Slashdot Mirror


Rogue System Administrator Faces 10 Years In Prison For Shutting Down Servers, Deleting Core Files On the Day He Was Fired (techspot.com)

Joe Venzor, a former employee at boot manufacturer Lucchese, had a near total meltdown after he got fired from his IT system administrator position. According to TechSpot, he shut down the company's email and application servers and deleted the core system files. Venzor now faces up to 10 years in prison and a $250,000 fine. From the report: Venzor was let go from his position at the company's help desk and immediately turned volatile. He left the building at 10:30AM and by 11:30, the company's email and application servers had been shut down. Because of this, all activities ground to a halt at the factory and employees had to be sent home. When the remaining IT staff tried to restart them, they discovered the core system files had been deleted and their account permissions had been demoted. Eventually the company was forced to hire a contractor to clean up all of the damage, but this resulted in weeks of backlog and lost orders. While recovering from the attack was difficult, finding out who did it was simple. Venzor was clearly the prime suspect given the timing of the incident, so they checked his account history. They discovered he had collected usernames and passwords of his IT colleagues, created a backdoor account disguised as an office printer, and used that account from his official work computer.

41 of 237 comments

  1. At a boot manufacturing facility? by xevioso · · Score: 5, Funny

    I guess he did not like getting the boot.

    1. Re:At a boot manufacturing facility? by K. S. Kyosuke · · Score: 3, Funny

      When the remaining IT staff tried to restart them, they discovered the core system files had been deleted and their account permissions had been demoted.

      I don't understand what kind of boot manufacturing facility cannot boot their servers. Surely not one that I would buy my boots from!

      --
      Ezekiel 23:20
  2. at the boot factory by OutOnARock · · Score: 2

    .....find someone to fill your shoes...

    I see what you did there

  3. Disguised as an office printer by PPH · · Score: 5, Funny

    It all happened so fast, officer. He ran that way. He was short, beige and had a tattoo that said Lexmark.

    --
    Have gnu, will travel.
  4. Probably stale by somenickname · · Score: 2

    Those core files were probably stale anyway.

  5. Re:this is why you need two factor auth by MichaelSmith · · Score: 3, Insightful

    An admin can still override authentication. What's needed is to bring the new admin in before you sack the old one. He removes admin privileges from the guy being sacked. That, or isolate the system from the outside world for a while, but in this day and age that may be impossible from a business perspective.

  6. I don't quite get it by 93 Escort Wagon · · Score: 5, Informative

    Are we supposed to be outraged or something? It sure sounds like the guy deserved to be fired - and, based on the actions he took after being fired, he deserves prison time and a significant financial penalty.

    --
    #DeleteChrome
  7. Re:this is why you need two factor auth by Anonymous Coward · · Score: 2, Insightful

    In this case, they did remove admin privileges from the guy being sacked; he used other people's accounts to access things remotely.

    Two Factor authentication could have blocked that by preventing him from impersonating other admins.

  8. Backups? by sokk · · Score: 2

    It's 2017. Everything should be running in VMs, and snapshots of those VMs should've been backed up. Guess the IT department wasn't up to scratch.

    1. Re:Backups? by rtb61 · · Score: 2

      Whoops, forgot the required car analogy. It was like the help desk guy cut them off and, as a result of really poor management, all four wheels fell off the car when they swerved due to no lug nuts, the front of the car dug into the road, the car then flipped and went off a cliff. Dude just cut them off; the wheels should never have fallen off.

      --
      Chaos - everything, everywhere, everywhen
  9. I always delete core files by ooloorie · · Score: 4, Funny

    They are a bloody nuisance and just take up disk space.

  10. Sloppy. by Gravis Zero · · Score: 5, Informative

    Come on, people, if you are going to get revenge on the company that canned you, you're supposed to set up a daemon on day one that checks to see if you have logged in the last month and then begins corrupting backups as they are made for the next 5 months, at which time it will execute a total system meltdown that results in total data loss! I swear, you youngin's know nothin' about properly destroying the lives of those who have wronged you! ;)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Sloppy. by onepoint · · Score: 4, Interesting

      And while I know you are sarcastic, it's people that think in this manner that ruin people's lives for years. I almost lost my company if it was not for my backup policy. I would do back-ups monthly myself on Saturday morning and retrieve the cassettes Sunday afternoon, take them home and store them. An employee that I fired for doing something real bad did a time bomb on the payroll system and sent a system-wide delete. Well, long story short, after 3 days of employees working part time with note pads I got a basic restore done, then one system at a time did re-installs ... 2 weeks later we were back in business.

      To this day I keep backups of data, spare laptops just in case, and 1 month of payroll and 1 month of expenses. LOL, never again I hope.

      if the business would have failed, it would have cost 38 people's employment and my business ruined.

      safe to say, that I never let only 1 person handle backing up the systems ever

      --
      if you see me, smile and say hello.
    2. Re:Sloppy. by buss_error · · Score: 2

      I was accused of doing this at a former employer. I was fired for "job abandonment" and later that day some of their systems went down. Fortunately, it was easy to prove I wasn't responsible. There's no internet in the intensive care unit. (Which was why I didn't show up for work or call in sick.)

      Now my medical alarm has a Pi attached that will tweet my family...and my employer.

      They didn't offer to re-instate me either. Cool beans. I was about to quit anyway because they were not nice people. Always, but always, find someone that used to work somewhere and get the low down before you accept a job.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  11. Re:this is why you need two factor auth by aaarrrgggh · · Score: 2

    Hell, if you want to be vengeful, you don't do it from a computer, you do it from a IoT device on the network. You can even make it a canary to take action when your account is disabled or something. But for gods' sake, do it in parts over a longer period of time... and give yourself a way to clear your mind and stop it!!

    It is scary just how hard it can be to detect a rogue employee trying to sabotage you. There are only a few things you can actually do to limit impact to a reasonable level.

  12. Re:this is why you need two factor auth by Zontar The Mindless · · Score: 3, Insightful

    You're spelling it g-o-o-d but pronouncing it "evil and incompetent".

    It's not your system--it's your employer's. If you feel that you have to make yourself "indispensable" in such a fashion, you're doing it wrong.

    --
    Il n'y a pas de Planet B.
  13. Re:this is why you need two factor auth by Anonymous Coward · · Score: 3, Insightful

    If you want to be vengeful, thank your former employer for the job on the way out the door and ask for a letter of reference. Then go get a similar job at another company at a higher wage knowing you would never have gotten such a raise at your former employer's.

  14. 10 years in prison? by Anonymous Coward · · Score: 4, Insightful

    Don't get me wrong, this guy certainly deserves punishment if guilty, but 10 years? Did any CEOs or politicians get 1 day of jail time for the 2008 financial crisis?

    1. Re:10 years in prison? by gweihir · · Score: 2

      CEOs and politicians are not accountable for their actions these days. Their crimes are "too big to be punished".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Help Desk?!? by GoChickenFat · · Score: 2

    This guy had that kind of access, and knowledge for that matter, as a help desk employee? The article is confusing but who puts a sys admin on the help desk with any ability to access all company servers in the first place?

    ...and I found my answer...a company that is dumb enough to run its entire business applications from a single server. http://www.kvia.com/crime/fbi-... "Investigators learned that the server controlled the company's production line, warehouse, distribution center and its ability to take orders."

    1. Re:Help Desk?!? by dbIII · · Score: 4, Interesting

      a company that is dumb enough

      The answer is "small" not dumb. If there isn't a lot to do a single server can get the job done.
      If I was in that situation I'd want to keep the server hardware up to date and have a working older server ready to turn on when something goes wrong, but I don't see that a single server was the problem here.

    2. Re:Help Desk?!? by AK Marc · · Score: 2

      I've worked at places where the CIO was the only IT employee. A biased article looking to vilify could call him the "help desk guy".

  16. Re:this is why you need two factor auth by MichaelSmith · · Score: 2

    Realistically you can't keep him out. He could have created a fallback account to use.

  17. Re:this is why you need two factor auth by pnutjam · · Score: 2

    That's not just a problem in IT. Ask the CEO whose company it is. Usually they don't own it, but they act like they do.

  18. Nope by s.petry · · Score: 2

    We should mostly agree that 'don't be stupid' is a good rule to follow. Though we may rant about having similar feelings about past employers, just not enough to take any such actions.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  19. Re:this is why you need two factor auth by gravewax · · Score: 2

    He was an admin, and he obviously had little to zero ethics or morals. Had they had an MFA solution, I am sure he would have just disabled it for a few accounts or simply registered an MFA token to one of those accounts that he could have taken with him. MFA does not solve the rogue administrator problem completely.

  20. Ten years? Less time if he'd punched out his boss by dbIII · · Score: 2

    It seems the hype and hysteria over computer issues is still ongoing.

  21. Remote access by dbIII · · Score: 2

    Realistically you can't keep him out

    You can, I've been there and done that during a layoff in a place I'd never been to before. You disable all remote access until you are certain what is at the other end of each remote access method. One time the former sysadmins had VPNs to their home machines (in 2002 so not as common as today), which was totally legit when they had a job but completely undocumented, yet it still wasn't hard to stop until it was clear where everything was going.

    1. Re:Remote access by MichaelSmith · · Score: 3, Interesting

      In a professional environment yes, but in some places the sysadmin would be most of the IT department, leaving nobody to shut down remote access. Many places these days rely on cloud services for B2B and retail. Shut down the internet and you stop the business. You could shut down remote VPN access but who is to say he hasn't got his own version of a daemon running somewhere?

  22. Re:this is why you need two factor auth by dbIII · · Score: 4, Interesting

    That sort of canary happens by accident instead of design when systems grow "organically" with all kinds of weird interdependencies, especially on very low budgets. I started work at a place like that once and my initial goal was to remove every little quirk that needed feeding every day so that I would be free to spend time at the beach every now and again.
    I seem to remember some years ago stories of supposed dead man switches and sabotage would come out when the reality was fragile systems carefully looked after by people who never got to train a replacement.

    This story is of course different - but ten years? Corporate crime with consequences of shutting down companies completely doesn't get ten years, serious embezzlement doesn't get ten years - why should this sort of corporate crime get ten years?

  23. Re:this is why you need two factor auth by Szeraax · · Score: 2

    Where I am, IT manager is not king. If I see something out of place, I can go directly to the CEO. I create the audits and then the CIO will audit it. We do this quarterly. We compare all users to a list of current employees from HR to verify that we don't have any "accidental" users not disabled / deleted.

    Perhaps we are unique that we actually do try to take security seriously.
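The quarterly check described above (directory accounts compared against HR's list of current employees), as an added example that is not code from the thread or from any product; the field names, the two record types and the sample data are constructed assumptions:

```python
"""Quarterly account reconciliation against the HR roster.
Added example, not thread code; field names and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class DirectoryAccount:
    username: str
    employee_id: Optional[str]  # None when no owner is on file
    enabled: bool
    last_logon: Optional[date]

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str  # "active" or "terminated"
    end_date: Optional[date]

def reconcile(accounts: List[DirectoryAccount], hr: List[HrRecord]) -> Dict[str, List[str]]:
    """Map finding category -> sorted usernames:
    orphaned: enabled account whose owner is unknown to HR (or has none);
    terminated: enabled account whose owner HR lists as terminated;
    post_exit_logon: account used after its owner's HR end date."""
    by_emp = {r.employee_id: r for r in hr}
    found: Dict[str, List[str]] = {"orphaned": [], "terminated": [], "post_exit_logon": []}
    for acct in accounts:
        rec = by_emp.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            if acct.enabled:
                found["orphaned"].append(acct.username)
            continue
        if rec.status != "terminated":
            continue
        if acct.enabled:
            found["terminated"].append(acct.username)
        if acct.last_logon and rec.end_date and acct.last_logon > rec.end_date:
            found["post_exit_logon"].append(acct.username)
    return {k: sorted(v) for k, v in found.items()}

# Constructed sample data; no real people or systems.
SAMPLE_ACCOUNTS = [
    DirectoryAccount("user1", "E100", True, date(2017, 9, 1)),
    DirectoryAccount("user2", "E200", True, date(2017, 9, 3)),  # owner left 2017-08-31
    DirectoryAccount("user3", "E300", False, date(2017, 6, 1)),  # correctly disabled
    DirectoryAccount("printer-lobby", None, True, date(2017, 9, 1)),  # no owner on file
    DirectoryAccount("svc_backup", "E999", True, None),  # id unknown to HR
]
SAMPLE_HR = [
    HrRecord("E100", "active", None),
    HrRecord("E200", "terminated", date(2017, 8, 31)),
    HrRecord("E300", "terminated", date(2017, 6, 30)),
]
```

The "orphaned" bucket is where an account with no owner on file, such as one named after a printer, surfaces even when nobody remembers creating it.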

  24. Re:Ten years? Less time if he'd punched out his bo by gravewax · · Score: 2

    He didn't get 10 years; 10 years is the maximum he CAN get under the law. Though this arsehole looks like he probably deserves the maximum.

  25. Re:this is why you need two factor auth by arth1 · · Score: 3, Interesting

    A good canary won't rely on the owner hand feeding it; but will accept food from authorized automatons.
    If the user's account is closed, the canary will no longer be fed by the golems, and will peck the neener button. But the user going on vacation or to hospital won't cause the account to be closed, and the golems continue feeding the canary.

  26. Re:Exit Interview by arth1 · · Score: 2

    and an account 'disguised' as a printer...

    If they used a really old Unix server, chances are that the lp user account didn't have a password by default.

  27. Re:this is why you need two factor auth by Dr. Evil · · Score: 2

    Infosec teams often have direct read-only access to equipment and audit logs to central servers, with alerts on use-cases such as turning off logging, modifying account permissions etc. etc. In some circumstances even command history is logged.

    It's hard to imagine why infosec would conspire to hide an account. If it has a good reason to exist, the case can be made to the CIO.

    It might be possible to circumvent this stuff if you have physical access during a network outage, but your card access logs would still be in the system, it just might take a couple years for it to turn up when people investigate "how did the back door get there?" and it may be enough to put you in prison.
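The kind of alerting the comment above describes (logging turned off, account permissions modified), as an added example that is not code from the thread or from any product; the log line format, the event names and the sample lines are constructed assumptions:

```python
"""Alert on high-risk administrative actions in forwarded audit logs.
Added example, not thread code. The log format is a constructed, simplified one:
  <timestamp> <host> actor=<user> src=<workstation> action=<name> [key=value ...]"""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) actor=(?P<actor>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: (?P<detail>.*))?$"
)

# Use-cases to alert on: logging turned off or cleared, account permissions
# modified, and new-account creation as supporting context for an investigation.
HIGH_RISK = {
    "audit.disable": "logging turned off",
    "audit.clear": "audit log cleared",
    "group.add_member": "account permission change",
    "group.remove_member": "account permission change",
    "user.create": "new account created",
}

def parse(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per high-risk event, keeping actor and source host
    so an investigator can tie actions back to the workstation they came from."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] not in HIGH_RISK:
            continue  # unparseable or routine event
        alerts.append({"ts": ev["ts"], "host": ev["host"], "actor": ev["actor"],
                       "src": ev["src"], "action": ev["action"],
                       "reason": HIGH_RISK[ev["action"]], "detail": ev["detail"] or ""})
    return alerts

def by_source(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per originating workstation."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts

# Constructed sample log lines; hosts, users and times are made up.
SAMPLE_LOG = """
2017-09-01T10:41:12 mail01 actor=svc-printer src=ws-helpdesk-07 action=audit.disable
2017-09-01T10:42:30 dc01 actor=svc-printer src=ws-helpdesk-07 action=group.remove_member group=Admins member=admin.jane
2017-09-01T10:43:05 app01 actor=admin.jane src=ws-jane action=file.read path=/srv/reports
2017-09-01T10:50:00 dc01 actor=svc-printer src=ws-helpdesk-07 action=user.create name=printer-lobby2
this line is not in the expected format
""".strip().splitlines()
```

Grouping alerts by source workstation is what turns a list of events into the "who" question, which is how the company in the story got its answer.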

  28. Re: huh? by mmdurrant · · Score: 2

    You have to know an existing valid MAC. You have a 1 in 4 billion chance of guessing the right one and if there is any kind of IDS/IPS in place, you're gonna get shot down after a few tries.

    For this use case, they are secure.

    --
    I see my shadow changing, stretching up and over me...
  29. For Starters You Should Delete Old Accounts by onkelonkel · · Score: 2

    I used to work at a $Very Big Transportation Company from 1982 to 1998. They are now clients of our company. Earlier this year Transportation Company needed to give me access to some of their systems. My old username and account, from 1998, were still in their systems.

    --
    None of them can see the clouds; The polished wings don't care.
  30. Re:this is why you need two factor auth by BarbaraHudson · · Score: 2

    How about teaching your users: under no circumstances does anybody else ever need to know your password.

    And the higher-ups who insist that they don't need passwords? Because it's "their" computer, even though it's not? And "passwords are hard".

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  31. What's the benefit of throwing him in jail by rsilvergun · · Score: 2

    to society? If you just want punishment for punishment's sake I guess there's that. He's a first time offender, the damage was minimal. Nobody got hurt, and they just needed a few contractors (read: Cheap Windows guys) to sort it all out. "Core Files" here if you RTFA means he broke the OS. He should get slapped with restitution equal to lost sales and the contractor hours + a little for pain/suffering (very little) and sent on his merry way. Maybe get some court mandated therapy. By the sound of it this was a spur of the moment/rage thing. Throwing him in jail is a waste of everyone's time and money and might unnecessarily destroy his life.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  32. Re:Ten years? Less time if he'd punched out his bo by gweihir · · Score: 2

    It is. People are still exceptionally stupid and this is one thing they understand even less (if that is possible).

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.