Slashdot Mirror

← Back to Stories (view on slashdot.org)

Company's Former IT Admin Accused of Accessing Backdoor Account 700+ Times (bleepingcomputer.com)

Posted by EditorDavid on from the network-no-no's dept.

An anonymous reader writes: "An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer," reports BleepingComputer. Court papers reveal the IT admin left to be the CTO at one of the sportswear company's IT suppliers after working for 14 years at his previous employer. For more than two years, he's [allegedly] been using an account he created before he left to access his former colleagues' emails and gather information about the IT services they might need in the future. The IT admin was fired from his CTO job after his new employer found out what he was doing.
One backdoor, which enabled both VPN and VDI connections to the company's network, granted access to a "jmanming" account for a non-existent employee named Jeff Manning...

34 of 63 comments (clear)

  1. Poor Governance by jeauxkewl · · Score: 3, Insightful

    This is why you need all accounts backed by an HR system. The employee record changes to anything but active, all access is automatically revoked. It amazes me in this day and time that there are still rogue accounts in large enterprises. This is also a great case for single sign-on where you kill all access in one place.

    1. Re:Poor Governance by chmod+a+x+mojo · · Score: 5, Informative

      Yeah... because the guy setting up that system wouldn't be able to hide anything he wants outside of the system on those servers. You know, like hiding a backdoor, I mean it's not like he was the ADMINISTRATOR, and had full unlimited access to the servers for a long time or anything....

      You can make all the damn rules and regulations you want, but in the end you are bound to having to trust the people who have full access to the systems to implement those rules properly. There will always be someone somewhere in the setup chain that will not be bound to those rules yet, as the settings and rules won't exist on the servers yet.

      --
      To err is human; effective mayhem requires the root password!
    2. Re:Poor Governance by jeauxkewl · · Score: 2

      Not disagreeing with you at all, just saying proper governance minimizes the risk. Their governance was shit.

    3. Re:Poor Governance by rickb928 · · Score: 4, Insightful

      Security based on access control alone is inadequate. It must be supported by auditing and reporting.

      Then you can audit enabling and use of services and access, justification and documentation of users and their accesses, and confirmation of declined/terminated access.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    4. Re:Poor Governance by Joe_Dragon · · Score: 1

      And that brakes some automated system or dumb HR system has IT admin = ROOT and blocking root shuts down the system in full.

    5. Re:Poor Governance by quonset · · Score: 1

      And that brakes some automated system or dumb HR system has IT admin = ROOT and blocking root shuts down the system in full.

      It would shut the system down, but only after the brakes are applied for a sufficient amount of time to bring everything to a halt.

    6. Re:Poor Governance by mindwhip · · Score: 4, Insightful

      He didn't access his own account. He set up a "fake" account for a 'fake' employee that didn't exist which could be done even using the HR link if he he had access to add records to that database. Or he could have set up additional access on some other employee (say a driver) who rarely used the wider computer systems and wouldn't notice the extra access.

      But HR links like that don't really work in the real world anyway. It doesn't allow for most large corporate set-ups where mainframe needs to talk to linux box that needs to talk to an oracleDB that needs to be accessible by a java batch job that needs to write output to the windows domain server file system so a human can check it before uploading it to an SFTP gateway box for an external customer to collect.

      You don't just have accounts that are pure user accounts. You need mechanisms and accounts to allow system to system communications and logins for moving data between automated systems and for a large company it would be easy for an admin with sufficient privileges to hide a back-door amongst all these inter-system communication accounts (or even just hijack one or two legitimate ones, having copied passwords and other keys).

      --
      [The Universe] has gone offline.
    7. Re:Poor Governance by apparently · · Score: 1

      Yeah... because the guy setting up that system wouldn't be able to hide anything he wants outside of the system on those servers. You know, like hiding a backdoor, I mean it's not like he was the ADMINISTRATOR, and had full unlimited access to the servers for a long time or anything....

