When Your Sysadmin Goes Rogue

Image credit: iStockphoto/Sylverarts

How well do you know your employees? Well enough to be confident they'll never lock you out of your systems?

It's a question being asked at Chinese real-estate brokerage Lianjia (链家), formerly known as Homelink, according to Wikipedia. One of their IT employees, former database administrator Han Bing, seems to have gone rogue in a 2018 incident, and the consequences were not pretty.

“[Han] Bing used admin privileges and a root account to access the company’s financial system and delete data found on two database servers and two application servers,” said IT Pro U.K. “The action immediately affected large parts of Lianjia’s operations which left tens of thousands of employees without salaries for an extended period. The company also had to carry out data restoration efforts which cost around [USD]30,000.”

Rogues and renegades

Han's case is far from unique. Last year, 35-year-old Juliana Barile of Brooklyn, New York, wasn't best pleased with her firing. “In an act of revenge for being terminated, Barile surreptitiously accessed the computer system of her former employer, a New York Credit Union, and deleted mortgage loan applications and other sensitive information maintained on its file server,” said Jacquelyn M Kasulis, Acting U.S. Attorney for the Eastern District of New York, in a press release.

“According to court filings, Barile was fired from her position as a part-time employee with the Credit Union on May 19, 2021. Two days later, on May 21, 2021, Barile remotely accessed the Credit Union’s file server and deleted more than 20,000 files and almost 3,500 directories, totaling approximately 21.3 gigabytes of data," said the DOJ. "To date, the Credit Union has spent approximately [USD]10,000 in remediating Barile’s unauthorized intrusion and destruction of data.”

“This sort of thing happens fairly frequently,” said The Register in a story reporting the Barile case. “In August 2020, for example, a former Cisco employee admitted to deleting 456 AWS virtual machines for Cisco’s WebEx Teams application without authorization some five months after leaving the networking biz. A year earlier, a former IT admin for Arizona-based Blue Stone Strategy Group was sentenced to more than two years in prison for deleting his employer's files. Also, in 2019, an IT consultant based in the U.K. earned a two-year sentence for deleting servers from his former employer's AWS accounts.”

The case of Terry Childs

“Terry Childs is a former network administrator [who] was convicted in 2010 of felony network tampering for refusing to divulge the administrative passwords to San Francisco city and county government's FiberWAN system to his supervisors,” reads Wikipedia. The case is a textbook lesson on delegation of responsibility and a wake-up call for CDOs everywhere.

"Childs...was a member of the San Francisco DTIS, the city's IT department, for the past five years," writes Paul Venezia at InfoWorld. "As the city's most experienced and advanced network administrator, he essentially single-handedly designed and built the FiberWAN, a city-wide network built on fiber interconnects and MPLS."

"'There's not one thing that man couldn't make,' said Childs's brother in a San Francisco Chronicle article. "'You could hand him a TV, and he could make a watch out of it'."

Understaffing tech support can be catastrophic

Venezia writes that Childs applied and was granted a copyright for the network design and "became the sole administrator of the FiberWAN, and the only person with the passwords to the routers and switches that comprised the network." Budget cuts led to staff reductions, and the alarm bells got louder: "Sources have stated that not only was Childs, the only admin, [but] he was also always on call, 24 hours a day, 7 days a week, 365 days a year."

What happened in the summer of 2008 is subject to interpretation, but what is clear is that Childs was suspended for insubordination on July 9. "That afternoon, Childs 'unwittingly' found himself in a surprise meeting in the city’s Hall of Justice, where Childs maintained network facilities," said PCWorld. "The July 9 meeting was the culmination of a long-simmering dispute between Childs and his managers, who had been seeking administrative passwords to the network since at least February." Ouch.

“Send the mayor to my jail cell”

Childs was arrested on the evening of July 12 but still refused to divulge the network passwords, saying he would only give them to then-San Francisco mayor (now California governor) Gavin Newsom. "Late on Monday, July 21, Newsom paid Childs a visit in jail, met with Childs for 15 minutes, and received the passwords. Newsom then gave this information to DTIS officials, and — following a clarifying call to Childs — DTIS was finally able to log into the routers and switches of the FiberWAN."

The court records as listed by Wikipedia show that "in October 2013, the California Court of Appeals affirmed Childs' conviction and his obligation to pay nearly USD1.5 million in restitution." But Venezia writes that those who knew Childs said he had to put up with political games, staff reductions, incompetent coworkers, and a hostile work environment.

What CDOs need to take away from this regrettable situation is that understaffing tech support can be catastrophic to network management. As FBI Assistant Director-in-Charge Driscoll said when commenting on the Barile case: “An insider threat can wreak just as much havoc, if not more, than an external criminal.

Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IOT, payment gateways, robotics and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].

Image credit: iStockphoto/Sylverarts