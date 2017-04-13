Former Sysadmin Accused of Planting 'Time Bomb' In Company's Database (bleepingcomputer.com)
An anonymous reader writes: Allegro MicroSystems LLC is suing a former IT employee for sabotaging its database using a "time bomb" that deleted crucial financial data in the first week of the new fiscal year. According to court documents, after resigning from his job, the former sysadmin, Patel, kept one of his two business-use laptops. On January 31, Patel entered the grounds of the Allegro headquarters in Worcester, Massachusetts, just enough to be in range of the factory's Wi-Fi network. Allegro says that Patel used the second business-use laptop to connect to the company's network using the credentials of another employee. While connected to the factory's network on January 31, Allegro claims Patel, who was one of the two people in charge of Oracle programming, uploaded a "time bomb" to the company's Oracle finance module. The code was designed to execute a few months later, on April 1, 2016, the first week of the new fiscal year, and was meant to "copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless." The company says that "defendant Patel knew that his sabotage of the finance module on the first week of the new fiscal year had the maximum potential to cause Allegro to suffer damages because it would prevent Allegro from completing the prior year's fiscal year-end accounting reconciliation and financial reports."
Seriously, why would it even be an issue? Critical code and data, but not backed up?
Allegro's IT staff discovered the sabotaged Oracle finance module on April 14, 2016. Ten days later, on April 24, the IT staffers found Patel's malicious code after comparing the current database with a copy from older backups.
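The detection step in that paragraph, comparing the live database against a copy restored from an older backup, is something any Oracle shop can script against an export of stored code. Below is an added example of that comparison, written for this page rather than taken from the article, Allegro or Oracle. It works on two in-memory exports shaped like rows from the DBA_SOURCE view (owner, object type, object name, source text); the schema, object names and the injected block are constructed sample data, and the "date-gated purge" heuristic is my own approximation of the behaviour the complaint describes (a block that tests the date and then deletes rows), not a signature of the real code.

```python
import re
from typing import Dict, List, Tuple

# Key: (owner, object type, object name); value: the object's source text, as you
# would get from exporting a view such as DBA_SOURCE. All of this is constructed
# sample data for the example; it is not Allegro's schema or the code from the case.
SourceMap = Dict[Tuple[str, str, str], str]

BASELINE: SourceMap = {
    ("FIN", "PROCEDURE", "POST_BATCH"): (
        "PROCEDURE post_batch AS\n"
        "BEGIN\n"
        "  UPDATE fin.inv_hdr SET posted = 'Y' WHERE posted = 'N';\n"
        "  COMMIT;\n"
        "END;"
    ),
    ("FIN", "FUNCTION", "FY_START"): (
        "FUNCTION fy_start RETURN DATE AS\n"
        "BEGIN\n"
        "  RETURN DATE '2016-04-01';\n"
        "END;"
    ),
}

CURRENT: SourceMap = {
    # Same object as in the backup, but a date-gated block was inserted that
    # stashes the header rows in another table and then deletes them.
    ("FIN", "PROCEDURE", "POST_BATCH"): (
        "PROCEDURE post_batch AS\n"
        "BEGIN\n"
        "  IF TRUNC(SYSDATE) >= DATE '2016-04-01' THEN\n"
        "    INSERT INTO fin.hdr_stash SELECT * FROM fin.inv_hdr;\n"
        "    DELETE FROM fin.inv_hdr;\n"
        "  END IF;\n"
        "  UPDATE fin.inv_hdr SET posted = 'Y' WHERE posted = 'N';\n"
        "  COMMIT;\n"
        "END;"
    ),
    ("FIN", "FUNCTION", "FY_START"): BASELINE[("FIN", "FUNCTION", "FY_START")],
    # An object that did not exist in the backup at all.
    ("FIN", "TRIGGER", "INV_HDR_AIU"): (
        "TRIGGER inv_hdr_aiu AFTER INSERT OR UPDATE ON fin.inv_hdr\n"
        "BEGIN\n"
        "  NULL;\n"
        "END;"
    ),
}


def diff_sources(baseline: SourceMap, current: SourceMap):
    """Object keys that were added, removed, or whose text changed since the backup."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    return added, removed, changed


# Heuristics for the shape described in the complaint: an IF block whose
# condition tests the date and whose body destroys rows.
IF_BLOCK = re.compile(r"\bIF\b(?P<cond>.*?)\bTHEN\b(?P<body>.*?)\bEND\s+IF\b", re.I | re.S)
DATE_TEST = re.compile(r"\bSYSDATE\b|\bDATE\s*'\d{4}-\d{2}-\d{2}'|\bTO_DATE\s*\(", re.I)
DESTRUCTIVE = re.compile(r"\b(?:DELETE\s+FROM|TRUNCATE\s+TABLE|DROP\s+TABLE)\b", re.I)


def date_gated_purge(source: str) -> bool:
    """True if any IF block both tests a date and deletes, truncates or drops."""
    return any(
        DATE_TEST.search(m.group("cond")) and DESTRUCTIVE.search(m.group("body"))
        for m in IF_BLOCK.finditer(source)
    )


def review(baseline: SourceMap, current: SourceMap) -> List[Tuple[Tuple[str, str, str], str, bool]]:
    """Every object that differs from the backup, with the heuristic applied to it."""
    added, removed, changed = diff_sources(baseline, current)
    findings = [(k, "ADDED", date_gated_purge(current[k])) for k in added]
    findings += [(k, "CHANGED", date_gated_purge(current[k])) for k in changed]
    findings += [(k, "REMOVED", False) for k in removed]
    return findings


if __name__ == "__main__":
    for key, status, suspicious in review(BASELINE, CURRENT):
        flag = "<-- date-gated purge" if suspicious else ""
        print(f"{status:8} {'.'.join(key):32} {flag}")
```

Two practical caveats. The same comparison needs to cover triggers, DBMS_SCHEDULER jobs and the legacy DBA_JOBS queue, not only packages and procedures, because a delayed payload can live in any of them; and the baseline is only as trustworthy as the backup, so a restored copy from before the suspect's last access is the one to compare against. Oracle's own auditing can also record CREATE and ALTER on stored code, which turns this from a ten-day forensic exercise into an alert on the day the change is made.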
They're using Oracle.
Seriously. If they were using SAP he would have never figured out how to sabotage it.
"Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's 'electronic fingerprint.'"
Translation: Someone with a functioning braincell in the IT department googled about MAC addresses and thought maybe they should check the wifi router logs and look for unauthorised access by company-issue laptops.
It sounds like they depend on the MAC address for access security, and not-a-one-of-them has ever heard of MAC spoofing. (Or a Pringles can for extending WiFi range off company property.)
Second translation: DB admins are pretty inept at IT. It's trivial to change the MAC address.
Once again proving that those who do evil deeds are typically pretty stupid and leave obvious clues.
Who in the heck was monitoring for changes to Oracle's software? Too many unanswered questions.
The article said he resigned.
In most cases of IT staff leaving a company, the word "resigned" is a euphemism, and should be written in quotes.
Service account passwords can be hard to change and in some cases need downtime to change. Also some apps have DB passwords in plain text in the config files.
Also all apps have DB passwords in plain text in the config files.
FTFY.
Though it's been a weakness for so long you would think someone would have created a means of encrypting connection data like you would sign a certificate signing request for an SSL cert. At least add another hoop to jump through in case site performance wasn't dismal enough.
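The plaintext-password problem this sub-thread complains about is easy to audit for, and the "extra hoop" the last comment asks for already exists on the Oracle side: the Secure External Password Store keeps the credential in a wallet file and the application connects with the `/@alias` form instead of a literal password. Below is an added example of that audit, written for this page and not taken from the article, Allegro or any vendor. The two db.properties files are constructed samples (hostnames, users, passwords and the `finprod_rpt` alias are all made up), one as such apps usually ship and one with the secrets moved out; the scanner flags keys that look like secrets with literal values and credentials embedded in connection URLs.

```python
import re
from typing import List, Tuple

# Two constructed db.properties files for the example. Hostnames, users,
# passwords and the wallet alias are made up; nothing here is from the case.
WEAK_CONFIG = """\
db.url=jdbc:oracle:thin:@finprod-db.example.internal:1521/FIN
db.user=FIN_APP
db.password=Welcome1
report.dsn=oracle://rpt_user:Sup3rS3cret@finprod-db.example.internal:1521/FIN
"""

HARDENED_CONFIG = """\
db.url=jdbc:oracle:thin:@finprod-db.example.internal:1521/FIN
db.user=FIN_APP
# injected at start-up from the environment or a secret manager, never stored here
db.password=${DB_PASSWORD}
# Oracle Secure External Password Store: the wallet holds the credential for this alias
report.dsn=/@finprod_rpt
"""

# key=value (or key: value) where the key name looks like a password/secret setting
KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:pass(?:word|wd)?|pwd|secret)[\w.\-]*)\s*[=:]\s*(?P<val>.*?)\s*$",
    re.I,
)
# scheme://user:password@host, the other common place a password ends up
URL_CRED_RE = re.compile(r"://[^\s/:@]+:[^\s/@]+@")
# values that are fine: empty, a ${VAR} reference, or an ENC(...) envelope
PLACEHOLDER_RE = re.compile(r"(?:\$\{[^}]*\}|ENC\(.*\))?")


def find_plaintext_secrets(text: str) -> List[Tuple[int, str, str]]:
    """(line number, key, reason) for every credential written in the clear."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m and not PLACEHOLDER_RE.fullmatch(m.group("val")):
            findings.append((n, m.group("key"), "literal value"))
        elif URL_CRED_RE.search(line):
            findings.append((n, line.split("=", 1)[0].strip(), "credential embedded in URL"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, find_plaintext_secrets(text) or "clean")
```

On the Oracle side, the wallet entry for the hardened file's alias is created with `mkstore -wrl <wallet dir> -createCredential finprod_rpt <user> <password>`, and the client's sqlnet.ora needs `WALLET_LOCATION` pointing at that directory plus `SQLNET.WALLET_OVERRIDE = TRUE`. The caveat the earlier comment already hints at still holds: the wallet is a file readable by the application's OS account, so this moves the problem from "anyone who can read the config" to "anyone who can run as the service account", and rotating the underlying service-account password is no easier than before.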
It's not worth posting stories about these amateurs. Everyone knows you don't just delete random stuff, you introduce subtle errors that can be passed off as genuine mistakes, and which take years to fully manifest, way beyond the point where backups can help.
Is there a file anywhere with usernames and passwords? Is that just a misunderstanding and he cracked the hashes, or do these guys actually have everyone's password written down somewhere?
And yeah, these days, if your shit matters, you need 2FA of some sort.
Also, apparently, you need the guy who checks in the returned laptops to check serial & model numbers...
That said, how do they know it was said person? This is an accusation, not a proven fact.
More likely one of the senior execs deleted the files to cover up some theft on their part.
Never assume.
How does one calculate the damages a company suffered by being rendered unable to generate financial reports?
Unless their business is generating financial reports, that does not seem like that would get in the way of producing whatever it is they produce. And if they do not know how much money they have, how can they ever estimate how much they lost?
So the best evidence they have is the MAC address of the wifi adapter of the business laptop that wasn't returned. We all know how immutable that is.
The article seems merely to be parroting the court documents that were filed by Oracle, leading to a one-sided story. Just as likely Patel is being thrown under the bus for someone else's screwup, or perhaps a case of industrial sabotage. Excuse me if I don't assume anything Oracle is alleging as true.
Eventually, they traced the unauthorized access to Patel's second business laptop based on the device's "electronic fingerprint."
By "electronic fingerprint", I suspect they're referring to the MAC address of the laptop's WiFi adapter, in which case the guy is a bit of a noob for not spoofing it.
... for a sysadmin.
Know where the logs are and erase the goddam things.
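The MAC-address comments above (the "electronic fingerprint" exchange and the earlier router-log translation) are right that a MAC is trivially forged, so on its own it attributes nothing; it only carries weight when it lines up with other records that are harder to fake at the same time. Below is an added example of that correlation, written for this page and not based on the article, the court filing or Allegro's systems. The asset inventory and the log lines (a wireless-controller association, a RADIUS accept, a DHCP lease and a database logon audit record) are constructed, the usernames and MAC addresses are made up, and the log format is a simplified key=value form of my own choosing.

```python
import re
from typing import Dict, List, Tuple

# Constructed asset inventory: which laptop (by wireless MAC) was issued to whom,
# and whether it came back when that person left. Not real Allegro data.
ASSETS: Dict[str, dict] = {
    "a4:5e:60:11:22:33": {"host": "WKS-0417", "assigned_to": "dbadmin2", "returned": False},
    "a4:5e:60:44:55:66": {"host": "WKS-0288", "assigned_to": "jsmith", "returned": True},
}

# Constructed log lines from four sources, deliberately out of time order.
LOGS = """\
2016-01-31 18:42:10 wlan assoc mac=a4:5e:60:11:22:33 ap=FACTORY-AP07 ssid=CORP
2016-01-31 18:42:12 radius accept user=jsmith mac=a4:5e:60:11:22:33
2016-01-31 18:42:13 dhcp lease mac=a4:5e:60:11:22:33 ip=10.20.7.41 host=WKS-0417
2016-01-31 18:50:03 dbaudit logon user=FIN_ADMIN os_user=jsmith host=WKS-0417 ip=10.20.7.41
2016-01-31 09:05:44 wlan assoc mac=a4:5e:60:44:55:66 ap=OFFICE-AP02 ssid=CORP
2016-01-31 09:05:46 radius accept user=jsmith mac=a4:5e:60:44:55:66
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\w+) (?P<ev>\w+)(?P<kv>(?: \w+=\S+)*)$")

Event = Tuple[str, str, str, Dict[str, str]]


def parse(log_text: str) -> List[Event]:
    """Split each line into (timestamp, source, event, fields) and sort by time."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrecognised line; a real pipeline would count these
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
        events.append((m.group("ts"), m.group("src"), m.group("ev"), fields))
    return sorted(events, key=lambda e: e[0])


def correlate(events: List[Event], assets: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Flag MAC/identity/host combinations that do not fit the asset inventory."""
    host_to_mac = {a["host"]: mac for mac, a in assets.items()}
    findings = []
    for ts, src, ev, f in events:
        if src == "radius" and ev == "accept":
            asset = assets.get(f["mac"])
            if asset is None:
                continue
            if not asset["returned"]:
                findings.append((ts, "unreturned_asset",
                                 f"{f['mac']} ({asset['host']}) is on the wireless network"))
            if f["user"] != asset["assigned_to"]:
                findings.append((ts, "identity_mismatch",
                                 f"{asset['host']} issued to {asset['assigned_to']} "
                                 f"authenticated as {f['user']}"))
        elif src == "dbaudit" and ev == "logon":
            asset = assets.get(host_to_mac.get(f["host"]))
            if asset and f["os_user"] != asset["assigned_to"]:
                findings.append((ts, "db_logon_host_mismatch",
                                 f"{f['user']} logon from {f['host']} (issued to "
                                 f"{asset['assigned_to']}) as OS user {f['os_user']}"))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in correlate(parse(LOGS), ASSETS):
        print(ts, kind, detail)
```

The point of the three checks is that a spoofed MAC defeats the first one but not the other two: the RADIUS record ties the session to a username, and the database audit record ties the logon to a host and an OS account, and both are written by systems the laptop does not control. The same logic is why "erase the logs" is harder advice to follow than it sounds; the wireless controller, the RADIUS server and the database each keep their own copy.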