General discussion

Locked

Information Security - Liabilities?

By psbkp ·
I have heard of an incident (this may be total fiction, I don't know) of a network admin who had permissions to some specific folders/files on the company's network. Others had access too. Corporate data from these folders was leaked - apparently with detrimental consequences. After an investigation by the FBI, the admin had criminal charges pending against him solely because he had access to the files.

Has anyone heard any stories like this? The person I heard it from stated that the admin was a personal friend of his, so there weren't a whole lot of layers between the person and the source of the story. Is this just an Urban Legend designed to scare folks in the IT industry? It sure has scared me!

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

RE: Arrest

by DugaDugDug In reply to Information Security - Li ...

Is this the story you are talking about? Excerpt from SANS NewsBites Vol. 8 Num. 54 (great free subscription by the way...if interested go to http://portal.sans.org/) Now on to the story (editors comments are included):
------------------
--Consultant Pleads Guilty to Exceeding Authorized Access of FBI Computers
(6 July 2006)
Network engineer Joseph Thomas Colon has pleaded guilty to four charges of exceeding authorized access for breaking into FBI computers that held data regarding the Witness Protection Program and counterintelligence activities. Colon was working as a consultant on the now-scrapped Trilogy project at the time. He allegedly used an FBI agent's credentials to access a file that held 38,000 encrypted passwords for FBI system users. Colon reportedly obtained the password from an FBI agent to avoid "bureaucratic delays in performing 'such routine and mundane tasks as setting up workstations, printers, user accounts and to move individual computers from one operating system to another.'" Colon allegedly decrypted the passwords and used them to access the sensitive systems. Colon has been fired from his job and his top-secret security clearance has been revoked. He will be sentenced on July 13. "Prosecutors do not believe Colon was trying to damage national security or use the information for financial gain" and are seeking a sentence of approximately one year in prison. http://www.securityfocus.com/brief/244
http://www.msnbc.msn.com/id/13738637/
[Editor's Note (Honan): As demonstrated by this story, all the technology controls in place can be undermined by someone simply giving away their password in order to make life easier. When deploying controls and/or security policies it is essential that users are properly educated as to why it is necessary to have the controls in place.
(Weatherford): The prosecutors can trivialize it all they want but this is a bad guy! Exceeding authorized access is the least of his nefarious activities IMHO. He had a Top Secret security clearance, probably with some additional special accesses, and was working on a classified project. Colon knew what he was doing and that circumventing the security controls of an FBI system probably wouldn't look good on a resume. What did he do after decrypting passwords and accessing these systems? Simple curiosity? It will be interesting to see what his final sentence is and how much time he actually serves.]

Collapse -

I don't think so...

by psbkp In reply to RE: Arrest

The way I understood the story, it was a corporation that he worked for. The story teller/friend was very adament that the admin had not accessed the data, let alone done anything malicious with it...

Collapse -

Scapegoats....

by mroonie In reply to Information Security - Li ...

It seems to me that companies everywhere, and even our very own government is willing to pin the blame on anybody else but themselves.

http://news.com.com/U.K.+agrees+to+extradite+alleged+hacker+to+U.S./2100-7348_3-6091493.html?tag=cd.hed

All I can say is if you have access to sensitive information, all you can do is make sure that YOU'RE sending and using that information securely. There are lots of software out there that will allow you to safely share the information and the likelihood of getting pinned just because you have access to the information will go down dramatically.

http://www.essentialsecurity.com/products.htm

Collapse -

Probably an Urban Legend....

by faradhi In reply to Information Security - Li ...

My experience has been in companies where I am the only System Admin. There is no way to avoid this issue.

If you have information you are not supposed to see, like HR files, Deny yourself access and log permission changes and Logins. Even then you still will not be above suspicion. Because there are ways to beat these security measures.

Collapse -

FBI computer consultant?

by NI70 In reply to Information Security - Li ...

Read this article FBI computer consultantpleads guilty ...to four misdemeanor counts of intentionally exceeding his authorized computer access, and prosecutors are recommending roughly a year in prison.

Of course the computer consultant's lawyer stated the consultant was given a password by an FBI Agent.

Collapse -

Not enough info

by jdmercha In reply to Information Security - Li ...

Being charged with a crime is way different than being convicted of a crime. He can certainly be charged, but if its "solely because he had access to the files", then the charges would never stick.

Collapse -

I didn't think so either

by psbkp In reply to Not enough info

If there is a wreck in the parking lot of the office should all employees with driver's licenses be charged?

Still - just the investigation and pending charges could make someone's life miserable! Think of the legal fees that person might have, even if vindicated.

I just keep thinking that the corporate shield is no longer there to protect as it once did (Thanks, Kenneth Lay). Even if we can't neccessarily be charged criminally - can our customers sue us (as individuals) through civil court if data is leaked? Is there any precedence of that? I'm just trying to figure out how vulnerable I am!

Back to Security Forum
7 total posts (Page 1 of 1)  

Related Discussions

Related Forums