Slashdot Mirror


Former Sysadmin Accused of Planting 'Time Bomb' In Company's Database (bleepingcomputer.com)

An anonymous reader writes: Allegro MicroSystems LLC is suing a former IT employee for sabotaging its database using a "time bomb" that deleted crucial financial data in the first week of the new fiscal year. According to court documents, after resigning from his job, a former sysadmin kept one of two laptops. On January 31, Patel entered the grounds of the Allegro headquarters in Worcester, Massachusetts, just enough to be in range of the factory's Wi-Fi network. Allegro says that Patel used the second business-use laptop to connect to the company's network using the credentials of another employee. While connected to the factory's network on January 31, Allegro claims Patel, who was one of the two people in charge of Oracle programming, uploaded a "time bomb" to the company's Oracle finance module. The code was designed to execute a few months later, on April 1, 2016, the first week of the new fiscal year, and was meant to "copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless." The company says that "defendant Patel knew that his sabotage of the finance module on the first week of the new fiscal year had the maximum potential to cause Allegro to suffer damages because it would prevent Allegro from completing the prior year's fiscal year-end accounting reconciliation and financial reports."

30 of 143 comments

  1. Backup, anyone? by Anonymous Coward · · Score: 3, Insightful

    Seriously, why would it even be an issue? Critical code and data, but not backed up?

    1. Re:Backup, anyone? by Anonymous Coward · · Score: 5, Insightful

      You think a malicious sysadmin wouldn't know to target the backups as well?

    2. Re:Backup, anyone? by roc97007 · · Score: 2

      Or at least, have the code delete itself.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    3. Re:Backup, anyone? by TechyImmigrant · · Score: 2

      A good sysadmin would have a job.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. Pretty Obvious What the Timebomb Is... by segedunum · · Score: 5, Insightful

    They're using Oracle.

    .....and, backups??! But of course, that's a silly question.

    1. Re:Pretty Obvious What the Timebomb Is... by Anonymous Coward · · Score: 3, Interesting

      Of all the knocks on Oracle I have seen on Slashdot (most of which are completely valid), I have never seen an insinuation that their products are not reliable. I do not believe that is one of their weaknesses.

      Oh, it's reliable alright.

      You can count on being reliably fucked as a customer at any given time.

      And that's just dealing with the software audit mafia. Forget actually patching the fucking thing and not breaking all kinds of shit in the process.

    2. Re:Pretty Obvious What the Timebomb Is... by Thelasko · · Score: 5, Funny

      They're using Oracle.

      Seriously. If they were using SAP he would have never figured out how to sabotage it.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    3. Re:Pretty Obvious What the Timebomb Is... by gravewax · · Score: 2

      SAP is actually the easiest of all to sabotage, just hire a SAP consultant.

  3. Electronic fingerprint? by Viol8 · · Score: 5, Insightful

    "Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint.""

    Translation: Someone with a functioning braincell in the IT department googled about MAC addresses and thought maybe they should check the wifi router logs and look for unauthorised access by company issue laptops.

    1. Re:Electronic fingerprint? by AndroidCat · · Score: 4, Informative
      "return the second laptop because the device was capable of accessing Allegro's IT network"

      It sounds like they depend on the MAC address for access security, and not-a-one-of-them has ever heard of MAC spoofing. (Or a Pringles can for extending WiFi range from off company property.)

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Electronic fingerprint? by duke_cheetah2003 · · Score: 3, Insightful

      "Once again proving that those that do evil deeds are typically pretty stupid and leave obvious clues."

      Na, just proves the stupid evil doers are still stupid. We never hear about the smart evil doers. If there is such a thing. :D We'll never know, if they're smart enough.

    3. Re:Electronic fingerprint? by aaarrrgggh · · Score: 2

      X.509 could also explain it.

    4. Re:Electronic fingerprint? by Stealthey · · Score: 5, Interesting

      Second translation: DB admins are pretty inept at IT. It's trivial to change the MAC address.

      "Once again proving that those that do evil deeds are typically pretty stupid and leave obvious clues."

      You missed the key point too.

      The anon poster before you had the right idea.

      "He wouldn't need to keep the laptop if all he had to do was spoof the MAC address."

      If all he needed was the MAC address, then he didn't even need the laptop. He could have spoofed the MAC address. Most likely there was additional network security, which is why he needed the laptop. It could be a cert/key etc. too that was on the laptop which he couldn't spoof.

      --
      I am at loss with words...
  4. Re:So many stupid questions by Anonymous Coward · · Score: 5, Funny

    One more stupid question:
    Have you ever worked anywhere before?

  5. Of course Allegro had Backups? by BoRegardless · · Score: 4, Interesting

    Who in the heck was monitoring for changes to Oracle's software? Too many unanswered questions.

  6. RTFA, anyone? by tomhath · · Score: 5, Informative
    FTFA:

    Allegro's IT staff discovered the sabotaged Oracle finance module on April 14, 2016. Ten days later, on April 24, the IT staffers found Patel's malicious code after comparing the current database with a copy from older backups.
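    The detection the article describes, comparing the live database against a copy restored from backup, can be made routine. Added example, not from the article or Allegro: it diffs two constructed snapshots of stored code (the export format, modelled on what you would pull from Oracle's DBA_SOURCE and DBA_SCHEDULER_JOBS views, is an assumption) and flags jobs whose first run sits well after their creation date or that call code absent from the baseline.

```python
import hashlib
from datetime import date

# Constructed snapshots: object name -> source text, as exported from the
# live DB and from a copy restored from an older backup (format assumed).
BASELINE = {
    "PKG_GL_POST": "PROCEDURE post_period(p IN NUMBER) IS BEGIN "
                   "UPDATE gl_headers SET posted='Y' WHERE period=p; END;",
    "TRG_GL_AUDIT": "BEGIN INSERT INTO gl_audit VALUES (:new.id, SYSDATE); END;",
}
CURRENT = dict(BASELINE)
CURRENT["TRG_GL_AUDIT"] = ("BEGIN IF SYSDATE < DATE '2016-04-01' THEN INSERT "
                           "INTO gl_audit VALUES (:new.id, SYSDATE); END IF; END;")
CURRENT["PRC_HDR_CLEANUP"] = ("BEGIN INSERT INTO hdr_park SELECT * FROM "
                              "gl_headers; DELETE FROM gl_headers; END;")
# Constructed scheduler-job rows: (name, created, first run, action).
JOBS = [
    ("NIGHTLY_STATS", date(2014, 3, 2), date(2014, 3, 3),
     "DBMS_STATS.GATHER_SCHEMA_STATS('FIN')"),
    ("HDR_MAINT", date(2016, 1, 31), date(2016, 4, 1),
     "BEGIN PRC_HDR_CLEANUP; END;"),
]

def _digest(text):
    return hashlib.sha256(text.encode()).hexdigest()

def diff_code(baseline, current):
    """Return (added, modified, removed) object names between snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(n for n in set(baseline) & set(current)
                      if _digest(baseline[n]) != _digest(current[n]))
    return added, modified, removed

def suspicious_jobs(jobs, added, max_delay_days=14):
    """Flag jobs whose first run is far after creation (a delayed trigger)
    or whose action calls code that the baseline does not contain."""
    flagged = []
    for name, created, first_run, action in jobs:
        reasons = []
        delay = (first_run - created).days
        if delay > max_delay_days:
            reasons.append(f"first run {delay} days after creation")
        hits = [obj for obj in added if obj in action]
        if hits:
            reasons.append("calls new object(s): " + ", ".join(hits))
        if reasons:
            flagged.append((name, reasons))
    return flagged

if __name__ == "__main__":
    added, modified, removed = diff_code(BASELINE, CURRENT)
    print("added:", added, "modified:", modified, "removed:", removed)
    for name, reasons in suspicious_jobs(JOBS, added):
        print(f"REVIEW {name}: {'; '.join(reasons)}")
```

    Run against a restore taken before the suspected change so that the backup itself has not already absorbed the modification.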

  7. They had backups right? by 140Mandak262Jamuna · · Score: 4, Funny

    I am sure a big company like Allegro will have all the critical information replicated in multiple locations. I am sure they restored all the data in a few seconds and laughed at the stupid sysadmin. Right? That is how the story should have ended.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:They had backups right? by AmiMoJo · · Score: 5, Insightful

      It's not worth posting stories about these amateurs. Everyone knows you don't just delete random stuff, you introduce subtle errors that can be passed off as genuine mistakes, and which take years to fully manifest, way beyond the point where backups can help.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:They had backups right? by sinij · · Score: 2

      AmiMoJo, I am pleasantly surprised that you are not entirely zen-like.

    3. Re:They had backups right? by Anonymous Coward · · Score: 2, Interesting

      An effective (and legal) way of screwing over an employer would be not to automate certain infrequent but mission-critical tasks. Just document what needs to be done (and when) in your well-written and exhaustive handover notes. If you're feeling unkind don't explicitly state why or how to perform such a task (e.g. "purge old logs from the database server instance weekly"). Bonus points if before you leave you pitch a project to automate essential maintenance tasks to your boss, and they shoot it down as a waste of time*.

      When the intern/son of VP/H-1B they decided was a suitable replacement for an experienced sysadmin invariably hasn't followed the handover docs, the server will fill up, run out of space, and shit its pants. And they have nobody to blame but themselves. If they try to pin it on you, just send them the handover doc with the appropriate passage highlighted, and a copy of your consultancy rates if they'd like you to help sort it out.

      I've never done this on purpose, but I know it would work, because every single place I've left has called up a few months later with some dire emergency that could have been easily avoided if they'd just read my handover notes.

      *: this actually happened at a company I was leaving. I'd got a lot of vacation days accrued, and they wanted me to take them during my notice period rather than do the automation project I knew they needed, saving themselves two weeks of pay that they'd otherwise have to tack on to my final cheque. In the end they asked me back a few months after I'd quit, and paid me the equivalent of two months' salary to do the project, which was basically just refactoring and gluing together the various crappy shell scripts I'd written over the years and setting up a traffic light status monitor so they could see when things needed looking at. I felt kind of bad for them, but then I remembered the reason I left is that they wouldn't take my advice...

  8. Not very good at covering tracks. by nuckfuts · · Score: 3, Informative
    FTA:

    Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint."

    By "electronic fingerprint", I suspect they're referring to the MAC address of the laptop's WiFi adapter, in which case the guy is a bit of a noob for not spoofing it.
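    This post and the "Electronic fingerprint?" thread above both suppose the trace came from matching Wi-Fi authentication logs against the company's laptop inventory. Added example of that correlation, not from the article or Allegro (log format and inventory layout are assumptions, sample data constructed): it flags a device authenticating as someone other than its registered owner, an unreturned laptop of a departed user seen after their leaving date, and unknown devices. As the thread points out, a MAC can be spoofed, so a hit is a lead for the investigation, not proof of who was at the keyboard.

```python
import re
from datetime import date

# Constructed Wi-Fi auth log lines (format assumed: date, user, client MAC).
LOG_LINES = """\
2016-01-31 auth-ok user=jsmith mac=00:1a:2b:3c:4d:01
2016-01-31 auth-ok user=mlee mac=00:1a:2b:3c:4d:07
2016-02-03 auth-ok user=jsmith mac=00:1a:2b:3c:4d:02
2016-02-03 auth-ok user=guest mac=aa:bb:cc:dd:ee:ff
junk line that does not parse
""".splitlines()

# Constructed asset inventory: MAC -> (assigned user, date user left or None).
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("jsmith", None),
    "00:1a:2b:3c:4d:02": ("jsmith", None),
    "00:1a:2b:3c:4d:07": ("exadmin", date(2016, 1, 15)),  # never returned
}

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) auth-ok user=(\S+) mac=([0-9A-Fa-f:]{17})$")

def parse(line):
    """Return (date, user, mac) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return date.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()

def review(lines, inventory):
    """Return (mac, reason) findings for events that contradict inventory."""
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # unparsable lines are skipped, not treated as clean
        when, user, mac = parsed
        if mac not in inventory:
            findings.append((mac, f"unknown device, user {user}"))
            continue
        owner, left = inventory[mac]
        if user != owner:
            findings.append((mac, f"user {user} on device assigned to {owner}"))
        if left is not None and when >= left:
            findings.append((mac, f"device of departed user {owner} seen {when}"))
    return findings

if __name__ == "__main__":
    for mac, reason in review(LOG_LINES, INVENTORY):
        print(f"REVIEW {mac}: {reason}")
```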

  9. Re:Turnabout is fair play by XXongo · · Score: 4, Insightful

    The article said he resigned.

    In most cases of IT staff leaving a company, the word "resigned" is a euphemism, and should be written in quotes.

  10. Not how it's done ... by CaptainDork · · Score: 3, Insightful

    ... for a sysadmin.

    Know where the logs are and erase the goddam things.

    --
    It little behooves the best of us to comment on the rest of us.
  11. Re:Turnabout is fair play by Cajun+Hell · · Score: 5, Funny

    I want to know why the fuck he chose to attack a company he voluntarily resigned from.

    To this day (wow, has it really been 50 years?), I still don't know why Number Six resigned. Perhaps the reason he was kidnapped and taken to The Village, was that the government had serious concerns about what he was going to do next. Until you know why he resigned, it's really hard to guess anything else.

    --
    "Believe me!" -- Donald Trump
  12. Re:Turnabout is fair play by molarmass192 · · Score: 2

    Not disagreeing with you, but I've seen a few people "rage quit". This incident would seem to fit that pattern. On the bright side, at least he didn't walk in with a machine gun.

    --
    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws -- Plato
  13. Re:an administrator leaves a company by roc97007 · · Score: 5, Interesting

    "This could also happen if they forgot to renew the software."

    Absolutely. The biggest time bomb of all might be simply to decline to share the file of license renewals. The company starts to feel the results of *that* after the admin is long gone. And all the warning messages go to the admin's closed account, or to a service account that nobody checks since he left.

    The problem is, the results are indistinguishable from the case where the admin passed the information to "transition management" prior to being outsourced, only to have them lose it, so he gives them his spare copy, and they lose that also, and then a few months down the road when appliances and software suddenly stop working, offshore management blames the former admins for the debacle(s).

    Don't ask me how I know this.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  14. Re:So many stupid questions by SharpFang · · Score: 4, Insightful

    The other anon is right: in the real world, unless your employer is NSA or something of comparable caliber, as an admin you have access to everything - whatever you don't have access to, you can obtain, without the employer's knowledge.

    The only defenses against rogue admins companies really have are to have more loyal admins, and not to piss admins off. Plus threat of lawsuit if the admin fails to cover his traces after going rogue. Essentially, you can only try to reduce damage after the attack, you can't prevent the attack.

    And to have anything "better", you have to spend so much on security, that unless security is your *product*, you'll be creating losses.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  15. Re:an administrator leaves a company by WillAffleckUW · · Score: 2

    Probably for the same reason I know that.

    Sigh.

    --
    -- Tigger warning: This post may contain tiggers! --
  16. Re:Turnabout is fair play by hokeyru · · Score: 2

    Whatever the circumstances, professionals do not sabotage their former employers (or current employers, for that matter).

    Besides compromising your professional integrity, and risking criminal charges, it's just not worth your time. Move on and live your life.

  17. Found his profile by AnthonywC · · Score: 2

    https://www.linkedin.com/in/ni... Although I'd consider that there is a possible chance that they were actually hacked instead.