Disgruntled admin gets 63 months for massive data deletion An IT manager who sought revenge for an unfavorable job evaluation was sentenced to more than five years in federal prison after being convicted of intentionally triggering a massive data collapse on his former employer's computer network. Jon Paul Oson, 38, of Chula Vista, California, was sentenced to 63 months behind bars …
At a guess, I'd say MS Remote Desktop. The client has a default setting that maps local printers to the terminal server. The client will advertise all of its local printers to the terminal server, and if the server has a matching driver, the printer will map. This is all recorder in the event log.
Bill, holy, because his software led to the guy being caught.
I hate these warning stories about the FBI can find data on your PC wiped 5 times,or by the printer used etc...The issue isn't if they can do this, the issue is will they? If you delete some company data the FBI will come and get you? They have better things to do, but to be safe don't open your closet, the boogie man will get you
Nevermind that he didn't cover his tracks well. He's all well deserving the prison time by willfully destroying patient records! He even shut down the backup systems, so it isn't like he intended to do a one-day scare; he practically slaughtered the entire hospital's record!
This guy deserves no parole, no mercy, and a really mean cellmate.
"At a guess, I'd say MS Remote Desktop. The client has a default setting that maps local printers to the terminal server. The client will advertise all of its local printers to the terminal server, and if the server has a matching driver, the printer will map. This is all recorder in the event log."
Remote Desktop is exactly correct. Should have included that detail in the story.
It's one thing to be bitter about a job experience, especially if it ends your career and you have to take up another field. But if the guy was able to pretty quickly get another job, why bother? Chalk it up to a learning experience; it's better to be employed and outside in the real world than sitting in prison.
if any admin leaves for whatever reason you lockdown the system, password changes etc, even if it does cause issues with users or apps not running. Its always been the first role when I have gone into a new client.
I think the new admin person is obviously lazy
Why did he still have access after being terminated? Let me guess.... the administrator account had the "default password syndrome"?
I know a company that have the administrator password as blank on every desktop, incase the user wanted to "install something". And the server administrator password was the company's name! And this is because the idiots in the IT department didn't want to get off their fat behinds to help the users!.
Regards the 63 months... if it was bank records then I understand... but these were medical records, he could have killed someone indirectly. Give him few more months.
P/H, she must have learned to change the admin password, after firing someone in IT, by now.... hopefully
When I go for a medical related appointments, I often get the feeling they are seeing me for the first time ever - particularly for follow up appointments. Maybe they just keep losing data but disgruntled* staff actions and are too embarrassed to admit it.
*why are people never 'gruntled'?
This spiteful moron got away pretty lightly when you consider that, with a little less luck for the victim, he may have killed someone. If that had happened he would now be facing the needle, as his actions were premeditated it would be murder, as it is, he can now look forward to being somebody's bitch and learning to lift weights. In this case 63 months is a bitch not life. Couldn't happen to a nicer guy!
the funny thing is, it seems the job evaluation was correct, there was obviously some personal conflict going on... enough that he went on a rampage.
linux, because he should have at least used a usb bootable (thus disposable) system? then he wouldn't need to wipe any home computers... case closed.
*FBI knocks on door, "hi boys! want to take my computers? cool, just ignore the barry white mp3's ok!"
Sue those responsible for letting it happen, as well.
And then maybe, maybe, people paid to secure sytems will do what their pay is for ?
And in case those paid to secure the system left a note to higher hierarchy to say they aren't given the right needs to secure it, sue the higher hierarchy, etc...
We will all go back to our jobs on Monday, the company security officer and CTO's will pick up this story, watered-down to idiot level of course, and next thing you're audited to death, have all but the bare essential rights taken away from you and you need 17 extra levels of paperwork to clear your change requests, all because some arrogant pr**k, with admin passwords considered himself godlike in the IT infrastructure. I just f**king hate these retarded dicks, that make the rest of us trustworthy IT people look as bad as them.
How stupid was this guy? Overlooking the fact he caused grief to innocent 3rd parties instead of directly picking on the people he feels aggrieved him he was a total amateur.
Forget the technical aspects for now - what;s the first question the FBI ask the organisation when they come looking for clues? "Any disgruntled former employees?" Ooops. A quick scan of the logs sees he logged in with a valid account, confirming he was the attacker, so they just need a bit more evidence to strengthen the case and voila. Case closed.
He had to know he was the first guy they'd check out. What he should have done was cracked the network instead of using a valid account. He could even have weakened the network security whilst on the job without it looking too obvious.
