Former Sysadmin Accused of Planting 'Time Bomb' In Company's Database (bleepingcomputer.com) 143
An anonymous reader writes: Allegro MicroSystems LLC is suing a former IT employee for sabotaging its database using a "time bomb" that deleted crucial financial data in the first week of the new fiscal year. According to court documents, after resigning from his job, a former sysadmin kept one of two laptops. On January 31, Patel entered the grounds of the Allegro headquarters in Worcester, Massachusetts, just enough to be in range of the factory's Wi-Fi network. Allegro says that Patel used the second business-use laptop to connect to the company's network using the credentials of another employee. While connected to the factory's network on January 31, Allegro claims Patel, who was one of the two people in charge of Oracle programming, uploaded a "time bomb" to the company's Oracle finance module. The code was designed to execute a few months later, on April 1, 2016, the first week of the new fiscal year, and was meant to "copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless." The company says that "defendant Patel knew that his sabotage of the finance module on the first week of the new fiscal year had the maximum potential to cause Allegro to suffer damages because it would prevent Allegro from completing the prior year's fiscal year-end accounting reconciliation and financial reports."
Backup, anyone? (Score:3, Insightful)
Seriously, why would it even be an issue? Critical code and data, but not backed up?
RTFA, anyone? (Score:5, Informative)
Allegro's IT staff discovered the sabotaged Oracle finance module on April 14, 2016. Ten days later, on April 24, the IT staffers found Patel's malicious code after comparing the current database with a copy from older backups.
Re:Backup, anyone? (Score:5, Insightful)
You think a malicious sysadmin wouldn't know to target the backups as well?
Re: (Score:3)
Or at least, have the code delete itself.
Re: (Score:1)
Re: (Score:3)
A good sysadmin would have a job.
Re: (Score:1)
No, because a good sysadmin would like to eat something besides mac&cheese, and the company prefers to pay wages that would require you live with your parents rent free, and on your "special night" you can afford to spring for mac&cheese...for yourself.
Re: (Score:2)
No, because a good sysadmin would like to eat something besides mac&cheese, and the company prefers to pay wages that would require you live with your parents rent free, and on your "special night" you can afford to spring for mac&cheese...for yourself.
So leaving and messing with the database gets you better food that mac & cheese. I'm not seeing your logic.
Re: (Score:2)
I don't think a malicious vindictive sysadmin has thought through any part of his life or what he is about to do. I don't credit these people with much in the way of brains.
Pretty Obvious What the Timebomb Is... (Score:5, Insightful)
Re: (Score:3, Interesting)
Of all the knocks on Oracle I have seen on Slashdot (most of which are completely valid), I have never seen an insinuation that their products are not reliable. I do not believe that is one of their weaknesses.
Oh, it's reliable alright.
You can count on being reliably fucked as as customer at any given time.
And that's just dealing with the software audit mafia. Forget actually patching the fucking thing and not breaking all kinds of shit in the process.
Re: Pretty Obvious What the Timebomb Is... (Score:1)
When I think of Oracle and 'time bomb', I think of getting locked in with a good deal, then getting screwed years down the road with increased licensingâ costs and audits. I do think the software is reliable though.
Re:Pretty Obvious What the Timebomb Is... (Score:5, Funny)
They're using Oracle.
Seriously. If they were using SAP he would have never figured out how to sabotage it.
Re: (Score:3)
Eletronic fingerprint? (Score:5, Insightful)
"Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint.""
Translation: Someone with a functioning braincell in the IT department googled about MAC addresses and thought maybe they should check the wifi router logs and look for unauthorised access by company issue laptops.
Re:Eletronic fingerprint? (Score:4, Informative)
It sounds like they depend on the MAC address for access security, and not-a-one-of-them has ever heard of MAC spoofing. (Or a Pingles can for extending WiFi range to off of company property.)
Re: (Score:1)
He wouldn't need to keep the laptop if all he had to do was spoof the MAC address. It sounds like they know more about network security than most Slashdot posters. Though, the articles are never clear on this so who knows. Anyway, what the company primarily at failed was proper asset control.
