Slashdot Mirror
Company's Former IT Admin Accused of Accessing Backdoor Account 700+ Times (bleepingcomputer.com)
An anonymous reader writes:
"An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer," reports BleepingComputer. Court papers reveal the IT admin left to be the CTO at one of the sportswear company's IT suppliers after working for 14 years at his previous employer. For more than two years, he's [allegedly] been using an account he created before he left to access his former colleagues' emails and gather information about the IT services they might need in the future. The IT admin was fired from his CTO job after his new employer found out what he was doing.
One backdoor, which enabled both VPN and VDI connections to the company's network, granted access to a "jmanming" account for a non-existent employee named Jeff Manning...
One backdoor, which enabled both VPN and VDI connections to the company's network, granted access to a "jmanming" account for a non-existent employee named Jeff Manning...
This is why you need all accounts backed by an HR system. The employee record changes to anything but active, all access is automatically revoked. It amazes me in this day and time that there are still rogue accounts in large enterprises. This is also a great case for single sign-on where you kill all access in one place.
Fuck you slashdot. I've clicked on the link, but only with a referer-blocker, so no money for you...
An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer.
According to court documents, Michael Leeper worked for Columbia Sportswear between 2000 and 2014, going through several positions up to senior director of technology infrastructure.
In March 2014, Leeper left Columbia Sportswear to become the CTO at Denali Advanced Integration, a company that sold IT products and provided various consulting services.
During his tenure at Columbia, Leeper had interacted with Denali several times, as Denali was one of the many companies from where Columbia bought hardware and software for its business that spanned several states.
Leeper left two backdoors on Columbia's network
In court documents filed by Columbia on March 1, the company alleges that days before he left, Leeper installed two backdoors on their network.
The backdoors included an account named "jmanning" for a non-existent employee named Jeff Manning, which granted Leeper access to Columbia's network via VPN (Virtual Private Network) and VDI (Virtual Desktop Interface) connections.
The second backdoor was an account named "svcmon," which already existed on the company's network, and which Columbia's IT admins used to monitor network activity.
Columbia said the account had been discontinued in 2007, as they've moved to another monitoring system that didn't need that account. Furthermore, they say that before he left, Leeper also assigned extra permissions to the svcmon account.
Leeper used accounts to get insight in Columbia's business decisions
Columbia claims Leeper used these two accounts (mainly the jmanning account) on more than 700 different occasions to access its network and then to access the email accounts of various Columbia employeesm from where he gained insight into the company's upcoming business decisions, especially those related to its IT infrastructure.
This information allowed Leeper to gain a competitive advantage in his dealings as Denali CTO with his former employer. The legal complaint gives the following example:
In at least one case, Leeper specifically targeted an email concerning a transaction in which Denali had a potential business interest. As of approximately 3:47 p.m. on July 27, 2016, Leeper had logged into the two IT employees’ email accounts and was accessing messages in one of the employees’ “Sent Items” folder.
At 3:47:26, a message with the subject line “Pure Storage Partner Discussion” arrived in the other employee’s inbox. Within the same second—i.e., at 3:47:26—Leeper switched into the recipient’s email account and accessed the new message. He then returned to and continued accessing the “Sent Items” folder of the first employee. Pure Storage, Inc. is a well-known provider of computer equipment with whom Columbia was exploring a potential transaction. Though Denali resells equipment of the type that Pure Storage manufactures, Denali was not at that time an approved reseller for Pure Storage. As a result, Denali would not have been eligible to participate as a reseller in that transaction. However, during the summer or early fall of 2016, Columbia learned that Denali had become an “approved” Pure Storage reseller.
Hack discovered in the summer of 2016
Columbia said it discovered the intrusion in the summer of 2016, during an upgrade to its email system. The FBI was called in to investigate, and the sportswear maker also allocated financial resources to investigate and deal with the hack.
"Columbia brings this lawsuit to recover damages associated with Defendants’ unlawful intrusions into its private computer network, to secure the return of whatever unlawfully accessed Columbia information th
We get a current employee list from HR quarterly, and all employee changes immediately. Any account, including service accounts, that don't have a clear owner and purpose are disabled. There's no way an invalid user should have been in place for years.