Then he should have scoped out some unprotected wifi, dropped off a fully charged laptop nearby with the attack on a cron job. Finally, go someplace about 50 miles away with lots of ppl and CCTV, spend some money on your credit card and you have a lovely alibi, so even when they do come calling they don't find your scrubbed laptop, and they see you have a very strong alibi.
Bloody amateurs...
Smarter and FBI haven't been in a sentence together in a long, long time. This guy was caught being a douche, plain and simple. Bad job review -> Let me hurt people and families which have nothing to do with the firing! Then using M$ products cover (more like illuminate!) his trail, what a genius. The FBI can hardly catch a cold, but this guy was begging for a stint at Club Fed.
Thumbs Down x2 - Boo for dumbassed lame quasi-hackers that think NO ONE has ever used a comercially available software tool.
So he disabled the backups and waited 6 days before deleting the data?
I am assuming that rather than disabling the backups he actually modified them to exclude the important data so that the tapes would then get overwritten...
My point?
A company holding medical records for 17 health centers seems to have only had a 5 tape rotation which was being overwritten the next week! Why on earth didn't they have end of week and end of month tapes?!?
@ Ross 14th June 2008 13:27 GMT
My, but you've given this sort of rampage quite alot of thought, haven't you...
My first question is why isn't his IP address mentioned? I'm assuming he used a backdoor as any idiot knows he can be IDed through acount, but surely he also obscured his IP? If so, how?
Um - Where's THERE responsbilty
Posted Saturday 14th June 2008 18:43 GMT
Ok - Yes- the guy was dumb, didn't cover his tracks and had it coming.
However - the points the story DID NOT cover and the points the comments did:
1) Where is there "terminated employee policy"
2) "they- the provider" are responsible for HIPPA - again - policies?
3) Why did they have back doors open?
4) Disaster plan?
5) Did NNOOOO ONNNEEE note the lack of backups?
6) 5 days - yes, while bad - does not justify the $$$
6A) again - 5 days - then run your tapes from 5 days before
Overall - bust the guy - yes. Sentence too harsh? - Maybe. LIves at risk - NO.
Paper records are kept on patients.
HIPPA in this company is cleary a 5 letter acronymn
I think the company needs to go to jail as well.
and they thought I had a cold.
Really, this just goes to show that medical records are being used more as a convenience to the ruling power then it is for the patient.
Why didn't the child receive a printout after the first examination detailing the problems, surely it would be better to have the data in the hands of the people who it is about.
And most will be told the diagnosis, hardly anything lost here whatsoever.
Just some guy going about things the wrong way, and highlighting the ineptness of that particular organization.
Oh and the comment:
"The court said that Oson seemed to think that he was the smartest guy around but, as often happens, he ran into someone smarter (the FBI)." -- now we have flaming trolling judges, only seemed did he. And the FBI really works on smarts, not guns and holding locations? They probably hired an outside consultant to do it as well, and then claim the credit. Bizarre, the prison term is too high for this, and some of the blame should have been extended to the organization as well.
I hear what your saying, but any new admin would expressly look for backdoors. A simple look through AD etc will highlight any sysadm or higher-than-user accounts. A quick check or disable until verified should be enough to thwart any future attack.
the point is that this could have been avoided if the new admin guy wasn't lazy and took the time to lock down the system.
.....just what the hell was in that personal evaluation that set him off like that?
Did it insult his family? Skin conditions? Intelligence? Girth?
Must have been really something to make him quit a job he'd presumably been happy enough to spend 5 years in, then go completely mental and try to obliterate the company.
...Large corporations and companies are usually impersonal and at times evil... trying to get back at whomever offended this guy the way he did (if true) is far worse. There could have been other ways. Nuking the payroll computers for one. Involving innocents is totally unwarranted.
Shame on him and credit goes to the law this time. Well deserved.
Seriously. If this is how we work as a society then we may as well just put ourselves in jail. 5 years, shit man.
Speaking of that though, when does a jail become a jail? When is it any different to what we already think our freedom is? They are closing in on us. We sit here in our homes thinking we are independent of this world when really we are just in a different sized box, constrained by do gooders who do not follow what they preach.
Surely the major point that everyone (besides a couple of people posting here) seems to be missing is that it's scary that this one person had so much power, so much access...
Interesting....
Instead of hijacking planes and what not, Al Qaeda should just send a couple of people to work in various IT jobs for a while. After a couple of months they are given a huge responsibility, hit delete, and the whole country goes to shit
Seriously, if random people keep being given this much access and responsibility, without being monitored, and if they are able to do it AFTER THEY LEAVE THE JOB! it's only a matter of time before someone freaks out and decides to publish everyone's medical records online or something.
