Discussion on:

See how one new user became a security nightmare

This is an interesting article, and a good insight into the admin mindset.

I'm interested to know if the guy was actually doing anything bad, or just violating procedures in what he would say was an attempt to "get something done".

He wasn'tcaught red-handed in any exploit, as far as we can tell. He had an excuse each time he broke procedures, and in the end gave up trying on his project.

Was there another way to deal with this? Could someone from IT have got alongside him and worked through the idea to find out if it would work?

It sounds like this is a company which has decided that anyone outside IT should leave the tech alone.

Peter Judge
ZDNet UK

IT is responsible for the reliable operation of the network. In order to fulfill this responsiblity, they need the authority to control what equipment goes on the network and what changes are made to the network.

The same goes for applications installed on workstations. IT is responsible for the smooth running of workstations issued by the company. They therefore need the authority to control what is installed on these workstations to ensure that all needed applications run as they should.
In reply to your comment "It sounds like this is a company which has decided that anyone outside IT should leave the tech alone", tell me, would the company sales department like IT conducting sales meetings with clients without the knowledge, consent, or participation of the sales department?

I think they would complain very vocally to upper management, because IT's job is IT, not sales. Similarly, sales' job is sales, not IT.

"Would the company sales department like IT conducting sales meetings with clients without the knowledge, consent, or participation of the sales department?

Great point -- this isn't about not wanting non-IT folks to do IT work. Debra and her dept worked with this individual, at great cost to them. Do you know how much time Debra et al probably had to spend just to prevent this person from doing what they already knew they shouldn't do?

Why is it so hard for people to accept that there are policies and procedures in IT that must be followed? If you follow them, you have more flexibility. But if you don't, you're going to have specific restrictions imposed on you. When you act in ways you were told not to, and you don't utilizethe help that has been offered to you (e.g., asking admins for help w/installs), then you can't expect to remain an employee for long.

>Great point -- this isn't about not wanting non-IT folks to do IT work. Debra and her dept worked with this individual, at great cost to them. Do you know how much time Debra et al probably had to spend just to prevent this person from doing what they already knew they shouldn't do?
=====
We don't know how much work Debra did "on the project." We do see a lot of monitoring of the new employee. We also know that both Debra and her supervisor felt the project was "to good to be true."

Not a very positive attitude to approach the project.

We also don't know if this was a "go ahead and build it, kid, but do it on your own time," project, in which case Debra, might not have been available after hours.

Firstly, there's a very good reason for not letting non-IT employees do IT-related jobs without the supervision of IT, EVEN if they are the most qualified people on the planet: CONSISTANCY!!! One hand wouldn't know what the other was doing. It sounds to me like this employee had WAY too much freedom with this project and the equipment assigned to him. Yes, Debra and the rest of the IT department got a good workout, and even benefited from the experience by being forced to lock down the gates, but this person should have been terminated SEVERAL violations ago.

Also, the impression I get from this article was that the employee was to do the bulk of the work, and ASK FOR HELP when he was to do something outside his boundaries. This wasSPELLED OUT FOR HIM CLEARLY SEVERAL TIMES, yet he CHOSE to ignore the warnings. All he had to do was open his mouth and ask, and he more than likely would have gotten the assistance he needed.

Lastly, by the time all of this nonsense settled into the dust, one leaves this story with the impression that this employee wasn't even very sincere about this alleged "project", and simply wanted some time to play "computer god", or maybe even conduct some electronic espionage.

He did not have the freedom to complete his project, because Debra and IT wouldn't leave him alone.

The guy created the problems himself which brought him to IT's attention. They responded in the only manner left open to them.

It looks more to me like IT tried to kill the project and limit this employee to nothing but failure. If IT was told to give their full support to this project why then was Debra not there every day to help this salesman attain the goal of a working project instead all she did was attempt to bust him and get him fired. How could anyone set up a working new network system if admin rights are not allowed????? What idiot in IT could not see that as a problem and in so not assign a full time IT staffer to help him out. Also how could this employee not know to go to his sales management and get IT to buy in on what he was doing if it was such a good idea. Sounds like a few VP's are to busy to know they have a job to do.

From what I read, the sales person had already been given a green light, to the point that a THIRD drop was given for a SERVER. Where is the road block?

