Slashdot Mirror


Searching For Backdoors From Rogue IT Staff

WHiTe VaMPiRe writes "When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. Here is an exploration of the steps necessary to maintain security." Of course the first piece of advice is to basically assume you've been rooted. Ouch.

  1. the work involved.. by Nick · · Score: 5, Insightful

    to audit your system under the assumption you've been rooted should happen once a year at a minimum anyway, not just when you suspect a rogue employee left on bad terms. I've worked at places that never changed passwords and I found former employee logins enabled from months ago..

    --
    Fuck Ajit Pai
    1. Re:the work involved.. by arth1 · · Score: 5, Interesting

      It's fairly impossible to audit all systems to the extent needed. You can easily burn enormous amounts of money and time doing that, and the remedies can disrupt production more than the damage the disgruntled employee would do.

      There are so many ways to hide what you're doing that even rebuilding all systems isn't enough. Dangers can hide not only in backdoors, but dead man switches built into compilers, stored procedures in databases, backups, or the Boss' PC, for that matter.

      So instead of sending good money after bad, it can be immensely sensible to let things be and instead try to ensure that the employees don't leave disgruntled.

  2. Re:Three words by CharlyFoxtrot · · Score: 5, Insightful

    But really, the best thing to do is to treat your IT staff properly in the first place.

    This. I don't understand why it's so hard to grasp for some organizations. Pissing off IT is like telling your mechanic he's an asshole while he's working on your brakes. Sure most are consummate professionals but sooner or later you'll hit on one that isn't and then there'll be hell to pay.

    --
    If all else fails, immortality can always be assured by spectacular error.
  3. Has to be said by Dunbal · · Score: 5, Insightful

    You get what you pay for. You hire for the lowest possible salary and treat your professionals like unskilled laborers, well, don't be surprised. A professional would never dream of doing something like this - but then again a professional would not work for peanuts either.

    --
    Seven puppies were harmed during the making of this post.
  4. Re:logic bombs on a timer by twebb72 · · Score: 5, Funny

    The worst logic bomb I had to deal with was written similarly by an underpaid (debatable) programmer. He set it up so that when money was exchanged between accounts the program would then truncate the remainder. This, in fact, was only a fraction of a cent. Then he took that remainder (once it had accumulated a bit) and transferred it out into a bank account of his own. As it turns out, it was relatively easy to install.

    We were so far behind for the Y2K updates, most people simply didn't notice. A couple days later the building burned down.

  5. Re:Three words by Anonymous Coward · · Score: 5, Insightful

    This.

    I've worked in a highly stressful environment before where I didn't know if I was going to still have a job the next day or not. I had everything set up sufficiently complex but still for good reasons, that if they had fired me getting someone else to fix it would have been a nightmare and cost them a fortune, which they would find out as soon as they tried to get someone else to go in and fix it.

    Since I left on good terms I overhauled everything before I left and took out most of the non bog standard bits I had implemented. They ended up with a slightly worse but fixable in a pinch system.

    Had the work environment been less stressful I wouldn't have felt it necessary to go through all of the trouble, but they decided to make it that way, so I decided to build some security into my job that was otherwise nonexistent.

    This is still an extremely unprofessional thing to do. What if it breaks while you are on vacation? What if something happens to you? What if you get mono and can't work for three months? What if you get in a car accident and are in the hospital for months? What if your code gets audited and you get called out for writing shit code?

  6. Re:Three words by Cramer · · Score: 5, Informative

    I'm sorry, but that's the a**hole way of running a network... make the place unnecessarily complex so you're the only one who knows how any of it works so "they don't dare fire me." That rarely works out well -- and often encourages firings. Having been the replacement and consultant called in to sort it all out, I support the death penalty for such people.

  7. Re:Three words by tsm_sf · · Score: 5, Insightful

    If you can't do this you have no business being a consultant (or general employee, for that matter).

    That's a best-case scenario, and you should know it. There are plenty of jobs or projects out there where you will never be given the time it takes to "do it right." If you're the kind of person who's willing to spend their own time documenting systems then more power to you, but most of us don't want to work for free.

    Look, just ask yourself if the unbillable time you're spending is making someone else money. That's the metric you need to keep in your head all the time.

    --
    Literalism isn't a form of humor, it's you being irritating.