Searching For Backdoors From Rogue IT Staff

WHiTe VaMPiRe writes "When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. Here is an exploration of the steps necessary to maintain security." Of course the first piece of advice is to basically assume you've been rooted. Ouch.

the work involved..

[Nick]

to audit your system under the assumption you've been rooted should happen once a year at a minimum anyway, not just when you suspect a rogue employee left on bad terms. I've worked at places that never changed passwords and I found former employee logins enabled from months ago..

Re:the work involved..

[bloodhawk]

That would be nice but is in reality completely impractical. The time and money to do such an audit properly would be more expensive than just rebuilding your entire environment from the ground up. I could effectively hide a rooted box or backdoor on windows or *nix systems I look after that unless you are going to strip the boxes and mount the drives on seperate boxes to check the binaries you are simply not going to find the holes.

The ONLY way to handle a suspected rooting is a rebuild, anything less is always an assumption that your smarter at finding the exploit than they are at hiding it.

Three words

[pjt33]

Dead man's switch.

Re:Three words

[CharlyFoxtrot]

But really, the best thing to do is to treat your IT staff properly in the first place.

This. I don't understand why it's so hard to grasp for some organizations. Pissing off IT is like telling your mechanic he's an asshole while he's working on your brakes. Sure most are consummate professionals but sooner or later you'll hit on one that isn't and then there'll be hell to pay.

Re:Three words

This.

I've worked in a highly stressful environment before where I didn't know if I was going to still have a job the next day or not. I had everything set up sufficiently complex but still for good reasons, that if they had fired me getting someone else to fix it would have been a nightmare and cost them a fortune, which they would find out as soon as they tried to get someone else to go in and fix it.

Since I left on good terms I overhauled everything before I left and took out most of the non bog standard bits I had implemented. They ended up with a slightly worse but fixable in a pinch system.

Had the work environment been less stressful I wouldn't have felt it necessary to go through all of the trouble, but they decided to make it that way, so I decided to build some security into my job that was otherwise nonexistant.

This is still an extremely unprofessional thing to do. What if it breaks while you are on vacation? What if something happens to you? What if you get mono and can't work for three months? What if you get in a car accident and are in the hospital for months? What if your code gets audited and you get called out for writing shit code?

Re:Three words

[drsmithy]

I don't understand why it's so hard to grasp for some organizations.

Because even after multiple demonstrations otherwise, upper and executive management cling tightly to the fantasy that experienced mid-level+ IT (and other) staff are generic and can be disposed of and replaced at will, with essentially no loss to productivity.

Re:Three words

[PitaBred]

If they cared about that shit happening to him, they would have treated him better. What goes around, comes around. They aren't treating him well enough to care.

Re:Three words

[Evil+Shabazz]

Indeed. In my experience, the folks who talk about making systems "so complex only they know how to fix them" don't actually really know what they're doing anyway. The real truth is usually that they've got things set up so batshit crazy trying to hide their mediocrity in this "you can't fire me now!" excuse.

Re:Three words

[helixcode123]

If you are that paranoid about keeping your job, find another job. Life is too short.

Besides, it's exactly the opposite approach to being a successful consultant. Any decent consultant provides their client with a "here's how you fire me" file with all of the information they need to access and maintain the system(s) you've built. The idea here is to do such a good job for your client that they want more, not less, of you. If you can't do this you have no business being a consultant (or general employee, for that matter).

Re:Three words

[kiwimate]

Wow...

I've worked in a highly stressful environment before where I didn't know if I was going to still have a job the next day or not.

Life is too short to put up with that amount of stress. You should've been job hunting.

I had everything set up sufficiently complex but still for good reasons, that if they had fired me getting someone else to fix it would have been a nightmare and cost them a fortune, which they would find out as soon as they tried to get someone else to go in and fix it.

Wow, again. So the client is really screwed if you end up in hospital with pneumonia for two weeks (I pick that example because it happened unexpectedly with one of our developers within the past 12 months). A professional sets things up so they are easy to maintain and trusts in his ability and skill to get jobs, based partly on that.

Since I left on good terms I overhauled everything before I left and took out most of the non bog standard bits I had implemented. They ended up with a slightly worse but fixable in a pinch system.

