A system administrator has been sentenced to two years in prison and fined $26,000 (£21,000) after crashing his former employer’s network so seriously the company was unable to operate for a week.
According to the charge sheet, within days of being fired by Harrisburg internet service provider Pa Online in June 2010, Dariusz J Prugar (now 32) used privileged credentials to access the network in order to retrieve software he believed he had written.
To maintain covert access, he also planted backdoors and attempted to hide his tracks using scripts that deleted log files.
Unfortunately, doing this caused the company’s systems to crash, leaving several thousand of its residential and business customers without internet or email access.
When the company phoned him up for help, Prugar tried to negotiate his rights to the software in return for co-operation. By now suspicious, the company called in the FBI to investigate, at which point his activity was uncovered.
It’s still not clear how much damage Prugar meant to cause but the end result was a week’s downtime spent rebuilding the network from scratch to avoid future compromise and a lot of unhappy customers. The case took years to come to court and the ISP is no longer in business.
It’s the sort of incident that will send a chill through IT departments. Incidents where lone admins turn on employers often feature the same patterns.
The first, unsurprising one is that they turn on employers in the days after being fired. An obvious point perhaps, but companies seem unaware that this period represents peak danger.
The second is that they are typically individuals who have been afforded too much power in the first place, or were able to acquire it without anyone noticing.
These days, the industry standard is to operate some kind of privilege management layer that allows admin access to important systems in a temporary, logged way. Privileged access should never be invisible.
This should ideally be backed up by an authentication system (such as a hardware or software token), which is easier to track and revoke. Remote access through a management port secured with a password alone is asking for trouble.
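As an added illustration (not code from the article or from any product it alludes to), the sketch below shows the two properties described above: admin rights that expire on their own and are revoked at dismissal, and a log in which every decision is chained to the previous one so that removed entries are detectable. The class name, user, system and timestamps are all hypothetical.

```python
import hashlib
import json

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class PrivilegeBroker:  # hypothetical name: time-boxed, logged admin access
    def __init__(self):
        self.grants = {}       # (user, system) -> expiry time in epoch seconds
        self.disabled = set()  # offboarded users: no further grants or access
        self.log = []          # hash-chained: each entry commits to the previous

    def _record(self, now, user, action, system):
        prev = self.log[-1]["hash"] if self.log else ""
        body = {"t": now, "user": user, "action": action, "system": system, "prev": prev}
        self.log.append({**body, "hash": _digest(body)})

    def grant(self, now, user, system, ttl):
        ok = user not in self.disabled
        if ok:
            self.grants[(user, system)] = now + ttl
        self._record(now, user, "grant" if ok else "grant-denied", system)
        return ok

    def check(self, now, user, system):
        ok = user not in self.disabled and self.grants.get((user, system), 0) > now
        self._record(now, user, "access-ok" if ok else "access-denied", system)
        return ok

    def offboard(self, now, user):  # run at dismissal, before the account is forgotten
        self.disabled.add(user)
        self.grants = {k: v for k, v in self.grants.items() if k[0] != user}
        self._record(now, user, "offboard", "*")

    def log_intact(self):
        prev = ""
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return False  # an entry was altered or removed before this one
            prev = entry["hash"]
        return True

def demo():  # constructed sample: one admin, one system, times in epoch seconds
    b = PrivilegeBroker()
    b.grant(1000, "admin1", "core-router", ttl=900)
    results = [b.check(1200, "admin1", "core-router"), b.check(2000, "admin1", "core-router")]
    b.offboard(2100, "admin1")
    return results + [b.grant(2200, "admin1", "core-router", ttl=900)], b
```

A chain like this exposes edits and deletions in the middle of the log; truncation from the end is only detectable if the latest hash is also stored somewhere the admin cannot write.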
Tales of the admin running amok seem to be getting less common, or at least less publicised.
In 2010, a former engineer at the Gucci fashion house took revenge for his firing by shutting down virtual servers and the corporate SAN and deleting email inboxes.
Perhaps the most cautionary tale of all happened in 2008 when an engineer at San Francisco’s Department of Telecommunications and Information Services (DTIS), Terry Childs, locked out staff from much of the city’s network and refused to divulge the passwords. Childs eventually revealed them to the city’s mayor.
fjllondon
Hmm. I spent quite a bit of the 1980s breaking in to companies’ Novell and UNIX systems when they’d fired their sysadmin without the slightest understanding that they’d even need a password to change anything later.
Generally they had one employee to set things up for them. If he did his job well and it all worked, they decided he was now doing nothing and they could save some money by letting him go – or an external consultant who they’d save money on by not paying the final bill.
It was often the case that the company deserved what it got, and if I thought they’d treated a fellow engineer badly for no good reason I’d let them stew. In the modern world of IT, professional courtesy seems to play no part.
How do you know Dariusz J Prugar doesn’t have the moral high ground, even if the company he worked for has more expensive lawyers?
Bryan
How do you know Dariusz J Prugar doesn’t have the moral high ground?
Three reasons:
1) Why did he have the foresight to create accounts for covert access yet didn’t simply retain personal copies of his software? I archive every shell script I write, no matter where I am–not so much for the untold billions in profits as for hacker rule #2: “No problem should ever have to be solved twice.” Additionally, when I remotely troubleshoot something I wrote last year it’s easier if I can read the code.
If his concern were retaining his “own” intellectual property, he’d have focused on a thumb drive or an occasional WAN sync instead of the accounts management tools. “I might get fired” means you do your resume and grab a couple personal documents, not install a backdoor.
2) Even if he was unjustly fired, having “moral high ground” preempts exacting revenge, let alone taking down a business network. We have a legal system for that–and plenty of hungry attorneys who “don’t collect unless I collect for you!”
3) The thousands who lost their internet were innocent victims–even discounting personal use as “not a big deal,” like NetFlix, browsing, and gaming. But some of them doubtless even lost money; I constantly work from home because I’m deranged, but some folks telecommute full time because they can’t drive or lack an office. This attention grabber brought the argument to many who didn’t deserve it.
He meant to do this. He had the hoosegow coming.
fjllondon
Do you know he was even actually employed? I’ve seen plenty of start-ups and small ISPs where a techie has provided lots of unpaid sweat equity and then been shafted. Without any actual details of this case I wouldn’t be so quick to jump to any conclusion, one way or the other.
This story has been re-reported ad nauseam without any actual facts of the case; such as has been revealed is one side only. When it surfaced on Sunday on /. it was said they split for “personal reasons”
Bryan
Good points, but… not much @slashdot conflicts with here. Maybe he was discriminated or something, but with this as his solution you could convince me maybe he was “personally” a dick to work with.
I hold dear my responsibility as a sysadmin, and taking the high road is non-optional. Irrespective of whether he was technically employed (and whether they wronged him), sabotage is a crappy way to make one’s point–and still illegal. The ISP’s story dominating, he still pleaded guilty to SOMEthing. And no one quotes his attorney touting “my client’s innocence blah blah…”
Even if he had only sweat equity and broken promises, he eschewed acceptable channels for making amends, foisting the spat upon unrelated bystanders.
Legality is half of why I use abundant comments, typically doubling the size of my code (the other half is troubleshooting in three years when I think of a new feature or find a bug). If I give a few hours and don’t get paid, the loss is annoying but minor. If I work months or years, my former employer’s world is littered enough with my name and style that an impartial audit would vindicate me. If I worked for pending stock/equity, I’d require some paperwork before investing much time–so they can’t weasel, “no we only said .5%” when they’d offered me 3%. I’m not the smartest dude by far, but that seems patently prudent.
If this crash was an honest mistake, and he “only” intended to delete logs which would betray his illicit entry [already a red flag] then his amateurish oversights will have me doubt his capacity to design software for an ISP anyway. If it’s software he wrote, why couldn’t he anticipate which logs/files would be critical to continued operation?
Good chance that “software” here means switch/router configuration, but even those still allow comments. Anyone fluent in that sort of gear can trash a network in a hurry–and prevent recovery if they delete rollback config files. But that isn’t easy to do by accident. The fact that they called him for help suggests he knew precisely what was going on the entire time.
It’s tough to accept
– this was unintentional *and*
– he was competent enough to be integral to the system *and*
– this saga *required* a Robin Hood solution
Bryan
Well-weathered IT adage:
A good sysadmin will script himself out of a job.
Simon McAllister
Forensic methods of investigation have been around since before IT systems so he and anyone else with privileges and trusts are complete fools if they act like that or abuse it in any way and expect to get away with it.
But an ISP operating without a privilege management layer? Slightly worrying. No wonder they went out of business
Jim
Sad tale. Unfortunately, that company is not alone. They’re probably too small to hire out the security when dismissing a system administrator. In other words, the guy you’re parting with is the only one who knows how to properly disable his accounts.
The only way around it is to enlist a security “hired-gun”, but they probably don’t realize that.
Many system admins are ethical enough that they won’t do any dirty work on the way out. But, a business can’t count on that.
I’m not sure how to fix the root issue (in small companies).
Goose@gmail.com
Don’t treat your employees like shit would be a good start…
Bryan
fix the “root” issue… har. :-)
Bryan
Jim’s right; small companies are in a tough spot. Many of them are inextricably linked to IT/cloud/digital while paradoxically still meandering the road to accepting that they even need IT beyond, “oh shoot, the printer broke.”
I support ~80 people and solely comprise the IT department. The business is small enough that I’m paid ~$25k less than equivalent jobs, so hiring an assistant is not up for consideration. My options therefore are (a) seek another job (b) average 60 hours and keep doing this one. We have some great people here, and that so far has apparently been worth the stress–so I stay. Maybe surfing Naked Security gives me more cathartic reprieve than I’m willing to admit.
Our lack of budget naturally includes a dearth of auth control which affords me what would be an unseemly helping of power if I weren’t trustworthy.** In 15 minutes I could wipe the intellectual property, websites, mailboxes, financial records, and backups for it all. With another hour or so I could eliminate all the Windows backups as well–local QuickBooks archives and such–and commit Scrambled DNS Atrocity across several hundred domain names. Cherry on top: medical records in a small clinic.
If I were to follow Mr. Prugar’s lead and strike for the jugular, my employers would spend far longer than a week reeling–or spend 5-10 times my salary with consulting support. It was a bit scary the first time I realized this. Of course, there’d be no one but me under the pointy fingers, but the damage would have already been done.
I suppose my (long-winded) point is to agree with Jim–likely thousands of businesses who are ignorant of their true needs and don’t even realize they’re on the precipice of disaster. Note to self: if I’m ever a maniacal overlord bent on world domination, I should be kind to my IT guys.
** assume today for the sake of argument that I am indeed trustworthy
Jim
Thanks!
I think I’ve come to the realization that most companies, especially small ones, are on the edge of disaster. Even big ones have the same problems, like the Target and Home Depot hacks a few years ago.
The root problem, though, bites harder on small companies. The root is that security is a pure cost. There is no profit or even revenue to be gained by being more secure.
Security is more like a line that stands between a company and oblivion. Small companies realize that they’re at risk (or not), but they can’t afford to do anything to solve the problem.
So, they play a variation of Russian Roulette. They roll the dice and hope.
However, there is a small segment of CEOs and/or CFOs who DO understand, but still don’t correct the problems, because the price is too high. This is exactly what happened to Target.
My problem is that I have no clue how to fix the problem. When a business is riding a thin line between profit and loss, it’s hard to justify spending enough money to get secure. Spend they must, but they simply can’t.
There’s a market opportunity here, but I’ll be darned if I can figure out how to build it.
Bryan
Yeah, I often say my job is the digital analog (har) of the TSA–no one wants to admit you need me, you can’t charge extra for what I do, and I make everything less convenient. Naturally I try to mitigate these, but with limited funding some aspects are unavoidable.
With what security (and IT in general) can cost, it’s easy from the outside to compare the resources in handling a major crisis to the “ounce of prevention.” But reality often dictates that “ounce” will instead go to silly things like employee salaries and paying the light bill.
Business owners rightly feel like they already pay enough insurance in other ways and “that’s what I have you for” becomes a final argument by necessity.
Heavy sigh.
I’m surprised no one’s mentioned the relevance of a Sophos (or others) edge device–which wouldn’t prevent sabotage like this directly but would preempt the need for certain IT functions. In situations like mine it would merely make my job easier but not completely remove the need for my position. With an IT staff of four or five (or fifty), that hardware could be very well worth it–but with one…prolly not.
Bryan
There is no profit or even revenue to be gained by being more secure.
actually not universally true. Depending on services provided, good security can be a very strong selling point–albeit it’s rare to see an invoice line item thus:
– plus hey, we didn’t leak your information to Russian spies – $100
Jim
Yeah, I argued with myself a bit before adding the comment on revenue. You’re right, of course. I know I would jump at the chance to find a well-secured device in any facet of the IoT. So far, I have yet to find a single well-known IoT device that is serious about security. (There are a few on the fringes, though.)
Jayson
Hmmmm, sounds like something I would do ;)
Bryan
Heheh. We’ve all *thought* it. I’m hoping your smiley means that’s as far as you’ve taken it. :-)