Tough one
Top dog creating an account the day before he left? Who in HR would have caught this during an exit procedure?
He's going down the river one would think...
A sportswear company in Oregon has alleged that a senior IT manager left a backdoor in its systems before departing to a business partner and illegally used that access almost 700 times for his new employer's benefit. In its complaint to a federal court in Oregon [PDF], Columbia Sportswear demanded a jury trial for Michael …
I don't think it's a tough one; his replacement, assuming they hired one, fucked up.
Does that not keep any admin up at night thinking, the guy that I replaced is probably ripping my network up? How hard is it to audit VPN accounts? It takes a day even in a large network. Oh, jmanning, that guy does or does not exist. Okay, disabled. If he calls back, go through established authentication procedures via the helpdesk. Columbia needs to take a bit of responsibility too.
"Just a day before leaving, however, Leeper allegedly created a network account under the name "Jeff Manning", called "jmanning", which provided him with remote access to Columbia's network, including its VPN. Using this account, Leeper plundered Columbia nearly 700 times over the next two years, stealing corporate plans as well as information on its technology budget, all for the benefit of Denali as it competed for his former employer's cash."
Not the most advanced backdoor is it?
What about user account policies? AD auditing? etc etc
Um, what about "Who does the auditing when it's the auditor who's quitting?" As I understand it, he was their top IT man at the time, meaning he had all the keys, so to speak. Someone at that level of power likely knows how to sneak things under the radar, since no one else above him would know everything to the extent he did.
It's the classic intractable problem: dealing with betrayal from up top.
"As I understand, he was their top IT man at the time..."
The first rule of any security system, not just IT, is to always have checks and balances and let no one person have all of the keys to the kingdom unsupervised. If nothing else, because any employee might kick the bucket at any time. (In the US, the odds of dying in a car accident in any given year are about 1 in 6000.)
Banks learned this over 100 years ago. That's one of the reasons in the early 20th century most banks required all bank officers, even the President of the bank, to take off at least 2 consecutive weeks per year - it was a chance for the bank to audit what that officer had been doing. I know this because my in-laws owned some banks in the early 20th Century. Don't know how common a practice it is now.
"it was a chance for the bank to audit what that officer had been doing."
But AGAIN, who audits the AUDITOR? Especially since the firm was of a type where they lacked a second IT person with the same level of expertise? Besides, someone THAT high up would probably know enough to be able to hide their stuff FROM auditors.
From what I've seen, auditor types are basically bookkeepers, etc., who haven't a clue. Yes, in-depth cross-checking of logs, accounts and employee lists/authorized user lists might have caught it. But most audits don't include such things (at least the ones I've been through).
The bigger problem is that the person at the top of the food chain with max god power compared to everyone else pulled this off. The trust chain was broken and those in the C-Suite didn't think ahead here.
Auditors don't get much permanent access except to office tools. System access is on request and time-limited only, as system administration and the majority of file systems are not part of their job or current audit. Auditor does not mean "god mode access", and if it was, that should be a finding in its own right.
... should be a salutary lesson for 'authorities' who want 'secret, impenetrable to unauthorised users' backdoors into security protocols and the like. Because 'secret' doesn't stay that way, and 'impenetrable' isn't - especially when 'authorised' users can become or act as 'unauthorised' any time they choose.
Sigh...
Whoever stepped into this guy's shoes should have audited all the user accounts him- or herself. It's sort of important to know who has access to your network. After all, for all the new person knows, their predecessor was a twit who left an unauthenticated "Guest" account set up with full access to everything. Wouldn't be the first time that happened, either. So in the early innings after taking over, a user account audit should have gone something like: "Who's this 'Jeff Manning'? Nobody knows him? Delete that account!"
But what if it WAS someone they knew? What if there really WAS someone in the firm named Jeff Manning complete with records and so on?
Besides, there's also the possibility he knew the audit was coming and found a way to conceal the name FROM the audit using root tricks and so on.
Columbia Sportswear is a publicly traded corporation with more than 5,000 employees, of whom many would have some kind of network account. Auditing all the user accounts would not be a one person job, nor would it normally be the job of the head of the organization.
On the other hand, it should not be too hard to assign an operational employee (or better, two or three independently) to periodically compare the payroll list to the accounts and look carefully at any accounts for which a check was not issued in the most recent payroll cycle. That "Jeff Manning" seems to have operated for two years before detection indicates slackness beyond even what the US OPM showed.
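The payroll-versus-accounts reconciliation suggested in the comment above (and the VPN account audit suggested earlier in the thread) is simple enough to script. The following is an added example, not code from the thread or from Columbia; the roster, account list, names and dates are constructed for illustration. It assumes an HR export with each employee's login name and last day, an AD export with sAMAccountName, whenCreated and enabled state, a "created by" field recovered from the Security log (Windows event 4720, "A user account was created", records the subject who created the target account; AD itself keeps no creator attribute), and a last-VPN-logon date pulled from the VPN concentrator's logs. Beyond the plain payroll match, it also flags accounts an employee created shortly before their own last day, which is the pattern described in the article excerpt.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    sam: str                       # sAMAccountName from the AD export
    created: date                  # whenCreated
    created_by: str                # Subject account from the 4720 event (assumed available)
    enabled: bool
    last_vpn_logon: Optional[date]  # from VPN concentrator logs, None if never seen


@dataclass(frozen=True)
class Employee:
    sam: str
    last_day: Optional[date]        # None = still on payroll


# Constructed sample data (hypothetical names, not from the case), as of AS_OF.
AS_OF = date(2024, 6, 30)

ROSTER = [
    Employee("pquinn", date(2024, 5, 31)),   # departing IT admin
    Employee("asingh", None),
    Employee("mlopez", None),
    Employee("dkim", date(2024, 3, 15)),     # left months ago
]

ACCOUNTS = [
    Account("pquinn", date(2019, 1, 7), "setup", False, date(2024, 5, 30)),
    Account("asingh", date(2021, 3, 2), "pquinn", True, date(2024, 6, 28)),
    Account("mlopez", date(2022, 9, 19), "pquinn", True, None),
    Account("dkim", date(2020, 4, 1), "pquinn", True, date(2024, 6, 12)),   # VPN use after last day
    Account("tbrown", date(2024, 5, 30), "pquinn", True, date(2024, 6, 29)),  # no payroll record
    Account("svc_backup", date(2020, 4, 1), "setup", True, None),            # known service account
]

KNOWN_SERVICE_ACCOUNTS = frozenset({"svc_backup"})


def orphan_accounts(accounts, roster, known_service=frozenset()):
    """Accounts with no matching payroll record, excluding documented service accounts."""
    on_payroll = {e.sam for e in roster}
    return sorted(a.sam for a in accounts
                  if a.sam not in on_payroll and a.sam not in known_service)


def active_after_departure(accounts, roster, as_of):
    """Leavers whose account is still enabled, or was used for VPN after their last day."""
    left = {e.sam: e.last_day for e in roster if e.last_day and e.last_day < as_of}
    flagged = []
    for a in accounts:
        last_day = left.get(a.sam)
        if last_day is None:
            continue
        used_after = a.last_vpn_logon is not None and a.last_vpn_logon > last_day
        if a.enabled or used_after:
            flagged.append(a.sam)
    return sorted(flagged)


def created_before_own_departure(accounts, roster, window_days=30):
    """Accounts created by an employee within window_days before that employee's own last day."""
    last_days = {e.sam: e.last_day for e in roster if e.last_day}
    hits = []
    for a in accounts:
        creator_last_day = last_days.get(a.created_by)
        if creator_last_day is None:
            continue
        gap = creator_last_day - a.created
        if timedelta(0) <= gap <= timedelta(days=window_days):
            hits.append((a.sam, a.created_by))
    return sorted(hits)


def audit(accounts, roster, as_of, known_service=frozenset()):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "orphans": orphan_accounts(accounts, roster, known_service),
        "active_after_departure": active_after_departure(accounts, roster, as_of),
        "created_before_own_departure": created_before_own_departure(accounts, roster),
    }


if __name__ == "__main__":
    for check, findings in audit(ACCOUNTS, ROSTER, AS_OF, KNOWN_SERVICE_ACCOUNTS).items():
        print(f"{check}: {findings}")
```

Each finding needs a human decision (a new joiner not yet in HR looks like an orphan too), so the output is a review list, not an automatic disable. The third check is the one a departing administrator's successor most wants: everything the predecessor created in their final weeks gets an owner confirmed or gets disabled.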
I have felt the gentle but inexorable pull of its siren song. I was unceremoniously booted from an earlier company (I was trying hard to leave anyway, miserable place). A small and slightly odorous devil materialized on my shoulder, urging me to do all manner of dodgy and revengeful things. Leave a port open on the server. Leave some time-bomb batch files or scripts to cause mayhem weeks later. Such a long and varied list of digital mayhem it was, that little devil was creative and knew the territory.
I resisted. God it was hard to do so, but I fought it off. And I've never once regretted it. Granted this was 16 years ago and I could probably have gotten away with it. But of course the anger has long cooled and I'm glad to not have that burden of guilt. And possibly, jail time.
"Anger is a wind that blows out the lamp of the mind" - Robert Ingersoll.
The ex-manager was clearly not good enough to cover his own tracks, and it took them a while to find out what was going on.
I'd like to believe that most employees leave their current employers on good terms, with the employer wishing them well after they have happily passed on their wisdom to their replacement.
Unfortunately IRL I'd have to consume personality altering medication in near lethal dosages to think that way.
It's not about trust. It's about taking sensible precautions when any employee leaves a company to discourage them from considering behaving in this way.
IANAL: Unless Columbia specifically revoked his access to their system, Leeper could still claim he had authorized access as an excuse.
"Top dog creating an account the day before he left?", chivo243
"What about user account policies? AD auditing? etc etc", adam payne
'AD auditing' .. haaaa .. 'Top dog' should have installed a rootkit into the BIOS using the Intel Management Engine (ME), rendering it invisible to all known malware detection techniques. These come as binary blobs that execute before the main processor kicks in, at a higher privilege than the kernel, and cannot be disabled. They even run when powered down and still plugged in.
"Columbia has implemented numerous safeguards to ensure the integrity and security of its IT systems. It uses similar safeguards to protect its confidential business information from unauthorized disclosure or use. In each instance, Columbia has no choice but to trust the IT staff that implements those safeguards to maintain and abide by them."
What's needed is a fully audited irreconcilable second system to monitor the main one that is inaccessible to the first system. And give people a hardware dongle containing the only copy of their own keys, that must be plugged in to login/access their own records.
"'AD auditing' .. haaaa .. 'Top dog' should have installed a rootkit into the BIOS using the Intel Management Engine (ME), rendering it invisible to all known malware detection techniques. These come as binary blobs that execute before the main processor kicks in, at a higher privilege than the kernel, and cannot be disabled. They even run when powered down and still plugged in."
Guess who would've been the person to install such a thing? The guy who went on to spy on them! It's hard to slip one past the top IT guy.
"What's needed is a fully audited irreconcilable second system to monitor the main one that is inaccessible to the first system. And give people a hardware dongle containing the only copy of their own keys, that must be plugged in to login/access their own records."
What's to stop him from accessing THAT system, too?
Shoot the bastard, as everyone seems to think he is guilty from the underwhelming evidence in this article. It seems he could just as easily have been set up by an admin type who still works at his old job. What better way to make someone look guilty than to create the backdoor account the day BEFORE he finishes up?
Even if he is found not guilty, the shit will stick and follow him to the ends of the earth.