IT people usually have all the keys to the kingdom, and when they leave, anything that might go wrong they will be scapegoated and blamed for by current management. For people who actually want to run a reasonable business that isn't full of a bunch of sociopaths playing masturbatory politics, whenever a manager blames the last person in a position, they are really doing is eliminating their own ability to learn and grow. Depending on the enterprise, that can lead to legal shenanigans as well.
Once you're out the door, you're out. Don't even leave yourself the ability to VPN into work or access systems, don't try, don't even ping the external IP's. If management needs you after that, you charge contractor rates, 50% upfront, 50% at time of delivery, all in writing, and watch for bankruptcy filings so you can get yours in first.
With that said, guy obviously did not have the slightest clue on IT security or he'd figure out how not to get caught.
This is just a plain and simple dishonest individual. Too bad they have to give IT professionals a bad name. He needs to be in jail.
"Larry O'Reilly", just didn't look right. So he went with "Jeff Manning".
An Oregon sportswear company...
Why the generic descriptor? Say the name of the company - Columbia in this case. It's not as if no one has ever heard of them or they need their identity protected. Plus the company is named in the article.
And what, pray tell, is American Culture? Oops...
If you fail to pay severance benefits, one has to help oneself!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Indeed here's the ranking of who has the power to decide how things actually work in a modern company, from least powerful to most powerful:
Line workers
Line supervisors
Mid management
Directors / VPs
C*O
Board of directors
System administrator
If the system administrator wants all of the CEO's documents to disappear, they can make that happen, during their employment or even after they are no longer employed. A company should be careful who they have doing system admin, because the admins can read all of your email, change your files, etc. That's one reason it's a *brilliant* idea to outsource this work to people you've never met, and who are in the other side of world, untouchable by your country's law enforcement.
Don't you mean Jeff Manming?
Ask your kids, they're at least half American. It spreads via TV.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
This is totally true and feasible in the enterprise. I work for a company that sells a product that aggregates all existing accounts, and then periodically sends out emails to managers saying, "Here's a list of accounts belonging to your team." The manager has to approve each one or revoke them. That way, there is accountability down the road if it turns out there were lingering accounts that shouldn't have been accessible or exploitable. Can also be used to certify the accounts on each remote application by the application "owner" or administrator.
These certifications are then reviewed by third-party auditors to validate their completeness. Several other vendors offer similar variations of this functionality.
$5 / month hosted VPS on linux = awesome!
I'll just leave this here:
http://io.fondoo.net/
"Fun fact: you could telnet to password.io.com from anywhere in the world, and log on as guest. Lynx, a text-only web browser, was configured as the shell, and you would then be presented with a sparse version of the web-based customer account tools found at http://password.io.com/. This was so customers could reset their own password, update their address, set their PLAN file, etc.
IO forgot to disable browsing the filesystem (press g, period, enter). Also, IO never enforced uniform file and directory permissions or audited active accounts. As a result, through 2004, after IO was taken over by Prismnet (or later), you could roam around and directly view many customer's private files, email, and IO's sensitive system areas. You could also open the Lynx config to define a custom "editor" and thus actually edit files, or run executables. This was a direct back-door into everything! This continued a full two years after IOCOM "hardened" their network to sell network security services."
In most companies, high-ranking technical personnel, such as this CIO, either have access to the backups or can get such access. At least that's my experience. Even when backups are handled by an external company, an IT person can call Iron Mountain and cancel the backup service (just before wiping the primary mail server).
Even in large companies, many sysadmins have full access to everything, especially those involved in any sort of identity management. In most WIndows environments and projects I've worked on, I've either had or had the ability to gain domain admin access, which is basically as good as having full access. Since we're not licensed professionals, most of us don't learn anything about ethics or the way to responsibly manage your access. I do want to keep my reputation somewhat intact, so whenever I leave an employer or get assigned to another project where I don't need the access, I'm very careful to give it up completely. I take the time to ensure everyone involved knows I've disabled accounts and handed access over to the next person. I've had a couple times where an employer has asked me to come back and help the new guy for a couple hours, and I make sure they create new accounts and remove them immediately. It makes sense -- you wouldn't let an employee you fired keep his badge and keys regardless of the situation.
