He also tried to game the stock market, buying put options on his former company, hoping to cash in when the disaster he engineered struck. Who can companies trust if they're afraid that this kind of thing can happen? How can they prevent it?"

Sheesh!

[tigress]

Obviously, in the sake of security, you should NEVER provide system administrators with dangerous tools such as root passwords!

Seriously though, security is a very delicate matter which is entirely built on trust.

Ways to improve security is to limit access to only what you actually need to use. In the case of system administrators and the like, it's not quite as easy as they obviously need a high level of access.

One solution would be to have third party audits of the systems, perhaps with read-only access in order to prevent tampering, but even then you need to trust the integrity and skill of the auditors.

Another thing to remember is to have a solid disaster recovery plan, but that's only good AFTER something happens and the person designing and implementing this plan will likely be the person that has the most access.

There's no universal answer to this problem. If I knew of one, I'd be rich as heck from selling it to companies.

Re:Sheesh!

[arivanov]

No comments on the company as it happens to handle the stock options of one of my previous employers...

One comment on the sysadmin - cretinous moron. If he wanted make money on the options he should have been much more subtle. A sudden surge of damage makes everyone go to the backup tape rack. Everything is restored to pristine state in a day or so and the perpetrator is easily caught.

Compared to this slow corruption and small logical errors in the nth sign after the decimal are much harder to pinpoint and deal with. A similar case in germanyt a while ago operated for more then 5 years before negotiating a settlement. He did not even get caught.

Overall - what a greedy cretinous idiot. They should have fired him earlier for stupidity.

Re:Sheesh!

[void*]

Now wait a minute

Examples of good procedures could be. *Systems provide automated roll back.

This isn't a procedure. This is a potential feature of the system itself. When I was a unix admin, I versioned config files, because unix doesn't provide automatic versioning of files, allowing rollback of config changes. However, as the person who set up the versioning system, if I had gone bad I would have been able to sabotage the files under revision control as well. Unless the system itself enforces this (i.e, the system keeps all versions of all files and does not allow an admin to change, in any manner, old versions), this sort of precaution can be bypassed.

*Changes can only be applied through a script that is run by xyz and required GOD access (say knowlage of a password that changes daily)

This, also, sounds good. However, on some Unix systems, at least, there have been issues with setuid scripts related to how the system loads and executes them, allowing race conditions that can lead to root access. Note that the issue I'm talking about is -not- a bug in the script, but rather a side effect of how #! loading is handled by some systems. A large percentage of the Unix S.A.s I know rightly disallow the use of setuid scripts for this reason, and the fact that it's easy to write a script that allows things like /tmp races and other bugs that lead to root access and/or clobbering of files.

*System should be configured to audit any changes that take place.

Again, not a procedure, but a potential feature of the system. If the system doesn't allow this directly, how do you propose to implement it?

*A review process, where by any changes are reviewed by another member of staff

"Hey Dave, I'm sabotaging the system -- Can you review my change for me? Thanks!" - Do you really think someone's going to let a change like that get into the queue for a review process? Are you advocating a line-by-line code/config review of -everything- every single time a change is made, and do you realize how impractical that is, especially if the deployed system is complex or the number of deployed machines is large? Do you understand that it is possible to make a change that cannot be reviewed?

You can do things to attempt to prevent this sort of thing, but you have to understand that there is no procedural solution for this problem -> the best you can do is reduce the odds that someone can do this and not get caught. This is a laudable goal, but, while in pursuit of this goal, the practical limitations need to be kept in sight.

The moral of the story is, it's very easy to post on Slashdot saying 'x, y, and z would have prevented this', with x, y, and z being impractical/impossible to implement, and through some twist of logic, come to a conclusion such as:

the sysadmin was bad the company was useless, I'm not supprised he quit and tried to take the company down.

Re:Sheesh!

[SectoidRandom]

There is one option that far too many companies almost refuse to consider. That is; Treat employee's nice. Yes it's a hard one, and for most companies (and many people) it's easier to rebuild the entire network after every sysadmin change!

Sad but true all too often.

