back to article What the #!/%* is that rogue Raspberry Pi doing plugged into my company's server room, sysadmin despairs

It's every sysadmin's worst nightmare: discovering that someone has planted a device in your network, among all your servers, and you have no idea where it came from nor what it does. What do you do? Well, one IT manager at a college in Austria decided the best bet was to get on Reddit and see what the tech hive mind could …

Page:

  1. sitta_europea

    Some years ago I replaced the IT manager at a large motor manufacturer in Birmingham.

    He left on a Friday.

    The following Monday I noticed he was loged in over a modem that he curiously had forgotten to mention.

    I unplugged it.

    1. Mayday Silver badge
      Holmes

      Some places I've left my corporate email etc accounts on my phone and been able to receive mail for months after I've left, others I get prompted for the password before I've gone through the door (ie account disabled).

      My point being some companies have better exit processes than others.

      1. LeahroyNake Bronze badge

        Sometimes just changing the password doesn't work / Apple devices are a pain for remembering the auth token.

        Disable the account and wipe any connected devices as per your companies BYOD TOS ? Or is that going overboard ?

      2. Ryan D

        A few years back I had access to my old admin accounts for four years after I left my job.

        The scary part? It was a large government........ 'Nuff said.

      3. Anonymous Coward
        Anonymous Coward

        Happens at the NHS. One trust I was at, I could pick up my e-mails for months after I'd left. I'm AC because the tech who was supervising us, who I'm friends with still works for the NHS, but at another trust. She said, quite rightly, "It's not my problem as I told them and filled in the forms informing them you'd left, the day you left. If they can't be bothered to then lock and close your account despite me giving them several warnings, that's their fault".

        Quite right.

        I do enjoy thinking of ways to get back in to places I've left though. Not because I'd ever do it, but to find out if it would be possible without being noticed. Sadly, it being highly illegal, you can't test your ideas out :)

    2. big_D Silver badge

      When I left a couple of previous emplyoers, I ended up telling them to change their damned passwords after a couple of months, because i accidentally logged onto my old OWA instead of the new one and it was still active.

      Or the Amazon or Also account etc. Web hosting? CMS system? Corporate Facebook page? Still Xing or LinkedIn corporate presence administrator... And that was an IT company!

      In that case, I told them quickly, because I didn't want them blaming me for anything! I sent it registered post.

      1. Shady

        Re: easy pickings

        I left a small IT company about ten years ago, and went back about three years ago for a short term contract.

        My email (username) and password still worked. Worse still, the network manager at the time had enforced the use of the company name as password because he was fed up of dealing with reset / forgotten password attempts by the peasants.

        1. big_D Silver badge

          Re: easy pickings

          I went to one company, their previous sysadmin also found a standard password easier than individual passwords for all users. Apart from the CEO, every user had the password 123456 and wasn't allowed to change it...

          Then, the best thing was, every user's email was available over OWA!

          My first day there, I disabled OWA for everybody and set all the accounts to change the password at next login.,

        2. cray74 Silver badge

          Re: easy pickings

          My email (username) and password still worked.

          Wow. At the other end of things, when a downsizing caught me my access was cut-off mid-email the morning I was booted out the door. While I was getting the bad news from HR (over the phone, because the local HR rep had been laid off before me), I had been trying to email coworkers to pick up my remaining tasks and notify customers. But IT had deadlines to cut access and happened in the middle of the call.

          Since the company had been shriveling for some time they had apparently dealt with a number of emails from terminated employees that contained less-than-professional departing comments, hence the hurry to cut access.

          Subsequent emails from the company, such as for termination benefits, went to my personal email address.

          1. J.G.Harston Silver badge

            Re: easy pickings

            In one job I didn't know my contract had ended until I lost network access in the middle of the day in the middle of imaging a dozen desktops.

          2. MachDiamond Silver badge

            Re: easy pickings

            "Since the company had been shriveling for some time they had apparently dealt with a number of emails from terminated employees that contained less-than-professional departing comments, hence the hurry to cut access."

            They would have done better to have sacked you through your immediate local supervisor and offered to pay you a premium (hefty) if you would spend a day with them detailing tasks that needed to be delegated to those that much remain behind. It would be well worth £1,000 or more for them to do that and that sort of dosh can sooth the fury enough to be civil. Multiples might make it possible to at least act friendly. Many companies handle terminations very poorly. It sucks, but any company of more than one is going to have to deal with it.