Re: (Score:2)
Second translation: DB admins are pretty inept at IT. It's trivial to change the Mac address.
Once again proving that those that do evil deed are typically pretty stupid and leave obvious clues.
Re:Eletronic fingerprint? (Score:4, Insightful)
Once again proving that those that do evil deed are typically pretty stupid and leave obvious clues.
Na, just proves the stupid evil doers are still stupid. We never hear about the smart evil doers. If there is such a thing. :D We'll never know, if they're smart enough.
Re:Eletronic fingerprint? (Score:5, Interesting)
Second translation: DB admins are pretty inept at IT. It's trivial to change the Mac address.
Once again proving that those that do evil deed are typically pretty stupid and leave obvious clues.
You missed the key point too.
The anon poster before you had the right idea.
He wouldn't need to keep the laptop if all he had to do was spoof the MAC address.>
If all he needed was the mac address, then he didn't even need the laptop. He could have spoofed the Mac Address. Most likely there was additional network security which is why he needed the laptop. It could be a cert/key etc. too that was on the laptop which he couldn't spoof.
Re: (Score:3)
maybe multiple time bombs (Score:2)
Of course Allegro had Backups? (Score:5, Interesting)
Who in the heck was monitoring for changes to Oracle's software? Too many unanswered questions.
Re: (Score:2)
Turnabout is fair play (Score:1)
Re: (Score:1)
Re:Turnabout is fair play (Score:5, Insightful)
The article said he resigned.
In most cases of IT staff leaving a company, the word "resigned" is a euphemism, and should be written in quotes.
Re: (Score:3)
Re: (Score:2)
Re:Turnabout is fair play (Score:5, Funny)
To this day (wow, has it really been 50 years?), I still don't know why Number Six resigned. Perhaps the reason he was kidnapped and taken to The Village, was that the government had serious concerns about what he was going to do next. Until you know why he resigned, it's really hard to guess anything else.
Re: (Score:1)
Re: (Score:2)
Whatever the circumstances, professionals do not sabotage their former employers (or current employers, for that matter).
Besides compromising your professional integrity, and risking criminal charges, it's just not work your time. Move on and live your life.
Re: (Score:2)
service accounts passwords can be hard to change and in some cases need downtime to change. Also some apps have DB passwords in plain text in the config files.
Re: (Score:2)
Also all apps have DB passwords in plain text in the config files.
FTFY.
Though it's been a weakness for so long you would think someone would have created a means of encrypting connection data like you would sign a certificate signing request for an SSL cert. At least add another hoop to jump through in case site performance wasn't dismal enough.
Re: (Score:2)
At work we just recently had Oracle come in and do a security analysis, and plain text passwords in files was one of their findings, (some, not all files); they have a method to remediate that, as they pointed it out.
Re: (Score:2)
As far as DevOps or infrastructure as code stuff goes passwords can be obfuscated through the use of encrypted data bags but ultimately the password is going to be in a plain text password file on the storage mechanism of the server like Wordpress or Drupal, etc.
I am referring to requiring the use of encrypted config files.
Re: (Score:2)
eyaml works very nicely for this
Re: (Score:2)
Encrypting client connection data gives little more than a false sense of security. If the client needs to automatically log in then it needs to be able to automatically decrypt the creditials. If the server can do that then most likely so can the sysadmin.
Accounts used for automatic authentication should have their credentials rotated frequently and the minimum privilages practical to do their job. Unfortunately that is a PITA to do so people often don't :/
Re: (Score:2)
Unfortunately that is a PITA to do so people often don't :/
Chef, Jenkins, Puppet, Thoughtworks GOCD.
There's no excuse.
Re: (Score:2)
what about apps where you need to restart them to update the DB password and it's hard to get the downtime to do that. Or there you need to change 4-6 apps at the same time as they are all tied to the same DB?
Re: (Score:2)
This is what the Change Advisory Board is for. Ever heard of a CAB meeting? Sometimes Downtime is mandatory. If you have other deployments that cannot be handled with a rolling update then piggy back during that deploy.