I had a friend who after being with a company for three years was the victim of a whole lot of drummed up charges, it was clear that the real motive was cut backs, I guess HR and many others didnt like the fact that he earned more than all of the rest of the administrators combined. So one day he was escorted out of the building, after which they literally unplugged the network, the whole Australian network (3000+ users) was offline for three days while the rest of the admins rebuilt every server!

Did it do any good? No, of course not. A typical simple minded HR view, after spending probably many thousands of dollars in time (and consultants) rebuilding the network not only was he still able to gain access, but he won a big unfair dismissal payout!

Sounded cruel at the time.

[FTL]

Many years ago one of our staff left at the end of the summer. Our boss said "Thank you very much for working for us ... [pause as the door closed, then turned to a coworker] ... delete his account."

Re:Sounded cruel at the time.

Never ever delete an account before you're damn sure you won't need it (say one to five years after last use, no kidding). Just disable it, backup the home directory and log any access attempts.

Re:Sounded cruel at the time.

[ergo98]

How is that cruel? That is absolutely, completely normal administration, and anything less is gross negligence. Indeed, it should be common practice to reset any administrative password that a former employee might have had, and any coworkers password that they may have known: It has nothing to do with trust of mistrust, and even if it was the Pope who just left your employ that is standard protocol.

Re:Sounded cruel at the time.

[$rtbl_this]

Gets my vote. I saw this blow up at my current workplace when a former IT drone's account was deleted (not suspended) as soon as she left the building, without anyone realising it was used as the service account for many things, including the backup server. It took many hours to track down all the things it was used for and to furnish them with saner accounts. I think this probably counts as an accidental logic bomb.

The really sad part of this is tale that it took over a fortnight for anyone to notice in the first place. Weep.

(I'm not part of the local IT department, so I'm blameless with respect to this particular fuck-up. I commit enough fuck-ups of my own without claiming responsibility for anyone else's!)

Re:Sounded cruel at the time.

Never ever delete an account before you're damn sure you won't need it (say one to five years after last use, no kidding). Just disable it, backup the home directory and log any access attempts.

Please, please, please take his advice!
I would be extremely disappointed if my cron jobs that sabotage the company did not run after I left!

Re:Sounded cruel at the time.

[Courageous]

At my place of work, if you are given a termination notice, you continue to be paid for a month, and have access to your office and electronic accounts the entire time. You aren't expected to conduct company work during this time. Instead, you have free use of your office to hunt for another job.

C//

Staff your IT department

When you have reasonable salaries, reasonable work hours, and no one that runs everything.

First of all you'd have less disgruntled employees.

Second, you'd have less disgruntled employees.

Third, you wouldn't need to trust anyone 100%. Most egos of sysadmins wouldn't let them let someone else compromise their system. If you have 2 or more admins 100% responsible for the integrity of a system, and each performing checks on each other, you would reduce the occurences of these types of attacks.

Damn

[Sandman1971]

I was disappointed to find that this was an article, and not a new show on Fox.

What can be done?

[perfects]

> Who can companies trust if they're afraid that
> this kind of thing can happen?

Nobody.

> How can they prevent it?

They can't.

Employee misbehavior spans an entire spectrum of seriousness, from stealing paper clips to embezzling billions. You can't prevent a determined and dishonest sysadmin from sabotaging a system any more than you can prevent an accountant from diverting funds or an after-hours custodian from taking things off peoples' desks.

There is no panacea, technological or otherwise.

Preventing employee misbehavior has several parallels with Copy Protection. No affordable and practical scheme is bulletproof if the person is determined enough, so the best method is to remove the motivation. The same rules apply to all employees: treat and compensate people fairly and they will be less likely to want to hurt you.

But even that doesn't work in all cases. If your staff is large enough there will always be people who feel that you are mistreating them, or underpaying them, and who will feel compelled to get what is "rightfully theirs" in other ways, large and small. And many people steal/etc. without regard to the harm it causes the company or other employees; their motivation is purely selfish, so it doesn't matter how well they are treated and paid.

So even if you treat and compensate people fairly, and trust everybody you hire, you must monitor people's activity, investigate suspicious behavior, and, when necessary, prosecute wrongdoers to the fullest extent of the law.

I probably sound cynical, but I speak from experience.

similar story

[KirkH]

Something similar happened to my Dad's business about 15 years ago. Back then, they just trusted the employees. For some reason I can't recall, they decided to fire the sysadmin that was running their billing systems and gave him a months notice. During that month, they let him take time off from work to interview at other places and were generally pretty nice about the whole thing.

