Yee-hacked! Fired Texan sysadmin goes rogue, trashes boot business

A former IT administrator working at a cowboy boot manufacturer has pled guilty to hacking the servers and cloud accounts of his employer after they fired him and had him removed from the building. Joe Vito Venzor, 41, had been employed by the Lucchese Boot Company in El Paso, Texas, but he was let go on September 1 last year …

  1. Lou 2

    Quote "The attacker's work was so effective that the application server was totally borked and the company ended up having to buy a new one and reinstall all the software on it"

    Wow! He ruined the hardware on a server by logging in from outside and deleting files. Yeah right. And that is why this company needs outside help. From a shrink.

    1. Crazy Operations Guy

      It's likely that they would purchase the new server so the old one could be used as evidence, or that someone could be building the new one and getting things up and running while another person goes through the old system to pull off files that were deleted or that they just didn't have a backup for (like new order info, transaction logs, etc.).

      I would also think that they'd use this excuse to bring in upgraded hardware if they never had a chance to take down the old one since it was used for so much important stuff.

      1. DougS Silver badge

        They might not be able to install the same version of software now, or might choose to install newer software since it was available, to avoid the need for a later upgrade. If that new software version requires newer hardware, that would mean a new server is needed.

        1. Version 1.0 Silver badge

          In that situation I'd go with a fresh installation - if you've just been nuked from orbit it's the only way to be sure. New hardware and software installations eliminate the possibility that there's another nasty waiting for you.

          1. bombastic bob Silver badge

            new hardware + new software is probably EASIER than cleaning the mess up, too. Overall cost (when you include time and number of people involved) very well could be WAY cheaper than the alternative. No hidden back doors, either.

            1. Danny 14 Silver badge

              So the backups were accessible to such a degree remotely? They had zero offline backups?

              So what would they have done with an encryption virus?

              Rotated, ejected tapes might be a bit 90's tech, but a firesafe with a week-old set of tapes is better than fuck all.

              1. werdsmith Silver badge

                I guess if the company was using a virtual infrastructure then he would have had to attack the ESX hosts, otherwise they would have just needed to roll in the VEEAM or equivalent backups.

                But it sounds like they weren't ready for DR, whatever the cause of the disaster. That was probably down to him too. I guess there is always that risk of mental health problems with many jobs that involve trust, which is why there has to be more than one keyholder for the red nuke button.

              2. Crazy Operations Guy

                "So the backups were accessible to such a degree remotely? They had zero offline backups?"

                The system processed orders, so even if they had backed up the system 5 minutes beforehand, the system still would have information, such as new orders and orders ready to ship, that isn't in the backup.

                Depending on volume, the number of orders lost could easily become more valuable than the cost of a new server. This would especially be true if they are customer-focused: if you were a customer that had paid for merchandise and received a confirmation email detailing the same, would you stand for the company telling you "Sorry, we lost your order"? On the other hand, a customer's order may have completed processing and shipped, so a full manual search of which orders are still in the shipping dock, which have had shipping labels applied, which labels are on a truck, etc.

              3. Alan Brown Silver badge

                Backups

                Backups, and more fucking backups.

                And NOT online backups. They're far too susceptible to this kind of attack.

    2. Lord Elpuss Silver badge

      It's possible (though unlikely) that he also flashed a custom firmware rendering any potential repair financially impractical.

      Writing this as a technicality, as I don't believe for a second he actually rendered the hardware useless. It's just a way of getting the 'value' of the crime up to Grand Larceny levels so they could send him down for a 10 stretch. He was an idiot, but overreaching prosecutors are a plague and a menace to society.

      1. a_yank_lurker Silver badge

        @Lord Elpuss

        Given the nature of the attack, rebuilding the drive would mean reinstalling all the software. Since it would be evidence in a criminal trial, the company needs to buy a new server plus all the work to get it up and running. Depending on how much equipment and time was involved, this could add up fast. Whether the prosecutors are overreaching, I cannot say without more details.

        1. Emmeran

          Re: @Lord Elpuss

          Sadly the prosecutors aren't over-reaching. How many people lost wages because of his shenanigans? He should be charged with theft against each and every of them. I guarantee you most of the line workers are paycheck-to-paycheck folks who cannot afford that 25% hit to their weekly pay.

          The far-reaching effect of an assault on infrastructure - whether it be physical or technical - is usually understated. Nothing brings a company (and its employees) to their knees faster than broken toilets or broken servers.

          1. Anonymous Coward

            Re: @Lord Elpuss

            "Sadly the prosecutors aren't over-reaching. How many people lost wages because of his shenanigans?"

            actually, they are reaching for their paycheck.

            A lot of the "cost" here is for the forensic examinations done (at mandatory price rates where you don't get to choose)... there's very little chance that the company could get to cash in some of those once the various state fees and costs are deducted.

            Just the costs of forensic cloning of a server RAID drive array and follow-up examination alone can rise quickly to multiple-digit thousands of dollars because of this: they need to buy at least double the amount of similar-capacity server-grade drives, and a new server that's RAID-compatible with the old one. (Double the capacity because they would have needed to make 2 sets of forensic drive clones, a read-only clone as primary evidence and a read/write one for functional examinations.) Add to this the costs of the various licenses they need to buy again (if it's commercial software), since it's basically a new server build-up, and the prosecution costs can rise sharply.

            And after all is finished and the guy is sentenced, all of this brand new equipment will go and rot into some evidence crate somewhere, nailed shut and gathering dust on some shelf.

            All paid through the 'costs' attached to the sentence.

      2. rh587

        "Writing this as a technicality, as I don't believe for a second he actually rendered the hardware useless. It's just a way of getting the 'value' of the crime up to Grand Larceny levels so they could send him down for a 10 stretch. He was an idiot, but overreaching prosecutors are a plague and a menace to society."

        Puts you in mind of the Gary McKinnon charges, where the criminal damage to each computer accessed was claimed to be $1500 IIRC - $1500 "just happened" to be the value to move the charge from a misdemeanour to a more serious felony.

        Not that I have any sympathy for this chap - if you're a revenge-minded individual then there are more obvious ways of exfiltrating data or credentials without leaving a trail in your corporate e-mail, and subtlety was apparently a foreign concept. Less BOFH and more Boss, with the inevitable result that he got cuffed.

        But I would concur that arbitrary damage valuations that just seem to be on the tipping point of a higher charge do make one quirk an eyebrow at the state of "justice".

      3. VanguardG

        I should think there were plenty of felonies here to get things ramped up high enough that he would be looking at plenty of jail time - especially if a prosecutor pushes for time to be served consecutively, instead of concurrently, on at least some of the charges. Besides... the prosecutor would want as MANY counts of as MANY charges as possible, not just a few big ones. Then the defense attorney can't find a loophole that negates the ONE big charge and get his client off with only a few months on a handful of misdemeanors. Get him 7 or 8 charges that each carry 4 or 5 years, and push for consecutive sentencing, and you'll get the jail time even if the defense gets some of the charges dismissed. And, were I a judge (luckily for criminals, I'm not) I'd see each server knockdown as a separate crime, and endorse consecutive sentencing - he had a chance to stop himself after screwing up each server, but he continued. So, he should also CONTINUE to serve time in jail after completing his time for each server. The actual judge probably will be much more forgiving... he might be sentenced to 10 years, but the judge will probably suspend 8 of them and let him get out "on good behavior" after just a few months. Then again, it's Texas - he might get the firing squad.

    3. Instinct46

      Cloud Server

      It could of been a cloud based server, and if he'd delete and reconfigured a bunch of the hardware they may not of been able to connect to it

      1. Anonymous Coward

        Re: Cloud Server

        Could HAVE been.

        (Anon because I do post stuff that I fondly think is more significant and don't want to detract from that)

    4. Just Enough

      The quickest solution

      When you have a trashed server that needs to be forensically examined for a prosecution, what would you rather do in order to get your business back up and running ASAP?

      - Wait until it has been examined, then restore a backup, then examine it again to see what other nasty surprises might have been restored from the backup, before finally trusting it to start working with again?

      - Get in a new server, a clean install and a system you can trust?

      1. Alan Brown Silver badge

        Re: The quickest solution

        Pull the drive, drop in a new one, reimage.

        The old drive is your forensics, and being unplugged makes it unmodifiable.

    5. JCitizen

      One of da boys in Texas..

      Joe Vito Venzor of the Lucchese Boot Company got a deal he no can'na refuse! Bada-bing, Bada Boom!!!

  2. Dwarf Silver badge

    An interesting point to add to the risk register for those partaking in cloudy stuff.

    The usual approach of "deny physical access and remote access" is no longer enough to buy time whilst accounts are disabled.

    Sure, the AWS training courses include information on Identity and Access Management (IAM) and what to do when the admin leaves, but how many would remember to do that on the day, and how many of those would need a change request signed in triplicate to get privileged accounts changed "just in case something goes wrong", even though something worse can go wrong without the approved change?

    As for the Muppet who did it, good luck in your new career, since nobody will touch you for IT roles now.

    1. Anonymous Coward

      Which is why you link IAM to AD via ADFS. Disable the AD account and all IAM access disappears.

      1. d3vy Silver badge

        "Which is why you link IAM to AD via ADFS. Disable the AD account and all IAM access disappears."

        RTFA

        He set up at least one new account they didn't know about.

      2. Joe Montana

        AD...

        If he had AD admin access you'd better lock all accounts, and change the KRBTGT password at least twice. He could easily have dumped the entire user database and have access to every single account.
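The thread's advice so far (disable the leaver's directory account, hunt for the accounts he created that nobody knew about, and reset KRBTGT at least twice) can be turned into an offboarding audit. The Python below is an added example and is not code from the article or from any commenter; the security event records, the placeholder admin name `dept_admin`, the departure time and the KRBTGT reset times are all constructed.

```python
"""Offboarding audit for a departing AD admin.

Scans Windows Security event records (constructed here as JSON lines) for
changes the leaver made in the weeks before departure: accounts created
(event 4720), members added to groups (4728/4732/4756) and passwords reset
(4724). Any hit means "disable his one account" is not enough on its own.
"""
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal group
ACCOUNT_CREATED = 4720
PASSWORD_RESET = 4724

# Constructed sample log; "dept_admin" is a placeholder for the departing admin.
SAMPLE_LOG = """\
{"EventID": 4720, "Time": "2016-08-20T09:12:00", "Subject": "helpdesk1", "Target": "new.hire"}
{"EventID": 4720, "Time": "2016-08-29T22:41:00", "Subject": "dept_admin", "Target": "svc_backup2"}
{"EventID": 4728, "Time": "2016-08-29T22:43:00", "Subject": "dept_admin", "Target": "svc_backup2", "Group": "Domain Admins"}
{"EventID": 4732, "Time": "2016-08-30T07:05:00", "Subject": "dept_admin", "Target": "printops", "Group": "Print Operators"}
{"EventID": 4724, "Time": "2016-08-31T18:30:00", "Subject": "dept_admin", "Target": "ceo"}
{"EventID": 4728, "Time": "2016-06-01T10:00:00", "Subject": "dept_admin", "Target": "old.change", "Group": "Domain Admins"}
"""
LEFT_AT = datetime(2016, 9, 1, 12, 0)            # constructed departure time
KRBTGT_RESETS = [datetime(2016, 1, 1), datetime(2016, 9, 2), datetime(2016, 9, 3)]  # constructed


def parse_events(text):
    """Parse JSON-lines records, turning the ISO timestamp into a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["Time"] = datetime.fromisoformat(ev["Time"])
            events.append(ev)
    return events


def audit_departing_admin(events, admin, left_at, lookback_days=30):
    """Collect the directory changes `admin` made in the window before `left_at`."""
    window_start = left_at - timedelta(days=lookback_days)
    findings = {"created_accounts": [], "privileged_additions": [],
                "other_group_additions": [], "password_resets": []}
    for ev in events:
        if ev["Subject"] != admin or not (window_start <= ev["Time"] <= left_at):
            continue
        if ev["EventID"] == ACCOUNT_CREATED:
            findings["created_accounts"].append(ev["Target"])
        elif ev["EventID"] in GROUP_ADD_EVENTS:
            key = ("privileged_additions" if ev["Group"] in PRIVILEGED_GROUPS
                   else "other_group_additions")
            findings[key].append((ev["Target"], ev["Group"]))
        elif ev["EventID"] == PASSWORD_RESET:
            findings["password_resets"].append(ev["Target"])
    return findings


def accounts_to_recredential(findings):
    """Accounts the leaver created, reset, or elevated: disable or re-credential each one."""
    return sorted(set(findings["created_accounts"]) | set(findings["password_resets"])
                  | {user for user, _ in findings["privileged_additions"]})


def krbtgt_resets_since(reset_times, left_at):
    """Count KRBTGT resets after departure; the thread's advice is at least two."""
    return sum(1 for t in reset_times if t > left_at)


if __name__ == "__main__":
    found = audit_departing_admin(parse_events(SAMPLE_LOG), "dept_admin", LEFT_AT)
    print(json.dumps(found, indent=2), accounts_to_recredential(found))
    print("KRBTGT resets since departure:", krbtgt_resets_since(KRBTGT_RESETS, LEFT_AT))
```

The June group addition falls outside the 30-day window and is deliberately left out; widen `lookback_days` if the leaver had admin rights for longer than that.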

        1. bombastic bob Silver badge

          Re: AD...

          "He could easily have dumped the entire user database and have access to every single account."

          right, and STILL have low-level access via some obscure user account, which [with the right tools] can get you admin access, depending on installed patches and running software, or a carefully installed back door (that would do it for sure). He ALREADY added a secret login with admin privs, so why wouldn't he put in a back door (or two) as well? [this is a good reason for "get new computer, re-build from scratch" to fix this]

          To add back doors, you could re-compile system stuff from modified source, or install your own dummy applications that run the real ones, or tack on 'virus-like' extensions to various programs that run in the context of 'root' or 'system' or 'administrator' and/or just install something that LOOKS like it belongs there, even signing it with your own certs [when needed] that you install [easy to do] when THAT kind of thing is necessary, yotta yotta yotta. Nothing new under the sun. These things are _EASY_ to do... which is why senior admins and/or managers need to watch out for that kind of crap.

          (but a lazy crooked sysadmin would probably install some "toolz" purchased off the darknet)

    2. chivo243 Silver badge

      @Dwarf

      +1, well said.

      "but how many would remember to do that on the day and how many of those would need a change request signed in triplicate to get privileged accounts changed "just in case something goes wrong", even though something worse can go wrong without the approved change."

      Not many, approaching ZERO, as HR and other less tech-savvy departments usually have to be involved too. The cloud? Isn't that where we keep our stuff?

    3. bombastic bob Silver badge

      "As for the Muppet who did it, good luck in your new career, since nobody will touch you for IT roles now."

      well after 10 years in the Iron Bar hotel, he'll be 50-something and recently paroled, 10 years out of touch with the industry (no 'recent experience' in anything), and didn't even do anything famous/brilliant enough to get a consulting gig (to fight off other wanna-be hackers). So yeah. He's pretty much UNEMPLOYABLE in the IT field. And if his firing was for a really really good reason (like incompetence), there's that, too.

  3. NoneSuch

    No job is worth jail time.

    When I was laid off in a particular snotty fashion, I got a phone call a week later asking if I wouldn't mind coming in to brief the new IT guy. I declined.

    1. Dwarf Silver badge

      "When I was laid off in a particular snotty fashion, I got a phone call a week later asking if I wouldn't mind coming in to brief the new IT guy. I declined."

      The correct answer is that now I'm no longer employed by you, the consultancy rate is (5-10 x previous rate) and you would be happy to help, but given the circumstances, the terms are payment in advance.

      Obviously if you are still in the exit process and arguing about the package, then the same can be done on severance, again paid in advance.

      If they want it bad enough, they will pay. If not, then you tried to help, but it becomes someone else's problem. I think it's called cause and effect.

      1. MonkeyCee Silver badge

        "The correct answer is that now I'm no longer employed by you, the consultancy rate is (5-10 x previous rate) and you would be happy to help, but given the circumstances, the terms are payment in advance."

        You're way too nice :)

        Either I'm already there on consultancy rates, in which case my summoning cost is being met.

        If it's from a previous workplace, then I start with a request for a month's salary for even looking at the proposal, and about a month's salary = daily rate (or weekly = hourly).

        I am no longer surprised when people will throw piles of money at you to solve their shit, who only weeks earlier were bitching about paying you a buck or two more an hour, and how your skills were easily available in the marketplace.

        I am still a little shocked at just how quickly they agree. I'm obviously not charging nearly enough....

        1. Anonymous Coward

          "a month's salary = daily rate (or weekly = hourly)."

          You're way too optimistic!

        2. Prst. V.Jeltz Silver badge

          My partner has just left a small company where she is the only one who knows how to operate the "navision" finance system.

          It took her about 6 months from giving notice to leaving, due to protests, screams, threats & pleading from the company.

          Time and time again, I told her "Consultancy rates!!!!", but it never happened :(

      2. Alan Brown Silver badge

        "The correct answer is that now I'm no longer employed by you, the consultancy rate is (5-10 x previous rate) and you would be happy to help, but given the circumstances, the terms are payment in advance."

        It's actually better to decline.

        If you start demanding high rates they may sic lawyers on the case claiming blackmail.

        I've seen it happen. Wait for them to make the monetary offer and give them time to worry you'll refuse.

  4. Will Godfrey Silver badge

    What a Muppet.

    What was he thinking, with all the very well publicised cases of rogue SysAdmins being thrown in the slammer?

    1. goldcd

      Re: What a Muppet.

      I'm pretty sure this wasn't a well thought out plan.

      Possibly the sort of 'planning' that got him the boot in the first place.

      1. Doctor Syntax Silver badge

        Re: What a Muppet.

        "I'm pretty sure this wasn't a well thought out plan."

        It sounds as if some preparations were made in advance.

    2. Robert Carnegie Silver badge

      Re: What a Muppet.

      If people don't know that you will demolish the company's IT if you are fired, then how do your preparations keep you from being fired?

      Maybe when he "became volatile" (was that the expression?) he was trying to explain what he could and would do if they went ahead and dispensed with his services.

    3. Anonymous Coward

      @Will

      Muppet is too friendly.

      Morons like that also ruin it for the serious IT staffers, because there will be employers who may start worrying about all this. The classic "can you really trust the IT department?", and that could have its effect on plenty of others.

      1. Danny 14 Silver badge

        Re: @Will

        Just wait a month and give some other spod admin rights with your hidden account. Use their account to run an encryption virus on the server. VPN the access and away you go.

  5. Crazy Operations Guy

    Properly designed security

    In a properly-secured organization, you should always approach security as if the attacker has full admin access on your systems and has intimate knowledge of the network, specifically to prevent something like this from happening. Even if you trust your sysadmins, they could accidentally lose their devices with sensitive data on them and have them picked up by someone malicious, or someone could compromise those people (kidnap their family, blackmail them, etc.).

    1. Anonymous Coward

      Re: Properly designed security

      Indeed! There's even this magical "new" thing called role-based access, whereupon, get this, you only give limited access to anyone needing it, and further minimize risk by making more delineations in the roles where the work gets done. It's built into just about every software system I've seen. You can set up a class structure where only admin A can build a thing, and only admin B can give access to it, or other business role breakdowns based on the capabilities of the product.

      Although, that would require more people to man the operations and then make sure those roles are adhered to. And that requires well thought out planning and teamwork. Something that a shoe manufacturer may miss in their mad dash to cut costs in IT. I'm sure this madmin [sic] was of low cost and quality to begin with, and here's what you get for your money, Mr Boot CEO: fucked.

      Also, cowboy boots are made for; 1) actual livestock workers, 2) people pretending to be actual livestock workers IRL or on TV, and 3) racists.

      1. 404 Silver badge

        Re: Properly designed security

        Cowboy boots are also great for dancing, you uneducated judgmental sonuvabitch...

        1. Allan George Dyer Silver badge

          Re: Properly designed security

          @404 - I look forward to your production of Swan Lake in Cowboy Boots!

          1. 404 Silver badge

            Re: Properly designed security

            lmao! Trying to imagine that...

            However, Two-Step, Country Swing, or mosh pit - they're great!

            aww hell! It's April Fool's Day... Trolls abound...

          2. Francis Boyle Silver badge

            Well I'm currently crowdsourcing funding

            for a production of Swan Lake featuring crossdressing lumberjacks. Sling me some money and I'll put them in cowboy boots of your choice.

            That's my April Fools done, then.

            1. Richard 12 Silver badge

              Re: Well I'm currently crowdsourcing funding

              That still wouldn't be the strangest production of Swan Lake.

              The classics have been "re-imagined" in almost every way imaginable. And will continue to be so.

              Still waiting for the zero-G edition.

              1. This post has been deleted by a moderator

          3. LDS Silver badge

            "Swan Lake in Cowboy Boots!"

            I can foresee the final shootout between Siegfried and Von Rothbart...

            (taking the duster for the duel...)

          4. Chiiirac

            Re: Properly designed security

            started on this already

            https://www.youtube.com/watch?v=FvZO-UYsehs

        2. Fr. Ted Crilly

          Re: Properly designed security

          :-) Being a bit of a short arse meself, wanting to look a bit taller (I favour a 1.5" heel, just enough, y'know) in worky formal clothes AND, tbh, when nicely broken in, v comfortable too.

Biting the hand that feeds IT © 1998–2019