Slashdot Mirror


Searching For Backdoors From Rogue IT Staff

WHiTe VaMPiRe writes "When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. Here is an exploration of the steps necessary to maintain security." Of course the first piece of advice is to basically assume you've been rooted. Ouch.

22 of 328 comments

  1. the work involved.. by Nick · · Score: 5, Insightful

    To audit your system under the assumption you've been rooted should happen once a year at a minimum anyway, not just when you suspect a rogue employee left on bad terms. I've worked at places that never changed passwords and I found former employee logins enabled from months ago..

    --
    Fuck Ajit Pai
    1. Re:the work involved.. by arth1 · · Score: 5, Interesting

      It's fairly impossible to audit all systems to the extent needed. You can easily burn enormous amounts of money and time doing that, and the remedies can disrupt production more than the damage the disgruntled employee would do.

      There are so many ways to hide what you're doing that even rebuilding all systems isn't enough. Dangers can hide not only in backdoors, but dead man switches built in to compilers, stored procedures in databases, backups, or the Boss' PC, for that matter.

      So instead of sending good money after bad, it can be immensely sensible to let things be and instead try to ensure that the employees don't leave disgruntled.

    2. Re:the work involved.. by techno-vampire · · Score: 4, Interesting

      It's fairly impossible to audit all systems to the extent needed.

      If the back door is as well hidden as the one Ken Thompson hid in an early version of Unix, a complete audit of the source code and complete recompile of everything won't be enough to get rid of it. Of course, not many people are capable of pulling that kind of stunt off.

      --
      Good, inexpensive web hosting
  2. Three words by pjt33 · · Score: 4, Insightful

    Dead man's switch.

    1. Re:Three words by CharlyFoxtrot · · Score: 5, Insightful

      But really, the best thing to do is to treat your IT staff properly in the first place.

      This. I don't understand why it's so hard to grasp for some organizations. Pissing off IT is like telling your mechanic he's an asshole while he's working on your brakes. Sure most are consummate professionals but sooner or later you'll hit on one that isn't and then there'll be hell to pay.

      --
      If all else fails, immortality can always be assured by spectacular error.
    2. Re:Three words by Anonymous Coward · · Score: 5, Insightful

      This.

      I've worked in a highly stressful environment before where I didn't know if I was going to still have a job the next day or not. I had everything set up sufficiently complex, but still for good reasons, that if they had fired me, getting someone else to fix it would have been a nightmare and cost them a fortune, which they would find out as soon as they tried to get someone else to go in and fix it.

      Since I left on good terms I overhauled everything before I left and took out most of the non-bog-standard bits I had implemented. They ended up with a slightly worse, but fixable-in-a-pinch, system.

      Had the work environment been less stressful I wouldn't have felt it necessary to go through all of the trouble, but they decided to make it that way, so I decided to build some security into my job that was otherwise nonexistent.

      This is still an extremely unprofessional thing to do. What if it breaks while you are on vacation? What if something happens to you? What if you get mono and can't work for three months? What if you get in a car accident and are in the hospital for months? What if your code gets audited and you get called out for writing shit code?

    3. Re:Three words by Cramer · · Score: 5, Informative

      I'm sorry, but that's the a**hole way of running a network... make the place unnecessarily complex so you're the only one who knows how any of it works so "they don't dare fire me." That rarely works out well -- and often encourages firings. Having been the replacement and consultant called in to sort it all out, I support the death penalty for such people.

    4. Re:Three words by PitaBred · · Score: 4, Insightful

      If they cared about that shit happening to him, they would have treated him better. What goes around, comes around. They aren't treating him well enough to care.

    5. Re:Three words by Evil+Shabazz · · Score: 4, Insightful

      Indeed. In my experience, the folks who talk about making systems "so complex only they know how to fix them" don't actually really know what they're doing anyway. The real truth is usually that they've got things set up so batshit crazy trying to hide their mediocrity in this "you can't fire me now!" excuse.

      --
      Down with the career politician! SUPPORT TERM LIMITS
    6. Re:Three words by tsm_sf · · Score: 5, Insightful

      If you can't do this you have no business being a consultant (or general employee, for that matter).

      That's a best-case scenario, and you should know it. There are plenty of jobs or projects out there where you will never be given the time it takes to "do it right." If you're the kind of person who's willing to spend their own time documenting systems then more power to you, but most of us don't want to work for free.

      Look, just ask yourself if the unbillable time you're spending is making someone else money. That's the metric you need to keep in your head all the time.

      --
      Literalism isn't a form of humor, it's you being irritating.
    7. Re:Three words by Antique+Geekmeister · · Score: 4, Insightful

      You've left out number 3:

      Being completely forbidden by your manager, or the client, from doing it the faster, cheaper, and simpler way in favor of some approach they're more familiar with, and having to work around the crazy in-house architecture they've already deployed and lack willingness or political capital to throw out.

    8. Re:Three words by CrashandDie · · Score: 4, Insightful

      Look, just ask yourself if the unbillable time you're spending is making someone else money.

      Sure it is, but if you've worked out a good relationship with your boss, or if you negotiated your package right, all that should swing back in your bucket. That's how my previous gig was (infosec consultant); I would work insane weeks, over 90 hours a week in the worst cases, but I either got it back in double as holidays, or healthy financial bonuses.

      My bonuses equaled my salary at the end of the first year; at the end of the second year, my bonus was 3 times as high as my salary.

      There's working like an idiot, and then there's knowing how much your work is worth.

  3. Multiple Backdoors by Bryansix · · Score: 4, Interesting

    I usually put in multiple backdoors. Not out of malicious intent but because I support customers who are so far away that I don't want to drive out there all the time. Now this might include software or even out of band management, VPN, etc. Basically, if you put yourself in a position where you have to fire your IT staff then you are a moron. Always do background checks because you are going to be giving these people the keys to the city.

  4. logic bombs on a timer by ei4anb · · Score: 4, Interesting

    The worst timed logic bomb I have had to deal with was by an intern who was looking for more pay. He had written a statistical analysis program that would have started to introduce subtle errors several weeks after he had left. If I had not found it then our stats would have become useless after a few months of that mangling. I assume he was hoping we would notice data errors, panic and re-hire him to fix it without realizing that he had caused the errors. I became suspicious when the timestamp on the Java source was newer than the class file so I did some reverse engineering. He had edited the logic bomb out of the source after compiling.

    1. Re:logic bombs on a timer by twebb72 · · Score: 5, Funny

      The worst logic bomb I had to deal with was written similarly by an underpaid (debatable) programmer. He set it up so that when money was exchanged between accounts the program would then truncate the remainder. This, in fact, was only a fraction of a cent. Then he took that remainder (once it had accumulated a bit) and transferred it out into a bank account of his own. As it turns out, it was relatively easy to install.

      We were so far behind for the Y2K updates, most people simply didn't notice. A couple days later the building burned down.
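The source-newer-than-class mismatch ei4anb describes above, turned into a check a defender can run over a build tree. This is an added example, not code from the thread; it assumes javac wrote each .class next to its .java (same directory, inner classes matched to their outer source) and builds a constructed fixture in a temp directory to run against.

```python
import os
import tempfile
from pathlib import Path

def audit_class_tree(root: str) -> dict[str, list[str]]:
    """Compare every .class file under root with its .java source.

    'source_newer': the source was modified after the class was compiled, so
    the bytecode that actually runs is not what the source shows (the mismatch
    ei4anb noticed). 'no_source': bytecode with no source at all.
    Assumes classes sit next to their sources; Outer$1.class maps to Outer.java.
    """
    findings = {"source_newer": [], "no_source": []}
    for cls in Path(root).rglob("*.class"):
        outer = cls.stem.split("$")[0]
        src = cls.with_name(outer + ".java")
        rel = cls.relative_to(root).as_posix()
        if not src.exists():
            findings["no_source"].append(rel)
        elif src.stat().st_mtime > cls.stat().st_mtime:
            findings["source_newer"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings

def build_sample_tree() -> str:
    """Constructed fixture: Stats compiled after its last edit (clean),
    Report edited 60 s after compiling (suspicious), Hidden with no source."""
    root = Path(tempfile.mkdtemp(prefix="classaudit-"))
    pkg = root / "com" / "example"
    pkg.mkdir(parents=True)
    base = 1_600_000_000  # fixed epoch so mtimes are reproducible
    # name -> (source mtime offset, class mtime offset); None = no such file
    fixture = {"Stats": (0, 60), "Report": (120, 60), "Hidden": (None, 60)}
    for name, (src_off, cls_off) in fixture.items():
        cls = pkg / f"{name}.class"
        cls.write_bytes(b"\xca\xfe\xba\xbe")  # class-file magic only, constructed
        os.utime(cls, (base + cls_off, base + cls_off))
        if src_off is not None:
            src = pkg / f"{name}.java"
            src.write_text(f"public class {name} {{}}\n")
            os.utime(src, (base + src_off, base + src_off))
    return str(root)

if __name__ == "__main__":
    print(audit_class_tree(build_sample_tree()))
```

A clean build from version-controlled source and a diff of the resulting bytecode against what is deployed closes the gap this check only points at.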

  5. Re:little OT.... by CharlyFoxtrot · · Score: 4, Insightful

    One of many reasons CEOs are given golden parachutes is to keep them quiet about trade secrets and certain contacts. Whether or not that happens is debatable, but discretion is basically paid for.

    Why not give similar parachutes to IT admins to follow these unwritten practices? If the CEOs are the frontmen, ITs are the infrastructure of the organization. Treat them like gatekeepers instead of disposable footmen. They have the keys to the castle. And all the secret entrances.

    The janitor has all the keys to the building and the cook could poison everyone if he wanted, but those people aren't afforded the respect they deserve either. CEOs are given golden parachutes by their buddies who they'll see at the golf club and who they can maybe return the favor later on the board of some other company. We're just staff and staff don't get golden parachutes, they get concrete shoes.

    --
    If all else fails, immortality can always be assured by spectacular error.
  6. My accidental SSH backdoor... by Anonymous Coward · · Score: 4, Interesting

    I had to administer a system when the vendor's software would fail on the rollover for the day. So it would fail at 5 am, and I would have to be the one to come in to fix it. As it happens at least once every two weeks, I started to SSH in to fix it rather than rush to work and have to work an extra three hours that day (and not be compensated for it). The policy that I fought to implement at work was to do a quick audit, change any passwords/keys for any remote entry and to actually create passwords for many of the accounts that did not have passwords. So done and done I thought.

    To continue: I had many problems with upper management, one of which was their wanting me to 'tweak' time sheet accounting so that new entry level minimum wage employees were paid for as little as 75% of their legitimate hours worked. I thought this was particularly dickish as they fired employees on a project basis and anyone was usually fired within two weeks. So I quit and tried to get myself as good a parachute as I could.

    Well, two weeks after I left I found out the newbie replacement didn't perform the audit when I accidentally clicked on a bookmark at home (PuTTY) and I was suddenly in a server from my old job. I logged out and didn't feel particularly compelled to tell them that my keys were still trusted. About a month later I made the same mistake. The hole was no longer there. I thought to myself, "Good for him. I guess he's not so incompetent at all."

    But curiosity a la Facebook and Twitter revealed that a server had actually gone down that day. Apparently there was a 'rm -rf' oopsy!!!

    The story continues, but the end result is that he managed to destroy three servers within a month of my leaving. If I had been malicious I don't think I could have caused that much destruction...
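The two things the audit policy in this post covers, keys still trusted for remote entry and accounts with no password at all, as an added example that is not from the thread. It parses a constructed authorized_keys file and a few constructed /etc/shadow lines against an assumed list of departed accounts; attributing a key to its owner from the key comment is a heuristic, which is why an unattributable key is itself reported.

```python
AUTHORIZED_KEYS = """\
# ~appuser/.ssh/authorized_keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA ops-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyB jdoe@home
command="/opt/bin/rollover-fix.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyC
"""
SHADOW = """\
jdoe:$6$constructed$hash:18900:0:99999:7:::
svcapp::18800:0:99999:7:::
former:!:18700:0:99999:7:::
"""
DEPARTED = {"jdoe", "former"}  # assumed list of accounts that should be gone

def parse_authorized_key(line):
    """Return (options, key_type, comment) or None; options may precede the key."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, " ".join(tokens[i + 2:])
    return None

def audit_authorized_keys(text, departed, source="authorized_keys"):
    """Flag keys that belong to departed users, and keys nobody can attribute."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_authorized_key(line)
        owner = parsed[2].split("@")[0] if parsed else None  # heuristic: comment names owner
        if parsed is None:
            findings.append((source, n, "unparseable entry"))
        elif not owner:
            findings.append((source, n, "key has no comment; owner unknown"))
        elif owner in departed:
            findings.append((source, n, f"key still trusted for departed user {owner}"))
    return findings

def audit_shadow(text, departed, source="shadow"):
    """Flag passwordless accounts and departed users whose account is not locked."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((source, n, f"account {user} has no password"))
        elif user in departed and not pw.startswith(("!", "*")):
            findings.append((source, n, f"departed user {user} still has an active password"))
    return findings
```

Run the same two functions over every user's authorized_keys file and the real shadow file; the sample strings here only stand in for those inputs.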

  7. So what is the advice by bugs2squash · · Score: 4, Interesting

    for those that are terminated and have no intention of connecting back in? After all, if I am let go, the last thing I want is for my old credentials to be used by someone to trash something and have suspicion fall on me.

    --
    Nullius in verba
  8. Re:More like not keeping people who'd do that by cjb658 · · Score: 4, Insightful

    As an (ex-)employee, it would be to your advantage to maintain good relations with your previous employer anyway, unless you don't plan on ever using them as a reference.

  9. Re:terminated under duress by bill_mcgonigle · · Score: 4, Interesting

    Relatively current events counterexample A: Terry Childs

    He may have bucked the chain of command, but if his employer had sat him down, said, "look, Terry, we think you'd be better off somewhere else - we're going to keep you on until you find a better opportunity, and we're going to help you do that," he would have probably said, "yeah, but you have nobody else here who can handle this thing. You're going to need to hire a firm to manage this or get some better talent on staff," which seemed to be his motivating concern. And so they probably would have done that, and nobody would have gone to jail.

    Instead it seemed like a "give us the passwords and um, no you don't need to clean out your desk, why?" kind of scenario. I'm not meaning to absolve Childs of incorrect behavior, but a little Golden Rule would have gone a long way there. I think this is what the GP meant by not disgruntling the employees.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  10. Has to be said by Dunbal · · Score: 5, Insightful

    You get what you pay for. You hire for the lowest possible salary and treat your professionals like unskilled laborers, well, don't be surprised. A professional would never dream of doing something like this - but then again a professional would not work for peanuts either.

    --
    Seven puppies were harmed during the making of this post.
  11. Treat people humanely? by happyhamster · · Score: 4, Insightful

    How about a radical idea of treating employees as people, with respect and dignity, and they will treat you likewise in return? I know I'm stepping a little above the topic, as you asked what to do when you do fire people suddenly without a cause. Please bear with me and don't "escort me out" yet. The way employees are treated in the U.S. nowadays is despicable. It would be unacceptable just a few decades ago in this very country, and it is still unacceptable in many parts of the world. An executive firing employees without good cause would and should be roughed up good after work to freshen their understanding of "immoral". American society should make it socially unacceptable, with after-work consequences, to fire people without a good cause, regardless of "laws" bought by corporations in the last decades.