Paper factory fired its sysadmin. He returned via VPN and caused $1m in damage. Now jailed

A sacked system administrator has been jailed after hacking the control systems of his ex-employer – and causing over a million dollars in damage. Brian Johnson, 44, of Baton Rouge, Louisiana, US, had worked at paper maker Georgia-Pacific for years, but on Valentine's Day 2014 he was let go. He didn't take that lying down, and …


  1. Alister
    Facepalm

    "This case is a powerful reminder of the very real threat and danger that businesses and individuals face from cyberattacks and other cyber-related criminal activity," said United States Attorney Walt Green on Thursday.

    Or...

    This case is a powerful reminder to businesses to take rudimentary security precautions when terminating staff, like removing their access to your networks, for instance.

    1. ecofeco Silver badge

      Yep. Guy was still a stupid crook, though, but the company certainly fell down on their end as well.

    2. Anonymous Coward

      Which puts some question marks on his colleagues and/or his replacement...

      1. 2460 Something
        Facepalm

        Puts a question mark on his competence as well... getting caught, tsch, obviously didn't watch enough 'Hackers' ... or maybe he watched too much and was trying the VCR battle scene with toilet paper and kitchen roll...

        1. Anonymous Coward

          getting caught, tsch, obviously didn't watch enough 'Hackers'

          Those acting in rage are usually the most prone to make mistakes, and may not even have the full required skills to hide their tracks (luckily). Still, they may do enough damage before being caught.

        2. The IT Ghost

          He must've been angry and bitter - that much is clear from two facts - first, he started his rampage right after he was sacked, and second, a felony rap like this means he's going to have a hell of a job finding work again at all, and the nature of his crime means he torpedoed his IT career. It's not like he took some exotic, skilled way in to make mischief he could teach others to avoid - they left the door wide open!

          HR has a tendency to forget to notify IT of things...I've had many a battle with them. The moment the head of HR closes their office or conference room door to have "The Talk" with the about-to-be-unemployed, an underling needs to be ON THE PHONE with IT. That person should not leave that room with working credentials.

    3. Sampler

      So how long...

      Did the sysadmin who didn't terminate his access get and how big was their fine for criminal negligence?

      1. chivo243 Silver badge

        Re: So how long...

        @Sampler

        As far as user accounts are concerned, where I'm at, we are bound by HR's decisions. In a company of that size, HR drone x was supposed to send out the message, was off for a few days, one request lost in the shuffle of catching up...

        However, IF one of my colleagues was given the moving box and shown the door by security, I would be asking my boss to contact HR STAT...

        1. Stoneshop
          Facepalm

          Re: So how long...

          As far as user accounts are concerned, where I'm at, we are bound by HR's decisions.

          In all cases that I can remember, the command

          $ mc authorize mod <user> /flag=disable/pass=<arglebargle>

          was issued roughly in sync with the door closing behind him/her, after which HR could (and sometimes would) take their own sweet time asking for the account to actually be deleted.

          If HR is stupid enough to object to that*, just point to the ICT department's task description, which should include "taking all required steps to prevent unauthorized access", or words along those lines.

          * as the request comes in to delete the user's accounts you just answer "done", not "done already a week ago".

      2. Anonymous Coward

        Re: So how long...

        "Did the sysadmin who didn't terminate his access get and how big was their fine for criminal negligence?"

        You're presuming they hired a new one and he had time to learn the set up. If they just got rid of him and left some poor bugger to pick up the pieces without fully understanding the layout of the systems.

    4. chivo243 Silver badge
      Pint

      @Alister

      Beat me to it +1 and a pint

      Sure sounds like the bullshit mill is producing 24/7. How fitting that they're talking about a toilet paper factory that produces 24/7.

      This is not cyberterror. It's another rogue sysadmin. Pretty soon an incorrect setting on a modem will be cyberterror. FUD flavored Kool-aid anyone?

      1. John Brown (no body) Silver badge
        Thumb Up

        "This is not cyberterror. It's another rogue sysadmin. Pretty soon an incorrect setting on a modem will be cyberterror. FUD flavored Kool-aid anyone?"

        Yup, that's what most jumped out of the page for me too on reading this article.

    5. cray74

      This case is a powerful reminder to businesses to take rudimentary security precautions when terminating staff, like removing their access to your networks, for instance.

      From the time my manager hung up on me, having delivered the explanation for the boot that was about to kick me out the door, I had about 5 minutes before I lost access to email and the network. Of course, they'd had a lot of practice shutting down access before getting to me.

      1. JetSetJim

        Was it *his* account being used?

        But was it *his* account or had he stolen someone else's credentials? They didn't say "after consulting server logs they found his account still active and causing havoc", but instead "the timing of the attacks raised their suspicion"

  2. Anonymous Coward

    Procedures matter

    When dealing with any termination, the process matters. And making sure you minimize your risk is paramount. To see in this day and age that negligence to protect one's own interests is still forgiven in all circumstances related to the F.M. that is Information Technology is beyond the pale.

    Not to say I am defending the sackee's actions, as in my opinion, it is NEVER okay to mess with a company you no longer work for, no matter how angry. But c'mon, let's see a bit of responsibility on the part of the sacker to protect their interests.

    Maybe a 50% loss on their loss to serve as a harsh reminder to take their own interests seriously in the IT realm?

    Anonymous for reasons...Mine will be the non-descript one.

    1. a_yank_lurker

      Re: Procedures matter

      Where I work, when someone leaves, their access is terminated the day they leave. But this is such a rudimentary step that PHBs and their even more incompetent kin, the MBAs, cannot grasp why it is important.

      1. Anonymous Coward
        Black Helicopters

        Re: Procedures matter

        Where I work, when someone leaves their access is terminated the day they leave.

        He was a sysop. Widespread root access while he was working there. Not rocket science to leave himself multitudinous backdoors (some perhaps time- or event-driven) that would outlive termination of his access.

        Even much deeper procedures - like audit trails via comprehensive and forensic logging - could have been subverted well in advance.

        1. Anonymous Coward

          Re: Procedures matter

          Even much deeper procedures - like audit trails via comprehensive and forensic logging - could have been subverted well in advance.

          Absolutely correct, which is why we rotate those audits not only between key staff but also contracted 3rd parties. Staff actively collaborate with this because they know these audits are their best chance of proving innocence if something similar happens.

          As for not locking down this person in full, that assumes indeed that you have a grip on all gateways to the company. During due diligence of a company we came across a WiFi access point jacked into the network. Due to network segregation it wasn't able to get to the financials, but for any DHCP enabled network adding one of these things takes seconds, and if you don't have ARP detection on your networks you may not even notice it being added.

          Yes, security is a process. It may be boring, but not executing it will eventually be costly.
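The "WiFi access point jacked into the network" scenario above is exactly the kind of thing a DHCP lease log and an ARP table can reveal, provided somebody actually compares them against an asset inventory. The script below is an added example, not code from the commenter's company or from this thread: it parses ISC dhcpd `DHCPACK` syslog lines and `arp -an` output, flags any MAC address not in the inventory, and flags IPs where the lease and the ARP table disagree on the MAC. The inventory, the OUI lookup table and every log line are constructed samples.

```python
"""Spot unknown devices on a DHCP-enabled segment from dhcpd and ARP output.

Reads ISC dhcpd DHCPACK log lines and `arp -an` lines, compares every MAC
seen against an asset inventory, and reports:
  - MACs not in the inventory (a newly plugged-in device, e.g. a rogue AP)
  - IPs whose MAC differs between the lease log and the ARP table
The log lines, inventory and OUI table below are constructed samples.
"""
import re

# ISC dhcpd syslog format: "DHCPACK on <ip> to <mac> (<hostname>) via <if>"
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)", re.I)
# `arp -an` format: "? (<ip>) at <mac> [ether] on <if>"
ARP_RE = re.compile(
    r"\? \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_dhcp(lines):
    """Return {ip: (mac, hostname)} from DHCPACK lines; later lines win."""
    seen = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            seen[m["ip"]] = (m["mac"].lower(), m["host"] or "")
    return seen


def parse_arp(lines):
    """Return {ip: mac} from `arp -an` lines."""
    seen = {}
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            seen[m["ip"]] = m["mac"].lower()
    return seen


def audit(dhcp_lines, arp_lines, inventory, oui_table):
    """Return a list of (finding_type, message) tuples."""
    findings = []
    dhcp = parse_dhcp(dhcp_lines)
    arp = parse_arp(arp_lines)
    known = {mac.lower() for mac in inventory}
    macs = {mac for mac, _ in dhcp.values()} | set(arp.values())
    # Anything not on the asset list is a device somebody plugged in unasked.
    for mac in sorted(macs):
        if mac not in known:
            vendor = oui_table.get(mac[:8].upper(), "unknown vendor")
            findings.append(("unknown-device", f"{mac} ({vendor}) not in inventory"))
    # A lease for one MAC but ARP answering with another is worth a look.
    for ip, (lease_mac, _) in dhcp.items():
        if ip in arp and arp[ip] != lease_mac:
            findings.append(("mac-mismatch",
                             f"{ip} leased to {lease_mac} but ARP says {arp[ip]}"))
    return findings


# --- constructed sample data (hypothetical MACs, hosts and vendors) ---
INVENTORY = {"00:11:22:33:44:55": "printer-2", "00:11:22:aa:bb:cc": "hr-laptop-07"}
OUI_TABLE = {"00:11:22": "ExampleCorp NICs", "DE:AD:BE": "Acme Wireless"}
DHCP_LOG = [
    "Feb 20 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to 00:11:22:33:44:55 (printer-2) via eth0",
    "Feb 20 09:02:40 dhcp1 dhcpd: DHCPACK on 10.0.1.58 to 00:11:22:aa:bb:cc (hr-laptop-07) via eth0",
    "Feb 20 09:03:05 dhcp1 dhcpd: DHCPACK on 10.0.1.99 to de:ad:be:ef:00:01 (wifi-ap) via eth0",
]
ARP_TABLE = [
    "? (10.0.1.57) at 00:11:22:33:44:55 [ether] on eth0",
    "? (10.0.1.58) at de:ad:be:ef:00:02 [ether] on eth0",   # not the laptop the lease says
    "? (10.0.1.99) at de:ad:be:ef:00:01 [ether] on eth0",
]

if __name__ == "__main__":
    for kind, msg in audit(DHCP_LOG, ARP_TABLE, INVENTORY, OUI_TABLE):
        print(f"[{kind}] {msg}")
```

Run against the sample, it reports the two `de:ad:be:*` devices as not in inventory and 10.0.1.58 as a lease/ARP mismatch. On a real segment the inputs come from `/var/log/syslog` on the DHCP server and from `arp -an` on a host attached to that segment; the point is that the comparison has to be scheduled, not done once.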

          1. kmac499

            Re: Procedures matter

            "Staff actively collaborate with this because they know these audits are their best chance of proving innocence if something similar happens."

            Enlightened thinking. The simple, almost 100%, fact is that every new hire will at some point leave, some amicably, some not, so be prepared.

            It's also a good argument for visible security procedures. If several people are reviewing the number and type of user accounts the sudden appearance of "Dingo101" with full sysadmin rights will be spotted early.
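Two checks the thread keeps coming back to, disabling a leaver's access at the moment of termination (Alister, Stoneshop) and having several people review the privileged account list so that a stray "Dingo101" is spotted early (kmac499), can both be run as a daily reconciliation of the HR roster against directory accounts. The script below is an added example, not anything posted in the thread or used at Georgia-Pacific: the roster, the two account snapshots, the group names and the two helper functions are all constructed for illustration.

```python
"""Leaver / privileged-account reconciliation: HR roster vs. directory accounts.

Two checks a security team can run daily:
  1. Terminated employees whose accounts are still enabled, still hold a
     VPN entitlement, or still sit in a privileged group.
  2. Privileged accounts that appeared since the last review, or that map
     to no active employee at all (the 'Dingo101' case).
All data below is constructed for the example; group names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "VPN-Admins"}
VPN_GROUPS = {"VPN-Users", "VPN-Admins"}


@dataclass
class Employee:
    emp_id: str
    name: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set when status == "terminated"


@dataclass
class Account:
    username: str
    emp_id: Optional[str]            # None means no HR owner on record
    enabled: bool
    groups: set = field(default_factory=set)


def stale_leaver_access(roster, accounts, as_of):
    """Return [(username, [issues...])] for accounts belonging to employees
    whose termination date is on or before `as_of` but that still grant access."""
    terminated = {e.emp_id for e in roster
                  if e.status == "terminated" and e.end_date and e.end_date <= as_of}
    findings = []
    for acct in accounts:
        if acct.emp_id not in terminated:
            continue
        issues = []
        if acct.enabled:
            issues.append("account still enabled")
        if acct.groups & VPN_GROUPS:
            issues.append("still VPN-entitled")
        if acct.groups & PRIVILEGED_GROUPS:
            issues.append("still in privileged group")
        if issues:
            findings.append((acct.username, issues))
    return findings


def privileged_review(previous, current, roster):
    """Compare two account snapshots. Returns 'new_privileged' (usernames that
    gained a privileged group since the last review) and 'orphaned_privileged'
    (privileged accounts with no active employee behind them)."""
    active_ids = {e.emp_id for e in roster if e.status == "active"}
    prev_priv = {a.username for a in previous if a.groups & PRIVILEGED_GROUPS}
    new_priv, orphaned = [], []
    for acct in current:
        if not (acct.groups & PRIVILEGED_GROUPS):
            continue
        if acct.username not in prev_priv:
            new_priv.append(acct.username)
        if acct.emp_id not in active_ids:
            orphaned.append(acct.username)
    return {"new_privileged": sorted(new_priv), "orphaned_privileged": sorted(orphaned)}


# --- constructed sample data ---
ROSTER = [
    Employee("E100", "A. Admin", "active"),
    Employee("E200", "B. Leaver", "terminated", date(2014, 2, 14)),
    Employee("E300", "C. Clerk", "active"),
]
# Snapshot from the review before the termination.
LAST_WEEK = [
    Account("aadmin", "E100", True, {"Domain Admins", "VPN-Admins"}),
    Account("bleaver", "E200", True, {"Domain Admins", "VPN-Users"}),
    Account("cclerk", "E300", True, {"Staff"}),
]
# Today's snapshot: bleaver was never disabled, and an admin account with
# no HR owner has appeared.
TODAY = [
    Account("aadmin", "E100", True, {"Domain Admins", "VPN-Admins"}),
    Account("bleaver", "E200", True, {"Domain Admins", "VPN-Users"}),
    Account("cclerk", "E300", True, {"Staff"}),
    Account("Dingo101", None, True, {"Domain Admins"}),
]
AS_OF = date(2014, 2, 20)

if __name__ == "__main__":
    for user, issues in stale_leaver_access(ROSTER, TODAY, AS_OF):
        print(f"LEAVER {user}: {', '.join(issues)}")
    print(privileged_review(LAST_WEEK, TODAY, ROSTER))
```

The first check is the automated version of "that person should not leave the room with working credentials": it fires as long as HR's termination record exists, whether or not HR remembered to tell IT. The second is what several reviewers comparing snapshots would do by hand, and it catches both the account nobody owns and the account whose owner has left.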

        2. John H Woods Silver badge

          Re: Procedures matter

          Whilst I agree, it appears in this case they had not terminated his corporate VPN access.

        3. Stoneshop

          Re: Procedures matter

          Even much deeper procedures - like audit trails via comprehensive and forensic logging - could have been subverted well in advance.

          Could, but judging by his actions, it's unlikely he could have pulled that off.

    2. Steve Davies 3 Silver badge

      Re: Procedures matter

      The process of "You are fired" followed by "Security will walk you off the premises" really does not work too well these days. With remote access almost mandatory for people in IT, the PHBs really have no clue what pain could rain down on them for doing this to the wrong person.

      That said, this perp was a bit thick. He should have been far more devious, but to leave the VPN client on his laptop and to not clear the logs is frankly stupid.

      Anyone with half a brain would do this via a VM that is easy to destroy, VPN to at least three different countries before coming back to wreak havoc. I could go on but it is just common sense. He's obviously lacking in this department.

      1. Steve Knox
        Mushroom

        Re: Procedures matter

        Anyone with half a brain would do this ...

        Anyone with a functioning brain wouldn't do this.

        1. Peter2 Silver badge

          Re: Procedures matter

          Quite. It's an object demonstration of the skills crisis in IT.

          Professionalism matters. If you were going to do something like this then it ought to be done competently and thoroughly without leaving any fingerprints, both physically and metaphorically.

          If he was this sloppy then you can see why they fired him!

      2. Anonymous Coward

        Re: Procedures matter

        Sounds like you have experience hacking and leaving destruction behind.

        1. Peter2 Silver badge

          Re: Procedures matter

          None whatsoever, Mr Anonymous Coward, but if you haven't considered what somebody with your skill level and knowledge could do to your systems, then how do you put procedures and logs in place to try and eliminate those deficiencies or ensure that you can see it coming?

          Any professional who can build and manage a complex system can come up with subtle and non-obvious ways of making it degrade or fall apart without leaving any evidence when he knows the system inside out and has been responsible for reading the logs, and so knows what is (and is not) logged. That a sysadmin should get caught breaking a system he's this familiar with does show he's not exactly the sharpest tool in the box.

          Along with the fact he did it at all instead of just getting another job of course.

  3. Steve Aubrey

    Not Mom and Pop

    With 200 facilities and 35K employees, they should have had their procedures down, as Alister said.

    I think the defense attorney could have spun this as a non-authorized penetration test and gotten the time reduced. An impromptu disaster recovery episode, and lower the fine. A single-person red team attack.

    None of that is true, of course, and maybe that did happen at the trial. Perhaps the original sentence was ten years and ten million dollars.

    And perhaps the yoyo should have stayed out after he got his pink slip (and on Valentine's Day? C'mon, Georgia-Pacific. That was a bit cruel).

    1. A Non e-mouse Silver badge

      Re: Not Mom and Pop

      I think the defense attorney could have spun this as a non-authorized penetration test and gotten the time reduced

      *IF* (and that's a big if) he had caused no damage or loss, maybe. But he set out to damage equipment. That's not a penetration test, but wilful damage and he deserves to be banged to rights.

    2. Doctor Syntax Silver badge

      Re: Not Mom and Pop

      "I think the defense attorney could have spun this as a non-authorized penetration test"

      Indeed, a defence lawyer's job is to spin any defence that offers itself. There's no guarantee it will be accepted, and if that one succeeded the court would need to provide a runway for the pigs.

  4. Blofeld's Cat

    Many years ago...

    A colleague of mine had to unexpectedly take over from a sysadmin who was dismissed without notice.

    The person concerned had been caught stealing from the company, and my colleague basically got the time it took the police to arrest him and do the paperwork, to lock him out of everything.

    It turned out that their former sysadmin had left behind numerous booby-traps (e.g. sending mail to a particular email address would drop database tables) and back-doors on the company's systems. Everything had to be treated as suspect and locked down.

    Fortunately the company had realised in advance that dismissing somebody with unrestricted access to their systems was a tricky business, and had made plans accordingly. They also had a long-standing procedure in place for making sure that both their regular backups, and all the key passwords held in the CEO's safe, actually worked.

    1. Anonymous Coward
      Black Helicopters

      Re: Many years ago...

      Cat and mouse there, when everything has to be treated as suspect. What easter eggs are deeply rooted in those backups? All the key passwords worked when tested, but what about the next day or week, if the evil mastermind wasn't there to trigger a (trojanised) process that incrementally prolonged their lifetimes?

      When all the resources of the US government give us Manning and Snowden, when a million students no doubt create diverse clever schemes to gain unauthorised access purely as an academic exercise with no intention of ever abusing that access, not everyone's defences are going to hold.

  5. Ragequit
    FAIL

    For now the FBI...

    will use cases like this for a self congratulatory shoulder slap (not that they did much) but if they become too common I could see some laws being introduced to fine grossly negligent businesses like this. Then again governments have their heads in their nether regions in regards to IT so I hope all the free press is worth the extra case load.

  6. Anonymous Coward
    FAIL

    Call me old fashioned if you will but...

    I take pride in my work. Of course it helps that I'm a geek, but I enjoy working within IT, tinkering with stuff, network administration, sorting stuff out, keeping servers running, etc, etc. Sure, losing your job isn't fun nor easy, I speak from personal experience as well. Happened quite a few years ago, but I still remember.

    But seriously... No matter how mad I might have become I'd never stoop so low as to violate the trust people placed in you like that. And it's also something I don't get, to be honest. If you're a real sysadmin (at least in the way I vision it, of course) you'd think twice before taking such a destructive route. I mean, seriously, trying to destroy the very thing you worked so hard to build? That part makes no sense to me, none whatsoever.

    Not to mention that there are much better ways to fight such a thing. Legal ways that is. Unless of course you're under a contract which expired and wasn't renewed. But especially then it also was something you could have seen coming, or at least kept in mind as a possibility.

    But... "let's put the blame on everyone else except yourself". Seems to be a very modern thing these days and to be honest it often appalls me.

    1. Anonymous South African Coward Bronze badge

      Re: Call me old fashioned if you will but...

      Agreed. I have the ways and means of installing undetected backdoors etc, but will never do it. Just is not worth the effort and the pain it brings.

      I won't do BOFH-style because the music that follows just is not worth it.

      Rather I'll suck it up, grin and bear it, and look for another job, and put everything behind me. Only immature people delight in revenge.

      1. BebopWeBop

        Re: Call me old fashioned if you will but...

        Generally I agree. However, if you consider truthfully reporting on the sh*tty behaviour of my ex-employer 'taking revenge', then I am afraid I would have no problem taking that type of 'revenge'. Destroying and/or disrupting systems, however, I agree to be beyond the pale.

        1. lglethal Silver badge
          FAIL

          Re: Call me old fashioned if you will but...

          There's also the fact that you are very unlikely to get another job in IT after destroying your previous employer's system. So you're basically saying that in the future you will need a new job, but it will have to be one without computers. Good that you spent all those years training up as a sysadmin...

        2. Bruce Ordway

          Re: Call me old fashioned if you will but...

          Years ago an employee was let go in the middle of the week. This was a very competent, well liked individual and his dismissal came as a shock to me and my co-workers. In the coming weeks users reported a series of missing files. I was able to restore them and I didn't think too much further at the time.

          The next time I ran into the person I mentioned the files.

          He was a little embarrassed to tell me he had deleted those files while collecting his belongings from his desk. I've never forgotten since that even normally reasonable people can do very strange things when they are upset.

    2. Martin-73 Silver badge

      Re: Call me old fashioned if you will but...

      It's not a case of taking blame away from this sysadmin. He deserved jail. And the repayment order. But the company ALSO needs a massive smack for screwing up.

    3. Anonymous Coward

      Re: Call me old fashioned if you will but...

      Legal ways? Are you kidding? In America they have passed these laws misnamed as "right to work", under which all workers have absolutely NO RIGHTS when it comes to dismissal. Employers can terminate anyone for any reason without fear of legal reprisal. When you hire on you sign an agreement acknowledging you have NO RIGHTS.

      1. Swarthy

        Re: Call me old fashioned if you will but...

        A wee bit of correction:

        Right to work does not mean that you can be fired for any reason, it means you can be fired for no reason. If a reason is given, it must be a good one, else you can sue for wrongful termination.

        It also means that you can quit for no reason. Also that you cannot be forced to join a union, nor fired for joining one.

  7. Doctor Syntax Silver badge

    "Thanks to the victim's quick response"

    Quick response? A quick response would have been to lock things down when they fired him.

  8. Frank N. Stein

    Did the idiots who still worked there just not revoke his login? Seems like it. Maybe HE is not the one they should've sacked. Seems like the idiots who remained are at least to blame for not revoking his access.

  9. Anonymous Coward

    You cut off access during the 'come into my office' talk

    ...the perp returns to their desk to find an empty box and a security bod.

  10. rbf

    System Slowly Sank into Sunset

    Before a booked vacation my boss had me explain a weekly database update procedure to a non-technical employee. Yes, there was a SQL script to run. The trick was handling the exceptions, much due to the fact that the multinational corporate database was machine-centric while the national CRM database was understandably customer-centric. Machines would be swapped between customers and a fair bit of database legerdemain was needed to tidy things up.

    The non-techie with no concept of SQL had no chance of comprehending page-long SQL commands or what the exception messages meant.

    A couple weeks later I was downsized. The weekly updates fell by the wayside and the CRM database inexorably drifted away from reality to the increasing confusion of support staff and customers.

    Some years and tens of millions later a corporate system eventually came into operation.

    I didn't have to so much as lift a finger.

  11. Roland6 Silver badge

    Why BYOD is not a good idea...

    "They found a VPN connection into the company's servers on his laptop, and a subsequent forensic investigation of his hard drive and broadband router got enough evidence to bust him."

    There are two parts to this. Firstly, there is the case that an employee has company access credentials on their laptop - don't know the details of this case, but if access uses certificates then this is a major problem. Secondly, as a departing sysadmin/superuser, you don't really want (unauthorised) valid access credentials to remain on your machine as naturally if something untoward happens after you leave you will be an automatic suspect.

    Hence why I think BYOD is probably going to die out in security aware organisations...

    1. Prst. V.Jeltz Silver badge

      Re: Why BYOD is not a good idea...

      I don't think BYOD has ever, or will ever, take off in security aware organisations...

      (which is most organisations these days)

      (they try , anyway)

    2. Anonymous Coward

      Re: Why BYOD is not a good idea...

      > I think BYOD is probably going to die out in security aware organisations...

      > I don't think BYOD has ever, or will ever, take off in security aware organisations...

      Or alternatively any truly security aware organisation has to be able to accommodate BYOD and remain secure. My bank doesn't tell me which device to use to run their banking app, I can't guarantee that the directors of the company I currently work for would accept any restrictions either.

      For 99% of organisations it's probably more realistic to work on the assumption that BYOD is happening regardless of policy and needs to be managed than it is to try and guarantee that it isn't.

  12. Ironclad

    Marching someone out the door...

    ...might not be strictly legal in the UK in the case of redundancy. Government advice on redundancy:

    https://www.gov.uk/redundant-your-rights/consultation

    5. Consultation

    You’re entitled to a consultation with your employer if you’re being made redundant.

    This involves speaking to them about:

    - why you’re being made redundant

    - any alternatives to redundancy

    You can make a claim to an employment tribunal if your employer doesn’t consult properly, eg if they start late, don’t consult properly or don’t consult at all.

    Alternatives to redundancy can include applying for other jobs within the organisation; if these are predominantly posted online then revoking all network access for the employee can be difficult.

    Of course you can still revoke access to critical systems and if they've been fired then none of this applies. Ditto I suspect in the USA.

    1. Peter2 Silver badge

      Re: Marching someone out the door...

      The question comes down to "have you suffered financial harm". As long as the company is reasonably generous with your exit package (eg placing you on garden leave and/or paying you in lieu of notice) then in practice it's quite difficult to win a claim at an employment tribunal.

      I note this having been made redundant from a company, which did so on reasonable terms. Reasonable enough that I didn't hold a grudge when they reemployed me about ten years later.

  13. Anonymous Coward

    "Sustained and sophisticated attacks"

    What's the point of all this expensive clobber to defend against "sustained and sophisticated attacks" when access for terminated employees isn't even revoked? Oh hang on a minute - unrevoked access probably falls under the classification of "sustained and sophisticated attack" from a PR perspective...
