Forgot your password?
typodupeerror
Security IT

Fired Gucci Employee Accused of Attacking Network 62

Posted by CmdrTaco
from the well-that's-just-swell dept.
WrongSizeGlass writes "Computer World, Information Week, The Register are all reporting on the story of a former Gucci IT employee who is accused of a November 2010 assault on Gucci's network deleting files and virtual servers, taking a storage area network offline, and deleting mailboxes from the corporate email server. The lost productivity is estimated at $200,000. Sam Chihlung Yin, 34, of Jersey City, NJ, allegedly created a fake VPN token in the name of a non-existent employee which he tricked Gucci IT staff into activating in June 2010, a month after his employment contract was terminated by Gucci for unrelated reasons."
This discussion has been archived. No new comments can be posted.

Fired Gucci Employee Accused of Attacking Network

Comments Filter:
  • Down with fashion!

  • They should be paying him that lost $200,000 for running the white-hat attack to fish out the vulnerabilities. Yeah that's it...White. Hat.
    • I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired. Or, to use a car analogy, if a former employee was able to walk into a dealership and drive away with a $200,000 car just like that.

      The law about computer crimes should have strong penalties for managers that allow that shit to happen. It would be somewhat different if the guy still worked for the corporation, because it's much harder to guard against an attack from inside, bu

      • by Xugumad (39311)

        > The law about computer crimes should have strong penalties for managers that allow that shit to happen.

        Why does this need to be a legal thing? I mean, there's employment issues to look at (like, err, should they have a job still), but why on earth would this be a legal issue?

        • by deKernel (65640)

          I would think this is a legal issue in the fact that the person destroyed company property without consent. Imagine if you stopped getting the newspaper delivered, and as a result, the paper boy took your car and had it stripped.

        • by Artifakt (700173)

          There's this concept of criminal degrees of negligence (under US or UK law at least). If somebody does a big enough screw-up, something any 'reasonable' person should have known better than to do (as the law defines reasonable), they they have committed criminal acts. In this case, for example, some of the people working for the for the corporation made assurances to their boss that the system was better secured than that, and some of them made assurances to clients or to the government. If I know damned w

        • by derrickh (157646)

          You're actually blaming the victim? It's your fault for a thief picking your pocket, getting your keys and stealing your car because you should've had it chained to your waist? The home invasion was your fault because you didn't pay extra for the level 5 security system?

          This wasn't a case of the IT staff inviting people into the office, sitting them at a PC with a list of passwords on the desktop. The criminal did very specific, targeted things to falsify keys and identities to gain access.

          • by mangu (126918)

            You're actually blaming the victim?

            No. The victims are Gucci stockholders. The incompetent manager was an accessory to crime, therefore he should share the blame.

      • by JosKarith (757063)
        "I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired."
        It's called being a Director isn't it..?
      • by djdanlib (732853)

        I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired. Or, to use a car analogy, if a former employee was able to walk into a dealership and drive away with a $200,000 car just like that.

        Well, he didn't walk away with tangible things of value. A better analogy would be:
        * Bank analogy: someone destroyed enough of the bank's records that it cost the bank $200,000 to fix the resulting mess.
        * Car analogy: someone drove a monster truck onto the dealer's grounds and squashed $200,000 worth of cars.

        It's not usually the case that a sysadmin's manager knows the system as well as the admin. So, it's not really possible for a sysadmin's manager to prevent all possible angles on something like that. It

    • by Hatta (162192)

      Am I desensitized by hyperbolic damage claims in other cases, or does $200,000 seem pretty low for this kind of attack?

      • I thought the same thing, actually. I chalked up the low number to the fact that they seem to be running virtualization and restoration of these servers is really easy, assuming they are making timely snap shots and storing them somewhere the ex-employee didn't have access to. They likely restored the latest images and had to re-enter some data...a few hundred people and a couple hour's worth of time is probably how they came up with the figure.
  • Hacking (Score:3, Interesting)

    by SJHillman (1966756) on Thursday April 07, 2011 @09:37AM (#35743964)
    It's funny how the closer something is to hacking, the less the word is actually used in an article. While this seems to me to be more of a result of bad policies (admin passwords were never changes) and social engineering (which is a form of hacking) actual hacking, I find it funny that the term is hardly used at all whereas when Anonymous tries a DDoS, it's ZOMG HACK0RZ!!!! every other line.
    • Social Engineering is not a form of hacking. Hacking is not always a negative connotation but in every case it involves modifying hardware and software in ways it wasn't intended. Social Engineering existed as a term way before the term hacking and has more in common with fraud because it deals with people and not with devices and software.
      • by Ihmhi (1206036)

        Social engineering is modifying society to do what you want it to, just like, say, getting an Xbox to play a copied game.

