Some years ago I replaced the IT manager at a large motor manufacturer in Birmingham.
He left on a Friday.
The following Monday I noticed he was loged in over a modem that he curiously had forgotten to mention.
I unplugged it.
It's every sysadmin's worst nightmare: discovering that someone has planted a device in your network, among all your servers, and you have no idea where it came from nor what it does. What do you do? Well, one IT manager at a college in Austria decided the best bet was to get on Reddit and see what the tech hive mind could …
Some places I've left my corporate email etc accounts on my phone and been able to receive mail for months after I've left, others I get prompted for the password before I've gone through the door (ie account disabled).
My point being some companies have better exit processes than others.
Happens at the NHS. One trust I was at, I could pick up my e-mails for months after I'd left. I'm AC because the tech who was supervising us, who I'm friends with still works for the NHS, but at another trust. She said, quite rightly, "It's not my problem as I told them and filled in the forms informing them you'd left, the day you left. If they can't be bothered to then lock and close your account despite me giving them several warnings, that's their fault".
I do enjoy thinking of ways to get back in to places I've left though. Not because I'd ever do it, but to find out if it would be possible without being noticed. Sadly, it being highly illegal, you can't test your ideas out :)
When I left a couple of previous emplyoers, I ended up telling them to change their damned passwords after a couple of months, because i accidentally logged onto my old OWA instead of the new one and it was still active.
Or the Amazon or Also account etc. Web hosting? CMS system? Corporate Facebook page? Still Xing or LinkedIn corporate presence administrator... And that was an IT company!
In that case, I told them quickly, because I didn't want them blaming me for anything! I sent it registered post.
I left a small IT company about ten years ago, and went back about three years ago for a short term contract.
My email (username) and password still worked. Worse still, the network manager at the time had enforced the use of the company name as password because he was fed up of dealing with reset / forgotten password attempts by the peasants.
I went to one company, their previous sysadmin also found a standard password easier than individual passwords for all users. Apart from the CEO, every user had the password 123456 and wasn't allowed to change it...
Then, the best thing was, every user's email was available over OWA!
My first day there, I disabled OWA for everybody and set all the accounts to change the password at next login.,
My email (username) and password still worked.
Wow. At the other end of things, when a downsizing caught me my access was cut-off mid-email the morning I was booted out the door. While I was getting the bad news from HR (over the phone, because the local HR rep had been laid off before me), I had been trying to email coworkers to pick up my remaining tasks and notify customers. But IT had deadlines to cut access and happened in the middle of the call.
Since the company had been shriveling for some time they had apparently dealt with a number of emails from terminated employees that contained less-than-professional departing comments, hence the hurry to cut access.
Subsequent emails from the company, such as for termination benefits, went to my personal email address.
"Since the company had been shriveling for some time they had apparently dealt with a number of emails from terminated employees that contained less-than-professional departing comments, hence the hurry to cut access."
They would have done better to have sacked you through your immediate local supervisor and offered to pay you a premium (hefty) if you would spend a day with them detailing tasks that needed to be delegated to those that much remain behind. It would be well worth £1,000 or more for them to do that and that sort of dosh can sooth the fury enough to be civil. Multiples might make it possible to at least act friendly. Many companies handle terminations very poorly. It sucks, but any company of more than one is going to have to deal with it.
I left an engineering job and the COO didn't take my notice seriously. I was pissed at the whole train wreck of a shop and they had finally placed the last straw so I was out of there. 3 days before my final day I got an email asking me about following up on a project. I replied that Friday was my last day and I was currently making sure that all of files were backed up on SVN, my desk was tidy and I would be packing up my computer (BYOC) and personal items on Thursday so I would only have final check out to do on Friday. They did understand, belatedly, that having me spend some time on a hand over would be worth a premium, but they then went on to insist on all sorts of other things I would have to agree to be eligible for the payment. I had to go to the labor board to be paid for unused leave that I could never take. They failed to notice that every time I scheduled some time off, they would book testing that I had to be on-site for and didn't actually get to take that time. It's a damn good thing I keep a journal at work. If your work is independent or isn't subject to continuous supervision, keep a simple daily journal of what you did that day and the times. If you ever get an inquiry about where you were on a particular day and what you were doing, you can page back and tell somebody with some accuracy.
