Fired Techie Created Virtual Chaos At Pharma Co.

itwbennett writes "Using a secret vSphere console, Jason Cornish, formerly an IT staffer at the U.S. subsidiary of drug-maker Shionogi, wiped out most of the company's computer infrastructure earlier this year. Cornish, 37, pleaded guilty Tuesday to computer intrusion charges in connection with the attack."
  • How he got caught. (Score:5, Informative)

    by will_die ( 586523 ) on Wednesday August 17, 2011 @04:42AM (#37116916) Homepage
    For those wondering how he got caught: he accessed the servers from his home and also from a McDonald's; just before he accessed them he purchased some food using his credit card.
    • by 1s44c ( 552956 )

      For those wondering how he got caught: he accessed the servers from his home and also from a McDonald's; just before he accessed them he purchased some food using his credit card.

      That seems amazingly stupid.

      • (1) He will not be incarcerated for anything like 10 years;

        (2) Incarceration's looking like a fine alternative to the next decade in the wild. Especially in countries with more lenient prison systems (the US is bad but not as bad as the Middle/Far East; the UK is better than all of the above).

        • Unless you've been convicted of using Facebook to incite a riot that never happened...
          http://www.guardian.co.uk/uk/2011/aug/17/facebook-cases-criticism-riot-sentences
    • Re: (Score:3, Funny)

      by Anonymous Coward

      That's bullshit, McDonalds doesn't sell food.

    • And, did he also use his own computer, probably running Windows, which keeps logs of contacts? Or, did he use a LiveCD, do his dirty deeds, then shut down the computer?

      I know for certain that if I were to do something like this, I would NOT use an installed operating system, and I would MOST CERTAINLY not use a Windows system! Not even from a public computer, from a library, or senior citizen's center!

      • by Intron ( 870560 )

        and of course you would remember to spoof your mac address? wear a mask when you pass the parking lot security camera? put stolen license plates on your car? wear gloves the whole time?

        There are a lot more traces left than just Windows log files.

      • by bsDaemon ( 87307 )

        Unfortunately, if there are vSphere clients that run on something other than Windows, I am apparently incapable of finding them on VMware's website. I think vSphere 5 will have a Linux client though. So, the best he could hope for is using a VM and then resetting it back to a snapshot after use.

    • For those wondering how he was in a position to cause such mayhem: "Cornish had resigned from the company in July 2010 after getting into a dispute with management, but he had been kept on as a consultant for two more months." *slaps forehead* The guy had issues with management and resigned, so they let him stay on for two more months ... because?!

      However, the attack did not attack "vital" systems like research lab data. It affected emails, sales systems, and the like. Sure, that's annoying, but it was "onl

  • Damn, he took his time. Musta felt good though.

    But seriously, if you're smart enough and determined enough to do this, can't you foresee the outcomes?

    tl;dr, Shoulda just spliced an ethernet cable into a power cord, added a "Never unplug this!!!" sticker, and left it by a power outlet. Once the blue smoke is released, the magic is lost.

    • Re:One by one? (Score:5, Insightful)

      by somersault ( 912633 ) on Wednesday August 17, 2011 @05:27AM (#37117112) Homepage Journal

      Shouldn't a "too long; didn't read" section be shorter than the rest of your comment? And it should provide a summary, rather than go off on some tangent.

    • I initially read this as "Never plug this in!", would have been more funny that way. Indeed if someone did plug it in (and someone would... idiots are everywhere...), Mr Cornish would have been able to share his punishment with whomever disregarded this clear instruction...
    • by jamesh ( 87723 )

      Once the blue smoke is released, the magic is lost.

      This is true of people and of computers... guess which one will get you longer in prison if you are found to be responsible for the release of the blue smoke?

    • Wouldn't it just fry the NIC it is plugged into, or the motherboard at most?

      • by Intron ( 870560 )

        Most likely it would fry a switch, which would shut down the company network until it was replaced.

        Back in the day of a single thick ethernet cable connected to every machine, this would have been really spectacular.

    • But seriously, if you're smart enough and determined enough to do this, can't you foresee the outcomes?

      Evidently not necessarily. This is why intelligence and wisdom are different ability scores.

  • by Viol8 ( 599362 ) on Wednesday August 17, 2011 @05:11AM (#37117028) Homepage

    He could have potentially wiped out some ongoing expensive research while he was at it and potentially cost lives, not to mention jobs, at a company that obviously wasn't in the best financial health to start with. This self-centered little prick doesn't deserve any leniency.

    • I believe you know the full story from both sides then, yes? So what was his dispute with the management that made him do this?

      • by ScentCone ( 795499 ) on Wednesday August 17, 2011 @05:26AM (#37117106)

        So what was his dispute with the management that made him do this?

        It doesn't matter what his dispute was. There are no circumstances in which doing the equivalent of burning down your former place of employment is a legitimate move in a dispute.

        • There are no circumstances in which doing the equivalent of burning down your former place of employment is a legitimate move in a dispute.

          Yes, burning down your place of employment should only be done in context of insurance fraud, or to help them save costs of properly disposing of dangerous goods. But never for petty revenge!

        • Of course there is. If you were a former Al Qaeda Terrorist for example.
          • That's what I was thinking. What if your former employer is planning on doing something that could kill lots of people and the regulators/police/media don't believe you or are complicit in the scheme? Never is a pretty strong word.

        • There are no circumstances in which doing the equivalent of burning down your former place of employment is a legitimate move in a dispute.

          What if they took your stapler and moved your desk in to the basement?

      • by Viol8 ( 599362 )

        There was no excuse for what he did. End of.

        • I'm not debating that what he did was right or wrong (it's certainly wrong), all I'm saying is that there is a good possibility that his actions weren't entirely selfish. It wasn't just him that got laid off and we don't have any information on what his initial disagreements with the management were, for all we know they wanted to experiment on baby pandas (yes I know that's unlikely, but the point remains). Saying he doesn't deserve any leniency without knowing the full story is just wrong.

          • there's no magical hollywood plotline that justifies his actions. there's no full story needed. some people are just so incredibly selfish this level of vindictiveness makes sense to them. can you imagine what any poor woman would go through/ went through after dating this guy?

          • by jamesh ( 87723 )

            Saying he doesn't deserve any leniency without knowing the full story is just wrong.

            As long as you know the full story of _what_ he did, then _why_ he did it shouldn't really matter unless it can be established that he was mentally incompetent at the time eg under duress (family being held hostage etc), having a psychotic episode, really really drunk/wired, upset because favourite TV show just got cancelled, or whatever else counts for "temporarily insane" these days.

    • Or he could've prevented a new strain of pandemic virus from being released and saved billions of lives. Or he could've accidentally deleted the winning lottery numbers. Or if his Uncle was his Aunty...
  • by Mysticalfruit ( 533341 ) on Wednesday August 17, 2011 @05:11AM (#37117030) Homepage Journal
    I usually can only destroy 10 or so VMs before my vSphere client runs out of memory / handles or just segfaults for the fun of it. Needless to say, my displeasure with that vSphere client has caused me to become somewhat of a vSphere command line ninja.

    Firstly, it appears this guy was treated poorly and not only is he a nitwit, it would appear that most of his coworkers/management were as well.

    Secondly, it's acts of sabotage like this that make it hard for the rest of us to do our jobs.

    Thirdly, on a not so serious note... wi-fi from McDonalds? vSphere console? How did he think he was NOT going to get caught? Did he even try to wipe the logs off the vsphere server? Had this guy two brain cells in his head, he could have obliterated their infrastructure and not left a trace of evidence.
    • by murdocj ( 543661 )

      Having read the article... other than being laid off, what makes you think that the guy was treated poorly?

    • by Syberz ( 1170343 )
      Had this guy had 2 brain cells in his head, he wouldn't have done anything except look at job boards... Why don't people just stick to stealing office supplies like in the good old days?
  • someone who has your root passwords...

  • by bertok ( 226922 ) on Wednesday August 17, 2011 @06:51AM (#37117566)

    Has anyone noticed that every system claiming "enterprise" robustness only ever protect against untrusted third parties or component failure? I think there's an enormous amount of research waiting to be done to develop systems that are robust against attacks by rogue administrators. Think about it this way: a modern distributed cluster can be made robust against nuclear warfare, but not a grumpy admin!

    Technologies like the kind developed by internet pirates could be applied to enterprise systems. For example, protocols like Bittorrent are designed to be robust against malicious peers. The lessons learned by Wikipedia (where everyone is an 'admin') could be applied too, such as enforced versioning of all configuration changes.

    Similarly, multi-party authentication should be an option for critical enterprise systems. It should be possible to mark objects such as VMs or service accounts as "critical", allowing configuration changes only if, say, three admins authenticate together, like in a nuclear launch. This isn't a new concept -- Certificate Authorities often require secondary approval to issue certain types of certificates.

    The need will become ever greater as the trend of moving away from tape towards snapshots and replicas accelerates. Do you seriously think Google backs up to tape? Or Amazon? Or any cloud provider? They don't! They just keep two to three copies of everything, and hope that none of their thousands of administrators ever cracks and does the equivalent of "rm -rf *" on the entire cloud all at once!

    Unfortunately, a business with general purpose servers running Windows or Linux is out of luck. Even if someone were to come up with, say, a virtual hosting environment that's robust against even administrators, that wouldn't prevent other mass attacks, such as formatting the SAN (shudder), deleting every object from the Active Directory domain, or my favourite: setting an encryption key on the backups for a month before leaving, wiping the password, and then formatting every server in parallel. Just resetting every password in the system at once is enough to bring most organisations to their knees, and can be done in seconds! How long would it take your organisation to recover from that? You'll just restore the AD from tape, right? Step one: log on to the backup server... err...

    Remember: Mirrors won't help. Replicas won't save you. Snapshots can be deleted just like everything else. If the business didn't have off-site tape backups of everything, it's game over.

    • Multiple Administrators? I think most companies see IT as an expense that needs to be minimized, so you're lucky if they have one Administrator who is competent.

    • by mallyn ( 136041 ) on Wednesday August 17, 2011 @09:03AM (#37118656) Homepage
      Good advice; thanks.

      Here is one small step that was taken by a high end hosting provider

      All the systems had locked root passwords; nobody knew the actual root passwords; and they were different for each system.

      All root is done via sudo except for the system console, which is in the locked server room

      To gain sudo access, this is what happens

      First you go onto a secure database that is tied in with the trouble ticket system. You log in using a token. You request root access to server x. The system checks to see that you are supposed to be able to have root for server x and it checks to see that you are working on a currently open trouble ticket for an application on server x.

      If the secure database is happy, it sends a message to another secure server (in a different machine room). That system, which has yet another secure database, pulls an ssh private key from the database and installs it as an ssh private key in order to do an ssh shell session with the server you want to get on. That session runs a script that changes the /etc/sudoers to add your name. Along with that, it sets off a cron job that forces the /etc/sudoers file back to its original configuration after a set amount of time.

      You log in, do sudo, and do your stuff. All logging is done to what I call a toilet paper machine (paper log) in yet another secure room. You are through and log off. You close the ticket. The entire process described above is then run again, but to restore the /etc/sudoers file back to the way it was. Even if you 'forget' to close the ticket, the timer cron noted above will still revoke your access to sudo and send an email to security.

      The secure database servers noted above, each located in its own secure location, require two-person authentication to access root. For those machines, the root password is split in half. One half is known by each of two key people. They both need to log in at the same time.

      This is about the most paranoid root access that I am aware of.
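A toy model of the ticket-gated, time-limited sudo workflow the comment above describes, written as an added example for this thread; it is not mallyn's code or the hosting provider's system. The entitlement table, ticket store and host names are constructed sample data, the clock is injectable so the expiry timer can be exercised, and the real ssh/sudoers plumbing is replaced by an in-memory map.

```python
import time

# Constructed sample data (not from any real system): which hosts each admin may
# hold root on, and the currently open trouble tickets.
ROOT_ENTITLEMENTS = {"alice": {"web01", "db01"}, "bob": {"db01"}}
OPEN_TICKETS = {"T-100": {"owner": "alice", "host": "web01"},
                "T-101": {"owner": "bob", "host": "db01"}}

class SudoBroker:
    """Hands out time-limited sudo grants tied to an open ticket; revokes on
    ticket close or when the timer job finds an expired grant."""
    def __init__(self, grant_seconds, clock=time.time, tickets=OPEN_TICKETS):
        self.grant_seconds = grant_seconds
        self.clock = clock                 # injectable for tests
        self.tickets = dict(tickets)       # copy so closing does not mutate input
        self.sudoers = {}                  # host -> {user: expiry_timestamp}
        self.audit = []                    # append-only log (the "paper log")

    def request(self, user, host, ticket):
        """Grant sudo on host only if user is entitled AND owns an open ticket for it."""
        t = self.tickets.get(ticket)
        if host not in ROOT_ENTITLEMENTS.get(user, set()):
            return self._deny(user, host, ticket, "not entitled to root here")
        if t is None or t["owner"] != user or t["host"] != host:
            return self._deny(user, host, ticket, "no matching open ticket")
        expiry = self.clock() + self.grant_seconds
        self.sudoers.setdefault(host, {})[user] = expiry
        self.audit.append(f"GRANT {user}@{host} ticket={ticket} until={expiry:.0f}")
        return True

    def _deny(self, user, host, ticket, why):
        self.audit.append(f"DENY {user}@{host} ticket={ticket}: {why}")
        return False

    def close_ticket(self, ticket):
        t = self.tickets.pop(ticket, None)
        if t:
            self._revoke(t["owner"], t["host"], "ticket closed")

    def cron_sweep(self):
        """The timer job: revoke past-expiry grants even if the ticket was left open."""
        now = self.clock()
        for host, users in self.sudoers.items():
            for user, exp in list(users.items()):
                if exp <= now:
                    self._revoke(user, host, "grant expired")

    def _revoke(self, user, host, why):
        if self.sudoers.get(host, {}).pop(user, None) is not None:
            self.audit.append(f"REVOKE {user}@{host}: {why}")

    def can_sudo(self, user, host):   # what /etc/sudoers would say right now
        return self.sudoers.get(host, {}).get(user, 0) > self.clock()
```

The two deny paths show why both checks matter: an entitled admin with no matching ticket, and a ticket holder who is not entitled on that host, are both refused and both leave an audit line.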

  • by dutchwhizzman ( 817898 ) on Wednesday August 17, 2011 @06:53AM (#37117578)
    Anyone doing this will never ever be put into a position of trust again. That is, if the potential future employer does a decent check on who's applying for the job. It doesn't matter how mad you are, you will ruin it for yourself if you do anything to harm your former employer.
    • by gatkinso ( 15975 )

      Getting a decent job is going to be the least of his worries.

      However he will be trusted to toss that salad.

  • by gatkinso ( 15975 ) on Wednesday August 17, 2011 @07:40AM (#37117890)

    ...make it impossible for some elderly people (along with some kids with cancer, and perhaps a few diabetics) to get their meds.

    Oh yeah, and incidentally, cost my employer money.

    Douchebag of the Year Award candidate.

  • Seems half the comments here are people who say how stupid this guy was -- that they could have done a much more thorough job of destruction AND covered their tracks better. Shows what kind of geeks we are. ;)

    Go ahead, post your "I could have done it better" comments here.

  • I don't understand. Was this guy the head of the IT department? Did they lay off the entire IT staff? Who was in charge of the IT department? I hope it is the guy stabbing himself in the stomach. What type of moron doesn't have machines storing VM drives separated from the network just in case of catastrophic disaster or intrusion? For the love of Yoda people! Hire a Security Engineer!