Why did he stop pcAnywhere if not keep out prying eys? Why did he continue to disconnect his Corp PC from the network and attach his Linux system?
Why after REPEATEDLY being told that he needed to contact IT for assistance did he continue to VIOLATE the agreement that was made between the Sales Management and IT management staff?
The only reason I can see for not wanting anyone in IT to be able to monitor his access, is that he was not doing what he was supposed to and may possibly have trying to access protected data, for what purpose is unknown.
If you feel that the rules and regulations in a company are designed to create 'Road Blocks' and not allow for anyone to just add and remove hardware and software at will, think about this:

The company is liable for licensing every piece of hardware and software that is present on company property. If any software is unlicensed (barring true Open Source, and with the changes I've seen in the GNU license, that may be changing)or if any customer data is compromised, the company risks very LARGE fines and lawsuits.
Keep tjat in mind the next time you want to just install 'whatever' and want the IT group to 'just mind their business' or you could become one of the unemployment statistics.

Keep in mind that this was an approved project. The new associate was not working indedpent. Having IT handle sales is often a good idea, and they should when their participation is approved.

The root problem is running development in a production environment. Put this project in a development lab, isolated from the production network, and the problem ceases to exist. Who is on the project should be based on the project needs and participant skills, not on org charts.

Sales and Techs/R+D have been at odds for the 30 years and 2 companies I been thru. Years ago a salesman sold a several CheckPosting machines to a Group of banks(remember Sharing Data Proc.Centers).The first service call I made the op manager said this an that feature doesn't work fix it. Sure I said I'll torch the mainline in half crank one half 90 degrees and reweld. i was 19,and these guys are still at it,worse if they browse manuals ;

We always fought issues like this at my last job. It was a nightmare. Only thing is we were treated like step children and the users, especially the execs, did what they wanted to and when things didn't work, we had to patch it all up. We also had a temp that tried this same thing. He'd play on the network and set up a pc to be a web server or something like that. When confronted about it he'd get angry and say we were being rediculous. Policies whether we like them or not should be applied indiscriminately and for the productivity of the company. If you can't be responsible to follow protocol then too bad.

I totally agree with aaube's statement. I have been in similar situations in the past, as an IT manager.

Unfortunately, the head of Sales was sleeping with the President and therefore my department was given the shaft end as 'not being team players'. What a crock of 'doo doo' that was.

I find that Sales people who 'think' they are technically inclined are quite delusional and should seek professional help. In _every_ instance where a 'sales techie' is allowed to do things themselves, their network and associated PCs _always_ end up in chaos.

Upper management always get what they deserve, they often make bad decisions on internal matters, and ultimately it affects them where it counts, in their wallets....

Talking about getting away with murder (figurativly). I have seen people sent to jail for less.

After catching the user changing the admin password on the server, that user should have been terminiated. The fact he received multiple chances showsa lack of respect by the user of management.

unless I missed something, the article said he changed the local admin password on the workstation not the server or even the domain admin password. Now if he had changed the domain admin password...THAT would have been exciting. But I do agree withyou, he should have been fired.

That's nothing, the 2nd internship I had with a government agency I had the top dog's domain admin password in about 3 months. That password was a bee-atch to crack. Ha ha. Oh well he was very security conscience and changed it shortly after. For me it was one of those "I had to see if I could do it" things. After that I left the poor man alone and in no way caused any damage when I had the password.

The fact that you carried out the crack, makes you a hacker. For which you can get a jail term.

Bull. Since when do we give jail terms for small crimes. Figuring out someone's password but not using it for any information gathering or changing is no major offense. Let the punsihment fit the crime. In my company he'd get a smack on the fingers and be watched for a while.

It also has a lot to do with how valuable that employee is to the company. In every job I've had I immediately set out to make myself so valuable to the company that they will overlook any mistakes I might make.

Russ

I mean get freakin real. I can murder someone in Holland and be out in 2 years.:) Also have any of these idiots posting here heard about a legal term called Intent. Oh wait Debra is comming. I have to go back to work shh. I am connecting another Hubto the network to SPAN THE PORT OOoosounds dangerous but I live for danger:)

1. changing someone's password without his/her consent is not a right things to do.
2. creating unnecesssary problems for others is very inconsiderated.
3. IT should have lay down rules on what can be done and what cannot done before works begin on the project.

Ok, IT has to review internal security. We don't know the extent of IT "support" on the project. Obviously, MANAGEMENT had bought in!!!

Interesting that after the first "incident" IT didn't attempt to get the "complete" technical requirements forthe effort and move this "project" into its own domain. Isolate this situation and most of the problems become "project" related not policy related.

Violation of policy is/can be a serious offence!!
Rules are in place to prevent anarchy. If there are exceptions IT should have been approached with the need for the exceptions.

