Vengeful sacked IT bod destroyed ex-employer's AWS cloud accounts. Now he'll spent rest of 2019 in the clink An irate sacked techie who rampaged through his former employer's AWS accounts with a purloined login, nuking 23 servers and triggering a wave of redundancies, has been jailed. Steffan Needham spent four weeks working for software biz Voova before he was let go for "below-par performance". The "embittered" IT consultant, of …
In a twist of irony, as they are now teaching prisoners I.T. skills, he'll likely come out of the clink with the very skills that he should have had, before going in there in the first place.
https://www.bbc.co.uk/news/technology-47570134
You can't make this stuff up.
This post has been deleted by its author
Most cafe's don't change their wi-fi logins that frequently. Go in, buy a coffee, get the password and leave. An hour or so later, park a fair bit away, walk to someplace near the cafe out of CCTV coverage and login.
There are plenty of ways to muddy the path a bit. I had a mate that did installs and kept a log of address and wi-fi passwords. Most people were too clueless to change them and would just gleefully use what the installer wrote down on the the little "welcome" packet the were given. If he was the one to punch up their laptops to get on in the first place, the people may not have even known how to to that on their own. I can't say if he ever used any of that info for something dodgy. He did it mainly to CYA when he'd get a call back a couple of days later because somebody else in the house wasn't there at the time and now they can't find that welcome packet to have the password to put in another computer/device. He was just doing the final install and training so he'd be on several jobs per day. A year later he could probably visit the areas and find at least several places he could still get in.
Via a machine that is running a VPN. Then booting into a VM that also runs the TOR over VPN. So you're doubling up on your VPN connection so if they trace one, they still don't have the real location. Then of course you have the TOR network. Although we all know most TOR nodes are compromised but at least if you VPN over TOR, even if the node is compromised, they can't see your traffic.
I don't know why all the down votes. I'm sure we've all thought about how to break in to a company we leave. Even if its just to see if they notice. Not big or clever but just interesting to think of ways you could get in without getting caught. An unofficial and illegal pentest if you will. Are we down voting for thought crimes now?
Although this one appears to be bad due to the redundancies But I wonder, I wonder if the redundancies were being blamed on this but had nothing to do with it, but the boss thought "Great, we can use it as an excuse". Along with the contracts being lost. Although I guess, knowing the details, knowing they didn't have MFA on, would make you not want to trust them with your data anyway.
But yeah. I assume the rage made him not think about how he could get caught.
Most sales Droids would just google the term, find another few security terms to use then swear on their mothers lives that everything is tiketty boo. The company then goes out and hires an inept misfit with anger management issues and give him the keys to the kingdom.
Even if MFA were implemented 'speedy' would probably have l kept a back door for the time he was called at 3 am at a party and needed to RDP in from a mates random PC from a cottage in the cotswolds with no mobile coverage.
I'm not dissing Speedy here, I suspect the poor blighter is on call 24/7/365 without pay for this outfit and forgot the concept of 'me time' years ago.
I didn't downvote, but the attitude is not great. I've had annoying employers, but I don't want to destroy them. I want to not have any connection to them, and I don't really care what happens to them. I'll go as far as making my disdain for them clear to anyone who might use their services. More than that is too vindictive for me, unless they are actively doing something harmful to people.
I am told that AWS features a service called "Glacier". You put data into this service, and for a fairly nominal fee Amazon store the data. If the worst happens and you need the data in a hurry, then Amazon will get the data for you, for a somewhat less than nominal fee (but hey, they're in this game for the money).
I have not used this service, but it sounds tailor-made for disaster recovery.
Yes Glacier is used for long-term archival purposes, but yes the durability of the data is ranked at 99.999999999% as far as I'm aware (though availability is a different matter). That said, this could have been entirely avoided had the organization setup their IAM policies correctly to begin with, so they only have themselves to blame really. Design for failure!
Backup in the cloud costs extra and some don't think they'll need it because "the cloud". Interestingly I've just had a look at AWS backup and the prices are in the 0.05c per gb per month range depending of course on what you are backing up with an extra cost to restore so no excuse really.
Though curiously and I'm sure someone could help me out here but if it's in the cloud is it not backed up anyway by the cloud provider in case of problems with them?
Surely this is a due diligence question that gets asked before starting the service ?
When companies charge for their services, I think it's fair to expect - and extract in court - a higher standard of service that if you got your neighbours nephew or niece to do the job. Although, reading El Reg regularly, it seems I'm a weirdo in the world.
A cloud back up can be handy for "routine" emergencies, but having multiple physical backups is still mandatory. A very simple test is to compare the size of what you pay AWS to what AWS grosses. If the number is very very small, which is usual, how much chance to you honestly believe that they are going to rush to your rescue when the SHTF?