A couple weeks after he left, the system started crashing and losing data. Apparently he used a rather well-known bomb because the company they used for support was able to dial in and found it rather quickly. He was charged, arrested, tried, and found guilty. It was a big deal because the state (South Carolina) had just passed some really though computer crime laws at the time, and the Attorney General wanted a "test case" for the law.

My Dad and his partner's requested that the guy not get any jail time since he had a wife and some kids, but he got major probation and a huge fine (something like $60,000, which was a lot back then). Plus he now has a felony charge on his record. Last I heard, he had gotten out of the computer biz and was working in a family business.

Anyway, the short lesson is: if you're a company firing someone with privileges, pay them the two weeks or whatever but don't let them back on site. And if you're the guy getting sacked, don't try to get revenge through sabotage; it's just not worth it.

As an aside: every place I've worked had a policy that whenever someone was fired they were led to their desk with a cardboard box, then escorted out of the building that very moment.

A novel way to pay for retirement...

[constantnormal]

... pull a stupid crime and spend the rest of your life in a state-funded institution.

Configuration Control

[Detritus]

For critical systems, nothing gets changed without an approved change request. All changes must be examined, tested and approved by someone other than the programmer. You can also have a separate group to maintain the source libraries and to do builds.

they can never prevent this happen

[z01d]

SysAdmin, as the word says, it's the Administrator of the System.

there's no technical way to restrict their actions, or we should restrict the computer's capacity.

people do bad things for money, that's all, how could we prevent this happen? how could we prevent crime? how could we prevent people shoot each other? these are analog.

it's political or human issue. not technical.

How to avoid this problem

[puppetluva]

Don't keep disgruntled employees or employees that you keep hidden away in a back room and ignore. Management that keeps good relationships with its employees don't have as many problems with this sort of thing.

This means:
1) Help work to keep employees happily employed (not with bribes - with real career paths, personal interest, etc.). If you keep wage-slaves, expect mutiny.
2) Actively replace employees who can't be kept happily employed. Get others who are competent and glad to have the spot (which shouldn't be too hard in this economy). Keeping people around who don't want the position isn't doing them any favors. If no one who would be qualified would also be glad to have the spot, rethink the position.

"Management" should be helping manage situations like this. If this guy had been disgruntled for a long time, it seems to be their fault for keeping him (and keeping him unhappy and ultimately vengeful). Sounds like someone did a bad job at people-management . . . sounds like the type of willfull neglect that is inexcusable but all too common. Many people think that "management" is watching the bottom line -- that is a lazy, oversimplified way of looking at an important job.

Sysadmins?

[Titusdot+Groan]

Luckily it's only sysadmins that do stuff like this and not traders, accountants or the CEO!

C'mon -- this is really small potatoes ...

Re:Sysadmins?

[Iamthefallen]

yeah, but the difference is, the sysadmin is a criminal, a CEO that's stealing is just unethical...

Easy answer...

[gosand]

Who can companies trust if they're afraid that this kind of thing can happen?

Who can you trust?

Microsoft. Trustworthy computing.

At Microsoft, we make operating systems that administer themselves, so you don't have to hire those untrustworthy and expensive system administrators. Nearly any high-school graduate, or poo-flinging monkey, with the proper brainwa^H^H^H^H^H^H^H training can become a Microsoft-Only Operations Certified Omnipotent Worker. Get your own MOOCOW today, and let us handle your security problems. You shouldn't have to worry about these computer dealies - that's our job.

Microsoft. Trusted Computing since 2002.

Re:This article isn't very good. Neat story though

[Alphix]

Put option quick explaination:

Suppose that the stock of company FooBar is worth $80 today.

I buy the *option* of selling that stock at $80 in one weeks time (this of course cost me something since there is a risk involved for the entity that I buy this option from).

Let's say that priviledge costs me $1 (since everybody considers company FooBars stock prices to be quite stable).

Now, one week later the "bomb" has blown up their computer system and the stock has plunged to $40.

The option of selling one stock at $80 is now worth $40 since the stock is currently priced at 40$. I don't even have to own the stock since someone who does can buy the option from me instead.

