Searching For Backdoors From Rogue IT Staff
WHiTe VaMPiRe writes "When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. Here is an exploration of the steps necessary to maintain security." Of course the first piece of advice is to basically assume you've been rooted. Ouch.
Seems like it would make sense to simply terminate "with extreme prejudice" when getting rid of potential security threats....
Auditing your system under the assumption you've been rooted should happen once a year at a minimum anyway, not just when you suspect a rogue employee left on bad terms. I've worked at places that never changed passwords, and I found former employee logins enabled from months ago.
Fuck Ajit Pai
Considering many IT staff have full control over your infrastructure, it's good to take the cautious route of assuming they've planted a back door or some other problem. After all, they likely had the root passwords to your systems. Better get those changed ASAP!
Bite my shiny metal ass!
Dead man's switch.
If you're seriously considering this as a possibility, I'd say treat it like a DR drill. Burn everything down to bare metal and restore only the data. It's the only way to be sure...
However, before taking my advice, I'd suggest you get your boss to sign off on it, whichever way. Present a list of options from 'ignore it' to 'burn everything' and have them pick. This way, whatever happens, you're covered.
One of many reasons CEOs are given golden parachutes are to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.
Why not give similar parachutes to IT admins to follow these unwritten practices? If the CEOs are the frontmen, IT staff are the infrastructure of the organization. Treat them like gatekeepers instead of disposable footmen. They have the keys to the castle. And all the secret entrances.
I usually put in multiple backdoors. Not out of malicious intent but because I support customers who are so far away that I don't want to drive out there all the time. Now this might include software or even out of band management, VPN, etc. Basically, if you put yourself in a position where you have to fire your IT staff then you are a moron. Always do background checks because you are going to be giving these people the keys to the city.
Of course the first piece of advice is to basically assume you've been rooted. Ouch.
That's only painful if you didn't have well thought out policies in place beforehand.*
*for everything but the edge cases, of course.
who doesn't have a clue what you're telling him, and watch him veto this because his budget would take a hit. Make notes of what you discussed, save emails, etc., for evidence when said evil admin hacks in and trashes your servers, domain, etc. In other words, cover your ass.
"We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
It should be pretty easy to find and explore their backdoors.
Alot of software opens holes due to poor coding as well.
And look at printers and vendor PCs running RIP software, likely on an OS that's lagging behind on updates, but the vendor doesn't let you / says they will void the printer contract over messing with the software / OS on the RIP PC.
2. ???
3. Profit
If you're seriously considering this as a possibility, I'd say treat it like a DR drill. Burn everything down to bare metal and restore only the data. It's the only way to be sure...
To elaborate on this idea, I would emphasize that the existing and working hardware is not touched, ideally at least. Use a new/different system (your backup/spare hardware, which should be tested anyway, and isn't this a good test?) or maybe a new virtual machine. Once the OS and apps are restored from trusted sources, the data is restored, and it's verified that all is well, then replace the original hardware. Maybe the original hardware now becomes the backup/spare for the next machine to go through this process.
Non-evil stuff may look like logic bombs if you don't keep track of all of it. Who knows what hacks and workarounds you will find, and taking them out may just lead to having to call the old guy back just to find out how some of the stuff works.
How many times do you have to have the old guy come back at 2x, 3x, 4x the pay just to work out stuff that only the people who got laid off know about?
Prison sentence.
Seriously, trying to do something like install a dead man switch to fuck over your employer would be the height of stupidity. Wonderful way to end up with a sentence that makes the Childs thing look lenient. While I realize that pedantic geeks think they could cover their tracks, that isn't the case. They don't have to prove it was you beyond any and all doubt, they just have to prove it was you beyond a reasonable doubt. If they can show means, motive, and opportunity, they've gone a long way to that.
Sounds like the real answer is for companies to get rid of egomaniac assholes in IT before they are in a position to cause trouble.
Why assume that the employee is a criminal? Many people get terminated because of bad relationships with their managers every single day. Very few of those people resort to criminal activities against their previous employers, even if they have the ability to do so. I suppose everyone should suspect secretaries of publishing address books, bank statements, inventories, employee social security numbers, etc., all over the internet because they had access to that information all along. How about janitors? They go through garbage. How many things don't get shredded? Perhaps every business should conduct documentation accounting practices because who knows what the janitor might know.
Seriously. This is a bit over exaggerated. Most IT professionals have invested tens of thousands of dollars in their education and training, as well as years into a profession that doesn't really have any value outside of their relevant field. Treating every employee who gets fired as a potential criminal is stupid, and is a good sign that you do not want to work for that business. Everyone who ever works for a company has potential to cause damage to some degree... some employees more than others. But to treat your network as if that person has "rooted and back doored" it is just bad business (fairly disruptive too, considering in many cases it's best to take some systems offline if you believe they've been compromised).
But to each their own.
20th century Marxism is not progress...
The worst timed logic bomb I have had to deal with was by an intern who was looking for more pay. He had written a statistical analysis program that would have started to introduce subtle errors several weeks after he had left. If I had not found it then our stats would have become useless after a few months of that mangling. I assume he was hoping we would notice data errors, panic and re-hire him to fix it without realizing that he had caused the errors. I became suspicious when the timestamp on the Java source was newer than the class file so I did some reverse engineering. He had edited the logic bomb out of the source after compiling.
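The check that caught the intern's logic bomb above, a source file with a newer timestamp than its compiled class, generalizes to a simple audit: walk a deployment tree and flag every compiled artefact whose source was modified after compilation, and every artefact with no source at all. This is an added example, not the poster's code; the function names and the sample tree are constructed for illustration.

```python
"""Flag compiled artefacts that are older than their source (added example).

Reports two findings per tree:
  ("source-newer", path)  the .java was edited after the .class was built
  ("no-source", path)     a .class with no corresponding .java (binary-only blob)
Inner classes (Foo$Bar.class) are mapped back to Foo.java so they do not
produce false "no-source" findings.
"""
import os
import tempfile
from pathlib import Path

# source suffix -> compiled artefact suffix (hypothetical mapping, extend as needed)
PAIRS = {".java": ".class"}


def source_for(artefact: Path, src_suffix: str) -> Path:
    """Map Foo$Inner.class -> Foo.java; plain Foo.class -> Foo.java."""
    outer = artefact.stem.split("$")[0]
    return artefact.with_name(outer + src_suffix)


def stale_artefacts(root) -> list:
    """Return sorted (kind, relative_posix_path) findings under root."""
    root = Path(root)
    findings = set()
    for src_suffix, art_suffix in PAIRS.items():
        for artefact in root.rglob(f"*{art_suffix}"):
            src = source_for(artefact, src_suffix)
            if not src.exists():
                findings.add(("no-source", artefact.relative_to(root).as_posix()))
            elif src.stat().st_mtime > artefact.stat().st_mtime:
                # Source touched after the build: either an uncommitted change
                # or, as in the post, the build input was altered after compiling.
                findings.add(("source-newer", src.relative_to(root).as_posix()))
    return sorted(findings)


def _touch(path: Path, text: str, mtime: int) -> None:
    path.write_text(text)
    os.utime(path, (mtime, mtime))


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a clean pair, an inner class, an edited-after-build pair, an orphan."""
    base = 1_600_000_000
    src = root / "src"
    src.mkdir(parents=True)
    _touch(src / "Report.java", "class Report {}", base)          # compiled 60s later: fine
    _touch(src / "Report.class", "<bytecode>", base + 60)
    _touch(src / "Report$Row.class", "<bytecode>", base + 60)     # inner class, maps to Report.java
    _touch(src / "Stats.java", "class Stats {}", base + 3600)     # edited an hour after the build
    _touch(src / "Stats.class", "<bytecode>", base + 60)
    _touch(src / "Debug.class", "<bytecode>", base + 60)          # no source at all


def demo() -> list:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return stale_artefacts(root)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:13s} {path}")
```

Run against a real tree, the "source-newer" findings deserve a diff against version control, and "no-source" findings deserve a hash check against the vendor's or repository's known build outputs.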
Seriously, it takes a rather large amount of egomania and lack of respect for others to consider doing something like that. Most non-sociopathic types just wouldn't do it. They wouldn't rig up something to damage their employer just on the off chance they ever got mad. Anyone who seems to be that kind of person, well show them the door before they have the ability to cause trouble.
While I fully agree employers should be nice to their employees, treating it like a hostage situation where you can never do anything to disgruntle them, which in some cases means letting them do whatever the fuck they want, isn't realistic.
Reflections on Trusting Trust http://cm.bell-labs.com/who/ken/trust.html
One of many reasons CEOs are given golden parachutes are to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.
Why not give similar parachutes to IT admins to follow these unwritten practices?
Since golden parachutes have been a source of abuse and unintended consequences maybe the concept should not be more widely used?
FWIW golden parachutes are not really about keeping quiet regarding trade secrets, contracts and other material non-public information. Contracts, non-disclosure agreements and other legal tools already cover this area.
I haven't seen any reason to think that IT staff would be more likely to do such harm than anyone else. Sure, maybe they have easier means to effect harm than your average employee, but they have no more motivation nor mind to do so.
Am I part of the core demographic for Swedish Fish?
I had to administer a system when the vendor's software would fail on the rollover for the day. So it would fail at 5 am, and I would have to be the one to come in to fix it. As it happened at least once every two weeks, I started to SSH in to fix it rather than rush to work and have to work an extra three hours that day (and not be compensated for it). The policy that I fought to implement at work was to do a quick audit, change any passwords/keys for any remote entry and to actually create passwords for many of the accounts that did not have passwords. So done and done, I thought.
To continue: I had many problems with upper management, one of which was their wanting me to 'tweak' time sheet accounting so that new entry level minimum wage employees were paid for as little as 75% of their legitimate hours worked. I thought this was particularly dickish as they fired employees on a project basis and anyone was usually fired within two weeks. So I quit and tried to get myself as good a parachute as I could.
Well, two weeks after I left, I found out the newbie replacement didn't perform the audit when I accidentally clicked on a bookmark at home (PuTTY) and I was suddenly in a server from my old job. I logged out and didn't feel particularly compelled to tell them that my keys were still trusted. About a month later I made the same mistake. The hole was no longer there. I thought to myself, "Good for him. I guess he's not so incompetent after all."
But curiosity a la Facebook and Twitter revealed that a server had actually gone down that day. Apparently there was an 'rm -rf' oopsy!!!
The story continues, but the end result is that he managed to destroy three servers within a month of my leaving. If I had been malicious I don't think I could have caused that much destruction...
Don't do this if you work IT for the City of San Francisco. They will seem to want to prosecute you for this.
... but if you go around assuming you've been rooted by everyone your company has let go, pretty soon your cycles will be consumed by constant self-evaluation. The result would likely be catastrophic money and time loss, akin to the South Park episode where San Francisco disappeared entirely up its own asshole.
There's a 68.71% chance you're right.
for those that are terminated and have no intention of connecting back in? After all, if I am let go, the last thing I want is for my old credentials to be used by someone to trash something and have suspicion fall on me.
Nullius in verba
Verify that no keylogger is installed in any computer used to login to other systems
I say if you fire an employee unjustly or lay them off to hire some workers for less money then you deserve punishment. While there are no technological solutions to capitalist exploitation currently (only political solutions exist to my knowledge), in the meantime I hope you IT staff who are unjustly terminated bring the pain and cover your tracks.
I see nothing's changed. I've been on 4chan, Skaldi, Stormfront, and a few other places. you?
It's OK, no problem, just rewrite everything from scratch; that guarantees you won't have backdoors from the previous guy.
You can't handle the truth.
Good thinking, I think. Maybe instead of logic bombs, they could just pay you to write the documentation. :D
Alot of software...
http://hyperboleandahalf.blogspot.com/2010/04/alot-is-better-than-you-at-everything.html
;)
I'm not a grammar Nazi, but I think you (and everyone else) can appreciate the humor in the link. "Alot" is actually two words: "a" and "lot".
A good IT department for a sizable company should have some technicians and some administrators. There is rarely - if ever - reason for technicians to have root access to servers and other administrative rights. Your admins should themselves be vetted well enough to not have to worry about them compromising your network after the fact.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
You get what you pay for. You hire for the lowest possible salary and treat your professionals like unskilled laborers, well, don't be surprised. A professional would never dream of doing something like this - but then again a professional would not work for peanuts either.
Seven puppies were harmed during the making of this post.
How about a radical idea of treating employees as people, with respect and dignity, and they will treat you likewise in return? I know I'm stepping a little above the topic, as you asked what to do when you do fire people suddenly without a cause. Please bear with me and don't "escort me out" yet. The way employees are treated in the U.S. nowadays is despicable. It would have been unacceptable just a few decades ago in this very country, and it is still unacceptable in many parts of the world. An executive firing employees without good cause would and should be roughed up good after work to freshen their understanding of "immoral". American society should make it socially unacceptable, with after-work consequences, to fire people without a good cause, regardless of "laws" bought by corporations in the last decades.
Reading this brings to mind the number of companies I've worked for that had absolutely no procedures for dealing with the dismissal of IT personnel. Of at least a dozen jobs, only one HR department contacted and co-ordinated with IT around terminations. And yes... they even removed IT decision makers without variance.
Centralized authentication and authorization for all internal applications that handled sales/inventory/hr/etc made it easy to suspend access to all systems by changing the user's password... which was then given to their supervisor who had a limited amount of time to go through the ex-employees files and email to salvage any of their work if possible.
Nastiness is usually a sign of guilt: "It is human nature to hate those we have wronged [sic]" Tacitus.
If the corp is nasty, it will attract further nasties and have to cope with the results. The nice people leave.
If a nice corp has to fire someone for gross malfeasance and such yet cannot charge them, then perhaps send in a trusted senior specialist to check things out quietly. A big investigative purge will just tell everyone there you don't trust them. Then why should they trust you? Thieves have the best locks. Lots of moves in this chessgame.
So do you really think you are going to find the buffer overflow he injected while compiling that php module running on your servers?
Got Code?
There was no incident. Someone is stirring up shit. Name the person, the time, the date, the charges, the verdict and the sentence. PROVE the damages.
Some asshole hiding behind the name "White Vampire" is building strawmen and talking hypotheticals.
He is shitting on techies, spreading FUD, giving his industry a bad name.
Shame on you white vampire.
Been there, done that. :D
A former employer of mine decided that there were too many problems with our web application (which was in the early stages of being rewritten to compensate for years of changes). They closed down our branch office and hired an external company to develop a version of our software that's more to their liking.
Long story short: Their new system is already over half a year overdue (with the additional cost that entails), still far from completion and playing freelance troubleshooter for our old system has earned me three times as much as I'd have earned had they not closed our branch. I figure, at their speed the suits' decision will easily make me another sixty grand before their new toy can even enter beta stage.
is to hire lazy employees. None of the sysadmins here could be arsed to install a backdoor (even if they knew how, which is very unlikely). Plus, anyone who has the foresight to make a hole in the security system, and thinks they would have a reason to use one has probably already stashed all the company secrets on thumb drives and DVDs in an unknown location long before they ever get fired.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Yeah, that will really solve the problem of time bombs and dead man's switches...
How about not disgruntling the employee in the first place?
Oh, grow the hell up and welcome the nature of life.
Though there are work places that indeed are festering, pedantic shit holes, my experience has been that people who are disgruntled enough to commit a stupidity don't necessarily work in a place causing them to be so disgruntled in the first place. They are simply stupid assholes who either have a sense of victim-hood or are too arrogant and socially incompetent so as to pop a vein at the slightest work-related discomfort.
Work is work, it's not supposed to be pleasant all the time. We get paid to do work that has a certain level of difficulty, both technological and sociological. It has always been so, it will always be so. Half of the time the fault of being disgruntled is in you. How you handle that shit is ultimately one's responsibility.
If you are a mature person with a sense of, oh I dunno, fucking professionalism, you will never get *that* disgruntled no matter the working conditions. If you are not a mature professional and you cannot tell professionalism from a shit-flinging monkey riding a banana-shaped tricycle, then you'll inevitably construe any slightest difficulty into an affront, building each one of these up, turning you into an arrogant, festering boil of disgruntled human suckage and social incompetence.
And for those who truly voted that post as insightful, man, grow up, really.
I'd just use the errors I know in the existing system to break in.
thank God the internet isn't a human right.
This is why companies need to have an IT-savvy IT manager and know their employees well, and have multiple IT workers watching each other, much like accountants and finance officers are supposed to watch each other and have separated powers.
Know your employees, their abilities, and their personality. Without knowing the person, it's difficult to assess the risk as to whether or not they might or might not do or attempt to do certain things. And what things are even possible for them to attempt.
The easiest way to avoid running around in circles is to know what they are capable of exactly. If their personality is psychopathic super-programmer, you might have good reason to look for hand-coded hidden kernel drivers, or little binary blobs in a proprietary tampered-with program, containing custom logic bombs, and exploits for bugs in other programs (automated privilege elevation and exploitation).
If not, well, more mundane audits should be fine.
If the person is familiar with scripting, then, well, you'll have to check all the scripts extra carefully. Even if not, they might have found something on the web, and it doesn't take rocket science to cron "rm -rf". Which should not be that much a concern if you have solid frequent backups and take additional precautions to secure those.
(Probably) the worst case scenario is they are conspiring with skilled outside hackers, who are providing expertise and assistance.
Once the outsiders have enough information, they may get the IT admin to "run some code" from somewhere obscure, which will lay the playing field, and then later the outsiders will infiltrate the network.
However, that implies premeditation. If an IT admin is going to forcibly lose their job for serious disciplinary reasons, and anything is suspected to be a risk, they should be escorted by security and not allowed to touch any computers until they are gone for good.
Make them stay on premises during working hours, and have them use pen and paper to fill out some paperwork and answer questions.
This way they will not have a lot of "free time" until all your new IT admins' audits and password changes are established.
I once got in to a missile system using Joshua as the login. No password needed.
We had a bad bit of this sort of thing, though accidental and on a lower-tech scale, at our high school. One of our student volunteers that helped with basic network administration tasks had asked us to give him temporary privileges to add a mouse driver to all of our Dells. As he explained, students were complaining that the 200ish identical machines all had non-working scroll wheels, but that he had a driver that he had tested on our testbed that would solve the issue. We granted him access for the day, and all was good.
Until about 2 months later, when the machines started letting the smoke out one after another due to graphics card failures, until winter came along and they started to get a "second wind" and our failure rates plummeted. We contacted our buyer about the issue, but we were informed that none of the other schools had been having issues.
We finally discovered that our enterprising student had also taken the liberty of upgrading the graphics drivers while doing the mice. In doing so, he had broken the fan controls on the cards, which were locked in at 5% duty cycle.
We ended up replacing them with another series with integrated graphics (the original purchase decision certainly wasn't our idea) but it made for a very interesting 8 months.
We paid a police officer to be present as security when we tossed out the two people who made up our IT department: one who was a co-owner of the computer repair department, and his employee who also maintained our PCs at a company I worked at. With permission I'd already gotten all of their passwords, and subverted the network and database system so that running a command from any computer I was logged into removed their access and made me administrator. At the same time it locked every user out of the system. My boss knew they'd embezzled 100 grand and had proof; we just wanted them to take action with witnesses when they tried to damage the system. The one Aspie geek actually tried to nuke the system after he was told he could not touch a computer. They were allowed to remove some things and he jumped on a computer. The cop cuffed him and made him sit till the other person was done. They were escorted to the door. The police officer wrote up a report and gave it to my boss. He submitted that and all of the bookkeeping information we could recover. The local prosecutor charged them and took a plea. The co-owner took the brunt of it. We only saw a fraction of what he stole, but he does have a felony conviction. The Aspie geek wasn't charged and went on to embezzle money from a local ISP, and did get caught after new owners did an audit.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
I was CIO for a fairly large company. I reported to the CFO. The first few years were great. Then the good CFO retires and is replaced by the bad CFO. This guy was looking for excuses to get rid of me from day one. It took him several years, but eventually he fired me.
It seems he hired some type of security consultant to lock down the place just before I was fired. Some of my staff members were forced into cooperating with this little adventure. Evidently, the bad CFO thought I would launch some kind of high-tech retaliation. This was actually a fair prediction, based on how I was treated. If you treat people badly, you should EXPECT trouble.
While I am in the process of getting the bad news from HR, it occurs to me that I really want revenge. But a high tech attack would be illegal, unethical, and they're probably expecting it. Therefore I will NEVER attempt anything related to IT. I'm not sure exactly how to proceed, but I decide to wait and give it some thought. My staff members knew from day one that I would do something and whatever it was, it was going to be big. The funny part is that the company's security consultant did everything recommended in TFA and then some. And yet he STILL left a gaping hole that I helpfully reported to the company after the fact. So much for the security audit.
Good things come to those who wait. I stumbled across an idea that had nothing to do with IT. I REALLY REALLY want to write about what I did, but details of the operation must remain classified. Everything was 100% legal and ethical. The results were absolutely spectacular. I might turn this into a movie script someday. It was that good. The amount of pain I inflicted exceeds anything that I could have done with computers.
Three important lessons here: (1) Security audits are seldom 100% effective and a determined opponent is going to get in anyway. (2) A really determined foe is not limited to computers. (3) Treating people poorly leads to unintended consequences; see (1) and (2).
The assumption should be that you have been rooted by somebody who knows exactly what things are logged in your systems, possibly with continuous influence on what is being logged and for how long, maybe even with the power to alter log files. IMHO one of the important things is to use several servers just for logs, to which only a single admin has access. If one of them goes in a bad way, then you have at least the logs on the other machine. If you are paranoid, transfer the md5 checksums of the files on your servers to these machines and use git on the etc directory, backing the etc directories up on these machines. And force the IT staff to automate builds of custom software.
This means you have
a) logs of what has happened (at least you know what you know)
b) a possibility to determine which files changed
c) a documentation about which configuration changes have been done for which purpose.
d) a backup of the configuration, enabling you to reinstall the machine
e) a way to rebuild programs added to the system easily.
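Point (b) in the post above, shipping file checksums to a separate log host so you can later tell which files changed, comes down to a baseline snapshot and a diff. This added example (not the poster's tooling) builds a baseline of a directory tree, then compares a later snapshot and reports added, removed and modified files; it uses SHA-256 rather than the post's md5, since colliding md5 inputs are cheap to construct, and the sample tree and its changes are constructed inline.

```python
"""Baseline-and-compare file checksums for a config tree (added example).

snapshot(root) -> {relative_posix_path: sha256_hex}
compare(baseline, current) -> {"added": [...], "removed": [...], "modified": [...]}

The baseline is round-tripped through JSON, as it would be when stored on the
separate log host the post describes.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()  # symlinks are recorded by the tree backup, not hashed
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; all three lists are sorted for stable reporting."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed /etc-like tree: take a baseline, apply three changes, diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "crontab").write_text("# system crontab\n")

        # Baseline as it would come back from the log host.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Constructed later changes: a cron line appended, a key file added, passwd removed.
        (root / "crontab").write_text("# system crontab\n@daily /usr/local/bin/unknown-job\n")
        (root / "ssh" / "authorized_keys").write_text("ssh-ed25519 <PLACEHOLDER-KEY> ex-admin\n")
        (root / "passwd").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {', '.join(paths) or '-'}")
```

The report only tells you which files differ; the git history on the etc directory that the post also recommends is what tells you whether a given change was a documented configuration change or not.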
Let me add there's no need to intentionally make things more complicated and failure prone than they already are naturally. If they really needed a position filled, and don't replace an employee they just fired, they'll learn that the next time they need some work done or a fire starts, and there's no one around who can do the job or put out the fire. That can happen sooner than you might imagine.
They may even try to rehire the ex-employee. I've seen that happen. Manager A is an idiot who fires people for no good reason, just enjoys the power trip and takes irrational dislikes to random people, but manager B has more sense. But if you've burned your bridge, manager B won't touch you with a 10 foot pole. If they're all fools, and they probably are if they just up and fire people they really need, the last thing a former employee needs is to leave behind a smoking gun that in any way justifies any part of their warped thinking, hands them an excuse to blame everything they can get away with on the former employee. Move on, and let them go down in flames all by themselves. If they're that bad, they will.
On the other hand, if the position wasn't necessary after all, well, I for one would rather not occupy it.
The real problem is that getting another job is such a miserable endeavor, dealing with rejection after rejection. If it wasn't so hard to get another decent job, employees wouldn't feel so desperate about losing one, wouldn't feel that they have little to lose and be tempted to get revenge, wouldn't take it all so personally and hard no matter how viciously the company handled the parting of ways. All this advancement and progress we've had, particularly in the last 200 years, seems to have largely passed by employment relations. Most companies are still run in very autocratic and harsh ways, and get away with appalling behavior. It's even justified by the nasty thinking that employees as a rule are lazy slackers who must be forced to work, and wouldn't if not for fear of being fired. I hear the entire game software industry is all ugly sweatshops. The 40 hour work week seems to have become 45 (lunch somehow became employee time-- whatever happened to "9 to 5"?) and that is a floor, not an average. And vacation is for losers and crybabies. Most of all I can't understand why departments that handle these matters sometime in the 1970s or 80s took the name Human Resources, as if employees are like coal mines, to be worked until they're played out and exhausted. It used to be called Personnel, what was wrong with that name?
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Based on my experiences and the experiences related in Clients From Hell, every freelancer ought to leave a hidden timebomb to be deactivated only when the client pays up. Cheapskates deserve every minute of downtime and every dollar extracted from them by cleanup crews.
i.e. They are failsafe management interfaces. Not backdoors.
I believe, I have expressed a more popular than usual (for my posts) opinion in this.
Contrary to the popular belief, there indeed is no God.
But really, the best thing to do is to treat your IT staff properly in the first place.
The golden rule. It got that name with good reason.
Build your own energy sources from scratch. http://otherpower.com/
Poor you, really.
Designing things to be shitty is bad style, anti-social and a heap of other things. I just hope you will get job after job fixing the crap other people like you pulled off. Again under high stress. Hopefully you people just keep on fixing each other's crap and stay out of the way of the rest of us.
The professionals amongst us strive to make things easier for ourselves and each other.
The childish, spine-less power-trippers act like you did.
"If you are a mature person with a sense of, oh I dunno, fucking professionalism, you will never get *that* disgruntled no matter the working conditions."
Oh please, and you're telling OTHER people to grow up? Sounds to me like you've hardly had any work experience in the real world. It doesn't matter how professional you are; everyone has certain buttons that can be pushed, and in a long working career, believe me, someone WILL push them eventually.
Also you might disguise your young age a bit better if you didn't swear every paragraph.
I hope you get fired soon (if you even have a job) and that they burn your ass in terminating you, so that you get to see how well a big talking little pud whacker like you feels when you get the high hard one right up your ass.
It's 2 L8 we r in ur interwebz.
I'm talking about analingus and anal fisting. That's the scuttlebutt around the office, anyway.
Let me guess, you founded a new company that outcompeted your old one and drove them out of business? Or you married his ex-wife after the messy divorce, after she got all the money?
Dang, I could have a lot of fun with this.
---dragoness
Neither, although I would not have passed up those opportunities if they existed. If I told you, your chin would hit the floor. Someday, the operation will be declassified; you might just see it in a movie.
No, although I would not have passed up your ideas if they were practical for me to implement. If I told you, your chin would hit the floor.