            I left an engineering job and the COO didn't take my notice seriously. I was pissed at the whole train wreck of a shop and they had finally placed the last straw so I was out of there. 3 days before my final day I got an email asking me about following up on a project. I replied that Friday was my last day and I was currently making sure that all of files were backed up on SVN, my desk was tidy and I would be packing up my computer (BYOC) and personal items on Thursday so I would only have final check out to do on Friday. They did understand, belatedly, that having me spend some time on a hand over would be worth a premium, but they then went on to insist on all sorts of other things I would have to agree to be eligible for the payment. I had to go to the labor board to be paid for unused leave that I could never take. They failed to notice that every time I scheduled some time off, they would book testing that I had to be on-site for and didn't actually get to take that time. It's a damn good thing I keep a journal at work. If your work is independent or isn't subject to continuous supervision, keep a simple daily journal of what you did that day and the times. If you ever get an inquiry about where you were on a particular day and what you were doing, you can page back and tell somebody with some accuracy.

        3. Doctor Syntax Silver badge

          Re: easy pickings

          "I left a small IT company about ten years ago, and went back about three years ago for a short term contract.

          My email (username) and password still worked."

          Been in a similar situation with old client. Some development tools bought by my company and installed on the PC I used still installed....

          This was only after a few months so it might have got cleaned off later.

          1. Anonymous Coward
            Anonymous Coward

            Re: easy pickings

            I once had a work colleague who had previously worked for the same organisation, and then left for another job somewhere else, before finally later returning to a different job in the first organisation again.

            They were not reallocated their old username (despite it still being in the system), because:

            "That username has already been issued to someone else."

            "Yes, that was me."

            "Well, we've set up a new username for you now, we can't change it."

            And one of the reasons that old usernames remained in the system was because the nature of the business meant that a reasonable number of employees were sometimes on temporary contracts and it was not unusual for them to work a number of temporary contracts in various organisations before finding themselves back again (and the people responsible for issuing usernames were supposed to check whether someone already existed in the system before doing so!).

            1. Dr Paul Taylor

              "That username has already been issued to someone else."

              That's the reason why I am "Dr" Paul Taylor on El Reg. There seems to be no way of getting my login merged with my earlier "Paul Taylor".

            2. James R Grinter

              Re: easy pickings

              Its actually a good procedure (or would be if they’d done it intentionally) - the returning person may not be doing the same job as before so giving a new account name can avoid giving access they used to have but no longer need.

              1. Anonymous Coward
                Anonymous Coward

                Re: easy pickings

                After leaving, and maybe even returning again, it would be a rare company that always thought to remove email and phone numbers systematically and immediately from every previous application's configuration in all environments: test and dev as well as prod. So it is hardly surprising if some previous applications continue to send support mail or ticket updates to a reused internal email address, or even occasional SMS messages to a phone, which could be confusing or a nuisance if the address or phone number had a new owner. Content sent out of the app should have been vetted to ensure that it is not sensitive, but it would still be better to watch out for this contact lifetime issue in future and try to think of a way to manage it correctly.

          2. Anonymous Coward
            Anonymous Coward

            Re: easy pickings

            "I left a small IT company about ten years ago, and went back about three years ago for a short term contract.

            My email (username) and password still worked."

            Many years ago, I had set up the company network, servers etc and the last few weeks I was there I did some documentation.

            About five years later I was working there again, but with lower rights than before, as it was a question of trust. Until the network went pearshaped, and no one else to look at it, I was given ..... the same documentation that I created five years earlier, with my hand written notes and passwords....

            Another company wanted all the admin passwords written down, put in sealed envelopes and placed in a safe, just in case of emergency. My colleague did so, I was too busy and never got round to it.

            A few weeks later, there was a meeting about a management buyout, staff will be laid off. While the meeting was going on, some weaselly PHB had opened the safe, took the envelope and changed passwords. My colleague was locked out of his systems and mine still worked.

        4. Anonymous Coward
          Anonymous Coward

          Re: easy pickings

          The BOFH law of password insecurity: all IT Manglers\\\\\agers choose relatively weak passwords for shared resources, because they are too lazy to remember (or record) stronger ones, no matter how often the BOFH attempts to advise that this is not exactly a very good practice.

          (Unfortunately, the lifts in my workplace are not sufficiently reliable for this problem to yet have been rectified. It would be rather unfair if an unexpected object were to fall on an entirely innocent lift engineer.)

          1. Michael Habel Silver badge
            Devil

            Re: easy pickings

            Speaking of what has Mr. Travaglia been up to these many months? November is on the wane, and I'm jonesen for some new BOFH...

      2. MachDiamond Silver badge

        "In that case, I told them quickly, because I didn't want them blaming me for anything! I sent it registered post."