So out of the generosity of your heart, and because you left on good terms, you decided to magnaminously grant them a bad system rather than an utterly broken one. Wow...yet again.

Had the work environment been less stressful I wouldn't have felt it necessary to go through all of the trouble, but they decided to make it that way, so I decided to build some security into my job that was otherwise nonexistant.

Next time, don't go through all that trouble to sabotage a client's systems. If it's that bad, just do your job properly and take "all that trouble" to instead look for another job. And try building some security into your job by being professional and really good at what you do.

You are the kind of consultant who gives consultants a bad name. Thanks for nothing.

Re:Three words

[lrichardson]

Yes and no. I've done so flashing-star, how-the-heck-did-you-get-that programming, mostly because of a unique position that straddled various corporate silos.

Two killers, i.e. 'making them so complex only ...'

1/ Not having the time to clean stuff up. If it works, management generally wants you to move on to the next fire.

2/ Documentation oversights and assumptions. "Check the syslog for errors" doesn't cover what to do when errors arise. I'd reached the point of coding the automated sending of e-mails on errors - with the fix included - to the person running a job, on dozens of issues. Things that one just assumes after years of experience are complete show-stoppers to someone who doesn't have that same experience. And it only shows up when someone else does try and run something, per the documentation.

&, of course, 1.5, not having the time to do any documentation ...

I like automating the heck out of stuff, handing it off to some poor schlub to run as needed/scheduled, and moving on to the next problem. But I also recognize that it's done me out of a job a couple of times. Which really, truly sucks.

The best advice I received from a friend was "Don't make yourself indispensible. You won't get vacations."

It's a trade-off. I think I prefer being viewed as a valuable asset, getting new challenges, rather than the only guy who knows how to fix something.

Re:Three words

[tsm_sf]

If you can't do this you have no business being a consultant (or general employee, for that matter).

That's a best-case scenario, and you should know it. There are plenty of jobs or projects out there where you will never be given the time it takes to "do it right." If you're the kind of person who's willing to spend their own time documenting systems then more power to you, but most of us don't want to work for free.

Look, just ask yourself if the unbillable time you're spending is making someone else money. That's the metric you need to keep in your head all the time.

Re:Three words

[Antique+Geekmeister]

You've left out number 3:

Being completely forbidden by your manager, or the client, from doing it the faster, cheaper, and simpler way in favor of some approach they're more familiar with, and having to work around the crazy in-house architecture they've already deployed and lack willingness or political capital to throw out.

Re:Three words

[CrashandDie]

Look, just ask yourself if the unbillable time you're spending is making someone else money.

Sure it is, but if you've worked out a good relationship with your boss, or if you negotiated your package right, all that should swing back in your bucket. That's how my previous gig was (infosec consultant); I would work insane weeks, over 90 hours a week in the worst cases, but I either got it back in double as holidays, or healthy financial bonuses.

My bonuses equaled my salary at the end of the first year, at the end of the second year, my bonus were 3 times as high as my salary.

There's working like an idiot, and then there's knowing how much your work is worth.

Re:Three words

You have clearly never worked for someone who wants everything for free and doesn't negotiate.

Extra hours? 'You're on a salary, it's expected'

On Call? 'It goes with the territory'

Call out? 'If we paid you call out then we would have to pay everyone call out'

Pay rise? 'Given the current financial conditions I'm afraid there is no pay this year/last year/next year'

I no longer work over time, answer my phone to my boss outside of the hours I was contacted for etc etc.

I still do a good, professional job when I am there - just don't see why I should go above and beyond anymore...

Re:Three words

[Krneki]

Exactly, if you don't give a shit about your employers, don't expect any love in return.

Re:Three words

[ultranova]

This is still an extremely unprofessional thing to do.

Professionalism goes both ways. If you keep your employees guessing whether they'll still have a job tomorrow, they'll keep you guessing whether you still have a system tomorrow. Why would you expect to get more than you give?

Re:Three words

[TheRaven64]

Even if it keeps you in a job, it also has the effect of keeping you in the same job that you're currently doing. When management is looking for someone to promote, they're not going to promote the person who is indispensable in his current job...

I'd say treat it like a DR drill

[BobMcD]

If you're seriously considering this as a possibility, I'd say treat it like a DR drill. Burn everything down to bare metal and restore only the data. It's the only way to be sure...