      You can make all the damn rules and regulations you want, but in the end you are bound to having to trust the people who have full access to the systems to implement those rules properly. There will always be someone somewhere in the setup chain that will not be bound to those rules yet, as the settings and rules won't exist on the servers yet.

      Oh noes! He was the ADMINISTRATOR? In ALL CAPS? It's almost as if after the shitbird was shitcanned, the OTHER ALL CAPS ADMINISTRATORS should have been auditing service accounts and user accounts. These were deeply hidden "backdoors".

    8. Re:Poor Governance by Anon-Admin · · Score: 3, Informative

      That sounds easier than it really is.

      I once found a root cron job that ran a script that was about 100 lines long. That script called another script that was close to 1000 lines long. The admin hid a call in that script to call a third script. That third script would check the time and the accounts, if it was between 00:00 and 02:00 GMT and his account was not in the system it would add the account with root privileges. When 02:00 came around it would delete the account from the system.

      So basicly between 00:00 and 02:00 GMT he could access the system with admin privileges and do whatever he wanted. I only noticed it because I saw a login at 00:30 by an account that did not exist. I almost missed it because it was called deamon and when scanning the logs you can dismiss it as the daemon account. It took me days to find where the add and delete user account commands were hidden.

    9. Re:Poor Governance by TheCarp · · Score: 1

      > It amazes me in this day and time that there are still rogue accounts in large enterprises

      I would like to be shocked but, I got over that years ago. I actually got called to a desktop support case once that turned out to be "someone broke in". Did some random damage to equipment that didn't make sense (looked like they had a go at the floppy drive of an old laptop with a screwdriver, in a rather rude way)

      Before I updated my ticket and left it up to security to deal with though.... I did think to check who the last logon was on the PC. My jaw hit the floor when I saw the name was clearly a test account. In a slight rage I typed the name of the test account in as the password and it logged me in.

      Right there from the users desk I looked up the name of someone in the domain admin group and called them up to confirm.... the new production domain.... the new one that was going to banish all the shared accounts with bad passwords.... had well known test accounts with obvious names and passwords.

      --
      "I opened my eyes, and everything went dark again"
  2. Re:Columbia needs auditing by TechyImmigrant · · Score: 1

    We get a current employee list from HR quarterly, and all employee changes immediately. Any account, including service accounts, that don't have a clear owner and purpose are disabled. There's no way an invalid user should have been in place for years.

    Columbia make overpriced clothing, not overpriced software. Maybe they aren't so focused on IT security.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Re:Referer Scam? by Calydor · · Score: 1

    Hovering over the only link in the summary the only thing I see is ... a clean link with no referral tags. What are you seeing?

    --
    -=This sig has nothing to do with my comment. Move along now=-
  4. Don't help out previous employers either. by Anonymous Coward · · Score: 3, Insightful

    IT people usually have all the keys to the kingdom, and when they leave, anything that might go wrong they will be scapegoated and blamed for by current management. For people who actually want to run a reasonable business that isn't full of a bunch of sociopaths playing masturbatory politics, whenever a manager blames the last person in a position, they are really doing is eliminating their own ability to learn and grow. Depending on the enterprise, that can lead to legal shenanigans as well.

    Once you're out the door, you're out. Don't even leave yourself the ability to VPN into work or access systems, don't try, don't even ping the external IP's. If management needs you after that, you charge contractor rates, 50% upfront, 50% at time of delivery, all in writing, and watch for bankruptcy filings so you can get yours in first.

    With that said, guy obviously did not have the slightest clue on IT security or he'd figure out how not to get caught.

    1. Re:Don't help out previous employers either. by rl117 · · Score: 1

      Exactly. If you're ethical, you won't leave any access possible, so there's no doubt as to your integrity. When I left my previous employer, a small business where I had full admin rights (I set most of it up), I made sure to wipe all my ssh keys, lock and delete my accounts so that the company directors could be sure I no longer had any access, remote or otherwise. No cron jobs, no source code, no customer information. A few months later they asked me if I could look into a problem that cropped up, and had to tell them it was impossible since I had no means to log in, but I could visit in person to briefly talk to their new staff. Mutual respect, and no possibility of any suspect practices due to being completely transparent about the leaving process. It's idiots like in TFA that give all of us a bad reputation, or at least cast a shadow of doubt upon our professionalism. Unfortunately, it's all too easy to do that if you don't want to act in good faith, particularly when you are entrusted with privileged access to a companies systems and processes.