"I left a small IT company about ten years ago, and went back about three years ago for a short term contract.
My email (username) and password still worked."
Been in a similar situation with old client. Some development tools bought by my company and installed on the PC I used still installed....
This was only after a few months so it might have got cleaned off later.
I once had a work colleague who had previously worked for the same organisation, and then left for another job somewhere else, before finally later returning to a different job in the first organisation again.
They were not reallocated their old username (despite it still being in the system), because:
"That username has already been issued to someone else."
"Yes, that was me."
"Well, we've set up a new username for you now, we can't change it."
And one of the reasons that old usernames remained in the system was because the nature of the business meant that a reasonable number of employees were sometimes on temporary contracts and it was not unusual for them to work a number of temporary contracts in various organisations before finding themselves back again (and the people responsible for issuing usernames were supposed to check whether someone already existed in the system before doing so!).
After leaving, and maybe even returning again, it would be a rare company that always thought to remove email and phone numbers systematically and immediately from every previous application's configuration in all environments: test and dev as well as prod. So it is hardly surprising if some previous applications continue to send support mail or ticket updates to a reused internal email address, or even occasional SMS messages to a phone, which could be confusing or a nuisance if the address or phone number had a new owner. Content sent out of the app should have been vetted to ensure that it is not sensitive, but it would still be better to watch out for this contact lifetime issue in future and try to think of a way to manage it correctly.
"I left a small IT company about ten years ago, and went back about three years ago for a short term contract.
My email (username) and password still worked."
Many years ago, I had set up the company network, servers etc and the last few weeks I was there I did some documentation.
About five years later I was working there again, but with lower rights than before, as it was a question of trust. Until the network went pearshaped, and no one else to look at it, I was given ..... the same documentation that I created five years earlier, with my hand written notes and passwords....
Another company wanted all the admin passwords written down, put in sealed envelopes and placed in a safe, just in case of emergency. My colleague did so, I was too busy and never got round to it.
A few weeks later, there was a meeting about a management buyout, staff will be laid off. While the meeting was going on, some weaselly PHB had opened the safe, took the envelope and changed passwords. My colleague was locked out of his systems and mine still worked.
The BOFH law of password insecurity: all IT Manglers\\\\\agers choose relatively weak passwords for shared resources, because they are too lazy to remember (or record) stronger ones, no matter how often the BOFH attempts to advise that this is not exactly a very good practice.
(Unfortunately, the lifts in my workplace are not sufficiently reliable for this problem to yet have been rectified. It would be rather unfair if an unexpected object were to fall on an entirely innocent lift engineer.)
"In that case, I told them quickly, because I didn't want them blaming me for anything! I sent it registered post."
Wise move. When you leave a company, you want to make sure that your have given up all of your keys, codes and accounts on their computers. You also want to be receipted on that as well. Be sure to insist on that if before you agree to an exit interview, if they do that, or sign any documents.
If you don't need access to something as a part of your job, don't get keys/codes for it. It can be very unpleasant to have to answer a bunch of questions regarding a crime or breach in an area that isn't part of your normal activities. Get one time or temp access when you need it. If it's a secure area, get somebody responsible to walk you in and check you out or even sit there while you do your work. Even if they deactivate a key card or company ID, make sure you give it back and get a receipt.
"That's exactly what I would've done with this. Unplugged it, put it in my desk (locked of course) and waited to see who claimed it."
And that's exactly what I have done. Mind you, it wasn't anything quite as sophisticated as this. Mine was an old netbook plugged into an open wall socket and tucked behind a filing cabinet. Its sheepish owner got a lecture about professional behaviour, followed by how to throttle a torrent client so it doesn't cause trouble on the network (because no one in IT over the age of 35 hasn't done something similar and incompetence offends me).
"And then given them a talking to about putting things in MY server room that I don't know about."
I've also heard that argument from a network manager when organising sanctioned traffic monitoring. My answer was it wasn't "his" server room, it belonged to his employer. Turns out he had good reason to not want us snooping (or should that be snorting?) around "his" network.
We only allow signed code, which can only be done on a single computer in the IT department.
Nothing unusual about that.
