Former Sysadmin Accused of Planting 'Time Bomb' In Company's Database (bleepingcomputer.com)
An anonymous reader writes: Allegro MicroSystems LLC is suing a former IT employee for sabotaging its database using a "time bomb" that deleted crucial financial data in the first week of the new fiscal year. According to court documents, after resigning from his job, a former sysadmin kept one of two laptops. On January 31, Patel entered the grounds of the Allegro headquarters in Worcester, Massachusetts, just enough to be in range of the factory's Wi-Fi network. Allegro says that Patel used the second business-use laptop to connect to the company's network using the credentials of another employee. While connected to the factory's network on January 31, Allegro claims Patel, who was one of the two people in charge of Oracle programming, uploaded a "time bomb" to the company's Oracle finance module. The code was designed to execute a few months later, on April 1, 2016, the first week of the new fiscal year, and was meant to "copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless." The company says that "defendant Patel knew that his sabotage of the finance module on the first week of the new fiscal year had the maximum potential to cause Allegro to suffer damages because it would prevent Allegro from completing the prior year's fiscal year-end accounting reconciliation and financial reports."
Seriously, why would it even be an issue? Critical code and data, but not backed up?
They're using Oracle.
.....and, backups??! But of course, that's a silly question.
"Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint.""
Translation: Someone with a functioning braincell in the IT department googled about MAC addresses and thought maybe they should check the wifi router logs and look for unauthorised access by company issue laptops.
and this is the only one to be made public
One more stupid question:
Have you ever worked anywhere before?
Who in the heck was monitoring for changes to Oracle's software? Too many unanswered questions.
Something tells me the company didn't care what sort of damage they did to Patel's year end financials when they canned him. Turnabout and all that. Maybe next time the company will consider using something as simple as two factor authentication to make something like this significantly more difficult.
1. All passwords should be reset every 90 days so an ex-employee can't login months later.
2. Hardware audits should be done regularly (every 6 months or so). If a laptop goes missing its MAC address should be removed from the "okay to connect to our wifi" list.
3. Files this important should be backed up like crazy so that one attacker can't possibly get every copy short of dropping nukes at multiple locations.
Am I missing anything?
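The check several posters describe (look at the Wi-Fi controller logs for a company-issued laptop that should no longer be on the network, or an account that should no longer authenticate) is easy to automate once the asset register and the HR leavers list are machine-readable. The following is an added example written for this thread, not code from the article or from Allegro; the log line format, the asset register layout and all MAC addresses, names and dates are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed asset register: MAC -> what the inventory says about that laptop.
INVENTORY = {
    "aa:bb:cc:dd:ee:01": {"asset": "LT-0101", "assigned_to": "alice", "status": "in_service"},
    "aa:bb:cc:dd:ee:02": {"asset": "LT-0102", "assigned_to": "former_admin", "status": "retired"},
    "aa:bb:cc:dd:ee:03": {"asset": "LT-0103", "assigned_to": "former_admin", "status": "not_returned"},
}

# Constructed HR feed: account -> date from which it should no longer authenticate.
DEPARTED = {"former_admin": date(2016, 1, 15)}

# Constructed wireless-controller association log. The line format is an
# assumption for this example, not the syntax of any particular vendor.
SAMPLE_LOG = """\
2016-01-31 18:40:12 ap=AP-FACTORY-07 event=assoc mac=AA-BB-CC-DD-EE-01 user=alice
2016-01-31 18:42:03 ap=AP-FACTORY-07 event=assoc mac=AA-BB-CC-DD-EE-03 user=bob
2016-01-31 18:50:44 ap=AP-OFFICE-02 event=assoc mac=AA-BB-CC-DD-EE-02 user=carol
2016-02-01 09:01:00 ap=AP-OFFICE-01 event=assoc mac=11-22-33-44-55-66 user=former_admin
2016-02-01 09:02:00 ap=AP-OFFICE-01 event=deauth mac=11-22-33-44-55-66 user=former_admin
"""

ASSOC_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"ap=(?P<ap>\S+) event=assoc mac=(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}) "
    r"user=(?P<user>\S+)$"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so the log and the register agree."""
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class Finding:
    when: str
    ap: str
    mac: str
    user: str
    reason: str


def review_associations(log_text: str, inventory: dict, departed: dict) -> list:
    """Cross-check each association against the asset register and the HR feed.

    A MAC address is a lead, not proof of identity (it is trivially changed), so
    every finding carries the AP, time and account needed to corroborate it
    against other records (badge logs, RADIUS/VPN logs, database audit trail).
    """
    findings = []
    for line in log_text.splitlines():
        m = ASSOC_RE.match(line)
        if m is None:
            continue  # deauth and other events are not what this check is about
        mac, user, ap = normalize_mac(m["mac"]), m["user"], m["ap"]
        when = f"{m['date']} {m['time']}"
        seen_on = date.fromisoformat(m["date"])

        asset = inventory.get(mac)
        if asset is None:
            findings.append(Finding(when, ap, mac, user, "device not in asset register"))
        elif asset["status"] != "in_service":
            findings.append(Finding(when, ap, mac, user,
                                    f"{asset['asset']} is marked {asset['status']}"))
        elif asset["assigned_to"] != user:
            findings.append(Finding(when, ap, mac, user,
                                    f"{asset['asset']} is assigned to {asset['assigned_to']}"))

        left_on = departed.get(user)
        if left_on is not None and seen_on >= left_on:
            findings.append(Finding(when, ap, mac, user,
                                    f"account {user} used after departure on {left_on}"))
    return findings


if __name__ == "__main__":
    for f in review_associations(SAMPLE_LOG, INVENTORY, DEPARTED):
        print(f"{f.when} {f.ap} {f.mac} {f.user}: {f.reason}")
```

Run daily against the previous day's controller export and the findings are a short list a human can triage; the same loop works unchanged for a RADIUS accounting log once the regex is adapted. The point of the elif chain is that a laptop marked "not returned" is flagged regardless of which account it authenticated as, which is exactly the pattern the article describes.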
Allegro's IT staff discovered the sabotaged Oracle finance module on April 14, 2016. Ten days later, on April 24, the IT staffers found Patel's malicious code after comparing the current database with a copy from older backups.
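Comparing the live database against an older backup, as the article says Allegro's staff did, comes down to diffing the stored code objects (packages, procedures, triggers) between the two copies and looking at what changed after a given date. The following is an added example for this thread, not Allegro's procedure or any Oracle tool; the two snapshots are constructed dicts that stand in for an export of DBA_SOURCE plus the LAST_DDL_TIME column of DBA_OBJECTS, and the object names and bodies are made up. The timestamp is only as trustworthy as the dictionary it came from, so the content comparison against an offline backup is the primary signal and the date filter is a way to shorten the list.

```python
import difflib
import hashlib
from datetime import datetime

# Constructed snapshots keyed by object name. In Oracle the text would come from
# DBA_SOURCE and the timestamp from DBA_OBJECTS.LAST_DDL_TIME; the dict layout
# is an assumption for this example.
AUDIT_TRG_SRC = "BEGIN log_change(:NEW.id); END;\n"
CLOSE_PERIOD_SRC = (
    "PROCEDURE close_period(p_period IN VARCHAR2) IS\n"
    "BEGIN\n"
    "  UPDATE gl_periods SET status = 'CLOSED'\n"
    "   WHERE period = p_period;\n"
)

BASELINE = {  # taken from the older backup
    "GL_CLOSE_PKG": {"type": "PACKAGE BODY", "last_ddl": "2015-11-02T10:15:00",
                     "source": CLOSE_PERIOD_SRC + "END;\n"},
    "GL_AUDIT_TRG": {"type": "TRIGGER", "last_ddl": "2014-06-20T09:00:00",
                     "source": AUDIT_TRG_SRC},
}
CURRENT = {  # taken from the live database after the damage was noticed
    "GL_CLOSE_PKG": {"type": "PACKAGE BODY", "last_ddl": "2016-01-31T18:47:10",
                     "source": CLOSE_PERIOD_SRC + "  sys_maint.run;\nEND;\n"},
    "GL_AUDIT_TRG": {"type": "TRIGGER", "last_ddl": "2014-06-20T09:00:00",
                     "source": AUDIT_TRG_SRC},
    "SYS_MAINT": {"type": "PACKAGE BODY", "last_ddl": "2016-01-31T18:46:02",
                  "source": "-- body omitted in this constructed sample\n"},
}


def digest(source: str) -> str:
    """Content hash, so large bodies can be compared without storing them twice."""
    return hashlib.sha256(source.encode()).hexdigest()


def diff_objects(baseline: dict, current: dict) -> dict:
    """Names of objects added, removed and modified between the two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if digest(baseline[name]["source"]) != digest(current[name]["source"])
    )
    return {"added": added, "removed": removed, "modified": modified}


def changed_since(snapshot: dict, cutoff: str) -> list:
    """Objects whose recorded DDL time is at or after the cutoff (e.g. a leaver's last day)."""
    cut = datetime.fromisoformat(cutoff)
    return sorted(name for name, obj in snapshot.items()
                  if datetime.fromisoformat(obj["last_ddl"]) >= cut)


def source_diff(baseline: dict, current: dict, name: str) -> str:
    """Unified diff of one object's source so the reviewer sees the exact change."""
    return "".join(difflib.unified_diff(
        baseline[name]["source"].splitlines(keepends=True),
        current[name]["source"].splitlines(keepends=True),
        fromfile=f"backup/{name}", tofile=f"live/{name}"))


if __name__ == "__main__":
    report = diff_objects(BASELINE, CURRENT)
    print(report)
    print("changed after leaver's last day:", changed_since(CURRENT, "2016-01-15"))
    for name in report["modified"]:
        print(source_diff(BASELINE, CURRENT, name))
```

The comparison only works if the backup predates the change and was not reachable by the same administrator account, which is the point made further down the thread about backups being sabotaged too; an export of stored code kept on write-once media or in a separate system is cheap insurance for exactly this case.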
I am sure a big company like Allegro will have all the critical information replicated in multiple locations. I am sure they restored all the data in a few seconds and laughed at the stupid sys admin. Right? That is how the story should have ended.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
is there a file anywhere with usernames and passwords? Is that just a misunderstanding and he cracked the hashes, or do these guys actually have everyone's password written down somewhere?
And yeah, these days, if your shit matters, you need 2FA of some sort.
Also, apparently, you need the guy who checks in the returned laptops to check serial & model numbers...
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
That said, how do they know it was said person? This is an accusation, not a proven fact.
More likely one of the senior execs deleted the files to cover up some theft on their part.
Never assume.
-- Tigger warning: This post may contain tiggers! --
Guy has a Passwords file of end user logins. Sounds like your financials have no validity right there. Damage done.
To make this stick you need the following:
1: Picture of the guys car and his face in the car near the AP being used.
2: Prove it's the laptop. If you need a WAP Certificate, Client Certificate, MAC, that's reasonable.
3: You now need to track the connections from the WAP to the oracle server. Every single flow session.
4: You need to associate the server connection to the user account.
5: You need to associate the changes to the user account.
I doubt they'll be able to do that via logs if he was half smart.
For all they know, he could've sold the laptop to a competitor and they planted the bomb. Perfectly legal to sell corporate secrets to a competitor for any amount of money in the US, by the way.
How does one calculate the damages a company suffered by being rendered unable to generate financial reports?
Unless their business is generating financial reports, that does not seem like that would get in the way of producing whatever it is they produce. And if they do not know how much money they have, how can they ever estimate how much they lost?
Troll is not a replacement for I disagree.
So the best evidence they have is the MAC address of the wifi adapter of the business laptop that wasn't returned. We all know how immutable that is.
The article seems merely to be parroting the court documents that were filed by Oracle, leading to a one sided story. Just as likely Patel is being thrown under the bus for someone else's screwup, or perhaps a case of industrial sabotage. Excuse me if I don't assume anything Oracle is alleging as true.
Isn't this illegal hacking? Call the FBI.
Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint."
By "electronic fingerprint", I suspect they're referring to the MAC address of the laptop's WiFi adapter, in which case the guy is a bit of a noob for not spoofing it.
... for a sysadmin.
Know where the logs are and erase the goddam things.
It little behooves the best of us to comment on the rest of us.
So, they canned a SYSADMIN/DBA and didn't change any of the "root" p/w afterwards?
idiots.
I know Oracle Apps rely on WAY too much "root" access to work properly and makes it a nightmare to change those kinds of p/w, but the DB?
How did they NOT recover company property (the 2nd laptop) or kill the remote access tokens when this guy left? (unless that was HIS JOB.)
still, idiots.
Judging by his name it's pretty clear this guy was a foreign worker. Getting all their data deleted is exactly what this company deserved for hiring H1-B immigrants. It's obvious these unprofessional individuals are likely to resort to these sort of time-bomb tricks after they resign or are laid off.
Of course, a professional, all-american, disgruntled IT worker would do the right thing and just break into the premises with an assault rifle instead.
The nice thing about Oracle trans/redo logs is that they offer the ability to restore a previous version of the database to any time in the past, so long as your logs are backed up properly.
Regardless of whether this was incompetence or malice, it shouldn't cost 100k to recover unless your IT is grossly incompetent anyway.
An administrator leaves a company. A few weeks or months later, things start to fall apart. This tends to happen even if there's no malicious code involved.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
is "dead man switch".
Hello, jail time. Or prison time, perhaps. Either way it sounds like they have this clown dead to rights.
Just cruising through this digital world at 33 1/3 rpm...
Someone realized they might still have the old MAC address in their logs just as management was breathing down their necks about those vaunted backups they just never bothered with.
The other anon is right: in the real world, unless your employer is NSA or something of comparable caliber, as an admin you have access to everything - whatever you don't have access to, you can obtain, without the employer's knowledge.
The only defenses against rogue admins companies really have is to have more loyal admins, and not to piss admins off. Plus threat of lawsuit if the admin fails to cover his traces after going rogue. Essentially, you can only try to reduce damage after the attack, you can't prevent the attack.
And to have anything "better", you have to spend so much on security, that unless security is your *product*, you'll be creating losses.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Technical mistakes aside, the revenge plan itself is highly flawed. Why such a rush? Set the time bomb for 2018. Even better, make it gradual - where it erases one entry periodically and randomly. The IRS is a lot more dangerous than any data loss. Make it look like it was done by the CFO for added complications. Also, instead of accessing it after the fact, have it trigger after a keep alive failed. This way you don't actually have to do anything but not be there.
I provided an encrypted file (TC, old now but whatev) on a restricted share point. I notified HR and the CEO that anything I/IT was not supposed to have access to should go there. Medical, tax, HR docs go there.
HR set the password and the CEO got a copy on paper from HR. I have documentation saying I can't fix, recover or reset that password if it is lost.
Last year they added space since it was getting bigger.
This is one of those cases where people really need to learn to let their anger go. I'm sure this guy thought he was smart; that he could take precautions. Maybe he even avoided all the security cameras. Maybe it was one ticket sitting in a provisioning system that said that laptop was last on his desk. No matter how well you think you've covered your tracks, in companies that big, there will be a record.
I'm reminded of the kid who sent a bomb threat via Tor to get out of something at his University. They didn't trace the message back to him. They noticed he was the only one on campus using Tor at that time.
If you want to fight injustice; talk to some reporters; blow some whistles -- that's one thing. Maybe you could even help people that way. But revenge isn't worth it. Even if you think you can get away with it. Just take a deep breath, remember humanity will all be extinct one day and that life goes on. People who are full of hate will lead miserable lives.
who pissed in his cornflakes?
Is it real? If so why not criminal charges?
It really looks a lot like trying to blame an ex-employee for a fuckup. If this was real there is a long list of law enforcement types that would be very interested.
https://www.linkedin.com/in/ni... Although I'd consider that there is a possible chance that they were actually hacked instead.
Still, there is no justification for this:
Patel had access to employee credentials because he was one of the company's senior system administrators, and kept a copy of a file with usernames and passwords on his laptop.
Nobody should ever have somebody else's plaintext password. An admin needs to be able to generate and revoke passwords, not know them. And of course much less after leaving the company. This company deserves what happened.
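The design this comment asks for (an administrator who can issue and revoke credentials but never learns them) is straightforward to build: the admin hands the user a one-time reset token, the user sets the password, and the system stores only a salted PBKDF2 hash of it and a hash of the token. The following is an added example for this thread, not code from the article or from any product Allegro uses; the in-memory store, the token lifetime and the injectable clock are assumptions made so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 200_000   # tune upward for production hardware
TOKEN_TTL_SECONDS = 30 * 60


class CredentialStore:
    """Keeps salted password hashes and hashed reset tokens; never any plaintext.

    `now` is a callable returning epoch seconds so expiry can be tested offline.
    """

    def __init__(self, now=None):
        self._users = {}    # user -> {"salt": bytes, "hash": bytes, "enabled": bool}
        self._resets = {}   # user -> {"token_hash": bytes, "expires": float}
        self._now = now or time.time

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def issue_reset(self, user: str) -> str:
        """Admin action: returns a one-time token to hand to the user out of band.

        Only a hash of the token is recorded, so the admin's copy of the store
        cannot be replayed later, and the token says nothing about the password
        the user will choose.
        """
        token = secrets.token_urlsafe(32)
        self._resets[user] = {
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_reset(self, user: str, token: str, new_password: str) -> bool:
        """User action. The pending token is consumed whether or not it matched,
        so a wrong guess burns it and the user must ask for a fresh one."""
        pending = self._resets.pop(user, None)
        if pending is None or self._now() > pending["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(pending["token_hash"], presented):
            return False
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "hash": self._kdf(new_password, salt), "enabled": True}
        return True

    def revoke(self, user: str) -> None:
        """Admin action on departure: disables the account without knowing any secret."""
        if user in self._users:
            self._users[user]["enabled"] = False
        self._resets.pop(user, None)

    def verify(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None or not rec["enabled"]:
            return False
        return hmac.compare_digest(rec["hash"], self._kdf(password, rec["salt"]))


if __name__ == "__main__":
    store = CredentialStore()
    token = store.issue_reset("bob")          # admin sees only this
    print("user sets password:", store.complete_reset("bob", token, "correct horse battery"))
    print("login works:", store.verify("bob", "correct horse battery"))
    store.revoke("bob")                       # leaver process
    print("login after revoke:", store.verify("bob", "correct horse battery"))
```

Nothing in the store can be turned back into a password or a live token, which is what makes a copied "passwords file" of the kind described in the article impossible to produce in the first place: the worst an admin can carry out is a list of hashes.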
There is a curious tradition: if you have something that does not quite conform to current norms, an incident may happen ("evidence" got stolen, burned due to electrical accidents, vandalism, floods like a broken pipe etc).
Of course I know nothing about that case, but one other option is that the fired guy is only an "excuse" to justify some "delay" or irregular data...
Sorry for my bad English.
How did you know IT didn't keep a keylogger on any of the PCs that accessed it?
"An admin needs to be able to generate and revoke passwords, not know them."
"Doesn't need" or "Shouldn't" versus "Can't".
If you have control over the process of setting the passwords, you can have the passwords. You shouldn't and you're not supposed to need to, but who's to stop you, and who will ever know?
... if the Sysadmin sabotaged the back ups, too.
Sorry, stories like this are just ridiculous. A guy who knows his business surely knew that the company has back ups. And an "End of Year" is usually not calculated over the last 365 days, but over the last 11 or 12 "end of month" and the last 1, 3 or 4 or 5 "end of weeks". Depending on how and when you make "the end of month".
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Most companies have no problem auditing their accounting teams, they should do the same with their IT teams.
I'm always amused by the importance that people place on having a security clearance from the government, like it's a badge of pride. They seem to have this belief that they've been investigated and found to be super trustworthy people. Like an official certification of worthiness. In reality the whole purpose of a security clearance is to ensure that a person isn't already or likely to be vulnerable to blackmail, paltry bribes, or a bout of guilty conscience. And of course, despite that whole process, people are just people and even the NSA has historically made errors in this area, Snowden being the most obvious example.
The audit will find cases of incompetence or laziness. It would be very hard for it to find cases of actual subversion, especially if the admin has enough time to hide all the evidence off-site. Never mind his "booby traps" blowing up upon discovery by the auditor, and blaming the auditor for breaking the system.
Not sure if he is arrogant or just really stupid.
Don't fuck with your IT people - especially those with any admin/root privileges to your systems.
Case in point one job - set up an admin "backdoor" to the company's Exchange server with some system-sounding name to it, turned off all logging that would possibly implicate me, quit on good terms (even though I hated the place and my narcissistic boss). So I had an ax to grind. Enjoyed reading the CEO's e-mail for several months after I left and even leaked some shit to the local media. CEO left shortly thereafter. That he wasn't indicted was a miracle - but he got the message.
Another job, rotated daily backups through my car's glove compartment since we had nothing off-site. One co-worker who I was fucking on the side blew the whistle to the feds, who sent an FBI agent knocking on my front door a week after I left on their terms (not mine). Handed her the tapes. CEO was gone in a few months and company shut down within a year.
Again - don't fuck with your IT people... especially when said IT person has the keys to the kingdom and company leadership airs their dirty laundry on the company's e-mail servers. I walk, I talk.
http://www.marketwatch.com/sto... "I suppose that as the case of the programmer, Rajendrasinh B. Makwana, is brought out into the open we'll discover whether he's just a disgruntled programmer irked at being let go by Fannie Mae in October, or someone with more sinister intentions. It was only a fluke, according to all the reports Friday, that a malicious piece of code was found on the Fannie Mae FNM, -6.82% servers. It was designed to go off Saturday and erase all the data and screw up the company. It was placed there by Makwana, an Indian national and former Fannie Mae contractor, according to a federal indictment. If it was part of some greater scheme, then we can assume that on Jan. 31, the date his program was supposed to kick in, a slew of computer networks will go down. Generally speaking, this sort of thing is more of an inconvenience than a catastrophe."
Well I guess the best thing to do then is nothing. Just know the admin is all powerful and pay him 6 figures.
The right thing is to have competent people perform the hiring, hire a couple competent admins, and treat them well.
They don't go rogue "for teh lulz".