  5. Re:Columbia needs auditing by v1 · · Score: 5, Informative

    One of the two accounts he was using was a "service account". You probably have a few of those on your system also, that were not created by any system linked into your HR. The manning account probably should have been automatically disabled however.

    Seeing as he had IT level access, no automated steps are going to be very effective. If he created the manning account manually and there never WAS a mannning user, any automated HR system that removes employees on departure will never trigger on it since it was never in HR to begin with. If your HR system does whitelist filtering instead of blacklist, it has to know which internal and service accounts to skip. (or chaos insues!) An intelligent IT person will simply flip the necessary switches to make the account not show up in the pool that's being whitelist-checked. There's probably an "Employee" checkbox in the account list, and he just unchecks that, and now the HR script ignores him.

    dscl . -list /Users | wc -l
    shows there are 103 accounts on my laptop, only four of which are actual interactive users, the rest are system users like sandbox, daemon, windowserver, etc. A marauding system admin can pretty easily sneak in another plausible looking system account into the list of users that don't show up in most userlists.

    tl;dr: it's not so easy to detect when someone in a privileged position like IT (or your IT admin) has installed a back door. Hiring someone to come in and do an audit (or hiring a competent replacement that does the same) is your best response to an IT departure, and is really a NECESSARY response to any departure of upper IT, even if the departure was on good terms.

    --
    I work for the Department of Redundancy Department.
  6. Even IT professionals have Crooks by Anonymous Coward · · Score: 1

    This is just a plain and simple dishonest individual. Too bad they have to give IT professionals a bad name. He needs to be in jail.

  7. Re:Columbia needs auditing by sjames · · Score: 4, Informative

    Another popular trick is to give one of those service accounts a shell and password so they can double as logon accounts.

  8. Re:Columbia needs auditing by lucm · · Score: 1

    Columbia make overpriced clothing

    Overpriced and also not wrinkle-resistant, as we can see in this video showing that IT guy himself on a lame EMC storage panel.

    https://www.youtube.com/watch?...

    --
    lucm, indeed.
  9. Say the name by sjbe · · Score: 2

    An Oregon sportswear company...

    Why the generic descriptor? Say the name of the company - Columbia in this case. It's not as if no one has ever heard of them or they need their identity protected. Plus the company is named in the article.

    1. Re:Say the name by 110010001000 · · Score: 3, Insightful

      Clickbait tactic. People were probably thinking "Nike".

  10. Hey, it's only fair by Opportunist · · Score: 1

    If you fail to pay severance benefits, one has to help oneself!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:Columbia needs auditing by 110010001000 · · Score: 1

    If you get all employee changes immediately, why do you need a current employee list quarterly? Isn't everything perfect in your world?

  12. Chain of actual authority by raymorris · · Score: 2

    Indeed here's the ranking of who has the power to decide how things actually work in a modern company, from least powerful to most powerful:

    Line workers
    Line supervisors
    Mid management
    Directors / VPs
    C*O
    Board of directors
    System administrator

    If the system administrator wants all of the CEO's documents to disappear, they can make that happen, during their employment or even after they are no longer employed. A company should be careful who they have doing system admin, because the admins can read all of your email, change your files, etc. That's one reason it's a *brilliant* idea to outsource this work to people you've never met, and who are in the other side of world, untouchable by your country's law enforcement.

    1. Re: Chain of actual authority by DeSigna · · Score: 1

      The vast majority of companies in the world, even the developed world, are small enterprises who don't warrant a single IT guy, let alone 3+ to ensure no single person can wander off with the keys to the kingdom. Unless you have a truly poorly-maintained system or utterly helpless desktop users, organisations under 50 seats generally want to outsource to a trusted partner. These will scale from one-man bands with a few sites under their belts up to large multinational IT providers, depending on requirements. Beyond that (rough) point, organisations will start to move chunks of IT responsibility in-house.