        Wise move. When you leave a company, you want to make sure that your have given up all of your keys, codes and accounts on their computers. You also want to be receipted on that as well. Be sure to insist on that if before you agree to an exit interview, if they do that, or sign any documents.

        If you don't need access to something as a part of your job, don't get keys/codes for it. It can be very unpleasant to have to answer a bunch of questions regarding a crime or breach in an area that isn't part of your normal activities. Get one time or temp access when you need it. If it's a secure area, get somebody responsible to walk you in and check you out or even sit there while you do your work. Even if they deactivate a key card or company ID, make sure you give it back and get a receipt.

    3. Anonymous Coward
      Anonymous Coward

      Before or after calling the FBI?

    4. Mike Friedman

      That's exactly what I would've done with this. Unplugged it, put it in my desk (locked of course) and waited to see who claimed it.

      And then given them a talking to about putting things in MY server room that I don't know about.

      1. Pete4000uk

        'A meeting without coffee'

      2. Cpt Blue Bear

        "That's exactly what I would've done with this. Unplugged it, put it in my desk (locked of course) and waited to see who claimed it."

        And that's exactly what I have done. Mind you, it wasn't anything quite as sophisticated as this. Mine was an old netbook plugged into an open wall socket and tucked behind a filing cabinet. Its sheepish owner got a lecture about professional behaviour, followed by how to throttle a torrent client so it doesn't cause trouble on the network (because no one in IT over the age of 35 hasn't done something similar and incompetence offends me).

        "And then given them a talking to about putting things in MY server room that I don't know about."

        I've also heard that argument from a network manager when organising sanctioned traffic monitoring. My answer was it wasn't "his" server room, it belonged to his employer. Turns out he had good reason to not want us snooping (or should that be snorting?) around "his" network.

  2. Anonymous Coward
    Anonymous Coward

    I would complain more at the seemingly-paranoid security measures currently being rolled out at my place (only code submitted to the main repo may be run at all), if it wasn't clear how much real damage rogue employees can do.

    1. big_D Silver badge

      We only allow signed code, which can only be done on a single computer in the IT department.

      Nothing unusual about that.

      The IT staff can develop on their own test VMs, but the code can only run on those devices, to run it on the core infrastructure, it first needs to be approved and signed.

  3. This post has been deleted by its author

  4. elDog Silver badge

    Leaving routers in dropped ceilings; unidentified phone lines; ...

    Just recounting this for someone I might have worked with.

    He apparently knew someone who worked at some company that was moving to a new location. That someone asked a neighboring business if he could run a TP through the dropped ceiling over the dividing wall for his router to get access to power and LAN. Friendly neighbor said "sure". As far as someone knows, that router is still blinking lights happily. (The credentials might be admin$ad...)

    Another bloke actually left a second modem and phone line in a house that he sold. The purpose was to be able to do remote call forwarding without paying some crazy long-distance charges. The buyers happened to work for some spooky agency but it took a few months for a security scan to find out the leaky bits.

    Or, this may just be hearsay.

    1. Anonymous Coward
      Anonymous Coward

      if you heard it down the pub

      then it must be true - first rule of IT security :)

      I used to drink with the pen test team from a large IT services company. They had some hilarious stories.

      1. Anonymous Coward
        Anonymous Coward

        Re: if you heard it down the pub

        A pet hate of mine is the enthusiasm with which pointy haired bosses and sundry HR rejects, oxygen thieves etc. enthuse about things like Yammer, Tibbr and similar in-house Faecebook lookalikes and how we can get Answers To All Our Problems(TM) by posting on the hallowed turf

        If I'm feeling particularly awkward I ask about the quality implications of relying on advice from complete strangers (it's a large organisation) and point out that it is largely the same as saying "some bloke down the pub told me". The follow-up question is along the lines of how does that square with ISO9000 etc., certification.

        1. Anonymous Coward
          Anonymous Coward

          Re: if you heard it down the pub

          Oi, that's effectively the modus operandi of StackExchange (and in a former era, usenet), or even this forum, that you're dissing there!

          For every random nutter complete stranger out there on the internet, there is at least one kind, helpful stranger willing to offer (hopefully) sensible advice, partly because they are a decent human being, and partly because they hope that someone might return the favour to them one day if need be.

          Sometimes the nutter:angel ratio is even better than that.

          1. Anonymous Coward
            Anonymous Coward

            Re: nutters v angels

            The tricky bit is telling them apart.

            Especially here.

            <Looks around furtively to see if the BOFH is listening>

        2. Vincent Ballard

          ISO9000

          Surely you're fine with ISO9000 as long as you sneak a line about "Consulting outside expertise" into the process document.

        3. d3vy Silver badge

          Re: if you heard it down the pub

          Oh... The arguments I've had with people on Yammer.

