Fired Employee Accessed NCS' Computer 'Test System' and Deleted Servers (channelnewsasia.com) 63
An anonymous reader quotes a report from Singapore's CNA news channel: Kandula Nagaraju, 39, was sentenced to two years and eight months' jail on Monday (Jun 10) for one charge of unauthorized access to computer material. Another charge was taken into consideration for sentencing. His contract with NCS was terminated in October 2022 due to poor work performance and his official last date of employment was Nov 16, 2022. According to court documents, Kandula felt "confused and upset" when he was fired as he felt he had performed well and "made good contributions" to NCS during his employment. After leaving NCS, he did not have another job in Singapore and returned to India.
Between November 2021 and October 2022, Kandula was part of a 20-member team managing the quality assurance (QA) computer system at NCS. NCS is a company that offers information communication and technology services. The system that Kandula's former team was managing was used to test new software and programs before launch. In a statement to CNA on Wednesday, NCS said it was a "standalone test system." It consisted of about 180 virtual servers, and no sensitive information was stored on them. After Kandula's contract was terminated and he arrived back in India, he used his laptop to gain unauthorized access to the system using the administrator login credentials. He did so on six occasions between Jan 6 and Jan 17, 2023.
In February that year, Kandula returned to Singapore after finding a new job. He rented a room with a former NCS colleague and used his Wi-Fi network to access NCS' system once on Feb 23, 2023. During the unauthorized access in those two months, he wrote some computer scripts to test if they could be used on the system to delete the servers. In March 2023, he accessed NCS' QA system 13 times. On Mar 18 and 19, he ran a programmed script to delete 180 virtual servers in the system. His script was written such that it would delete the servers one at a time. The following day, the NCS team realized the system was inaccessible and tried to troubleshoot, but to no avail. They discovered that the servers had been deleted. [...] As a result of his actions, NCS suffered a loss of $679,493.
Re: (Score:2)
What company doesn't have issues with offboarding? Especially for its tech workers. HR has no idea how to disable accounts, and while IT does, there are so many random accounts that have to be disabled, it's really hard to catch all of them. Sure, they should, but I've never yet seen a company that had a smooth offboarding process.
Re:offboarding (Score:4, Insightful)
That he kept the Admin password was his fault, but that the password didn't change for 6 months is the fault of the IT staff. Not turning off his VPN access (or allowing the Admin account to have VPN rights) is even worse. Everywhere that I worked after about 2004 had automatic scripts with queries to the HR database and once the user was marked as no longer active the script would disable the user account. Now if HR hadn't marked his record as inactive then it's their fault, but if he was fired that seems unlikely.
Having accessed that system so many times he probably was using it as a test system for his new job. Alternatively he may have been using the deleted servers to mine Bitcoin and thought to cover his tracks.
Re: (Score:3)
So does this fancy HR script of yours also disable GitHub accounts? Or Jira or Confluence or SalesForce or whatever third-party tools the company is using? Does it disable access to AWS or SQL users that aren't domain users? Does it disable Linux accounts on test servers? I'll bet that at least one of these entry points is vulnerable, even in your company with its HR script.
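The two posts above describe the same control from opposite sides: an HR-fed script that disables the directory account, and the long tail of accounts (GitHub, AWS IAM users, local Linux logins on test servers, a shared "administrator" credential) that no such feed reaches. What closes the gap is a reconciliation pass that inventories every system holding an account and compares it against the HR roster. The following is an added example, not code from NCS or from either commenter; the systems, employee ids, account names and dates are constructed for illustration.

```python
"""Offboarding reconciliation: find enabled access that an HR-driven
directory disable would not have touched.

Constructed example. HR_ROSTER and ACCOUNTS are invented sample data;
a real run would pull them from the HR system and from each account
store (directory, SaaS admin APIs, cloud IAM, /etc/passwd on hosts).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    owner: Optional[str]            # HR employee id, or None if nobody is linked
    enabled: bool
    privileged: bool = False
    shared: bool = False            # one credential known to a whole team
    secret_rotated: Optional[date] = None   # last password/key rotation, if tracked


# Constructed sample roster (assumption): one active employee, one terminated.
HR_ROSTER: Dict[str, dict] = {
    "e1001": {"status": "active", "end": None},
    "e1002": {"status": "terminated", "end": date(2022, 11, 16)},
}

# Constructed sample inventory (assumption) across federated and non-federated systems.
ACCOUNTS: List[Account] = [
    Account("directory", "a.tan", "e1001", enabled=True),
    Account("directory", "k.nagaraju", "e1002", enabled=False),   # HR feed disabled this one
    Account("github", "knagaraju-dev", "e1002", enabled=True),     # SaaS, not federated
    Account("aws_iam", "qa-deployer", "e1002", enabled=True, privileged=True),
    Account("qa_linux", "a.tan", "e1001", enabled=True),
    Account("qa_linux", "administrator", None, enabled=True, privileged=True,
            shared=True, secret_rotated=date(2022, 6, 1)),        # team-wide admin password
]

Finding = Tuple[str, str, str]   # (system, account name, reason code)


def find_orphaned_access(roster: Dict[str, dict], accounts: List[Account]) -> List[Finding]:
    """Return every enabled account that offboarding should have touched.

    Reason codes:
      OWNER_TERMINATED     linked owner is gone but the account still works
      SHARED_SECRET_STALE  a shared credential has not been rotated since the
                           most recent departure, so a leaver still knows it
      UNLINKED_ACCOUNT     no owner recorded, so no HR event can ever disable it
      UNKNOWN_OWNER        owner id is not in the HR roster at all
    """
    terminated = {eid: r["end"] for eid, r in roster.items() if r["status"] == "terminated"}
    latest_departure = max(terminated.values(), default=None)
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.owner in terminated:
            findings.append((a.system, a.name, "OWNER_TERMINATED"))
        elif a.owner is None and a.shared:
            if latest_departure is not None and (
                a.secret_rotated is None or a.secret_rotated < latest_departure
            ):
                findings.append((a.system, a.name, "SHARED_SECRET_STALE"))
        elif a.owner is None:
            findings.append((a.system, a.name, "UNLINKED_ACCOUNT"))
        elif a.owner not in roster:
            findings.append((a.system, a.name, "UNKNOWN_OWNER"))
    return sorted(findings)


if __name__ == "__main__":
    for system, name, reason in find_orphaned_access(HR_ROSTER, ACCOUNTS):
        print(f"{system:10} {name:16} {reason}")
```

The directory account shows up clean because the HR feed handled it; the GitHub user, the IAM user and the shared administrator password are exactly the entries the HR script never sees. Treating "no linked owner" as a finding in its own right is the important design choice: an account nobody owns cannot be deprovisioned by any event, so the only options are to link it to a person or to rotate its secret on every departure.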
Re: (Score:3)
**BUT** if VPN access is turned off then they're not likely to get to where they can access those resources. Now if IT has given those service accounts remote access that's an entirely different level of stupidity (which I've seen several times).
If users are getting on your network without being authenticated by your centralized user management system, whether it be Active Directory, AWS, NDS (gods help you) or some other LDAP then you're doing it wrong. Go to Remedial Network Security 101. Do not pass Go
Re: (Score:2)
So how exactly does your VPN help with GitHub, Jira, AWS? It's been a long time since I even connected to the company's VPN. And if you're doing your lower environments right, you've got separate AWS accounts for Dev, QA, Staging, and so on. Somebody's got to remember to turn all that off when you leave.
Re: (Score:2)
So you just leave all those resources available to the great wide world just protected by a username/password??? Yikes. I hope you're at least using a smartcard or some other hardware authentication.
Re: (Score:2)
Yes, it is indeed a scary world. Security is hard, people, including IT professionals, don't understand how to do it right.
Re: (Score:3)
Yep, in a lot of companies this is all highly automated, and the removal of all grants, logins, permissions, access, etc is done this way, and it works. It'll turn off everything, every tool and internal site.
I've had this done quite routinely when I left a position, and once by mistake. That was a nightmare. :(
At Boeing in Renton a friend of mine gave his boss his notice, turned in his badge at the reception area, and then went back to his desk. By the time he got back he was already locked out of every
Re: (Score:2)
That's nice when your stuff is on-prem. When you're using the cloud--GitHub, Jira, Confluence, AWS--those scripts aren't so easy to write. And then there's the one-off tools or services that are only used by a handful of people. Nobody's going to remember to shut those off.
Re: (Score:2)
When you're using the cloud--GitHub, Jira, Confluence, AWS--those scripts aren't so easy to write. And then there's the one-off tools or services that are only used by a handful of people. Nobody's going to remember to shut those off.
We're heavily cloud-centric and we use all of those and more. When they decommission you, they all get wiped as well. Everything gets zeroed out, and I mean everything.
Re: (Score:2)
That's nice, your company decided to pay for somebody to build that process. Most don't.
Re: (Score:2)
You've just made the core argument for federated identities like Azure AD. When the user's ID is disabled, it disables it everywhere.
There's still a gap with admin accounts. Those need to be a dedicated identity that's linked to a specific person and also disabled when that person is removed. This is a nontrivial problem.
There's still a gap with service accounts. On Windows, an imperfect workaround for that is "Managed Service Accounts" or "Group Managed Service Accounts" where the service account is "o
Re: (Score:2)
All of these are non-trivial problems, which is why they haven't been solved, including by NCS.
There are lots (I mean LOTS) of software vendors that don't yet support Federated ID.
Admin accounts shouldn't exist, period. Instead, specific people should be granted permissions to do specific things (like manage users or change configurations). Best practice in SQL Server, for example, is to disable "sa" and instead give specific people the permissions they need. But lots of software continues to follow the old
Re: (Score:2)
Never used GitHub or the others, but AWS will integrate with your LDAP authentication at no charge, there is no reason that I can see not to use it other than laziness. Any "one-off tools or services" absolutely should be within the company's security perimeter unless, again, laziness and/or incompetence is tolerated. Shutting off network access should mean shutting off access to everything on the network, period.
Re: (Score:2)
Not laziness. Doing security right is *extremely* expensive. For example, adding Federated ID capability to software is no small task, and it requires adaptations for each specific identity provider. It's going to take decades to rid the world of some of the bad security practices that originated decades ago, when they weren't actually bad security practices. Remember when triple-DES was considered high security? This isn't laziness, it's cost management.
Re: offboarding (Score:2)
"Cost management" is just an excuse for not doing the job right.
Re: (Score:2)
I disagree. What is the definition of "doing the job right"?
If I build a shed in my back yard, the definition of "done right" is very different than if I build a house, and again very different than if I build a high-rise. In software too, it matters who and how big the audience is, and the scale of the project, and the sensitivity of the data, and the consequences of outages, and so on. In other words, everything you do in software is a cost-benefit equation, and the answer is not the same for everyone.
Re: (Score:2)
So you're going to pretend that the Russian equivalent of Katherine Graham is an official Kremlin position. It's bad enough that you're boring, and not too smart, but dishonest too.
SlashDot used to be home to the greatest trolls on the Internet, the flame wars could outshine the sun. The current crop is pitiful.
Re: (Score:2)
The VAST majority is using SSO these days, but everything else is controlled via an IAM. There are some old mainframes responsible for payroll (it's always payroll) and certain SaaS that have to be done manually by an administrator. They get a ticket cut from the IAM to terminate access. I'm sure there's some SaaS stuff that takes like
Re: (Score:2)
some weird random SaaS stuff departments shadow IT people might be using
This is exactly the kind of stuff I'm talking about. Every department everywhere has its own "shadow" IT, or at least enterprising individuals who set up their own Google accounts or Trello or who knows what.
Re: (Score:1)
He rented a room with a former NCS colleague and used his Wi-Fi network
Social engineering still at work 40 years after Mitnick.
Re: offboarding (Score:2)
Why is this news? It's not even that much money. The guy probably saved them as much in license costs. It probably cost more to investigate.
Heck, in today's monies, the "100 years old" lesson learned came pretty cheap. Now if they didn't learn the lesson... have it happen 2-3x more to learn it is still cheap.
Why did he have access? (Score:3)
Firing people is a very well understood process. Or should be.
You arrange a meeting with person.
You let IT know that at time($x) person's access needs to be yanked. $x is the scheduled end of meeting.
You have meeting.
At end of meeting confirm with IT access has been terminated.
Seriously, this isn't rocket science.
Re: (Score:2)
> After Kandula's contract was terminated and he arrived back in India, he used his laptop to gain unauthorized access to the system using the administrator login credentials
They don't give all the details, but it seems likely that this was a case where you needed an admin password to get something done at their job, so they gave that password to all 20 employees (and then didn't change it after he left).
That's *atrociously bad* security policy, but less of a "how they fire people" issue than just a basi
Re: (Score:2)
I've been at places like that.
1) why did his vpn still work?
2) if access to admin didn't require vpn, fire people until it does
3) if 1 & 2 are not options then yes you have to change the admin password(s) after firing someone.
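Whether or not the VPN and the admin password get fixed, the access described in the article (a terminated user's VPN logins in January, the shared administrator account used from a colleague's home connection in February, and more than a dozen sessions in March) is the kind of pattern a detection rule over authentication logs should surface well before a deletion script runs. The following is an added example, not anything from NCS or the commenters; the log format, the corporate address ranges and the log lines are constructed for illustration.

```python
"""Flag authentication events that offboarding should have made impossible.

Constructed example. The log format, address ranges, user names and
sample lines are invented; adapt the regex to the VPN or jump-host
log you actually have.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed log format:  <iso-timestamp> <system> user=<name> src=<ip> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed HR data: users whose last day of employment has passed.
TERMINATIONS: Dict[str, date] = {"k.nagaraju": date(2022, 11, 16)}

# Assumed: credentials that are shared by a team rather than owned by one person.
SHARED_ACCOUNTS = {"administrator"}

# Assumed corporate source ranges; everything else is "external".
CORPORATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Constructed sample log (assumption), loosely following the article's timeline.
SAMPLE_LOG = """\
2023-01-06T02:14:09 vpn user=k.nagaraju src=198.51.100.23 result=success
2023-01-06T02:15:30 qa-admin user=administrator src=198.51.100.23 result=success
2023-01-10T09:02:11 vpn user=a.tan src=10.20.30.40 result=success
2023-01-10T09:05:00 qa-admin user=administrator src=10.20.30.40 result=success
2023-02-23T21:40:05 qa-admin user=administrator src=192.0.2.9 result=success
2023-03-18T01:00:00 vpn user=k.nagaraju src=192.0.2.9 result=failure
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    system: str
    user: str
    src: str
    result: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["system"], m["user"], m["src"], m["result"])


def is_corporate(src: str) -> bool:
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_RANGES)


def reasons_for(ev: AuthEvent) -> List[str]:
    """Why this event deserves an alert, if at all."""
    reasons = []
    end = TERMINATIONS.get(ev.user)
    # Any attempt, successful or not, by a user past their end date is a finding:
    # the account should no longer exist, so even a failure shows it is still reachable.
    if end is not None and ev.ts.date() > end:
        reasons.append(f"TERMINATED_USER_{ev.result.upper()}")
    # A shared privileged credential used from outside the corporate ranges is a
    # finding on its own, because nobody can say which person was behind it.
    if ev.user in SHARED_ACCOUNTS and ev.result == "success" and not is_corporate(ev.src):
        reasons.append("SHARED_ADMIN_FROM_EXTERNAL")
    return reasons


Alert = Tuple[str, str, str, str]   # (timestamp, user, source ip, reason)


def scan(log_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in reasons_for(ev):
            alerts.append((ev.ts.isoformat(), ev.user, ev.src, reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

The two internal lines (a.tan over VPN, administrator from a corporate address) produce nothing; the first external use of the shared administrator account is already an alert on its own, independent of who was behind it. The March failure is still reported: a failed login from a terminated user tells you the account has not been removed, which is the condition the comment above is complaining about.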
Re:Why did he have access? (Score:5, Interesting)
I once worked for a software company that's been around for 30 years or so. There was a lot of legacy crap that never kept up with the times, related to security. For example, they had a network admin account that was pretty much superuser everywhere, and that account had been used to set up a LOT of servers and services. Everybody knew the password, and it couldn't be changed without risking all kinds of things suddenly crashing or going down. My guess is that now, 10 years after I left that company, the password has never been changed.
While this is an extreme case, every company has dark corners where this kind of stuff goes on.
Re: (Score:2)
Wow, that makes my stomach hurt to read for so many reasons.
That's not only an atrocious security situation but says no one has maintained documentation on how the systems work or interoperate. I suspect several pieces couldn't be rebuilt when the underlying hardware finally burns out and dies. I've picked up jobs as the clean up fix it guy for places like that after they had the big disaster and several "key" people were no longer employed and their names struck from history, only to be whispered in dark
Re: (Score:2)
Yep, exactly. Many businesses, especially those that are owned by PE firms, are always go, go, go, don't stop to clean up old messes, just go, go, go, make money money money.
Re: Why did he have access? (Score:2)
So a person at the company called me, I made sure I had my mobile phone ready, they did the password reset, I got the six digit code on my phone, gave it to them over the phone. They finished the password reset and changed 2FA away from my pho
Re: (Score:2)
That's nice. But try using that approach for hard-coded database connection strings. There are a lot of types of connections that still don't support 2FA.
Re: (Score:3)
Firing people is a very well understood process. Or should be.
You arrange a meeting with person.
You let IT know that at time($x) person's access needs to be yanked. $x is the scheduled end of meeting.
You have meeting.
At end of meeting confirm with IT access has been terminated.
Seriously, this isn't rocket science.
In many countries you're expected not only to provide notice of firing, but expected to continue to work months after. Sure something went wrong here given that he left the entire country and still had access, but your scenario is representative of only the most toxic work places or the most sensitive jobs.
In reality your access is normally yanked the day you clean out your desk, not the day you have a meeting.
Re: (Score:2)
Ok, yea, laws vary by country. What I've seen my overseas counterparts do is pay out the rest of their time and put them in what they called "green field" or some phrase like that, which meant they are still on payroll and technically employed but access is cut and they have no work assignments.
In this case it looks like he had full access months later and still seems to have had his company laptop or his personal laptop still was in the system.
Either way, whatever the laws, there's no excuse to allow him t
Re: (Score:2)
And I've seen my American colleagues keep working for 2 months on the very project, in the very position before they were given notice.
There's no standard way of firing people. Not even within a country.
Poor dumb motherfucker (Score:2)
As for future employment prospects... yeah. It was worse than selfish, it was purely vindictive.
Huh? (Score:4, Funny)
I feel bad for the Nutria Containment Society, they do important work!
That said, why do they need a 20 person QA team? Sounds fishy to me. He was probably framed.
$679,493 (Score:3)
That is suspiciously precise. Someone invoiced the coffee machine breaks down the hall during recovery :)
Also, to NCS' credit, this amount looks "normal" for a change: usually when a company suffers computer damage from a former employee - or anyone really - it comes up with figures in the millions for things that simply require reinstalling the backup on a few machines. Usually the quoted figures are completely outrageous and obviously disconnected from the actual damage and what it took to fix it. In contrast, $679K sounds like it might actually be a realistic figure.
Re: (Score:2)
If it was their test system it might not have been backed up at all, and was probably poorly documented at best. It may well have taken that long to reconstruct.
Re: (Score:1)
It's entirely made up. It doesn't divide by 180, it ends with a 3 (human introduced fake numbers often do) and is not rationalized or justified in any way.
Also 1 year 8 months seems a randomly stupid amount of prison time. Couldn't round up to 2 yrs? Couldn't round down to 1.5 yrs? Just stupid.
But that is how third-world countries are. We're working on getting that stupid here in the US. Just wait to see what Hunter Biden's sentence is... when he did what EVERY SINGLE GANG MEMBER and EVERY SINGLE CART
Re: (Score:2)
1. The $ amount was probably from a currency conversion
2. One year eight months is 1 2/3 years, nice and round
3. lol
Re: (Score:2)
Singapore is far from a third world nation. They are considered first world and highly advanced technologically. The government is rather bad - authoritarian to say it nicely, but generally considered "failed democracy" along w
Re: (Score:2)
"Just wait to see what Hunter Biden's sentence is"
I don't understand what's the fuss about Hunter Biden & what's so heinous about what he did?
The text of the 2nd Amendment states clearly "the right of the people to keep & bear arms shall NOT be infringed".
So he used drugs? So what? What he dealing them? Giving them to kids? Committed a violent felony, or any felony while under the influence?
If you already own guns, is it illegal to get high?
Why can a convicted felon run for office - apparently even
Re: (Score:2)
"That is suspiciously precise."
The damages were not calculated in US dollars, since the trial was in Singapore. In fact, the actual source article reasonably rounds the S$918,000 value when converted as US$678,000.
$679,493 does not appear in the original article, which makes me think the submitter tried to be too clever and made that change on their own.
Re: $679,493 (Score:2)
And if that costs more than just restoring service, that's his problem. Shouldn't have hacked in in the first place.
cost? (Score:2)
Re: (Score:2)
It would need to be rebuilt plus would have knock-on effects to work in progress
Self-Inflicted Wound (Score:2)
Re: (Score:3)
I disagree. There were two crimes here (though only one is likely subject to prosecution): First, the crime of illegal computer access and the damage done with it, second, the corporate negligence that allowed that crime to be successfully executed.
Each crime has a 100% responsible entity to assign blame to.
How the does this happen? (Score:2)