      Even with 3+ support staff, usually there's going to be someone who's "more senior" (especially if they've been there 14 years) with not only greater levels of knowledge and access, but a much deeper level of trust from the rest of the team and other parts of the business.

      At some point, you have to trust the people who work for you. Perfectly foreseeable that this would happen if the business focus isn't on securing and silo'ing data from their own staff. If it was, they would have business justification for a larger team and much more oversight from management, even a budget for external audits.

      No sane organisation without such requirements is going to drop 100k+ per FTE on people who spend an idle 70% of work hours just checking each other's actions in case one of them quit. They're very likely to quit from boredom and working conditions, too.

  13. Re:Islam is a cancer by HornWumpus · · Score: 1

    Ask your kids, they're at least half American. It spreads via TV.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  14. Identity Access Management by SethJohnson · · Score: 2

    It must be supported by auditing and reporting.

    This is totally true and feasible in the enterprise. I work for a company that sells a product that aggregates all existing accounts, and then periodically sends out emails to managers saying, "Here's a list of accounts belonging to your team." The manager has to approve each one or revoke them. That way, there is accountability down the road if it turns out there were lingering accounts that shouldn't have been accessible or exploitable. Can also be used to certify the accounts on each remote application by the application "owner" or administrator.

    These certifications are then reviewed by third-party auditors to validate their completeness. Several other vendors offer similar variations of this functionality.

    --
    $5 / month hosted VPS on linux = awesome!
    1. Re:Identity Access Management by Anonymous Coward · · Score: 1

      We have something similar... They have a choice of tasking themselves or their employees to track down accounts, disabling accounts that they don't think are necessary and risk breaking something, or just saying the account is still necessary and moving on. What do you think most managers do?

  15. Illuminati Online "Hardened" Network Services by pepsikid · · Score: 4, Informative

    I'll just leave this here:
    http://io.fondoo.net/

    "Fun fact: you could telnet to password.io.com from anywhere in the world, and log on as guest. Lynx, a text-only web browser, was configured as the shell, and you would then be presented with a sparse version of the web-based customer account tools found at http://password.io.com/. This was so customers could reset their own password, update their address, set their PLAN file, etc.

    IO forgot to disable browsing the filesystem (press g, period, enter). Also, IO never enforced uniform file and directory permissions or audited active accounts. As a result, through 2004, after IO was taken over by Prismnet (or later), you could roam around and directly view many customer's private files, email, and IO's sensitive system areas. You could also open the Lynx config to define a custom "editor" and thus actually edit files, or run executables. This was a direct back-door into everything! This continued a full two years after IOCOM "hardened" their network to sell network security services."

  16. Who sets up the backups, in most companies by raymorris · · Score: 2

    In most companies, high-ranking technical personnel, such as this CIO, either have access to the backups or can get such access. At least that's my experience. Even when backups are handled by an external company, an IT person can call Iron Mountain and cancel the backup service (just before wiping the primary mail server).

  17. Company should have been watching more by ErichTheRed · · Score: 2

    Even in large companies, many sysadmins have full access to everything, especially those involved in any sort of identity management. In most WIndows environments and projects I've worked on, I've either had or had the ability to gain domain admin access, which is basically as good as having full access. Since we're not licensed professionals, most of us don't learn anything about ethics or the way to responsibly manage your access. I do want to keep my reputation somewhat intact, so whenever I leave an employer or get assigned to another project where I don't need the access, I'm very careful to give it up completely. I take the time to ensure everyone involved knows I've disabled accounts and handed access over to the next person. I've had a couple times where an employer has asked me to come back and help the new guy for a couple hours, and I make sure they create new accounts and remove them immediately. It makes sense -- you wouldn't let an employee you fired keep his badge and keys regardless of the situation.