So if I hack and get, say your ATM pin number, or account details. You would sit quite happy and not want me punished.

If you were on the recieving end...your tune would change my friend.

I don't make the law!

Was he a hacker? Was it a case of Industrial espionage? I feel cheated. I would have cut him off after the second strike.

Looks like IT didn't have to horsepower to "cut him off."
I've seen things like that. People cross IT's line in the sand and their manager won't do anything but tell them not to do it again....
It's a headach...

Although it may be "fun" to "see if I could do it", messing around in an official government network is not amusing. I'm sure you were warned about not performing these kinds of activities, and if you weren't, then the agency needs some security awareness refresher training. Even the "top dog" may have thought it cute after you finally cracked his password, but he at least had a very strong security-minded setup in place.

Messing around on the taxpayers' dime, and in computers designed to provide services to taxpayers is no laughing matter -- ever.

I have to agree that this is a serious matter, all government computers are required to have a notice at logon that details the terms of use, and details the penalties for mis-use. Activly hacking a password (yes that is what you did, because you were actively trying to find it) would be a serious breach and most likely result in criminal actions being taken, likely to end up with a jail term served as well. I make it quite clear to the users on my net that nothing like that will be toleratedand at first suspicion of mis-conduct they will have all access revoked until an investigation can be completed. As my alias states I am a net admin for the US government, namely the US Navy.

The active hacking of the password can be likened to just walking into a restricted area to 'see what happens'. Well, the intent there is not at issue. What is at issue is that as soon as the restricted area is breached, you get arrested and go to Leavenworth for say, 40 years. The 'I just wanted to see if I could do it' defense would not work and would just lenghten the sentence. Everyone that works for any Government agency knows this, and I wonder if we don't have a little story teller.

can you teach me how to hack, send me all the things i need to know, please help

hey_tsm@yahoo.com

hello i am interested in hacking and was wondering wether if you know how to if you could teatch me how to hack please get back to me on shadowspur@gmail.com

I AGREE WITH SKICAT--THIS GUY WAS TOLD THE COMPANY POLICY WHEN HE WAS HIRED--HE WAS ALLOWED FAR TO MANY CHANCES, WHEN IN FACT HE SHOULD HAVE BEEN FIRED--IT WAS AN INEPT "IT DEPT." THAT FELT
THEY HAD TESTED THERE SECURITY POLICY.

Why blame IT? IT was just doing their job, keeping an eye on the system and reporting information back to management.

Many many things come back to poor management in a company.

Many many things come back to lack of experience in managing aspecific type of breach, too. This may have been a first-time learning experience for that firm, but you can bet that the next person who tries it will receive harsher punishment much more quickly.

I'd like to know what happened to the associateafterwards - ie: was that person actually able to do their base job, or were they one of those "Hire me for one thing but I really want to work on another" type of hires who eventually don't make it because they can't do their base job duties?

Jill
http://www.metrex.net

What type of company is this? Most places this guy would have been fired, or been taken off the project right away.
Seems like the Network eng. had way too much free time on her hands.

Hasn't anybody heard of the process of developing a system. Putting a bunch of stuff on a whiteboard isn't even close to proper software engineering techniques. Besides that, how could an outsider improve a system without access to it?

How is it possible that an ordinary user was able to get a hold of administrator privs in the first place?
IT is so busy going after this guy that they aren't thinking about security holistically. The sales guy is finding their security holes for them, doing their security audits for them, and they are trying to bust the guy.

Shades of Randall Schwartz! Read
http://www.lightlink.com/spacenka/fors/ for details.

I take the point that several potential flaws in the overall security of the organisation have been highlighted by this incident, but to then waive the 'breaking either one of these rules can be grounds for termination' policy in the case of this salesguy, just because there was a small benefit to his actions is not only a bad idea from a purely IT standpoint, but also bad management, as it is unfair to all your other employees who recognise the benefits and reasons why policies are put in place.
Do you really think that while this user was very 'conscientiously pointing out security holes to the IT department' he wasn't actually acting maliciously ? get real ...

Its not all that hard to find a boot disk image on the internet that will allow you to change the local administrator password on a winnt/win2k/winxp workstation. I have one locked up in my sysadmin tool box. I needed it when I was turned over a very slipshod, undocumented network and all of the workstations had different admin passwords. When the server failed I had no way of logging into the workstations. Gaining the admin priveleges on the system would have taken no more than about 10 minutes if he used this route.

The Associate had local access. That can be acquired by running loopht against the workstation's SAM. Physical access makes cracking much easier.