In total I've made 39$ on an investment of 1$ in one weeks time.

Prevention is not all that hard

• Reasonable salaries, benefits, and work hours
  
• If someone is to be canned, you provide reasonable severance pay, and immediately lock them out of everything (including the physical building itself). Give them a month's pay, one week at a time, with the understanding that professional behavior is expected and they are to answer whatever questions might arise during this one month period.
  
• Maintain some level of operational redundancy. Relying 100% on a single sysadmin is asking for trouble. They might be dishonest, or they might die in a car crash.
  

All of this costs money, but think of it as cheap insurance, compared to the cost of rogue sysadmin. Is it worth penny-pinching on salaries and benefits, while maxing out the workload if that results in disgruntled employees who timebomb your systems as they head for a new job?

If you paid the sysadmins $1 million per year, there would be zero theft, zero funny business, and zero turnover. Of course, nobody can do that and stay in business. At some level less than $1 million and higher than fast-food wages, you can retain decent people and discourage malicious tactics. The key to avoiding a technological meltdown is to treat people well enough so that your recruiting process lets you avoid the marginal candidates. Once hired, a properly compensated person should feel as if the "have something to lose", and therefore you can expect such a person to act as a professional. Paying hamburger wages and putting a person in the sysadmin seat would be like staffing a nuclear power plant control room with random selections from the phone book.

This is a very interesting topic, especially right now. We are in a down market, and there is an irresistable temptation for some employers to make lowball offers to currently-unemployed candidates. This allows the employer to cheaply refill vacancies (or exert leverage against current employees). Those employers who are gung-ho about bottom-feeding are setting the stage for big trouble later. Employee turnover is just the tip of the iceberg.

Oil Strike in Venezuela

Here in Venezuela, when the Oil strike begun some sysadmins blocked and placed logic bombs in the critical computers. It is costing the country an average of US$ 15 million a day. The computers that control the fuel-load process in the tankers where so sabotaged that any try to get the system up would end up spilling fuel on every "island" (the place where the fuel truck loads). The only way to stop the spill would be to activate the emergency system in the plant. Gladly (it's already very known worldwide) the goverment set up a "hackers team" to take over all the sabotaged industry computers. Most of them are running Solaris or Windows NT 4, so it wasn't too hard to break all the systems. If you calculate: US$ 15 Millions * 16 days = 240 Million US$ ... and most of it is because the admins who sabotaged the critical computers.

Re:You *could*...

[vrmlguy]

You must be inexperienced. I've set up systems where no one had root access. You set up sudo (or one of its commercial clones) to give specific people permission to do specific things, then you write a script to change the root password to a very random string and send it to a real printer. As soon as the printer delivers the goods (in the presence of one of more officers), it is folded and placed in an envelope (which everyone signs on the seal) and locked away. Any emergency big enough to require the password needs to be brought to the possessing officer's attention anyway, and anyone can look at the envelope to make sure that it hasn't been tampered with.

Re:On a somewhat related note...

What if the employee is a good guy? What if they have discovered one or more security flaws in the company's systems(s)? [...] How does the employee tell the company without getting in trouble?

He can't. I've had this happen to me one or two times. I've been pushed in to sysadmining (dammit, Jim, I'm a programmer, not a sysadm!) in this small association (about 60 employees, about 60000 members), and initially just assumed the system I took over was OK. After a year or so I discover, quite by accident, the first horrible thing... Every user PC has a small script on it, that contains the root password to the main server in plaintext.

Apparently, no-one knew. I was responsible, even if it was my predecessor (or his) that had written that script. What to do? Go up to the boss and say "Hey Joe! Funny thing, any employee may have had root access to the DB in the last five years! Ain't that funny?". No. Fix it. Shut up.

There were a few almost as horrible things I fixed quietly over the next few months.

I also have to confess that I have did a horrible blunder myself, that has gone undetected. What do you do when you find that a bug in an old program you wrote has lead (over the last six months) to >4% of your members mailing addresses beeing slowly mangled? When membership dues are mostly collected by mail? Which has lead to large losses for the association, and great unhappiness among the members?

Fix the bug, correct the adresses as much as possible, delete the evidence, lie when confronted. That's what you do.