Ex penetrated us almost 700 times through secret backdoor, biz alleges

A sportswear company in Oregon has alleged that a senior IT manager left a backdoor in its systems before departing to a business partner and illegally used that access almost 700 times for his new employer's benefit. In its complaint to a federal court in Oregon [PDF], Columbia Sportswear demanded a jury trial for Michael …

  1. chivo243 Silver badge
    Facepalm

    Tough one

    Top dog creating an account the day before he left? Who in HR would have caught this during an exit procedure?

    He's going down the river one would think...

    1. mr. deadlift

      Re: Tough one

      I don't think tough one; his replacement, assuming they hired one, fucked up.

      Does that not keep any admin up at night thinking, the guy that I replaced is probably ripping my network up? How hard is it to audit VPN accounts? Takes a day even in a large network. Oh, jmanning, that guy does, or does not, exist. Okay, disabled. If he calls back, go through established authentication procedures via the helpdesk. Columbia need to take a bit of responsibility too.

  2. adam payne

    "Just a day before leaving, however, Leeper allegedly created a network account under the name "Jeff Manning", called "jmanning", which provided him with remote access to Columbia's network, including its VPN. Using this account, Leeper plundered Columbia nearly 700 times over the next two years, stealing corporate plans as well as information on its technology budget, all for the benefit of Denali as it competed for his former employer's cash."

    Not the most advanced backdoor is it?

    What about user account policies? AD auditing? etc etc

    1. Anonymous Coward
      Anonymous Coward

      Um, what about "Who does the auditing when it's the auditor who's quitting?" As I understand, he was their top IT man at the time, meaning he had all the keys, so to speak. Someone at that level of power likely knows how to sneak things under the radar since no one else is above him who would know everything to the extent he did.

      It's the classic intractable problem: dealing with betrayal from up top.

      1. jmch Silver badge

        Proper audit of accounts should include all accounts... I would say ESPECIALLY of those accounts with high privileges, e.g. auditors themselves, superusers and senior execs.

      2. The Man Who Fell To Earth Silver badge
        Alert

        @AC: top man

        "As I understand, he was their top IT man at the time..."

        First rule of any security system, not just IT, is always have checks & balances and let no one person have all of the keys to the Kingdom unsupervised. If nothing else, because any employee might kick the bucket at any time. (In the US, odds of dying in a car accident in any given year is about 1-in-6000.)

        Banks learned this over 100 years ago. That's one of the reasons in the early 20th century most banks required all bank officers, even the President of the bank, to take off at least 2 consecutive weeks per year - it was a chance for the bank to audit what that officer had been doing. I know this because my in-laws owned some banks in the early 20th Century. Don't know how common a practice it is now.

        1. Charles 9

          Re: @AC: top man

          "it was a chance for the bank to audit what that officer had been doing."

          But AGAIN, who audits the AUDITOR? Especially since the firm was of a type where they lacked a second IT person with the same level of expertise? Besides, someone THAT high up would probably know enough to be able to hide their stuff FROM auditors.

    2. Anonymous Coward
      Joke

      > Not the most advanced backdoor is it?

      No, but what's the betting the only reason they found it was because they subsequently hired a Jeff Manning and wondered why he already had an account?

    3. Mark 85

      From what I've seen, Auditor types are basically bookkeepers, etc. who haven't a clue. Yes, indepth cross-checking of logs, accounts and employee lists/authorized user lists might have caught it. But most audits don't include such things (at least the ones I've been through).

      The bigger problem is that the person at the top of the food chain with max god power compared to everyone else pulled this off. The trust chain was broken and those in the C-Suite didn't think ahead here.

  3. Anonymous Coward
    Anonymous Coward

    In my experience

    Auditors don't get much permanent access except to office tools. System access is on request/time limited only as system administration and the majority of file systems are not part of their job or current audit. Auditor does not mean "god mode access" and if it was that should be a finding in its own right.

  4. The_Idiot

    And this...

    ... should be a salutary lesson for 'authorities' who want 'secret, impenetrable to unauthorised users' backdoors into security protocols and the like. Because 'secret' doesn't stay that way, and 'impenetrable' isn't - especially when 'authorised' users can become or act as 'unauthorised' any time they choose.

    Sigh...

  5. Hans Neeson-Bumpsadese Silver badge

    Hands-on

    I'm not for one minute condoning what this individual is accused of doing, but I do find it quite refreshing that someone at senior director level is still sufficiently in touch with the tools to be able to pull a stunt like this.

  6. Simon Harris
    Thumb Up

    Best headline of the day.

    Well done, El Reg!

  7. ma1010
    Facepalm

    How about his replacement?

    Whoever stepped into this guy's shoes should have audited all the user accounts him/herself. It's sort of important to know who has access to your network. After all, for all the new person knows, their predecessor was a twit who left an unauthenticated "Guest" account set up with full access to everything. Wouldn't be the first time that happened, either. So in early innings after taking over, a user account audit should have gone something like: "Who's this 'Jeff Manning'? Nobody knows him? Delete that account!"

    1. Charles 9

      Re: How about his replacement?

      But what if it WAS someone they knew? What if there really WAS someone in the firm named Jeff Manning complete with records and so on?

      Besides, there's also the possibility he knew the audit was coming and found a way to conceal the name FROM the audit using root tricks and so on.

    2. tom dial Silver badge

      Re: How about his replacement?

      Columbia Sportswear is a publicly traded corporation with more than 5,000 employees, of whom many would have some kind of network account. Auditing all the user accounts would not be a one person job, nor would it normally be the job of the head of the organization.

      On the other hand, it should not be too hard to assign an operational employee (or better, two or three independently) to periodically compare the payroll list to the accounts and look carefully at any accounts for which a check was not issued in the most recent payroll cycle. That "Jeff Manning" seems to have operated for two years before detection indicates slackness beyond even what the US OPM showed.

      1. Anonymous Coward
        Anonymous Coward

        Re: How about his replacement?

        Or he made sure Manning actually got a check cut...
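An added example, not from the article, the commenters, or anything known about Columbia's actual systems: a small review script that implements the two checks raised in this thread. It cross-references an account export against the HR roster (tom dial's payroll comparison), flags payees who have no roster record (the "made sure Manning got a check cut" caveat, which is why payroll alone is not the source of truth), and flags accounts created by an administrator within a short window before that administrator's own termination date (chivo243's "created an account the day before he left"). All records, field names and the service-account prefix are constructed assumptions; a real run would read the same fields from an AD export and the HR system.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    sam: str             # logon name, e.g. "jmanning"
    display: str
    created: date
    created_by: str      # logon name of the admin who created the account
    enabled: bool
    vpn: bool            # member of the VPN access group


@dataclass(frozen=True)
class Employee:
    sam: str
    name: str
    hired: date
    terminated: Optional[date]   # None means still employed per HR


# Constructed sample data (hypothetical; nothing here is from the case).
ACCOUNTS = [
    Account("asmith", "Alice Smith", date(2014, 3, 1), "hr-provisioning", True, True),
    Account("bjones", "Bob Jones", date(2012, 6, 15), "hr-provisioning", True, False),
    Account("svc-backup", "Backup Service", date(2013, 1, 1), "itadmin", True, False),
    Account("jmanning", "Jeff Manning", date(2014, 3, 2), "itadmin", True, True),
    Account("itadmin", "IT Director", date(2009, 1, 1), "hr-provisioning", False, False),
]

# HR roster: the departing director's own record carries a termination date.
ROSTER = [
    Employee("asmith", "Alice Smith", date(2014, 3, 1), None),
    Employee("bjones", "Bob Jones", date(2012, 6, 15), None),
    Employee("itadmin", "IT Director", date(2009, 1, 1), date(2014, 3, 3)),
]

# Logon names that received a cheque in the most recent payroll cycle.
# "jmanning" is deliberately included to model a fabricated payroll entry.
PAYROLL_PAID = {"asmith", "bjones", "jmanning"}

# Assumed naming convention for non-person accounts, reviewed separately.
SERVICE_PREFIXES = ("svc-",)


def orphaned_accounts(accounts, roster):
    """Enabled person accounts with no currently employed HR record."""
    active = {e.sam for e in roster if e.terminated is None}
    return sorted(
        a.sam for a in accounts
        if a.enabled
        and a.sam not in active
        and not a.sam.startswith(SERVICE_PREFIXES)
    )


def ghost_payees(paid, roster):
    """Payroll entries with no HR record at all: payroll must not be the only check."""
    known = {e.sam for e in roster}
    return sorted(paid - known)


def accounts_created_near_departure(accounts, roster, window_days=30):
    """Accounts created by an admin within window_days before that admin's termination.

    Returns (account, creator, days_before_departure) tuples.
    """
    term = {e.sam: e.terminated for e in roster if e.terminated is not None}
    hits = []
    for a in accounts:
        t = term.get(a.created_by)
        if t is not None:
            gap = (t - a.created).days
            if 0 <= gap <= window_days:
                hits.append((a.sam, a.created_by, gap))
    return hits


def review(accounts=ACCOUNTS, roster=ROSTER, paid=PAYROLL_PAID):
    """Run all three checks and return the findings for a reviewer."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "ghost_payees": ghost_payees(paid, roster),
        "created_near_departure": accounts_created_near_departure(accounts, roster),
    }


if __name__ == "__main__":
    for check, findings in review().items():
        print(f"{check}: {findings}")
```

Each check is independent on purpose: the roster comparison catches an account with no employee behind it, the ghost-payee check catches an attempt to satisfy the roster comparison by feeding payroll, and the departure-window check does not depend on either list being clean, only on the admin's own termination date and the creation metadata of the accounts he touched. The last one is also the check most worth running by someone other than the administrator who holds the keys.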

  8. CustardGannet

    Obligatory 'hacker' stock-photo...

    ...hood up, typing whilst wearing gloves...

    ...actually makes sense for once. Those server rooms *can* get a tad nippy.

  9. akeane
    Facepalm

    jmanning...

    ... sounds like some advanced hacking/social engineering technique...

  10. Duncan Robertson

    My name is

    Jeff

  11. cd

    This would be a better story if the account was for cmanning.

    1. FrankAlphaXII

      or esnowden, jassange or even bmanning. Though someone would have probably noticed.

  12. Tikimon
    Angel

    Temptation is a terrible thing...

    I have felt the gentle but inexorable pull of its siren song. I was unceremoniously booted from an earlier company (I was trying hard to leave anyway, miserable place). A small and slightly odorous devil materialized on my shoulder, urging me to do all manner of dodgy and revengeful things. Leave a port open on the server. Leave some time-bomb batch files or scripts to cause mayhem weeks later. Such a long and varied list of digital mayhem it was, that little devil was creative and knew the territory.

    I resisted. God it was hard to do so, but I fought it off. And I've never once regretted it. Granted this was 16 years ago and I could probably have gotten away with it. But of course the anger has long cooled and I'm glad to not have that burden of guilt. And possibly, jail time.

    "Anger is a wind that blows out the lamp of the mind" - Robert Ingersoll.

    1. DNTP

      Re: Temptation is a terrible thing...

      "Professionals never bother spending the effort to get even, just to get paid."

      Or, as one of my teachers put it, "You can wield your sword, or your anger, but not both."

      1. Charles 9

        Re: Temptation is a terrible thing...

        I'd counter, "Then explain berserkers, who wield their swords IN a mad rage."

    2. Charles 9

      Re: Temptation is a terrible thing...

      ""Anger is a wind that blows out the lamp of the mind" - Robert Ingersoll."

      Ah, but wind doesn't always blow out a flame. Sometimes it stokes it instead. After all, wind is a bane to firefighters, not a boon.

  13. John Smith 19 Gold badge
    Unhappy

    Disappointing behaviour all round

    The Ex Manager was clearly not good enough to cover his own tracks and it took them a while to find out what was going on.

    I'd like to believe that most employees leave their current employers on good terms, with the employer wishing them well after they have happily passed on their wisdom to their replacement.

    Unfortunately IRL I'd have to consume personality altering medication in near lethal dosages to think that way.

    It's not about trust. It's about taking sensible precautions when any employee leaves a company to discourage them from considering behaving in this way.

  14. Anonymous Coward
    Terminator

    Sportswear company highly confidential information

    IANAL: Unless Columbia specifically revoked his access to their system, Leeper could still claim he had an authorised-access excuse.

    "Top dog creating an account the day before he left?", chivo243

    "What about user account policies? AD auditing? etc etc", adam payne

    'AD auditing' .. haaaa .. 'Top dog' should have installed a rootkit into the BIOS using the Intel Management Engine (ME). Rendering it invisible to all known malware detection techniques. These come as binary blobs that execute before the main processor kicks-in, at a higher privilege than the kernel and cannot be disabled. They even run when powered down and still plugged in.

    "Columbia has implemented numerous safeguards to ensure the integrity and security of its IT systems. It uses similar safeguards to protect its confidential business information from unauthorized disclosure or use. In each instance, Columbia has no choice but to trust the IT staff that implements those safeguards to maintain and abide by them."

    What's needed is a fully audited irreconcilable second system to monitor the main one that is inaccessible to the first system. And give people a hardware dongle containing the only copy of their own keys, that must be plugged in to login/access their own records.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sportswear company highly confidential information

      "'AD auditing' .. haaaa .. 'Top dog' should have installed a rootkit into the BIOS using the Intel Management Engine (ME). Rendering it invisible to all known malware detection techniques. These come as binary blobs that execute before the main processor kicks-in, at a higher privilege than the kernel and cannot be disabled. They even run when powered down and still plugged in."

      Guess who would've been the person to install such a thing? The guy who went on to spy on them! It's hard to slip one past the top IT guy.

      "What's needed is a fully audited irreconcilable second system to monitor the main one that is inaccessible to the first system. And give people a hardware dongle containing the only copy of their own keys, that must be plugged in to login/access their own records."

      What's to stop him from accessing THAT system, too?

  15. JJKing

    Shoot the bastard, as everyone seems to think he is guilty from the underwhelming evidence in this article. Seems that he could just as easily have been set up by an Admin type who still works at his old job. What better way to make someone look guilty than to create the backdoor account the day BEFORE he finishes up.

    Even if he is found not guilty, the shit will stick and follow him to the ends of the earth.

  16. Anonymous Coward
    Anonymous Coward

    "While on leave, Mike will have no responsibilities with Denali and will not have access to Denali customers, vendors, employees or other data."

    Well at least *hopefully* he won't have access.