Also, Since we are most likely dealing with AWS or some other virtualization an entirely new cluster could be rolled out if engineered correctly, and the traffic routed to the new cluster.
ITIL :
http://www.bmc.com/guides/itil... [bmc.com]
SAFe:
http://www.scaledagileframewor... [scaledagileframework.com]
Re: (Score:1)
couldnt the 4-6 apps each use their own user, so they could be updated one at a time?
Re: (Score:2)
Re: (Score:2)
Am I missing anything?
Jackasses like this are why:
4. Anyone who gives notice to quit is immediately escorted (dragged?) out by security while an HR droid packs up their desk of personal items and mails it to them.
They had backups right? (Score:5, Funny)
Re:They had backups right? (Score:5, Insightful)
It's not worth posting stories about these amateurs. Everyone knows you don't just delete random stuff, you introduce subtle errors that can be passed off as genuine mistakes, and which take years to fully manifest, way beyond the point where backups can help.
Re: (Score:2)
Re: (Score:2)
Of course, but you keep all your noxious code always in the stack, rendered inactive by a script that you bring in your USB stick, and manually execute every six months. Then when you are no longer there to execute the script...
Much safer than having to hack the network to delete things and leaving a trail and all that. Of course it's a lot of work, and perhaps your wife is right, and if you had used all that work for the benefit of your company, perhaps they wouldn't have fired you.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2, Interesting)
An effective (and legal) way of screwing over an employer would be not to automate certain infrequent but mission-critical tasks. Just document what needs to be done (and when) in your well-written and exhaustive handover notes. If you're feeling unkind don't explicitly state why or how to perform such a task (e.g. "purge old logs from the database server instance weekly"). Bonus points if before you leave you pitch a project to automate essential maintenance tasks to your boss, and they shoot it down as a
How... (Score:2)
is there a file anywhere with usernames and passwords? Is that jut mis-understanding and he cracked the hashes, or do these guys actually have everyone's password written down somewhere?
An yea these days, if your shit matters, you need 2FA of some sort.
Also, apparently, you need the guy who checks in the returned laptops to check serial & model numbers...
Re: (Score:2)
Re: (Score:2)
I don't care if you ARE a senior system administrator, you have NO business having a list of user passwords. You have no business having anyone's password, EVER. There are times we need to connect as a user or login to their network account to fix a problem or test something. When that happens, we reset their password, do our work, hand them over the reset password, and their account has the "must change password immediately at next login" flag set. (A) we never know their password old OR new, (B) we ge
Re: (Score:2)
So much this. The only time I know someone's password is when I set it the first time with a forced change the first time they log in, typically minutes later. I don't want to know anyone's password, nor do I need to know anyone's password.
When someone leaves, I immediately nuke all of their account credentials, often before they even exit the building.
Re: (Score:2)
But, you do know the "password" is not the key to the account?
As a "sysadmin" I can basically always use your account without you noticing and without knowing your password. How to do that ofc varies from OS.
Re: (Score:2)
I've seen that feature in directory services, when you go to the directory admin account configuration. "Use directory admin password to masquerade as other user". Basically means the diradmin master password will authenticate ANY account if you check that box. I've never used that before, and we don'
Obviously the firm had bad data retention (Score:1)
That said, how do they know it was said person? This is an accusation, not a proven fact.
More likely one of the senior execs deleted the files to cover up some theft on their part.
Never assume.
Financial Damages? (Score:2)
How does one calculate the damages a company suffered by being rendered unable to generate financial reports?
Unless their business is generating financial reports, that does not seem like that would get in the way of producing whatever it is they produce. And if they do not know how much money they have, how can they ever estimate how much they lost?
Re: (Score:2)
Part four of this (about half way through it) has an example (about half way through it) of how ridiculous damage estimates for computer crime were "determined".
http://www.mit.edu/hacker/hack... [mit.edu]
Damage of $79,449 was determined (in itemised detail) for downloading a document that could be purchased in hard copy form for $13.