Well, before the government do it 'by accident' that is...
No offilne backups? Anything digital is temporary data. That's the only way to think of it. One tape goes into a (fireproof) safe at the end of the week - and if its current stuff as important medical records, I'd say the IT manager should personally do it every evening.
And departing sysadmins often leave a backdoor - in case the new guy has issues, or you get a call to sort something out urgently after you have left the company.
@ AC "Surely the major point that everyone (besides a couple of people posting here) seems to be missing is that it's scary that this one person had so much power, so much access..." never been a sysadmin, AC?
He/she took over the job knowing that their predecessor had been frogmarched out of the building by security. Anyone with a minimum of competence would assume the worst and lock down the system, certainly not leaving any admin accounts with their original passwords.
Paris, because she knows what it's like to do hard time.
Quote 'Instead of hijacking planes and what not, Al Qaeda should just send a couple of people to work in various IT jobs for a while. After a couple of months they are given a huge responsibility, hit delete, and the whole country goes to shit'
Someone call the police, I've located an Al-Qaeda terrorist - He lives at No.10 Downing Street, London.
You don't hack in after you've left to wreak this kind of havoc. No. There should be a series of at/cron/autosys/<your scheduler here> jobs to do it IF YOU DON'T LOG IN AND TELL IT NOT TO. Much better - kind of like the inverse of a failsafe.. If you get killed by a bus you can beat karma and get your revenge from beyond the grave. Karma can't kill you for being mean enough to set it up - cos that'll set it off! The universe has to leave you alone or else.
Not AC cos no one can fire me or IT'll all break. Ha!
We used to be very gruntled. Then our company was combined with several others and we became expensive overhead and got outsourced. Then our company was bought by another company and we were insourced again. And then our company bought another company and another company and all of a sudden we weren't just expensive overhead. Hell, we were a stone around the neck of the company and they couldn't wait to oursource us all again. In fact, they've been oursourcing people and jobs as fast as they can since they can't figure out how to grow the business properly and don't want to invest any real money into infrastructure and training (you can do that yourself in the bog) . Now we'll just leave it to those other companies to screw folks out of their jobs and then eventually we'll insource the susvivors to a lower pay scall and less seniority. Oh yeah, that'll make a great big bonus for the avp's and up this year.
"The court said that Oson seemed to think that he was the smartest guy around but, as often happens, he ran into someone smarter (the FBI)."
Surely this proves that the guy must have been a fuckwit, if the court terms the FBI as being "smarter"?
Seriously.....attempt to be the BOFH?........FAIL! Simon would have got away with it, and got his job back with a pay rise, as well as organising a nasty accident for the person who bad-mouthed him in the first place!
Honestly, this guy deserves what he got though. It's obvious that he willfully destroyed the data without any care for the people who owned it (the patients), out of a petty need for revenge on his former employer.
"When he returned a few weeks later, doctors had no record of the previous diagnosis, and they also had no idea he was due for a routine physical exam."
"Patients who visited the clinic in the weeks following .... were kept waiting hours and sometimes futilely while their charts were located and delivered to the appropriate clinic and doctor,"
Sounds like another great health service we know and love....
... answers on a postcard please
As many have said.... the scary parts are that the new Sysadmin didn't lock out the old (or any suscpicious accounts...) and also that by the sounds of it a company as large and significant as that dealing in health records appears to have a 5 day tape rotation and no online/offline storage backup*
*this may be incorrect as it does sound as though they got back up and running eventually, but still....
"The court said that Oson seemed to think that he was the smartest guy around but, as often happens, he ran into someone smarter (the FBI)."
I saw a program about the FBI real life cases a while ago and it stated. (by talking to the FBI agents involved.)
"The criminals left no finger prints, so the FBI surmised that they wore gloves. The ladder left against the wall leading to the roof, and the large hole they had cut into the roof, the FBI surmised this had been how they got into the buidling."
So I don't believe the FBI are that smart.
"We used to be very gruntled. Then our company was combined with several others and we became expensive overhead and got outsourced. Then our company was bought by another company and we were insourced again. And then our company bought another company and another company and all of a sudden we weren't just expensive overhead. Hell, we were a stone around the neck of the company and they couldn't wait to oursource us all again. In fact, they've been oursourcing people and jobs as fast as they can since they can't figure out how to grow the business properly and don't want to invest any real money into infrastructure and training (you can do that yourself in the bog) . Now we'll just leave it to those other companies to screw folks out of their jobs and then eventually we'll insource the susvivors to a lower pay scall and less seniority. Oh yeah, that'll make a great big bonus for the avp's and up this year."