However, before taking my advice, I'd suggest you get your boss to sign off on it, whichever way. Present a list of options from 'ignore it' to 'burn everything' and have them pick. This way, whatever happens, you're covered.

little OT....

One of many reasons CEOs are given golden parachutes are to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.

Why not give similar parachutes to IT admins to follow these unwritten practices? If the CEOs are the frontmens, ITs are the infrastructure of the organization. Treat them like gatekeepers instead of disposable footmen. They have the keys to the castle. And all the secret entrances.

Re:little OT....

[CharlyFoxtrot]

One of many reasons CEOs are given golden parachutes are to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.

Why not give similar parachutes to IT admins to follow these unwritten practices? If the CEOs are the frontmens, ITs are the infrastructure of the organization. Treat them like gatekeepers instead of disposable footmen. They have the keys to the castle. And all the secret entrances.

The janitor has all the keys to the building and the cook could poison everyone if he wanted but those people aren't afforded the respect they deserve either. CEO's are given golden parachutes by their buddies who they'll see at the golf club and who they can maybe return the favor later on the board of some other company. We're just staff and staff don't get golden parachutes, they get concrete shoes.

Well...

Of course the first piece of advice is to basically assume you've been rooted. Ouch.

That's only painful if you didn't have well thought out policies in place beforehand.*

*for everything but the edge cases, of course.

Make your list prresent it to your stupid boss

[shoehornjob]

who doesn't have a clue what you're telling him and watch him veto this because his budget would take a hit. Make notes of what you discussed save emails etc for evidence when said evil admin hacks in and trashes your servers, domain etc. In other words cover your ass.

Re:terminated under duress

[arth1]

Yeah, that will really solve the problem of time bombs and dead man's switches...

How about not disgruntling the employee in the first place?

Two words

[Sycraft-fu]

Prison sentence.

Seriously trying to do something like install a dead man switch to fuck over your employer would be the height of stupidity. Wonderful way to end up with a sentence that make the Child's thing look lenient. While I realize that pedantic geeks think they could cover their tracks that isn't the case. They don't have to prove it was you beyond any and all doubt, they just have to prove it was you beyond a reasonable doubt. If they can show means, motive, and opportunity, they've gone a long way to that.

Sounds like the real answer if for companies to get rid of egomaniac assholes in IT before they are in a position to cause trouble.

Re:Two words

You are seriously delusional if you believe you can.....

A) Find it. Before or after activation.
B) Atribute it to a specific employee.
C) Even recognize that it was malicious and not just a bug, glitch, human error or outside attack when done properly.

You lack imagination.

Re:Two words

[Peach+Rings]

You could easily just badly document or fail to document passwords and configuration info and stuff. As long as you're around and working with the systems daily, everything runs smoothly. If you get fired, there's confusion with the new guy and your memory fades... it's not like they can really tell exactly what isn't a matter of the new guy not being up to speed for weeks. And you're not responsible for giving them consulting services for free after they fire you. If they can't figure out the non-standard port numbers you used, then that's their problem.

Childs took an idiotic stand where he admitted he knew the passwords and refused to hand them over. That's not the most lenient case, that's the worst case I can think of other than destroying data.

Re:Two words

[Requiem18th]

Did you hear *woosh* over your head? That's the sound of missing that he was proposing revenge for being terminated with extreme prejudice. If you are dead, you don't have to worry about being jailed.

If they fire you without firing AT you, that's good reason to kindly warn them to remove the DMS.
All of this of course, as a joke.

Re:Two words

[X0563511]

You know what a dead-man's switch is, right? The joke he was replying to was that it was better to kill the employee than to fire.

The response was to build a dead-man's switch.

Hard to go to prison after a 9mm to the brainstem...

Re:Multiple Backdoors

[Kozar_The_Malignant]

Basically, if you put yourself in a position where you have to fire your IT staff then you are a moron. Always do background checks because you are going to be giving these people the keys to the city.

• Not every problem employee comes with "Crazy MF With Drug Habit" tattooed on his forehead.
• Sometimes people lie when you do background checks. They want their problem to become your problem.
• Your IT guy might be just fine until his wife leaves him for a younger woman who also works for your company.
• Or, like my experience, the first thing you have to do in your new job is fire the sadistic moron that your predecessor tolerated for years.