Sadly the same sort of reasoning still applies.
Re: (Score:2)
How does one calculate the damages a company suffered by being rendered unable to generate financial reports?
By the fine they get and by the time/efford they need to recover the data and finally deliver the report.
Where's the proof? (Score:1)
So the best evidence they have is the MAC address of the wifi adapter of the business laptop that wasn't returned. We all know how immutable that is.
The article seems merely to be parroting the court documents that were filed by Oracle, leading to a one sided story. Just as likely Patel is being being thrown under the bus for someone else' screwup, or perhaps a case of industrial sabotage. Excuse me if I don't assume anything Oracle is alleging as true.
Why are they suing? (Score:2)
Re: (Score:2)
Not very good at covering tracks. (Score:4, Informative)
Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint."
By "electronic fingerprint", I suspect they're referring to the MAC address of the laptop's WiFi adapter, in which case the guy is a bit of a noob for not spoofing it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
... you suspect it because it gives you a sense of superiority and a feeling of being much more intelligent that the stupid noobs.
No, I suspect it because it strikes me as a plausible explanation.
Me? I have no fucking clue what their setup is.
Which is perfectly fine, but then why feel the need to chime in?
But my self worth doesn't depend on assuming that everyone else are idiots.
Oh, I see, You're making some gigantic assumption about what motivates me and gives me a sense of self-worth. OK.
For my part, I'm not assuming the guy is an idiot. I'm making an assessment based on the published facts. Merely setting out to do what this guy did, competently or not, is a bit idiotic, don't you think?
Not how it's done ... (Score:4, Insightful)
... for a sysadmin.
Know where the logs are and erase the goddam things.
Re: (Score:2)
Re: (Score:2)
From TFS:
According to court documents, after resigning from his job, a former sysadmin kept one of two laptops.
Re: (Score:2)
... for a sysadmin.
Know where the logs are and erase the goddam things.
For a sysadmin who left their job and then decided to vindictively retaliate against his former company, you actually think they have brains?
Re: (Score:2)
... you actually think they have brains ...
I was speaking from experience, you insensitive clod.
an administrator leaves a company (Score:2)
An administrator leaves a company. A few weeks or months later, things start to fall apart. This tends to happen even if there's no malicious code involved.
Re: (Score:1)
This could also happen if they forgot to renew the software.
A long time ago, I remember it was fairly common practice, in fact.
But, hey, I'm sure the relative of one of the execs they hired is good at his job.
Re:an administrator leaves a company (Score:5, Interesting)
"This could also happen if they forgot to renew the software."
Absolutely. The biggest time bomb of all might be simply to decline to share the file of license renewals. The company starts to feel the results of *that* after the admin is long gone. And all the warning messages go to the admin's closed account, or to a service account that nobody checks since he left.
The problem is, the results are indistinguishable from the case where the admin passed the information to "transition management" prior to being outsourced, only to have them lose it, so he gives them his spare copy, and they lose that also, and then a few months down the road when appliances and software suddenly stop working, offshore management blames the former admins for the debacle(s).
Don't ask me how I know this.
Re: (Score:2)
Probably for the same reason I know that.
Sigh.
Jail time (Score:2)
Hello, jail time. Or prison time, perhaps. Either way it sounds like they have this clown dead to rights.
Re: (Score:2)
He's being sued instead of being subject to a criminal investigation. I think that's an indication that there is less going on here than was claimed. If you are going to accuse an ex-employee of a crime and you are confident that they actually did it surely it's time to call the police instead of suing them?
If they really did have him dead to rights I think you will find that the police would be involved - there is theft in the allegations to start with and it goes on from there into st
Re: (Score:2)
He's being sued instead of being subject to a criminal investigation. I think that's an indication that there is less going on here than was claimed. If you are going to accuse an ex-employee of a crime and you are confident that they actually did it surely it's time to call the police instead of suing them?
Depends on what you want. If you smashed my car and I had the choice between (a) you going to jail for a year, or (b) you paying for all the damage, I'd want to get paid for the damage (if for some reason no insurance would pay). They might say "it's $500,000 damage, the guy is 40 and can work for another 25 years and pay $20,000 a year for the damage".