The IT staff can develop on their own test VMs, but the code can only run on those devices, to run it on the core infrastructure, it first needs to be approved and signed.
Just recounting this for someone I might have worked with.
He apparently knew someone who worked at some company that was moving to a new location. That someone asked a neighboring business if he could run a TP through the dropped ceiling over the dividing wall for his router to get access to power and LAN. Friendly neighbor said "sure". As far as someone knows, that router is still blinking lights happily. (The credentials might be admin$ad...)
Another bloke actually left a second modem and phone line in a house that he sold. The purpose was to be able to do remote call forwarding without paying some crazy long-distance charges. The buyers happened to work for some spooky agency but it took a few months for a security scan to find out the leaky bits.
Or, this may just be hearsay.
A pet hate of mine is the enthusiasm with which pointy haired bosses and sundry HR rejects, oxygen thieves etc. enthuse about things like Yammer, Tibbr and similar in-house Faecebook lookalikes and how we can get Answers To All Our Problems(TM) by posting on the hallowed turf
If I'm feeling particularly awkward I ask about the quality implications of relying on advice from complete strangers (it's a large organisation) and point out that it is largely the same as saying "some bloke down the pub told me". The follow-up question is along the lines of how does that square with ISO9000 etc., certification.
Oi, that's effectively the modus operandi of StackExchange (and in a former era, usenet), or even this forum, that you're dissing there!
For every random nutter complete stranger out there on the internet, there is at least one kind, helpful stranger willing to offer (hopefully) sensible advice, partly because they are a decent human being, and partly because they hope that someone might return the favour to them one day if need be.
Sometimes the nutter:angel ratio is even better than that.
Oh... The arguments I've had with people on Yammer.
Them "Does anyone know how to resolve issue x on my work laptop"
Stranger #1 : "just download this thing from www.totallynotmalware.com and install it, fixed my issue"
Stranger #2 : "I had the same thing and fixed it by deleting files x,y,z"
Me : "FFS, we have a massive service desk with tonnes of people who do this for a living, why are you trusting Frank the janitors cousin to tell you how to fix your corporate laptop?!?"
Yep, I got paid an extra month's salary and various accounts were still available to me after I resigned. I wemailed, then wrote, asking to whom I should pay back the salary, etc., but heard nothing. The money sits in my account earning whole pennies of interest until they finally get a clue.
Never been fortunate enough (although the last employer didn't tell HMRC that I'd left and they weren't paying me any longer, with the result that HMRC then changed my tax code to reflect that my salary had doubled....) but about 15 years ago, several employers ago, the Head of IT was let go (following a vile takeover for him to be replaced by a useless PHB). Nine months later, he turned up on site for a service - in his company car. Turns out that, although he'd been let go (and paid a settlement figure to avoid a tribunal) HR hadn't stopping paying his salary (and new PHB hadn't spotted the cost), providing medical cover or asked him to return the car, his laptop, his security pass, etc, etc He'd been putting all the money into a specific savings account so he could return it if asked.
So what we have is a former employee who for some reason had access to a secure server room in the heart of the organization, without the IT manager being informed, and who installed a fairly sophisticated bit of kit
It's lucky this isn't some high-value target or very private industry otherwise this could end in a messy kashogghi or a vatican-bank-style suicide.
Better watch out regardless, it's good that a heads-up has been posted on El Reg already. IT peons are not valued highly.
Thankfully we have here The Register's army of commentards, who are sure to remain universally calm and rational!
One would have hoped there were enough clues in the article but not for the first time something like this has clearly gone "whoosh!" straight over the heads of many commentards.
Seriously, a commodity USB wifi/Bluetooth combo is a "pretty powerful IoT device", and obviously a program called "logger" is automatically suspicious on a Unix system. You expect that on Reddit but you'd expect at least enough nous to recognise satire here.
"Seriously, a commodity USB wifi/Bluetooth combo is a "pretty powerful IoT device", and obviously a program called "logger" is automatically suspicious on a Unix system. You expect that on Reddit but you'd expect at least enough nous to recognise satire here."
Not only that, but there's no further info on the ex-employee. We don't know if he was sacked or just moved to a new job. For all we know, he left to be a pen tester and was doing the college a favour :-)
Biting the hand that feeds IT © 1998–2019