Fired Gucci Employee Accused of Attacking Network
WrongSizeGlass writes "Computer World, Information Week, and The Register are all reporting on the story of a former Gucci IT employee who is accused of a November 2010 assault on Gucci's network, deleting files and virtual servers, taking a storage area network offline, and deleting mailboxes from the corporate email server. The lost productivity is estimated at $200,000. Sam Chihlung Yin, 34, of Jersey City, NJ, allegedly created a fake VPN token in the name of a non-existent employee which he tricked Gucci IT staff into activating in June 2010, a month after his employment contract was terminated by Gucci for unrelated reasons."
First Post (Score:1)
Down with fashion!
Re: (Score:2)
200K? That's what, a belt, a pair of shoes, three handbags and a couple pairs of sunglasses.
They owe him (Score:2)
Incompetent managers (Score:2)
I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired. Or, to use a car analogy, if a former employee was able to walk into a dealership and drive away with a $200,000 car just like that.
The law about computer crimes should have strong penalties for managers that allow that shit to happen. It would be somewhat different if the guy still worked for the corporation, because it's much harder to guard against an attack from inside, bu
Re: (Score:2)
> The law about computer crimes should have strong penalties for managers that allow that shit to happen.
Why does this need to be a legal thing? I mean, there's employment issues to look at (like, err, should they have a job still), but why on earth would this be a legal issue?
Re: (Score:3)
I would think this is a legal issue in the fact that the person destroyed company property without consent. Imagine if you stopped getting the newspaper delivered, and as a result, the paper boy took your car and had it stripped.
Re: (Score:2)
There's this concept of criminal degrees of negligence (under US or UK law at least). If somebody does a big enough screw-up, something any 'reasonable' person should have known better than to do (as the law defines reasonable), then they have committed criminal acts. In this case, for example, some of the people working for the corporation made assurances to their boss that the system was better secured than that, and some of them made assurances to clients or to the government. If I know damned w
Re: (Score:2)
You're actually blaming the victim? It's your fault for a thief picking your pocket, getting your keys and stealing your car because you should've had it chained to your waist? The home invasion was your fault because you didn't pay extra for the level 5 security system?
This wasn't a case of the IT staff inviting people into the office, sitting them at a PC with a list of passwords on the desktop. The criminal did very specific, targeted things to falsify keys and identities to gain access.
Re: (Score:2)
> You're actually blaming the victim?
No. The victims are Gucci stockholders. The incompetent manager was an accessory to crime, therefore he should share the blame.
Re: (Score:2)
It's called being a Director isn't it..?
Re: (Score:2)
> I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired. Or, to use a car analogy, if a former employee was able to walk into a dealership and drive away with a $200,000 car just like that.
Well, he didn't walk away with tangible things of value. A better analogy would be:
* Bank analogy: someone destroyed enough of the bank's records that it cost the bank $200,000 to fix the resulting mess.
* Car analogy: someone drove a monster truck onto the dealer's grounds and squashed $200,000 worth of cars.
It's not usually the case that a sysadmin's manager knows the system as well as the admin. So, it's not really possible for a sysadmin's manager to prevent all possible angles on something like that. It
Re: (Score:3)
Am I desensitized by hyperbolic damage claims in other cases, or does $200,000 seem pretty low for this kind of attack?
Hacking (Score:3, Interesting)
Re: (Score:2)
Social engineering is modifying society to do what you want it to, just like, say, getting an Xbox to play a copied game.
Re: (Score:2)
Hacking is the same thing - leveraging how a piece of software or hardware behaves to achieve your goal.
Re:Moral of the story (Score:4, Insightful)
Re: (Score:2)
In other words... this is why anti-nepotism laws should be made a requirement of any business over the size of a 10-person "family business."
Re: (Score:2)
For publicly traded companies. Private companies should have the right to shoot themselves in the foot all they want.
Re:Moral of the story (Score:5, Insightful)
Revenge is not a smart move. You are most likely going to get caught and it will ruin your chances at future employment as soon as a prospective employer does a background check.
Re:Moral of the story (Score:5, Insightful)
Re: (Score:2)
We also took some HD magnets (scrapped from an old HD we just wiped) and tried to zap a stack of remaining HDs to be wiped with them. No luck. We could still read the data off of it when we tested to see if the magnets worked so we had to DBAN each and every one of them.
Buckyballs next to the tape archives.... well that
Re: (Score:2)
I can't say I didn't fantasize about throwing a supermagnet into the data center of an ex-employer I was downsized from, but I knew better and the majority of adults I hope would know better too.
Yeah, I have had those fantasies too. You don't realize just how much damage you can do until you sit and think about it. After being let go by a retail chain with about 700 stores I realized that in about 15 min I could pretty much put the entire chain out of business. They had just scrapped all their phones for VOIP and I had the passwords to all the routers and knew they had the domain admin password hardcoded into the mainframe (I had tried, unsuccessfully, for over a year to get them to change that). I
Re: (Score:2)
On behalf of all of us... fuck you [pcpro.co.uk].
I help my friends with their PCs all the time. I do it out of the kindness of my heart. I help my parents when I can.
But when I help them, I also educate them. I show them what I'm doing. I double-check to make sure they've got up to date virus protection, up to date OS, properly locked down home network (PC direct into cable modem = AUGH).
And I tell them look - I'm your friend. I'm helping you out. But I get a ton of people asking for this every day. Coworkers constantly a
Re: (Score:1)
> I heard most geeks are like that because (...)
The problem is clearly not in the geeks if you are gullible to the point of believing everything you hear.
How long.... (Score:1)
Re: (Score:2)
Seriously, if they don't need Google toolbar, why the hell would you let them install it? And let's be honest... You don't need Google toolbar, ever.
Conjugal Visits? (Score:3)
Conjugal visits? Not that I know of. Minimum security prison is no picnic. The trick is, kick someone's ass on the first day or become someone's bitch.
http://www.killerclips.com/clip.php?id=74&qid=669&PHPSESSID=6ea47a84f4b8b325495d3b4b2a7ed7cd [killerclips.com]
Re: (Score:1)
"I dunno ... Play chess. Screw."
"Let's stick with chess."
Unrelated reasons? (Score:3, Funny)
Two things (Score:2)
1) if you're going to fire an IT admin who has access to all your stuff, you meet him at the door in the morning while your other admins are changing passwords. He doesn't touch a computer in your building again. You'll put his files on a flash drive and don't let the door hit you on the way out.
2) Anyone posting IT post-firing sabotage fantasies who isn't posting as an Anonymous Coward deserves the results of their next interview. I'm looking at you sandytaru.
Re: (Score:2)
Typically we pay these types of employees a delayed bonus. If after 6 months they did nothing to harm the company, it's paid, otherwise it's not. This usually buys IT enough time to have fully replaced all passwords, etc.
Re: (Score:1)
Or make sure you hire professionals. A professional will take their severance pay (or whatever they are entitled by law) and move on.
Also, the way people are fired says a lot about a company. Generally, if people are treated the way you suggest, that company is not a good place to be.
I'll agree with your second point. Those fantasies are either an indication of immaturity or personality disorders.
Wait he used old passwords? (Score:3)
How many times do we need to read "Fired techguy used his/known admin passwords to cause hell" before someone catches on?
That's not remotely IT related! (Score:1)