Re: (Score:2)
This thing's into medieval "weregild" territory where a crime with damage gets paid off. It's not the way crimes are normally dealt with in the west.
Seriously, if it's as bad as suggested why are the FBI not all over this? They've kicked up a huge fuss over far less in the past.
Let go of your hate. It's not worth it. (Score:2)
This is one of those cases where people really need to learn to let their anger go. I'm sure this guy thought he was smart; that he could take precautions. Maybe he even avoided all the security cameras. Maybe it was one ticket sitting in a provisioning system that said that laptop was last on his desk. No matter how well you think you've covered your tracks, in companies that big, there will be a record.
I'm reminded of the kid who sent a bomb threat via Tor to get out of something at his University. They d
Is it real? If so why not criminal charges? (Score:2)
It really looks a lot like trying to blame an ex-employee for a fuckup If this was real there is a long list of law enforcement types that would be very interested.
Found his profile (Score:2)
Bonus points ... (Score:2)
... if the Sysadmin sabotaged the back ups, too.
Sorry, stories like this are just ridiculous. A guy who knows his business surely knew that the company has back ups. And a "End of Year" is usually not calculated over the last 365 days, but over the last 11 or 12 "end of month" and the last 1, 3 or 4 or 5 "end of weeks". Depending how and when you make "the end of month".
This sounds familiar... (Score:1)
Re:So many stupid questions (Score:5, Funny)
Have you ever worked anywhere before?
Re:So many stupid questions (Score:5, Insightful)
The other anon is right: in the real world, unless your employer is NSA or something of comparable caliber, as an admin you have access to everything - whatever you don't have access to, you can obtain, without the employer's knowledge.
The only defenses against rogue admins companies really have is to have more loyal admins, and not to piss admins off. Plus threat of lawsuit if the admin fails to cover his traces after going rogue. Essentially, you can only try to reduce damage after the attack, you can't prevent the attack.
And to have anything "better", you have to spend so much on security, that unless security is your *product*, you'll be creating losses.
Re: (Score:2)
I'm always amused by the importance that people place on having a security clearance from the government, like it's a badge of pride. They seem to have this belief that they've been investigated and found to be super trustworthy people. Like an official certification of worthiness. In reality the whole purpose of a security clearance is to ensure that a person isn't already or likely to be vulnerable to blackmail, paltry bribes, or a bout of guilty conscious. And of course, despite that whole process, peopl
Re: (Score:2)
How did you know IT didn't keep a keylogger on any of the PCs that accessed it?
Re: (Score:2)
"An admin needs to be able to generate and revoke passwords, not know them."
"Doesn't need" or "Shouldn't" versus "Can't".
If you have control over the process of setting the passwords, you can have the passwords. You shouldn't and you're not supposed to need to, but who's to stop you, and who will ever know?
Re: (Score:2)
Most companies have no problem auditing their accounting teams, they should do the same with their IT teams.
Re: (Score:2)
The audit will find cases of incompetence or laziness. It would be very hard for it to find cases of actual subversion, especially if the admin has enough time to hide all the evidence off-site. Never mind his "booby traps" blowing up upon discovery by the auditor, and blaming the auditor for breaking the system.
Re: (Score:2)
Well I guess the best thing to do then is nothing. Just know the admin is all powerful and pay him 6 figures.
Re: (Score:2)
The right thing is to have competent people perform the hiring, hire a couple competent admins, and treat them well.
They don't go rogue "for teh lulz".
Re: (Score:1)
A few years ago I worked for a large S/W development company that was in the process of being aquired. As part of the due diligence they needed to do an audit of all their PCs. They couldn't account for roughly 25,000 machines.
It's not as bad as it sounds, mostly they weren't good at recording which machines had died and were parted out or were put on a shelf somewhere but never properly decommissioned.
.
Re: (Score:2)
But the user account logged in after his employment ended. Then bad stuff happened. That might be enough.