You might not be aware of a porn site titled teen[sexual orientation][bodypart].com.
You most certainly don’t want to discover that site when you type in your company’s URL and get redirected to teen[sexual orientation][bodypart].com… all thanks to refusing to pay a $10,000 ransom to an IT admin contractor from Hell.
The IT admin is Tavis Tso, a 40-year-old Arizona man who’s confessed to lying to a client company in Phoenix, telling them he didn’t have the login information for their account with the registrar GoDaddy (likely for domain name or hosting).
Tso had renewed the company’s GoDaddy account in 2011. In May 2015, the company wanted to update its contact details with the domain registrar. Can’t help, Tso said; I don’t have the login anymore.
Fibber. He did have the login.
He just didn’t want to give it to them, instead changing the contact information in the GoDaddy account so he could defraud the company, Tso said in a plea deal. Then, he went ahead and set up his own account with Microsoft to take over the company’s domain.
This all went down between May and June 2015.
By tweaking the account, Tso made it so the company’s employees couldn’t use their email accounts. At first, he redirected the company’s homepage to a blank page. Then, he offered to make it all better… in exchange for a cool $10,000 for returning everything to normal.
No dice, the company said. After the company refused to pay the ransom, Tso redirected the company’s homepage to the porn site. Visitors to the company’s website were redirected for several days, during which they found themselves looking at teen something-something, before the company’s homepage was returned to normal.
According to a release from the Arizona US Attorney’s Office, Tso was sentenced on Monday to four years of probation and an order to pay $9,145 in restitution after having pleaded guilty to one count of wire fraud.
And just how did this young extortionist IT admin from Hell escape jail time? According to the sentencing memorandum, posted courtesy of Ars Technica, assistant US Attorney Matthew Binford said that the crime, committed by Tso when he was 39, was apparently out of character: a “one-time lapse.”
Given the fact that this appears to be a one-time lapse in judgment, a term of probation is the best way to address the seriousness of this offense, while affording adequate deterrence to future criminal conduct and protecting the public from future crimes.
How to keep your domain from redirecting to What the (*&^?!
As we’ve advised in the past, a sound course of action in dealing with security breaches, be they from malicious insiders, insiders who make mistakes or contractors, is to have an incident-handling plan in place before a breach takes place, rather than after.
For example, a good incident-handling plan includes things such as the distribution of call cards, which could help in the event that normal communications are held hostage by a malicious insider who disrupts access to the LAN so that nobody can find anyone else’s phone number and email.
Knowing how to report crimes and engage law enforcement can also be important.
Naked Security has published a series of quick guides on reporting computer crimes that should help your organization find out who to contact if you need them.
MrGutts
When will these companies learn separation of duties. Especially in IT.
Bryan
Many small businesses (mine for example) have no alternative IT staff. I’ve flown 4.5 solo years here, and no coworkers would have a clue how to use the GoDaddy/AWS/Gsuite creds. I’ve stopped asking for an assistant; it’s simply not in the budget. My last vacation was four years ago tomorrow. No one can cover my absence, so even days off are likely to produce emails only I can handle. The irony is that situations like mine are the perfect example of why duties should be separated–but it’s another salient example of “to whom?”
Just yesterday my boss and I had a diverse set of perspectives on my performance last Saturday, (you know…that day lots of folks call a “day off”), and he persisted his absentee opinion until I walked out on him. In the heat of moments like that I appreciate the temptation in directing our 60 or so web clients to granny[description][bodypart](dot)com. But of course most of us are grown-ups and get over it and get back to work. Tavis Tso did not.
Each day I have the option of dusting off my resume and leaving. That’s my where I can assert my employer has no power over me. Sabotaging him (even the days when he’s a dick) is not.
Mahhn
Bryan, don’t let yourself get stuck like that, no vacation/time off stuff. We have a job so we can have a life, not the other way around. You’ll get exactly what you put up with. Now maybe they will have to train 3+ people and each one does one part of your job half ass, but it’s better than nothing. I’ve been there.
Bryan
Thanks buddy. I got a touch whiny there, didn’t I?
It’s a small mom & pop, and my boss was once the sole employee, so I understand the ignorance. I’m currently working (between fires of course) extensive documentation which will help justify more billable hours. Actually billing our customers for my role could justify a raise and helper, and hopefully validate my prior (perceived) shortcomings.
Bottom line though is that you’re precisely right about this…and lately I evidently feel the burn enough to overdescribe it to near strangers. I really *REALLY* like the actual work I do–which has surely biased me in the wrong direction. However I’m confident this will resolve itself within the next six months.
One way or the other. :-)
Mahhn
Letting a 39 year old off the hook? He should have at least spent a month in a cage for being such a [bodypart]. (I can’t access the plea deal, so my comment is an under informed reaction)
Anton.
Hi Lisa,
Interesting post, 1 thing for sure there is no system that is full proof, at-least for what i have seen, experienced and witnessed. there will and shall always be a loop hole either with Auto/mechanical system or the people working in the system, you just never know where the hit will come from.
Incident -handling plan includes, involving company heads, imposing stricter rules on process, procedures and developments in any company or organisations. when it comes to the IT world that’s a big billboard sign in the face of IT contractors/admins [company has Trust issues] many will not feel comfortable getting the job done/ look for something better.
Many IT dependencies put in place for organisations or companies have IT contractors or Admins registered as the primary handlers, cause they are the only ones most time who can work the new development in the company and the rest are end users, which is a problem and not sure how change will come to that . That’s the other reason why some IT contractors keep at jobs for 10-20 something yrs.
Lisa Vaas
You know, I was thinking of writing up some of the segregation of duties/off-site backups type material that we often pass along with these employees from Hell stories, but then it struck me that any such advice is way beyond where the company in this case is at. As in, what were they thinking, to abdicate the responsibility of knowing how to get to their registrar/domain host/whatever function GoDaddy performs, and to not only entrust it to one, sole individual, but to entrust it to one, sole individual who isn’t even an employee?
I think you’re spot-on. IT contractors in situations like this wind up being pretty much the entire IT organization for companies, for decades. Such companies are lucky if they wind up putting all their nuts in one sack held by a caring, non-psycho, non-Hell-spawn IT admin. Best not to put all your nuts in one sack. Best to segregate duties. Best to pray and rub your rabbit’s foot if your company does otherwise.
Bryan
Huh huhuhuh huhuh
“nuts in one sack”
/Beavis
Rose
I’m glad I’m not that only one that smirked at that.
DaveC
This is what comes from a ‘gig’ economy. In most cases IT is still not consider a core business function. For example: you may use external auditors in finance but you would never have your financial boss as a yearly contractor.
IT, to be effective, must be part of the strategic management team and must be a full time (presumably loyal) employee. Otherwise the damage potential, even from passive resistance, is extreme. And that damage cannot be chargeable. As a now retired admin I still receive alerts from systems that should have been taken over by stunningly inept business people and which have the potential to create chaos in the company. Am I worried? Not even a bit. I simply need to do nothing – which is not a crime.
Real IT security will not happen until the top management accept responsibility for incorporating IT as a core function. Until that time it will remain the wild west show prevalent in today’s IT market place