No breach to network security, but the workstation is compomised.

This is not Debra's problem so why fire her? She is just doing her job. Maybe we should fire the IT manager for not having a secure network or Bill Gates for not having a flawless network OS. Where do you draw the line, holistically.

From the way the article reads, Debra was supposed to be helping this person and instead spent most of her time frustrating him. She should have been working closely with this person and trying to find out what his needs would be before he resortedto doing things himself. If they were working closely, he would not had to do many of the things he did. She shares the blame here.

This boils down to a management issue as both his management(Sales)and her management (IT) should have been working together to make this work form the outset.

You think that the only thing she had to do was to babysit this sales guy doing his project? Apparently you have never worked in the IT environments I have worked in. In those evironments you had more than one job, usually 15 - 20 depending on the size of the company and the IT deparment.
She was working with him. He VIOLATED the agreement the FIRST DAY! He STOPPED the PCANYWHERE service to prevent IT from being able to gain access to his system. Why do you suppose he would do that? To work on his project?

You can breach the security on a local system with a Linux boot disk...or didn't you know that?
The only thing she is guilty of is not being aware of that fact and for trusting this person.
The fact remains that a certain degree of trust of the end-users needs to be in place or productivity can be hampered. If you truly want to control system acces, try a Terminal Server and diskless workstations. It may not stop this completely, but you should at least know about attempts before they become problems.

I work for a Police force and there is no way this employee would have kept their job for so long - we have let IT staff go for less infringements than that. We work with highly sensitive information and cannot take any chances

My suspician is that such a scenario would never occur in your highly sensitive environment.

Looking at the scenario, the big problem occurs when "The new associate's office was equipped with two network connections: one to his company-supplied Windows NT PC and the other to his Linux box." Everything stems from this. Had IT taken the action of setting up a secure development lab and identified the specific constraints and the justifications, the Linux project could have proceeded.

Given that this did not happen, would you not terminate the IT worker given responsibility for the project (Debra) and at least reprimand that individual's manager?

Every prudent IT department should already have a lab. How in the world do they test service pack's? Surly they don't simply apply them to production machines and hope for the best?

Sometimes we in IT loose sight of the big picture in that "The Network exists to serve the users" not "Users exist to give the network something to do"

Juat came off a project doing rollouts on Win2K servers. I just love trying to do a job with no admin access.

They had the system locked down so tight that I could only do 2/3 of the install then go to the network people and get an ip. And, begthem to give me some connectivity for part 2. Work somemore, then go get the sysadmin to join the domain. Then work some more. Then go get the sysadmin to attach to some network drives for more software installs.

This could have worked ok, if the only sysadmin with the POWER had not been in meetings 6 out of 8 hours a day.

And, then to get ragged on for not producing more....sigh.

I can feel his pain.

lefty

Proper Prior Planning Prevents Piss Poor Performance.
The great majority of users ask for resources only after they are in a crisis. Too late to make any problem go smoothly. Work with your IT Dept., (ie Scheduling, Discussions, Planning...) and you might be surprised how well things flow.

that said administrative access is a requirement of your job. Even if you can make a case that a sales associate needs that kind of access, why did he resort to subterfuge instead of just asking? Especially after being caught in said subterfuge and being specifically directed to ask.

There are reasons for security, we deal with patient and their information and to have someone break the rules repeatedly would be disastrous. If they violated patient confidentiality by sniffing or were to bring down the network because of something they installed could possibly put patients at risk.

I'm a User Support Specialist for my company and while I too want to lock down computers from the users, I only want it done so they don't install harmful apps, adware, or malicious code without knowing about it. Here this guy is trying to save hiscompany money and the IT department is fighting him every step of the way. While I agreed with all of the auditing and monitoring, as long as he wasn't perpetuating actual security breaches to the outside world, what was the big deal?? the IT department in this case should have let him go until actual security had been breached. Absolutely ridiculous.

"Let him go until actual security had been breached"

If you think that changing the local admin password, disabling the monitoring software(PCAnywhere), disabling the virus scanning software, connecting an unauthorized machine to the network(the Linux box) are not all major security breaches, you're wrong.

"as long as he wasn't perpetuating actual security breaches to the outside world".
You are missing the point of the article. He is breaking company policy. He is a new guy, and for a new guy to come in and start breaching security so blatently, I would start to question his intent in working for the company.

He was told to work with IT on the project, and he obviously wasn't, even going as far as preventing them from working with him. He was up to something. I would love to know how long after this incident this employee left the company(after not being able to accomplish whatever it was he was up to).