The point being, you don't always "put yourself" in that position. Sometimes shit happens.

Re:Multiple Backdoors

[greenbird]

All of those problems could be handled in a variety of ways with a competant HR department.

Isn't that an oxymoron, even if it was spelled correctly.

Re:More like not keeping people who'd do that

[cjb658]

As an (ex-)employee, it would be to your advantage to maintain good relations with your previous employer anyway, unless you don't plan on ever using them as a reference.

Re:logic bombs on a timer

[jjohnson]

That's a really good catch. Well done.

Re:logic bombs on a timer

[grahamsaa]

He knew how to program a logic bomb and how to cover his tracks by removing it from the source, but he didn't have the smarts to change the source file's time stamp? Sounds like an obvious step to take -- not that I'd ever do anything like that, but seriously, changing a time stamp isn't rocket science.

Has to be said

[Dunbal]

You get what you pay for. You hire for the lowest possible salary and treat your professionals like unskilled laborers, well, don't be surprised. A professional would never dream of doing something like this - but then again a professional would not work for peanuts either.

Treat people humanely?

[happyhamster]

How about a radical idea of treating employees as people, with respect and dignity, and they will treat you likewise in return? I know I'm stepping a little above the topic, as you asked what to do when you do fire people suddenly without a cause. Please bear with me and don't "escort me out" yet. The way employees are treated in the U.S nowadays is despicable. It would be unacceptable just a few decades ago in this very country, and it is still unacceptable in many parts of the world. An executive firing employees without good cause would and should be roughed up good after work to freshen their understanding of "immoral". American society should make it socially unacceptable, with after-work consequences, to fire people without a good cause, regardless of "laws' bought by corporations in the last decades.

Re:Treat people humanely?

[Fulcrum+of+Evil]

Good reason in this instance could mean 'we can get the remaining people to do the same work and look good for the quarter' while ignoring the whole 'dead company in 5 years' part.

grow up

[luis_a_espinal]

Yeah, that will really solve the problem of time bombs and dead man's switches...

How about not disgruntling the employee in the first place?

Oh, grow the hell up and welcome the nature of life.

Though there are work places that indeed are festering, pedantic shit holes, my experience has been that people who are disgruntled enough to commit a stupidity don't necessarily work in a place causing them to be so disgruntled in the first place. They are simply stupid assholes who either have a sense of victim-hood or are too arrogant and socially incompetent so as to pop a vein at the slightest work-related discomfort.

Work is work, it's not supposed to be pleasant all the time. We get paid to do work that has a certain level of difficulty, both technological and sociological. It has always been so, it will always be so. Half of the time the fault of being disgruntled is in you. How you handle that shit is ultimately one's responsibility.

If you are a mature person with a sense of, oh I dunno, fucking professionalism, you will never get *that* disgruntled no matter the working conditions. If you are not a mature professional and you cannot tell professionalism from shit flinging monkey riding a banana-shaped tricycle, then you'll inevitably construe any slightest difficulty into an affront, building each one of this up, turning you into an arrogant, festering boil of disgruntled human suckage and social incompetence.

And for those who truly voted that post as insightful, man, grow up, really.

Re:So what is the advice

[mysidia]

I wonder, that... if you had no way of getting back through the firewall... I wonder how you could know the credentials weren't deleted? :)

Re:Multiple Backdoors

[hedwards]

Not really, HR is generally highly competent, just not at what you think they're there for. Most companies have HR employees specifically so that they can be useless and make it as hard as possible for employees to get there benefits, preferably quitting before they're eligible. Sure it's a dumb way to run a business, but it happens. Usually if there's any corruption in a company it's found in HR first and spreads elsewhere.

WHy don't you grow up

[Viol8]

"f you are a mature person with a sense of, oh I dunno, fucking professionalism, you will never get *that* disgruntled no matter the working conditions."

Oh please, and you're telling OTHER people to grow up? Sounds to me like you've hardly had any work experience in the real world. It doesn't matter how professional you are - everyone has certain buttons that can be pushed and in a long working career believe me , someone WILL push them eventually.

Also you might disguise your young age a bit better if you didn't swear every paragraph.