          Them "Does anyone know how to resolve issue x on my work laptop"

          Stranger #1 : "just download this thing from www.totallynotmalware.com and install it, fixed my issue"

          Stranger #2 : "I had the same thing and fixed it by deleting files x,y,z"

          Me : "FFS, we have a massive service desk with tonnes of people who do this for a living, why are you trusting Frank the janitors cousin to tell you how to fix your corporate laptop?!?"

  5. Anonymous Coward
    Anonymous Coward

    Not quite as dire

    But I retired from a large corporate workplace a while back.

    I rather think they borked the offboarding (or whatever the trendy HR expression of the day is) as, over two months later, I still had full access, and was still being paid.

    Knobwits

    1. Hollerithevo Silver badge

      Re: Not quite as dire

      Yep, I got paid an extra month's salary and various accounts were still available to me after I resigned. I wemailed, then wrote, asking to whom I should pay back the salary, etc., but heard nothing. The money sits in my account earning whole pennies of interest until they finally get a clue.

    2. DuchessofDukeStreet

      Re: Not quite as dire

      Never been fortunate enough (although the last employer didn't tell HMRC that I'd left and they weren't paying me any longer, with the result that HMRC then changed my tax code to reflect that my salary had doubled....) but about 15 years ago, several employers ago, the Head of IT was let go (following a vile takeover for him to be replaced by a useless PHB). Nine months later, he turned up on site for a service - in his company car. Turns out that, although he'd been let go (and paid a settlement figure to avoid a tribunal) HR hadn't stopping paying his salary (and new PHB hadn't spotted the cost), providing medical cover or asked him to return the car, his laptop, his security pass, etc, etc He'd been putting all the money into a specific savings account so he could return it if asked.

  6. KieranTully

    It's to tell you how busy the wiring closet is, before you visit

    A student in the US found hidden Pis were being used to count MAC addresses to generate busyness heat maps for college facilities. See https://youtu.be/UeAKTjx_eKA

  7. Chris King Silver badge
  8. Destroy All Monsters Silver badge
    Black Helicopters

    Uh-huh. "Former employee with high-level access".

    So what we have is a former employee who for some reason had access to a secure server room in the heart of the organization, without the IT manager being informed, and who installed a fairly sophisticated bit of kit

    It's lucky this isn't some high-value target or very private industry otherwise this could end in a messy kashogghi or a vatican-bank-style suicide.

    Better watch out regardless, it's good that a heads-up has been posted on El Reg already. IT peons are not valued highly.

  9. Throatwarbler Mangrove Silver badge

    LOL Reddit

    Thankfully we have here The Register's army of commentards, who are sure to remain universally calm and rational!

    1. DavidRa
      Joke

      Re: LOL Reddit

      Oi, who are you calling calm and rational!?

      1. Korev Silver badge
        Joke

        Re: LOL Reddit

        OI, WHO ARE YOU CALLING CALM AND RATIONAL!?

        Fixed the capitalisation for you...

    2. the spectacularly refined chap

      Re: LOL Reddit

      Thankfully we have here The Register's army of commentards, who are sure to remain universally calm and rational!

      One would have hoped there were enough clues in the article but not for the first time something like this has clearly gone "whoosh!" straight over the heads of many commentards.

      Seriously, a commodity USB wifi/Bluetooth combo is a "pretty powerful IoT device", and obviously a program called "logger" is automatically suspicious on a Unix system. You expect that on Reddit but you'd expect at least enough nous to recognise satire here.

      1. John Brown (no body) Silver badge

        Re: LOL Reddit

        "Seriously, a commodity USB wifi/Bluetooth combo is a "pretty powerful IoT device", and obviously a program called "logger" is automatically suspicious on a Unix system. You expect that on Reddit but you'd expect at least enough nous to recognise satire here."

        Not only that, but there's no further info on the ex-employee. We don't know if he was sacked or just moved to a new job. For all we know, he left to be a pen tester and was doing the college a favour :-)

      2. This post has been deleted by its author

    3. Inventor of the Marmite Laser Silver badge

      Re: LOL Reddit

      Marmite lasers are neither calm nor rational.

      Beware the blinding beam of brown

      1. fedoraman

        Re: LOL Reddit (Marmite Lasers)

        I've always wanted to ask this - how do you get the population inversion with these things?

  10. herman Silver badge

    So, after all this 'helpful' Reddit chinwagging, has the extremely competent IT Administrator unplugged the RPi yet?

    1. raving angry loony

      Depending on the size of the company, it might take 3 months for the change management request to be approved by an I.T. illiterate management.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019