    Of course, this situation sounds like the person was planning from the outset to set up his own backdoor and use it. As much as I hate the idea of malpractice insurance, I think it might be time for something similar in the IT world. Computers and access to them are more important than ever and having someone do something like this can damage a company's results and reputation.

  18. backdoor by phorm · · Score: 1

    A lot of employers I've been in don't need a "backdoor", because their access-controls and account-management are so effing terrible there's almost always remnants of old accounts.

    I had an old-old employer of mine for whom some of their sites were still emailing for years after employment with "hey, we miss you, please come back." I've never bothered to see if I still have admin-level access, but I wouldn't be surprised?

    How can this be, you ask? Well they wanted us to use usernames and email addresses that weren't part of the company to hide when we were acquiring various assets so that the users didn't revolt (hey, how come there's all these new admins with @company.com addresses). Hence it wasn't obvious to either the users OR the admins who was a corporate user or not.

    I haven't seen an email about that in a year or two now, but that's also possibly because I blocked most of them or marked them as spam.

  19. I don't think this guy is guilty; read why below. by Anonymous Coward · · Score: 2, Interesting

    Before you hang this guy out to dry, please keep in mind---innocent until proven guilty.

    First, this is not back door access. (Something he could have set up.)
    This is leaving yourself keys to the front door though legitimate accounts regulated by IT and company security.
    Back door access would be installing an unauthorized program that provides remote access without the knowledge of company IT.
    That is to say you cannot claim back door when the user is legitimately logging in through the employee VDI.

    I wish to draw your attention to the sheer volume of logins as an indication of reoccurring scripting and not malicious intent.
    You would have to be an IT worker to understand this but there is no damn reason to login 700 times to steal data. To make a real life
    comparison, that would be like invading someone's home 700 times to swipe files off of the counter top.

    Speaking of jmanning, that could easily be a user test account for a variety of applications and modification to service
    account could easily be within the scope of work at that site. And frankly, when he is no longer with the company
    he shouldn't be accessing data---and the company should close the account, but it is not unheard of to transition
    an admin gracefully or for the new admin to be unfamiliar / an idiot and the CEO to call up the old one and ask for help.
    And, we certainly don't know the full story.

    While the people here are may be qualified to judge this guy, the court of public opinion really isn't.
    They tend to take IT issues and blow them out of proportion. Every field has criminals.

    Professional ethics are all that stop IT guys from going rogue. Doctors and Lawyers don't discuss secrets.
    News reporters don't give sources. IT guys don't go rogue with data. CEO's make bad decisions and deals.
    There's no movies about IT guys getting fired for applying a patch that disrupted business
    and walking away and handing in his badge and credentials to people who have no idea what happened.

    IT guys are professionals. We are treated like digital janitors with all the shit we deal with but we have a code.
    I would make the case any critical employee can sink a company ship though incompetence or on purpose.
    Your IT guy for the most part does what he is required to do and goes home. That's it.

  20. Re:Columbia needs auditing by TechyImmigrant · · Score: 1

    I wear a Columbia jacket too, but it's not great in the rain because it leaks. It was really designed for snow and excessive cold. I purchased it for a trip to Northern Finland in January.

    However my wife knits me left/right socks and they're bespoke to my feet and use excellent yarn from Ireland since she's the US distributor of that yarn, which makes for nice supplier visits.

    I also live in Oregon and I put up with the wrong Columbia jacket, because it's just water isn't it? Also I'm too cheap to splash out on a new coat.

    Head into their shop near Pioneer square and check out the price of some stretchy lycra bikini like things. They ain't cheap.

    Still, my job in security related things leads to me thinking I could have performed that subterfuge and got away with it. Maybe that's why I'm not an IT manager.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  21. Jeff Manning by klossner · · Score: 1

    "Jeff Manning" is the name of the most famous political reporter in the Portland metro area. He reports for both The Oregonian, the only daily newspaper, and for Oregon Public Radio, the state network of NPR-affiliated public radio stations.