You work for Capita too?
If the outgoing admin is slightly more imaginative in their backdoor-creation than "add a new Administrator account" then you are going to be hard-pushed to find it. So no, this couldn't necessarily have been avoided, and "locking the system down" is not possible in the way you suggest.
Firstly, as has been already mentioned if you want a backdoor there are much more subtle ways than creating a separate account called mysupersweetsecretadmin and making it a globally administrative account.
Secondly, depending on how much of his notice he ended up working (and where I come from when you sack / make redundant / accept the resignation of a [senior] sysadmin you have security immediately escort him to pick up his goods and leave the building) it is likely that IT was temporarily being done by Sonia from accounts whose IT experience consists of changing the backup tapes and resetting passwords when the sysadmin is on holiday.
Poor configuration brings bad habits.
If all the windows and doors were closed and fortified by Privileges then i do think, this guy of ours wouldn't have made it through. All the same is oson had had a good IT guy to sweep the change and make admendments then that wouldn't have been the case. This is a lesson to learn. We all fall prey to this kind of thing..... Most administrators would not change a single password of a retired employee, niether have they configured their AD to expire them too.
But by the dates on the story, it was 6 months between firing and taking action.
1) He had to be SERIOUSLY angry to delay revenge that long. That or deranged. I go for the latter.
2) The real crime is that in 6 months, they MUST have employed a new Sysadmin who should have checked the system for anything untoward left by the previous guy. OK he may have missed something, but then to have no security log and no back up log (or not checking either/both logs) is verging on criminal. Where did they recruit them from, the local internet cafe?
Maybe Paris found herself a 'real' job?
a good, clean cut case where everyone will attack the perpetrator-OMG he deleted POOR PEOPLE's data! Burn him! Kill him! give him "the needle" if someone dies!
But whenever someone actually specifically kills someone, then there's "no death penalty!" but I digress..
Now, there is a precedent for jail time and "restitution". No one questions the "Righteousness" of this case. But the next case, where someone deliberately deletes WOW game accounts, or worthless company data...the legal precedent has been set and the "criminal" gets punished. Notice the case doesn't use any sort of set "value" for amount and type of data, other than mention to get the case prosecuted.
So if your girlfriend's "rebellious" tween deletes your files, are they now a criminal? How big a company do you have to be to get criminal charges filed about "your" data?
next up, a criminal case for accidental or neglegent activities that delete data. Just like grades of Murder or Manslaughter, but for someone getting rid of ones and zeros. But only for "politically correct" deleted data. Data belonging to Big Oil companies will for some reason, not be considered "criminal", where if anyone touches Howard Dean's screaming pr0n collection, the gas chamber will be called into account.
The one thing about the "slippery slope" argument when applied to civil and legal proceedings, where the "slope" suppresses the rights and lives and freedoms of "the people" (as opposed to monied and famous elites) is that the worst case paranoid "slipperiness" almost always happens. Take copyright law for example, or "hate speech" laws, government entitled "energy programs" (ethanol) or the worst case scenarios the 2nd Amendment crowd has warned people about. The inch was given, the assurances flowed, but the mile was taken instead.
Assuming separation of duties (federal regulations and all that), the "technical services manager" shouldn't have that sort of system access.
Even if he was able to get the proper department to pull him a list of admin accounts, what if the offending account was a local account on a barely used server? It wouldn't show up on the report.
If you are trying to sneak in, putting a new admin account in the domain might set off alarms if monitoring is being done. Use an out of the way, but still accessible system instead. If you used to be the network engineer, you probably know the locations of networks that nobody else remembers.
Does the company *you* work for run full penetration testing / internal system audits every time someone leaves or is fired?
Suppose they had scheduled automated audit scans that kicked off once a week. He'd probably know that schedule, too which may explain why he waited 6 days.
We've got technical details, but nothing about the intent or the intelligence behind it.
Everything is speculation.
They failed to change the network admin password after they fired him. Bad security practices.
Had the guy instead used a program on the server to remove shared printers, shred the system logs on startup, and reset the machine, he likely would have gotten away with it. Or had he used a clean system for the attack. It's practically impossible to get away with this sort of thing, though. There's always traces of some sort. The fact that all his home machines had been wiped was major evidence in itself.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