        • by gnud (934243)
          It's not modifying society, it's leveraging how a society behaves to achieve your goal.
          • by Ihmhi (1206036)

            Hacking is the same thing - leveraging how a piece of software or hardware behaves to achieve your goal.

  • I wonder how long it took for the IT staff to determine the bogus user and remove remote access. The IT department must have activated that account with a minimum of domain admin permission. Bad IT policy at Gucci.
    • Depending on the programs used, they might just add blanket "domain users" to the admin group on their systems. We do it at our smaller sites (that have no native IT staff) because it's either that or answer emails every 15 minutes about why they can't add in Google toolbar.
      • by ArhcAngel (247594)
        I love how 20 years later Microsoft's Active Directory still doesn't have the granular functionality that Novell Netware had way back in 1990.
      • Instead you spend hours of time re-imaging hosed systems because of Antivirus 2011 installations, Limewire-sourced trojans, and AWWW DA ICKLE KOOT SKWEEN SAVUR!!1

        Seriously, if they don't need Google toolbar, why the hell would you let them install it? And let's be honest... You don't need Google toolbar, ever.
  • by chill (34294) on Thursday April 07, 2011 @09:43AM (#35744020) Journal

    Conjugal visits? Not that I know of. Minimum security prison is no picnic. The trick is, kick someone's ass on the first day or become someone's bitch.

    http://www.killerclips.com/clip.php?id=74&qid=669&PHPSESSID=6ea47a84f4b8b325495d3b4b2a7ed7cd [killerclips.com]

  • by JDHannan (786636) on Thursday April 07, 2011 @10:21AM (#35744422)
    Thanks Gucci for not breaching time continuity for not firing him for something he would do in the future!
  • 1) if you're going to fire an IT admin who has access to all your stuff, you meet him at the door in the morning while your other admins are changing passwords. He doesn't touch a computer in your building again. You'll put his files on a flash drive and don't let the door hit you on the way out.

    2) Anyone posting IT post-firing sabotage fantasies who isn't posting as a Anonymous Coward deserves the results of their next interview. I'm looking at you sandytaru.

    • by xnpu (963139)

      Typically we pay these types of employees a delayed bonus. If after 6 months they did nothing to harm the company, it's paid, otherwise it's not. This usually buys IT enough time to have fully replaced all passwords, etc.

    • by Krneki (1192201)
      And if he planted a backdoor somewhere?
    • by moco (222985)

      Or make sure you hire professionals. A professional will take their severance pay (or whatever they are entitled by law) and move on.

      Also, the way people are fired says a lot about a company. Generally, if people are treated the way you suggest, that company is not a good place to be.

      I'll agree with your second point. Those fantasies are either an indication of immaturity or personality disorders.

  • by tecker (793737) on Thursday April 07, 2011 @12:22PM (#35745992) Homepage
    Why wasn't this guys password deactivated? Did Gucci actually have common all-powerful known to all the engineers? We did that at our little IT shop because we didn't have full control of the network (we were a first response team to the main IT guys). It seems like you would give the guys some logins to use to things, use LDAP or ActiveDirectory groups to put them in the admin user level, and then when they leave/fired/downsized/outsourced/etc revoke them from the admin group(s).

    How many times do we need to read "Fired techguy used his/known admin passwords to cause hell" before someone catches on?
  • It`s like you have an emplyee, who duplicate his company keys and burns down the company at night. What he did is he commited a crime..If he did that with fake accounts or fake keys makes no difference. If I would get fired I WOULD NOT EVEN REMOTELY THINK of harming the company...what he did is really dumb and even if he left in anger, this does not justify any of his actions. I once got fired, but I worked till my last day like every day.Especially in IT you have to have some kind of tact, or you are CO

Machines that have broken down will work perfectly when the repairman arrives.

Working...