Fired IT worker arrested for "hacking" hospital network

An IT worker is accused of hacking his former employer, a Manhattan hospital. Bill Detwiler outlines five ways IT can prevent similar incidents.

The New York Post reported Tuesday that a former IT worker from a Manhattan hospital was arrested last Friday and charged with computer trespass, unauthorized use of a computer, and fourth-degree computer tampering.

According to the article, Jason Wang "wreaked havoc with the computer system at North General Hospital in Harlem after he was fired by officials there in September 2009..." The report doesn't specify what kind of "havoc" Wang is accused of wreaking, but it does indicate that authorities believe Wang used "a doctor's password and credentials to send a scathing e-mail to other hospital staffers, accusing Michele Prisco, North General's vice president and chief information officer, of being a racist."

Whether or not Wang is eventually convicted of these charges, the situation demonstrates the importance of strong internal IT security procedures. A former IT insider knows the environment intimately, and if any credential he knew still works after his last day, nothing at the network perimeter will stop him from using it.

In the October 10th, 2008 episode of TR Dojo, I discussed the following five security practices, each of which narrows what a disgruntled current or former IT employee can do in a situation like the one outlined above:

  1. Follow the principle of least privilege: give every account, IT staff accounts included, only the rights its day-to-day tasks require.
  2. Not all IT staff should be domain admins: help desk and desktop support can reimage machines and reset passwords with delegated rights, without standing membership in Domain Admins.
  3. Monitor additions to admin-level groups: every change to Domain Admins, Enterprise Admins, or a server's local Administrators group should raise an alert, since that is how a back-door account is quietly created.
  4. Log all administrative activity, and keep those logs on a system the administrators being logged cannot alter.
  5. Immediately revoke admin rights for terminated IT staff: disable their accounts before they leave the building, and change every shared, generic, or service password they knew.
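
As an added example (this is not code from the TR Dojo episode or from this article), the following PowerShell implements practices 3 and 4 for an Active Directory domain: it snapshots the membership of privileged groups, diffs the current membership against a saved baseline, and pulls the matching group-membership-change events from the Security log so every addition can be tied to the administrator who made it. It assumes the RSAT ActiveDirectory module, a domain controller with "Audit Security Group Management" enabled, and the baseline path and group list shown; all of those are assumptions to adjust for your forest.

```powershell
# Added example, not code from the article or the TR Dojo episode.
# Assumes: RSAT ActiveDirectory module; run on (or with rights against) a domain controller
# whose audit policy includes "Audit Security Group Management"; the folder for $BaselinePath exists.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')          # extend for your forest
$BaselinePath = 'C:\SecOps\privileged-groups-baseline.json'            # assumed location

function Get-PrivilegedMembership {
    # -Recursive expands nested groups, so an account slipped into a group that is itself
    # a member of Domain Admins still shows up here.
    $snapshot = @{}
    foreach ($group in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
        $snapshot[$group] = @($members)
    }
    return $snapshot
}

function Save-Baseline {
    param([Parameter(Mandatory)][hashtable]$Membership)
    # Run once after reviewing the snapshot by hand; re-run only after an approved change.
    $Membership | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Compare-ToBaseline {
    param([Parameter(Mandatory)][hashtable]$Current)
    if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run Save-Baseline first." }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($group in $PrivilegedGroups) {
        $was = @($baseline.$group   | Where-Object { $_ })   # a group new to the list has no baseline entry
        $now = @($Current[$group]   | Where-Object { $_ })
        foreach ($acct in ($now | Where-Object { $_ -notin $was })) {
            [pscustomobject]@{ Group = $group; Change = 'ADDED';   Account = $acct }
        }
        foreach ($acct in ($was | Where-Object { $_ -notin $now })) {
            [pscustomobject]@{ Group = $group; Change = 'REMOVED'; Account = $acct }
        }
    }
}

function Get-GroupChangeEvents {
    param([int]$Hours = 24, [string]$Computer = $env:COMPUTERNAME)
    # 4728/4732/4756 = member added to a security-enabled global/local/universal group;
    # 4729/4733/4757 = the matching removals. Domain group changes land on the DC that handled them.
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756, 4729, 4733, 4757
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $data['TargetUserName']   # the group that changed
            Member    = $data['MemberName']       # DN of the account added or removed
            ChangedBy = $data['SubjectUserName']  # the admin who did it: this is the audit trail
        }
      }
}

# First run, after a manual review of the output:
#   Save-Baseline -Membership (Get-PrivilegedMembership)
# Scheduled run (hourly is reasonable):
$changes = @(Compare-ToBaseline -Current (Get-PrivilegedMembership))
if ($changes.Count -gt 0) {
    $changes | Format-Table -AutoSize
    Get-GroupChangeEvents -Hours 24 | Format-Table -AutoSize
}
```

Treat any ADDED row as an incident to be explained, not a ticket to be closed; the SubjectUserName in the event is the accountable administrator, which is what practice 4 is really about. The two halves are both needed: if an account is added to a group that is itself nested inside Domain Admins, the recursive snapshot shows the new Domain Admin, but the 4728 event names only the nested group.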

For additional help developing strong internal IT security procedures, check out the following TechRepublic resources:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

58 comments
jdriggers

First off, the guy was a New Yorker, the hospital should have known better than to fire him. LOL. Reading all the comments has been entertaining to say the least. There seems to be some anger out there. Yeah, the guy needs to do time for the crime, but the CIO should be looking for another job for giving him the opportunity. Apparently the Swiss cheese analogy is correct. Down here we don't smack you around and then turn our back to you. You can't expect someone to walk away smiling if you kicked their a$$ to the door. How does that saying go? "Do unto others as you would have them do unto you." Yeah I know, corporate philosophy, "do it to them before they do it to us."

oldbaritone

Sad but true, many IT organizations use "generic" IDs for some tasks, like re-installing images on user machines. In fact, these IDs often have a significant amount of authority on the network. If those IDs exist in the organization, they should also have their passwords changed immediately if an IT employee leaves or is terminated. And they should be restricted to in-house use only. And of course, that's IN ADDITION to routine password changes.

Friend_of Jason_Wang

I have to set the record straight on behalf of Mr. Wang. Firstly, the claim that Jason wreaked havoc on the network system is not true. Nothing was damaged, no folders were compromised, no money was stolen... no measurable harm done except to embarrass the hospital. And from what I understand the security is a joke, A.K.A. Swiss cheese. IT controls are lax: FULL ADMIN RIGHTS ARE GIVEN TO EVERYONE IN THEIR IT DEPT INCLUDING LEVEL 1 SUPPORT. I am privy to the police report and it clearly states that the gateway was changed on an old 3COM switch along with the admin password. Second, it states that he and he alone had access to the user/password of the account used to disseminate the alleged email accusing Ms. Prisco of racism... not true, 7 other IT personnel have access as well. My understanding of the case is that ultimately it amounts to the equivalent of walking into your neighbor's yard uninvited, scribbling some graffiti, changing a padlock, and then turning the exit sign to the left instead of the right as it should. Should it be a felony? I think not.

reisen55

I supported a team effort for 11,000 systems at Roosevelt, St. Luke's and Beth Israel Hospitals in Manhattan. WHERE TO BEGIN? Virus, malware and porn were RAMPANT across the network. We would image a system and a week later it all came back in again. Doctors could not get to patient data in PRISM because of these problems. 30 computers were STOLEN FROM ROOM 617 at St. Luke's. First Consulting Group just adjusted the inventory to hide the theft. A system was stolen from the Pastor's office in St. Luke's and one from the Roosevelt cafeteria commons area. GONE. First Consulting had low staff, overworked technicians and zero controls in place, JUST NONE. They were bought by Computer Sciences. THIS WAS ONE JOB I WAS GLAD TO LEAVE!!! TOTAL STRESS.

kevaburg

Mr McKinnon did not cause any damage to systems he hacked into (more on that in a moment) but Mr Wang did. Nobody is sure whether or not Mr Wang will be charged with his misconduct, but Mr McKinnon faces over 70 years in jail. Mr Wang used another person's password maliciously but Mr McKinnon used default administrator passwords because administrators didn't change them from the defaults. And finally, Mr McKinnon has been diagnosed with the compulsive disorder Asperger's Syndrome (something that drove him in his search for ET life) but Mr Wang is just a nasty bas****. Does anyone else think the US approach on this is a little off-track?

-NaturaTek-

I read the NY article, why did they wait 9 months to arrest? I find that odd.

Jaqui

And the prosecution should go for the death penalty! Drive the point home that actions like this are criminal. Make it a scary thought to crack the security of a network.

NexS

"The attacks on the hospital's information system and the e-mail ripping Prisco occurred just days after Wang was canned by North General on Sept. 11, 2009." So why do we hear about it today? Surely, if they thought it was bad enough to have him charged with "computer trespass, unauthorized use of a computer, and fourth-degree computer tampering" (by the way: 'Computer tampering'??? Are you SERIOUS!?), then surely it would have been worth doing straight away. I could even believe a month or so later. But 9 months later? I don't think so.

Tony Hopkinson

An idiot employed by idiots becomes an idiot no longer employed by idiots....

y0shi

There are a lot of precautions that are in place to prevent things of this nature from happening, but ultimately it comes down to hiring the right personality. Whenever someone in IT Infrastructure leaves we change all the account passwords (service & administrative) and disable their account before they leave the building. In the case of the hospital incident, Jason could have remembered the doctor's account information (ID and password), composed the e-mail and sent it to an all-company distribution list e-mail address using the doctor's credentials. All without even accessing the hospital's network. He could have used ANY e-mail address as the sender for that matter - unless there are security rules for DL senders. That's the proven e-mail; as for the havoc and hacking into the network, well, we don't know enough details to identify what should have been done to thwart him. The tips in the article are a good start. Work closely with the HR department and have a solid and quick process for new and terminating employees. I worked for a hospital about a decade ago. Given what I remember about the infrastructure, I am sure I could use a little social engineering on one of the 4000 employees and have access to the network in no time. Good thing I have ethics.
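
As an added example (not y0shi's code, nor the article's), here is the offboarding step y0shi describes, in PowerShell for an Active Directory environment. It covers practice 5 from the article and the point made elsewhere in this thread about generic IDs: disable the leaver's account, reset its password, strip its group memberships, and rotate the passwords of the shared or service accounts the leaver knew. The RSAT ActiveDirectory module, the ticket reference, and the shared-account names are assumptions.

```powershell
# Added example, not code from the article or this thread.
# Assumes the RSAT ActiveDirectory module and rights to modify the accounts named.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # CSPRNG with rejection sampling, so no character is favoured by modulo bias.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    return $sb.ToString()
}

function Invoke-ITOffboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$SharedAccounts = @(),        # generic/service accounts whose password the leaver knew
        [string]$Ticket = 'HR-0000'             # assumed ticket reference, kept on the object for audit
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Disable first. This blocks new logons and new Kerberos tickets immediately.
    Disable-ADAccount -Identity $user

    # 2. Reset the password anyway: a saved RDP profile, mapped drive or script holding the
    #    old password is useless even if someone re-enables the account by mistake.
    $userPwd = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $userPwd

    # 3. Remove every group membership (MemberOf excludes the primary group, Domain Users).
    #    Privileged groups go with the rest; a disabled account has no reason to keep them.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Leave an explanation on the object for whoever audits it later.
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format s) per $Ticket; group memberships removed"

    # 5. Rotate every shared or service password the leaver knew. Hand the new value to the
    #    password vault / service owners out of band; never write it to a log or this console.
    $rotated = foreach ($acct in $SharedAccounts) {
        $svcPwd = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $acct -Reset -NewPassword $svcPwd
        [pscustomobject]@{ Account = $acct; RotatedAt = Get-Date; Ticket = $Ticket }
    }
    return $rotated
}

# Example call (account and ticket names are placeholders):
# Invoke-ITOffboarding -SamAccountName 'jdoe' -SharedAccounts 'svc-imaging','helpdesk-generic' -Ticket 'HR-2010-0612'
```

Two caveats the script cannot cover. Disabling an account does not end sessions that are already open, and a Kerberos ticket already issued stays valid until it expires (ten hours by default), so on a hostile termination also force a logoff of the leaver's sessions and restart any service running under a rotated account. And the credentials an IT employee knew are rarely all in Active Directory: the switch admin password mentioned in this thread, firewall and hypervisor logins, and vendor portals need the same treatment, from a list kept current before the day it is needed.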

famigorena

According to this article, this rogue IT worker used "a doctor's password and credentials" to log on to the North General Hospital network. Based on a quick Google search, I can reasonably assume it is a Windows-based network. This incident underlines the fact that Windows lacks the fundamental and classic login session controls found in other environments like mainframe and midrange systems, UNIX and Netware. Windows indeed lacks:
- Concurrent logon control
- Logon/logoff reporting
- Logon session monitoring
- Remote logoff of workstation logon sessions
- Logon time restrictions by group
- Workstation restrictions by group
- Forcible logoff when allowed logon time expires
- Previous logon time and computer display when user logs on
Such session controls would have probably prevented Jason Wang from "wreaking havoc with the computer system" ... More about holes in Windows login controls here: http://www.isdecisions.com/en/software/userlock/eight-holes-in-windows-login-controls.htm

cperry

I'm the sole IT Administrator at my work. In a corporate environment, it's sheer stupidity to not revoke admin rights once an employee is terminated but I don't know what a small/mid-size company would do if they had to fire their only IT guy and he/she was disgruntled enough to do something stupid like this.

AnsuGisalas

It just is. The potential for harm is that big. Your yard parable is insufficient. If one gets into someone's system unlawfully, it's more akin to breaking into their home. You have to do something to get in, be it by way of a pilfered key or whatever; it's still breaking and entering. If you change a password it's a problem for potentially large numbers of people (it's not relevant if it actually was). If you change a padlock, it's a problem for your neighbour, and only till he can get his bolt cutters.

Friend_of Jason_Wang

Let's just say you and I have worked in a similar environment. I'll do one better: HR master list of employee social security numbers, dates of birth, and home addresses... IN AN UNSECURED PUBLIC FOLDER!!!!

BuddingLeader

The difference between those two is who the crime was perpetrated against. Look at it this way: if you cut off another car, you might get a honk, a middle finger, and that's all... if that other car is a police car, you will get as many fines as he can think of giving you... and he might haul you off to jail. Same action, different results... it's really not surprising.

Bill Detwiler

Collecting enough evidence to get an arrest warrant can take days, weeks, months, even years.

NexS

It also proves a point that users who refuse to change their password regularly put data belonging to, not just themselves, but everyone else (and in this situation, a whole city's worth of patients) at risk. Security is there for a reason and if criminals didn't constantly try to break through, there would be great lapses and/or a Big Fail in the data security market/procedures.

Bill Detwiler

Remember that collecting enough evidence to bring charges and make an arrest can take days, weeks, months, even years.

-NaturaTek-

I agree. Something else is going on here. Maybe that guy kept harassing on a weekly basis? Maybe the CIO kept getting pressure? I kinda doubt an experienced tech would leave trails; maybe this tech wasn't so 'techish'. There had to be some political pressure, maybe the police just gave in and charged him with 'tampering'. I would like to see the outcome of this case.

AnsuGisalas

Wait, is that somehow wrong? Perverse, you say? Oh my... ]:)

allanscott14

I disagree. First, I'm not in favor of one system over another, each has its place in the business world. However, I need to point out that all of the things you listed are possible in a Windows network with a combination of Active Directory, logon scripts and some well-known tools. An average Windows Domain Admin can control all of these things. However, NONE of these controls would have prevented this hack, I'd bet money on it. Without having read any other articles on this story, I'll guess that the doctor gave the IT guy his password so that he could fix some issue the MD was having. Second, the IT guy probably accessed the MD's email from the company's external webmail app, thus rendering any of these controls useless. A hospital is 24/7 and the computers are a critical part of patient care these days. An IT leader in healthcare has to be very careful how they restrict nurse and doctor access to the very systems that are vital to treating the patients. This MD should not have given anyone his password; that is the real nature of the problem that should be addressed.

y0shi

I can make all eight of your bullet points happen on a Windows domain. I started writing how to achieve each bullet point using the features native in Windows, and some solutions required Resource Kit applications, but then I realized you're marketing the UserLock software your company sells.

NotSoChiGuy

I was on the fence, but did a Google search, and there is a famigorena working at the company referenced by the link.

Realvdude

Typical news tactic to alarm the public; but at least it can spark a constructive conversation on the topic of IT security. There were no details about the "hacking" activity, though it does say he got into the internal network that has the patient records. As for using the doctor's email credentials, that seems to indicate that policies allowed the IT staff to have those passwords. I would have expected a "change at next login" policy to be enforced whenever the password is set by the IT staff, particularly at a large entity like the hospital. It would also seem that they did disable his credentials, since he had to use the doctor's, at the very least for sending the email. I also am the sole IT guy for our company. I'd like to throw out the topic of security for hosted, cloud-based or colocated IT systems for discussion. Has anyone dealt with security policy and procedures for these scenarios? As an example, we are considering colocating our servers with a local data center. Let's assume that myself and the company owner have physical access clearance; would anyone have the foresight to block my access upon termination? Or even worse, I alone have clearance because I set up the colocation service. What would it take for the company to block my access and establish access for someone else? I consider myself above reproach and would not attack/exploit the system I maintain if I were terminated. I also consider it foolish to open myself up to any legal action. I would consider charging a heavy consulting fee to assist in transferring the system to another administrator though.

otaku_lord

I am the only IT person at my current position. There is a Director of MIS but he has other responsibilities outside the scope of my job. We had a hellova time getting everything ironed out when I got here because the person I replaced walked out the week before I was supposed to start.

SerrJ215

I was the sole IT for a building and remodeling company. The biggest security issue I had was when someone left, fired or otherwise, I was the last to know. I would take a walk around the building and see someone new and the conversation would go something like this. "Who are you?" "Oh, I am 'new person'. I replaced 'so n so' last week." "How have you been able to work?" "Oh, I have been using 'so n so's' login; the office manager knew their password." No matter how many times I spoke to our HR department it was impossible for them to tell me when people came and went. Mostly because someone would get fired almost every week and the boss had a habit of making jobs for the members of his family.

Bill Detwiler

Having been the sole IT person for a small research company, I understand this situation all too well. Ultimately, the responsibility falls to the owner or executive leadership to ensure that the organization's entire IT infrastructure isn't reliant on a single individual. Unfortunately, many non-IT people don't understand the risks before it's too late.

Friend_of Jason_Wang

It's not a parable but an analogy. Take the neighbor's yard, in the very center of which is the house, where the most valuable items are stored and secured. The yard, on the other hand, specifically the gate with lock, other people are purported to have a duplicate key to. So the defendant gains entry to the yard with a duplicate key that was given to him, and proceeds to change the lock. Yes, probably the home owner used bolt cutters to cut the new lock and installed a better one. Now he alone has the only key to the yard. In regards to the house, only the home owner has the master key to the house, which I might add the defendant never compromised (or even tried to, from reading the police report). There may have been a million dollars on the kitchen table which could be seen through the window of the house; it was never touched nor was there any attempt to access it through another part of the house. My post merely argues the validity of a felony charge as opposed to a much lesser charge. Semantics aside, the law is the law. Harassment maybe, but to call it terrorism would be a stretch.

kevaburg

It just seems to me that the US is out to make a point but is going about it the wrong way. Sure it makes a difference if you use metrics like "what could happen" against "what has happened" but still I feel, like many others, that there are unnecessarily harsh sentences being dished out in one case and then ridiculously lenient sentences being handed down to other perpetrators of similar incidents.

AnsuGisalas

Seriously. If a botnet is trying for a month to crack my password, isn't that an awful amount of effort wasted that could be used finding "admin" and "admin" pairings? Changing passwords is bunk. Not using the same password across different sites, that has virtue. But changing it, just in case a botnet is *this* close to cracking it... that's just ridiculous.

lesko

From within the network most Exchange servers are open relays; you can verify it by telnetting to the box on port 25. You can even send email through this session using SMTP commands. So how did they know for sure that this guy did it? It could have been anyone.

Jaqui

but the twit still needs to be made an example of. to really put out that these type of actions are criminal in nature and can be harshly punished.

AnsuGisalas

Paranoia just hit the fan! Experienced techs make stupid mistakes every fecking day. Just like everybody else. People make mistakes. In this case, writing an email likely to leave trails. I don't know if a nine month police investigation is extraordinary. Maybe it is. Maybe it isn't. Depends on the case and the difficulties involved I guess. And case loads.

famigorena

... Allan! 1) "All of the things you listed are possible in a Windows network with a combination of Active Directory, logon scripts and some well known tools." I am afraid you are wrong, that is if you are really serious about securing access to your Windows networks. Logon-script-based solutions, just to take an example, present far too many drawbacks and weaknesses to suit large IT infrastructures' security requirements. In fact, such solutions generally raise more IT security problems than they solve ... I am at your disposal to provide you with detailed info about this if that may be of interest to you. 2) "None of these controls would have prevented this hack." You might have a point here, as we don't exactly know how it really happened and, anyway, no solution can ensure 100% security. But there is a good probability that, if the hospital's Windows infrastructure had been protected using UserLock, the threat posed by such a rogue IT guy would have been significantly mitigated. Just my 2 cents ... Best, François

famigorena

Dear y0shi, If you can achieve each bullet point using native features of Windows and/or Resource Kit applications, I promise I'll have a crate of the finest French champagne sent to you. If you are interested in this bet, please contact me via my LinkedIn profile: http://fr.linkedin.com/in/famigorena Looking forward to hearing from you soon. Best, François

famigorena

Dear NotSoChiGuy, I didn't hide myself behind a nickname, used my real email address and had absolutely no intention to be deceptive. I am indeed the founder and CEO of IS Decisions and I contributed to writing the whitepaper mentioned in my last post. And IMHO, there is no shame in doing so ... Best, François

QAonCall

And it applies here. In a single-admin shop (single being a sole administrator or small family-owned business), one of the responsibilities is to have a disaster recovery program. Real-life disasters are things like:
1) Hurricanes
2) Floods
3) Fire
4) Security breaches/data loss/corruption
5) Firings/loss of key employees
etc. You can look at this as a Disaster Recovery/Risk Mitigation plan. I get (being a small business) the limitations that exist, but still the 5 P's work: Proper Planning Prevents Poor Performance. Once these comprehensive plans are written, a monthly review gives the organization a great tool for discussing new security and other threats. It also helps IT get a better view of business threats as well as physical/virtual threats and can help them deliver services better and faster. This methodology works in large or small companies. Larger companies just require more meetings! ;)

jdclyde

People don't realize just how different the rules are in a family business vs a big corporation. It is impossible to enforce rules against family members, and trying to will only result in YOU being shown the door. When I was in that situation I would inform my boss via email of potential problems and if they decided it wasn't an issue I was covered. I kept all of the emails. Sometimes all you can do is CYA.

taylorstan

I am the only IT person in our small company also. I've harped on them about passwords, account permissions, internet access, and a plethora of other issues. None change because I have a superior (no IT training) who thinks that because he wired a network and built a website he knows it all about computers and networking. This is the danger in SMBs. Not the fault of the lone IT guy, but the person over them that does not listen.

QAonCall

Bring in a security analyst to facilitate the procedures to remove the old admin and replace with a new interim or long-term solution, especially if your business demands one-person IT/admin. Additionally, monthly DR practices can ensure that the owner is aware of what needs to be done with a single point of failure. If you are setting up a shop or working in one like that, although it does not serve your own best interest, it is incumbent on you to educate the owner to this. Have your clients implement a monthly DR routine where they take over as the admin with a master admin password (that is renewed at that point) and then placed in a secure location. If you are a small business owner you should be doing this to protect your business.

AnsuGisalas

But in that kind of case it should be standard procedures... slightly different type of consultant of course.

AnsuGisalas

If you trespass on an airport runway it's a whole other ballpark than if you trespass on a lawn (unless it's the lawn of 1600 Pennsylvania Avenue, Washington DC). You have to keep your agenda clear. If you want to argue that the wrong legal statute is being used, I think you're wrong. If you want to argue that the law should be different, you're not going about it right. Pick a stool.

AnsuGisalas

There is no equation of land and network. So your analogy doesn't apply. The law is the law, so the crime can only be assessed by the definitions given in the law. If unlawful entry into a network is a felony, then this was a felony. If changing a password is Computer Tampering in the eyes of the law, then it's that too. A court of law will assess guilt and arbitrate the charges. If you want the law changed, then say that. If you argue well, I might agree.

Darryl~

Sour grapes to me. Why did he not inform them of the lack of security while he was employed with them? Sounds like it was an intentional attack to me.

Friend_of Jason_Wang

Ok, so I will change my analogy from a residential house to a corporate compound where there is barbed-wire fencing, gates, and padlocks. The fact remains the same: main building not compromised, alleged vandalism, and inconvenience plus extra money spent by the company to shore up security so the next time, if a similar alleged incident should occur with more dire consequences... then they will be prepared.

Friend_of Jason_Wang

Well, everyone is entitled to their opinion. From what I understand, no monetary damage was claimed in the complaint. We're talking about a switch, not a firewall with NAT, ACLs, and routes sabotaged. In my experience, pinpointing why packets weren't traversing the switch would have been a 2-minute effort... no money involved if a competent IT person was tasked. As for the enterprise spending money AFTER the incident, that's their problem; in fact, he did them a favor so as not to be so complacent the next time around.

-NaturaTek-

I agree this country easily uses the word 'terrorism' on everything. However, that analogy you used simply sucks. Even if you just spray painted and changed locks you caused harm to that environment. Apply that analogy to an enterprise network and you caused a lot of headaches. They probably spent tons of money finding what the problem was, money on hiring consultants to add extra security, downtime for the whole hospital, etc. Here in New Jersey, anything involving a loss over $1,000 (last I remember, might be wrong on figures) constitutes a felony. If you were to enter my yard and spray paint my property and attempt to manipulate my locks, you wouldn't have to worry about police. Worry about getting shot if you enter or my shoe being polished in your arse. It looks like that CIO is trying to give you a digital equivalent.

AnsuGisalas

If the password change has to do with IT ex-colleagues going postal upon termination then the once-a-month/week/whatever is equally pointless. Just force a password change whenever someone gets the boot in IT. If the problem is that someone might learn the password through a security flaw (social engineering, dumpster diving, whatever), then Murphy's law tells us that it's going to happen to a new password with plenty of lifespan. If that's not it, then what? What on earth makes a mandatory regular password change relevant? It's like the preprogrammed obsolescence of Blade Runner skinjobs; it's a hack solution.

jdriggers

Glad to see someone else understands how it all works. No one shuts down port 25, so any knowledgeable tech will get there if he wants. Did anyone ever think he set up a back door username? We are only as safe as people are willing to let us be. Laws, rules, locks are only for the preservation of honesty.

NexS

But I do not believe in making an example of people. Everyone should be treated fairly from within the law. I don't think it's fair that someone gets treated more harshly than the next duly on factor that the court wants to make an example of his wrongness. Sure, let the media make an example of his actions(as it already has) but let the law be fair and just. Hence, Justice.

AnsuGisalas

That your software company can buy commercial space on TR... why should you get it for free? It's spam. You're not trollish about it, and that's nice. You also keep your frequency down and limit yourself to relevant posts, and that's nice too. That said, it's still something to be frowned upon, and you know that too.

famigorena

... and if I were an IT Department Manager too, I'd do exactly the same ...;-) But the thing is, I run a software company and have faith in our solutions ... Warm regards, François

Darryl~

and I also don't put hyperlinks to a product I'm selling on every single post I've made on TechRepublic....nor do I start discussions or ask questions trying to generate business here. You're pretty sneaky about it....but it's still spam. ;)

Darryl~

and keep a copy of it. My rules exactly...nobody else is going to CYA....you have to do it yourself.
