Former Sysadmin Accused of Planting 'Time Bomb' In Company's Database (bleepingcomputer.com)
An anonymous reader writes: Allegro MicroSystems LLC is suing a former IT employee for sabotaging its database using a "time bomb" that deleted crucial financial data in the first week of the new fiscal year. According to court documents, after resigning from his job, a former sysadmin kept one of two laptops. On January 31, Patel entered the grounds of the Allegro headquarters in Worcester, Massachusetts, just enough to be in range of the factory's Wi-Fi network. Allegro says that Patel used the second business-use laptop to connect to the company's network using the credentials of another employee. While connected to the factory's network on January 31, Allegro claims Patel, who was one of the two people in charge of Oracle programming, uploaded a "time bomb" to the company's Oracle finance module. The code was designed to execute a few months later, on April 1, 2016, the first week of the new fiscal year, and was meant to "copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless." The company says that "defendant Patel knew that his sabotage of the finance module on the first week of the new fiscal year had the maximum potential to cause Allegro to suffer damages because it would prevent Allegro from completing the prior year's fiscal year-end accounting reconciliation and financial reports."
Seriously, why would it even be an issue? Critical code and data, but not backed up?
They're using Oracle.
.....and, backups??! But of course, that's a silly question.
"Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint.""
Translation: Someone with a functioning braincell in the IT department googled about MAC addresses and thought maybe they should check the wifi router logs and look for unauthorised access by company issue laptops.
and this is the only one to be made public
One more stupid question:
Have you ever worked anywhere before?
Who in the heck was monitoring for changes to Oracle's software? Too many unanswered questions.
Service account passwords can be hard to change and in some cases need downtime to change. Also, some apps have DB passwords in plain text in the config files.
The article said he resigned.
Allegro's IT staff discovered the sabotaged Oracle finance module on April 14, 2016. Ten days later, on April 24, the IT staffers found Patel's malicious code after comparing the current database with a copy from older backups.
I am sure a big company like Allegro will have all the critical information replicated in multiple locations. I am sure they restored all the data in a few seconds and laughed at the stupid sys admin. Right? That is how the story should have ended
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
He didn't log in months later. He left a time bomb that went off months later.
Is there a file anywhere with usernames and passwords? Is that just a misunderstanding and he cracked the hashes, or do these guys actually have everyone's password written down somewhere?
And yeah, these days, if your shit matters, you need 2FA of some sort.
Also, apparently, you need the guy who checks in the returned laptops to check serial & model numbers...
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
That said, how do they know it was said person? This is an accusation, not a proven fact.
More likely one of the senior execs deleted the files to cover up some theft on their part.
Never assume.
-- Tigger warning: This post may contain tiggers! --
RTFA? "Canned him"? There's a pretty big blue paragraph heading stating he resigned. No evidence they canned him.
Also all apps have DB passwords in plain text in the config files.
FTFY.
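The two comments above are about DB passwords sitting in the clear in config files. Finding them is the easy half of the problem, and this added Python example (not from the thread, and not Oracle's remediation tooling) shows a scanner over a few constructed config snippets: a .properties file, a YAML datasource block, an Oracle-style EZ connect string and a .env file. The hosts, usernames and passwords are made up; values that are placeholders or references to a secret store are skipped so the report is not all noise, and every hit is redacted so the report does not become another plaintext copy.

```python
"""Scan application config text for credentials stored in the clear
(constructed example). Findings carry a redacted value, never the secret."""
import re
from dataclasses import dataclass

# Constructed sample configs; hosts, users and passwords are invented.
SAMPLES = {
    "app/db.properties": (
        "db.url=jdbc:oracle:thin:@findb.example.internal:1521/FIN\n"
        "db.user=finapp\n"
        "db.password=Winter2016!\n"
    ),
    "app/datasource.yaml": (
        "datasource:\n  url: jdbc:oracle:thin:@findb.example.internal:1521/FIN\n"
        "  username: finapp\n  password: ${DB_PASSWORD}\n"
    ),
    "app/conn.txt": "finapp/Winter2016!@findb.example.internal:1521/FIN\n",
    "app/.env": "DB_PASSWORD=ENC(AAAAB3Nza...)\nLOG_LEVEL=info\n",
}

# (regex, group holding the candidate secret)
PATTERNS = [
    # key=value or key: value where the key looks like a password field
    (re.compile(r"(?im)^\s*[\w.\-]*(password|passwd|pwd|secret)[\w.\-]*\s*[=:]\s*(\S+)"), 2),
    # Oracle EZ connect style user/password@host[:port]/service
    (re.compile(r"\b[\w$]+/([^\s@/]+)@[\w.\-]+(:\d+)?/\w+"), 1),
]

# Values that reference a secret store or are obviously not live secrets.
PLACEHOLDER_RX = re.compile(r"^(\$\{[^}]+\}|ENC\(.*\)|\{\{.*\}\}|<<.*>>|\*+|changeme)$", re.I)

@dataclass
class Finding:
    path: str
    line: int
    redacted: str

def redact(secret: str) -> str:
    # Keep two characters so an operator can tell hits apart, no more.
    return secret[:2] + "*" * max(len(secret) - 2, 0)

def scan(path: str, text: str) -> list:
    found = []
    for rx, grp in PATTERNS:
        for m in rx.finditer(text):
            secret = m.group(grp)
            if PLACEHOLDER_RX.match(secret):
                continue
            line_no = text.count("\n", 0, m.start()) + 1
            found.append(Finding(path, line_no, redact(secret)))
    return found

def scan_all(samples: dict) -> list:
    return [f for path, text in sorted(samples.items()) for f in scan(path, text)]

if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f.path}:{f.line}: {f.redacted}")
```

Run against a real checkout or a server's config directory, the interesting output is usually not the hits but the list of apps that cannot be pointed at a secret store or rotated, which is the inventory you need before you can do anything about the problem the parent comment describes.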
Though it's been a weakness for so long you would think someone would have created a means of encrypting connection data like you would sign a certificate signing request for an SSL cert. At least add another hoop to jump through in case site performance wasn't dismal enough.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
How does one calculate the damages a company suffered by being rendered unable to generate financial reports?
Unless their business is generating financial reports, that does not seem like that would get in the way of producing whatever it is they produce. And if they do not know how much money they have, how can they ever estimate how much they lost?
Troll is not a replacement for I disagree.
So the best evidence they have is the MAC address of the wifi adapter of the business laptop that wasn't returned. We all know how immutable that is.
The article seems merely to be parroting the court documents that were filed by Oracle, leading to a one-sided story. Just as likely Patel is being thrown under the bus for someone else's screwup, or perhaps a case of industrial sabotage. Excuse me if I don't assume anything Oracle is alleging as true.
Isn't this illegal hacking? Call the FBI.
Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint."
By "electronic fingerprint", I suspect they're referring to the MAC address of the laptop's WiFi adapter, in which case the guy is a bit of a noob for not spoofing it.
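If the "electronic fingerprint" was in fact a MAC address, the check that would have surfaced it is a join between the wireless controller's association log, the asset inventory and HR's leaver list. This added Python example (not from the thread, and not whatever Allegro's IT staff actually ran) does that over a few constructed log lines in a generic controller format, with a made-up inventory and a made-up leaver date; the usernames and MACs are invented. It flags a known company laptop that associates after its assigned owner's last day, or under a different user's account than the one the laptop was issued to.

```python
"""Correlate Wi-Fi association logs with asset inventory and leaver dates
to flag company laptops used after their owner left (constructed example)."""
import re
from datetime import date

# Constructed log lines in a generic controller format, not any vendor's real syntax.
WIFI_LOG = """\
2016-01-31 18:42:10 AP=fab-02 event=assoc mac=a4:5e:60:11:22:33 user=jsmith ssid=CORP
2016-01-31 18:42:41 AP=fab-02 event=auth-ok mac=a4:5e:60:11:22:33 user=jsmith ssid=CORP
2016-01-31 09:15:02 AP=hq-07 event=assoc mac=00:1b:63:aa:bb:cc user=mlee ssid=CORP
2016-02-02 11:03:55 AP=hq-03 event=assoc mac=f0:de:f1:44:55:66 user=guest ssid=GUEST
"""

# Constructed asset inventory: MAC -> assigned user and whether the device came back.
ASSETS = {
    "a4:5e:60:11:22:33": {"assigned_to": "exadmin", "returned": False},
    "00:1b:63:aa:bb:cc": {"assigned_to": "mlee", "returned": False},
}
# Constructed HR data: last working day per user (hypothetical).
LEFT_ON = {"exadmin": date(2016, 1, 14)}

LINE_RX = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ AP=(?P<ap>\S+) event=(?P<event>\S+) "
    r"mac=(?P<mac>[0-9A-Fa-f:]{17}) user=(?P<user>\S+)"
)

def parse(log: str):
    """Yield one dict per parseable line; MACs normalised to lower case."""
    for line in log.splitlines():
        m = LINE_RX.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["mac"] = ev["mac"].lower()
            yield ev

def suspicious_associations(log: str, assets: dict, left_on: dict) -> list:
    """Return (date, mac, logged-in user, reason) for association events worth a look."""
    out = []
    for ev in parse(log):
        if ev["event"] != "assoc":
            continue
        asset = assets.get(ev["mac"])
        if asset is None:
            continue  # unknown hardware belongs in a separate rogue-device report
        owner = asset["assigned_to"]
        seen = date.fromisoformat(ev["date"])
        reasons = []
        if owner in left_on and seen > left_on[owner]:
            reasons.append(f"device assigned to {owner}, who left {left_on[owner]}")
        if ev["user"] != owner:
            reasons.append(f"logged in as {ev['user']}, not assigned owner {owner}")
        if reasons:
            out.append((ev["date"], ev["mac"], ev["user"], "; ".join(reasons)))
    return out

if __name__ == "__main__":
    for hit in suspicious_associations(WIFI_LOG, ASSETS, LEFT_ON):
        print(*hit, sep=" | ")
```

As the parent and the comment above note, a MAC address is trivially spoofed, so a hit like this is a lead to corroborate against badge, camera, DHCP and authentication records, not proof on its own; the converse also holds, a clean run does not mean nobody spoofed their way in.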
The article said he resigned.
In most cases of IT staff leaving a company, the word "resigned" is a euphemism, and should be written in quotes.
... for a sysadmin.
Know where the logs are and erase the goddam things.
It little behooves the best of us to comment on the rest of us.
An administrator leaves a company. A few weeks or months later, things start to fall apart. This tends to happen even if there's no malicious code involved.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Am I missing anything?
Jackasses like this are why:
4. Anyone who gives notice to quit is immediately escorted (dragged?) out by security while an HR droid packs up their desk of personal items and mails it to them.
To this day (wow, has it really been 50 years?), I still don't know why Number Six resigned. Perhaps the reason he was kidnapped and taken to The Village, was that the government had serious concerns about what he was going to do next. Until you know why he resigned, it's really hard to guess anything else.
"Believe me!" -- Donald Trump
At work we just recently had Oracle come in and do a security analysis, and plain text passwords in files was one of their findings (some, not all files); they have a method to remediate it, which they pointed out.
Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
Hello, jail time. Or prison time, perhaps. Either way it sounds like they have this clown dead to rights.
Just cruising through this digital world at 33 1/3 rpm...
eyaml works very nicely for this
Fully licensed blockchain psychiatrist
As far as DevOps or infrastructure-as-code stuff goes, passwords can be obfuscated through the use of encrypted data bags, but ultimately the password is going to be in a plain text password file on the storage mechanism of the server, like WordPress or Drupal, etc.
I am referring to requiring the use of encrypted config files.
Not disagreeing with you, but I've seen a few people "rage quit". This incident would seem to fit that pattern. On the bright side, at least he didn't walk in with a machine gun.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
A few years ago I worked for a large S/W development company that was in the process of being acquired. As part of the due diligence they needed to do an audit of all their PCs. They couldn't account for roughly 25,000 machines.
It's not as bad as it sounds, mostly they weren't good at recording which machines had died and were parted out or were put on a shelf somewhere but never properly decommissioned.
The other anon is right: in the real world, unless your employer is NSA or something of comparable caliber, as an admin you have access to everything - whatever you don't have access to, you can obtain, without the employer's knowledge.
The only defenses against rogue admins companies really have are to have more loyal admins, and not to piss admins off. Plus the threat of a lawsuit if the admin fails to cover his traces after going rogue. Essentially, you can only try to reduce damage after the attack; you can't prevent the attack.
And to have anything "better", you have to spend so much on security, that unless security is your *product*, you'll be creating losses.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Encrypting client connection data gives little more than a false sense of security. If the client needs to automatically log in then it needs to be able to automatically decrypt the credentials. If the server can do that then most likely so can the sysadmin.
Accounts used for automatic authentication should have their credentials rotated frequently and the minimum privileges practical to do their job. Unfortunately that is a PITA to do, so people often don't :/
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
But the user account logged in after his employment ended. Then bad stuff happened. That might be enough.
http://michaelsmith.id.au
This is one of those cases where people really need to learn to let their anger go. I'm sure this guy thought he was smart; that he could take precautions. Maybe he even avoided all the security cameras. Maybe it was one ticket sitting in a provisioning system that said that laptop was last on his desk. No matter how well you think you've covered your tracks, in companies that big, there will be a record.
I'm reminded of the kid who sent a bomb threat via Tor to get out of something at his University. They didn't trace the message back to him. They noticed he was the only one on campus using Tor at that time.
If you want to fight injustice, talk to some reporters, blow some whistles -- that's one thing. Maybe you could even help people that way. But revenge isn't worth it. Even if you think you can get away with it. Just take a deep breath, remember humanity will all be extinct one day and that life goes on. People who are full of hate will lead miserable lives.
Unfortunately that is a PITA to do so people often don't :/
Chef, Jenkins, Puppet, Thoughtworks GOCD.
There's no excuse.
Whatever the circumstances, professionals do not sabotage their former employers (or current employers, for that matter).
Besides compromising your professional integrity, and risking criminal charges, it's just not worth your time. Move on and live your life.
What about apps where you need to restart them to update the DB password and it's hard to get the downtime to do that? Or where you need to change 4-6 apps at the same time as they are all tied to the same DB?
This is what the Change Advisory Board is for. Ever heard of a CAB meeting? Sometimes downtime is mandatory. If you have other deployments that cannot be handled with a rolling update, then piggyback during that deploy.
Also, Since we are most likely dealing with AWS or some other virtualization an entirely new cluster could be rolled out if engineered correctly, and the traffic routed to the new cluster.
ITIL :
http://www.bmc.com/guides/itil...
SAFe:
http://www.scaledagileframewor...
Is it real? If so why not criminal charges?
It really looks a lot like trying to blame an ex-employee for a fuckup. If this was real there is a long list of law enforcement types that would be very interested.
https://www.linkedin.com/in/ni... Although I'd consider that there is a possible chance that they were actually hacked instead.
Couldn't the 4-6 apps each use their own user, so they could be updated one at a time?
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
How did you know IT didn't keep a keylogger on any of the PCs that accessed it?
"An admin needs to be able to generate and revoke passwords, not know them."
"Doesn't need" or "Shouldn't" versus "Can't".
If you have control over the process of setting the passwords, you can have the passwords. You shouldn't and you're not supposed to need to, but who's to stop you, and who will ever know?
... if the sysadmin sabotaged the backups, too.
Sorry, stories like this are just ridiculous. A guy who knows his business surely knew that the company has backups. And an "end of year" is usually not calculated over the last 365 days, but over the last 11 or 12 "end of month" and the last 1, 3 or 4 or 5 "end of week" runs, depending on how and when you make "the end of month".
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Most companies have no problem auditing their accounting teams, they should do the same with their IT teams.
I'm always amused by the importance that people place on having a security clearance from the government, like it's a badge of pride. They seem to have this belief that they've been investigated and found to be super trustworthy people. Like an official certification of worthiness. In reality the whole purpose of a security clearance is to ensure that a person isn't already or likely to be vulnerable to blackmail, paltry bribes, or a bout of guilty conscience. And of course, despite that whole process, people are just people and even the NSA has historically made errors in this area, Snowden being the most obvious example.
The audit will find cases of incompetence or laziness. It would be very hard for it to find cases of actual subversion, especially if the admin has enough time to hide all the evidence off-site. Never mind his "booby traps" blowing up upon discovery by the auditor, and blaming the auditor for breaking the system.
He resigned, because he found out what was happening to people who resigned. He was outraged; he wanted to do something about it; and he figured the best way to stop it was to crack it from the inside.
http://www.marketwatch.com/sto... "I suppose that as the case of the programmer, Rajendrasinh B. Makwana, is brought out into the open we'll discover whether he's just a disgruntled programmer irked at being let go by Fannie Mae in October, or someone with more sinister intentions. It was only a fluke, according to all the reports Friday, that a malicious piece of code was found on the Fannie Mae FNM, -6.82% servers. It was designed to go off Saturday and erase all the data and screw up the company. It was placed there by Makwana, an Indian national and former Fannie Mae contractor, according to a federal indictment. If it was part of some greater scheme, then we can assume that on Jan. 31, the date his program was supposed to kick in, a slew of computer networks will go down. Generally speaking, this sort of thing is more of an inconvenience than a catastrophe."
Well I guess the best thing to do then is nothing. Just know the admin is all powerful and pay him 6 figures.
The right thing is to have competent people perform the hiring, hire a couple competent admins, and treat them well.
They don't go rogue "for teh lulz".