Of course, this situation sounds like the person was planning from the outset to set up his own backdoor and use it. As much as I hate the idea of malpractice insurance, I think it might be time for something similar in the IT world. Computers and access to them are more important than ever and having someone do something like this can damage a company's results and reputation.
A lot of employers I've been in don't need a "backdoor", because their access-controls and account-management are so effing terrible there's almost always remnants of old accounts.
I had an old-old employer of mine for whom some of their sites were still emailing for years after employment with "hey, we miss you, please come back." I've never bothered to see if I still have admin-level access, but I wouldn't be surprised?
How can this be, you ask? Well they wanted us to use usernames and email addresses that weren't part of the company to hide when we were acquiring various assets so that the users didn't revolt (hey, how come there's all these new admins with @company.com addresses). Hence it wasn't obvious to either the users OR the admins who was a corporate user or not.
I haven't seen an email about that in a year or two now, but that's also possibly because I blocked most of them or marked them as spam.
Before you hang this guy out to dry, please keep in mind---innocent until proven guilty.
First, this is not back door access. (Something he could have set up.)
This is leaving yourself keys to the front door though legitimate accounts regulated by IT and company security.
Back door access would be installing an unauthorized program that provides remote access without the knowledge of company IT.
That is to say you cannot claim back door when the user is legitimately logging in through the employee VDI.
I wish to draw your attention to the sheer volume of logins as an indication of reoccurring scripting and not malicious intent.
You would have to be an IT worker to understand this but there is no damn reason to login 700 times to steal data. To make a real life
comparison, that would be like invading someone's home 700 times to swipe files off of the counter top.
Speaking of jmanning, that could easily be a user test account for a variety of applications and modification to service
account could easily be within the scope of work at that site. And frankly, when he is no longer with the company
he shouldn't be accessing data---and the company should close the account, but it is not unheard of to transition
an admin gracefully or for the new admin to be unfamiliar / an idiot and the CEO to call up the old one and ask for help.
And, we certainly don't know the full story.
While the people here are may be qualified to judge this guy, the court of public opinion really isn't.
They tend to take IT issues and blow them out of proportion. Every field has criminals.
Professional ethics are all that stop IT guys from going rogue. Doctors and Lawyers don't discuss secrets.
News reporters don't give sources. IT guys don't go rogue with data. CEO's make bad decisions and deals.
There's no movies about IT guys getting fired for applying a patch that disrupted business
and walking away and handing in his badge and credentials to people who have no idea what happened.
IT guys are professionals. We are treated like digital janitors with all the shit we deal with but we have a code.
I would make the case any critical employee can sink a company ship though incompetence or on purpose.
Your IT guy for the most part does what he is required to do and goes home. That's it.
Fair, innocent until proven guilty.
Now, I have seen it myself that once you need to make numbers or prove yourself, ethics are the first thing to go out of the window. This fellow was a senior executive at a services/hardware company. He was probably keen to impress his new employers and frustrated that his previous employer was probably treating him just like any other vendor (as they should).
You end up at a new place, who have hired you because of your experience and ties. The problem is, once you're out of a specific environment, people's memories are short and no one really helps each other. The reasons and advantages that your new company hired you for disappear in a matter of months, and one gets desperate to keep that BMW, house in the suburbs, kids in summer camp, vacation in the Bahamas, etc.
I have seen a lot of folks take lofty roles that they were ill-suited for and had their illusions of grandeur take the better of them. Before you know it, they are trying to "have a coffee" with everyone and anyone just to get that tidbit of a lead or make sure that the IT manager/director remembers them when they are seeking some new HW or SW contract.
"Jeff Manning" is the name of the most famous political reporter in the Portland metro area. He reports for both The Oregonian, the only daily newspaper, and for Oregon Public Radio, the state network of NPR-affiliated public radio stations.