One of the ways I make money is photography. One copy on my computer, one archive drive offline and two archive drives that rotate off site. I also make a longer term archive of my best images that goes off-site and doesn't rotate (spinning rust is cheap) I can drive several hours to where my off-site backups are kept and have the data if both my computer and on-site backups are destroyed. The distance means that a natural disaster such as a flood isn't going to take out all copies. If that were to happen, I wouldn't be that worried about the photos, I'd have much bigger problems to deal with. I don't do cloud backups. I don't need the data 24/7 from anywhere in the world. A complete download of my backed up data would take ages and likely trip out some limits on my unlimited account and get me a nasty note (or complete silence and a red light on my "modem"). The ISP isn't big on communication unless you are late paying the bill.
This company that relies on their data or the data they manage for somebody else (and then outsource responsibility for) was counting on a single supplier to do their job that they have no control over. In aerospace we called it a single point of failure fault and would spend lots of time find ing them and adding redundancy. It sounds again like a huge lack of qualified management.
Though curiously and I'm sure someone could help me out here but if it's in the cloud is it not backed up anyway by the cloud provider in case of problems with them?
To take AWS as an example, instance storage doesn't even survive a reboot. S3 storage is redundantly stored, and you can even version things stored in the bucket so that you can roll them back to previous versions, however if you deliberately erase the bucket, there isn't a backup of it that they can restore for you. You can backup S3 buckets to Glacier for archival/backup, but again, you can also destroy those backups.
You can also apply different security policies to stop admin credentials being used to perform these sorts of disasters, but many firms don't bother and just have virtually no restrictions at all on their admins.
Yup, but it's perfectly safe because it's cloud. Suddenly the laws of physics, logic, and any form of oversight can all be dismissed because apparently there is no infrastructure in the cloud.
Yes they do deserve some blame for this. Good practice comes with cost and time though. Will never be a priority in their agile backlog...
Grrr
When you delete S3 buckets on AWS it asks you to confirm by typing the name of the bucket (so you really have to be intentional about it) - though since the company was so lackadaisical in it's organization of IAM policies the chances are any admin could have maliciously acted like this. Double fail for not having secured backups in Glacier or another service!
"Double fail for not having secured backups in Glacier or another service!"
Screw another service! Physical backups held off site. A hacked off IT staffer may be able to get to everything online, but may not be able to physically access backups on real hardware secured someplace else. They also might not want to try that since it would take a large pair of brass ones.
Ephemeral storage will lose data upon reboot, but EBS volumes (which most instances run these days) can be stopped and started at will without data loss. As you say though, they should definitely have been making use of IAM policies for groups and placing users in said groups to control access to functionality like this.
> however if you deliberately erase the bucket, there isn't a backup of it that they can restore for you.
Actually there is, they just don't advertise that fact. Erasure is 'lazy' so assuming you open a support ticket fast enough (same/next day) there's a very good chance you can still get the data before the housekeeping catches up (about 3-5 days) with the "freed but not zero'd" block list and really does annihilate your data.
My take on this, as a non IT type*, is that the cloud provider will have backed it up, but only for sorting out their own mess. If you want a back up for sorting out your mess then you'll have to pay for it.
*But I know enough from reading on places like this to have at least three back up copies on different media and at least one off site. Vague general thanks to all.
"As the company has evolved over the last four or five years, we decided that it was time to create a group name. We were originally a digital marketing company and started to develop some cloud based products, initially on a small scale."
https://voovagroup.com/news/interview-voova-ceo-mark-bond/
'Digital Marketing' - sympathy level has dropped somewhat...
'Cloud Based Products' - sympathy level still falling....
No backups you say? Well if they're looking for sympathy, it's in the dictionary between shit and syphilis
Yeah, no. The security team here has a little game. Whenever somebody leaves the team, they receive a gadget with their password engraved on it. Essentially no one has managed to keep it secret from them. It's really hard to prevent people from finding your password when they try.
"Worked for 4 weeks before he was let go for below par performance"
Not a lot of time to assist him in reaching at least a level par performance. Had Voova spent a few days guiding him, then they'd have saved a bucket load of grief, cash and customers.
Serious questions also need to be raised as to their recruitment procedures. But as above, i'm on the low end, the very low end of the sympathy scale.
I checked out a few old colleagues on Linkedin a while back, one, a former manager, has quite different recollections of our time together, he remembers it as him instigating a training and mentoring regime, nurturing and developing talent in his team,... whereas I recall him spending money like water and crashing three company cars because he drove like a twat.
Another had every role he'd ever had, straight out of Uni, described as 'Senior', yeah, because firms hire recent graduates and give them 'senior' roles,......
It's good a laugh though.
I need to be able to upvote this multiple times, if only as I'm going to borrow it as part of my unofficial role of Paranoid Cloud Cynic. Now repeat after me everyone, "The cloud is somone else's computer you have no crontrol over..."
On a more serious note I can see where could is useful, but it's never "because" or as a way to effectively create shadow IT to bypass us pesky security (and money) concious IT pros.
Worth a shot at least, so if you're identified as the miscreant you could try bargaining with the employer for "I might just remember where I stashed a backup - and the password. What's it worth?". Might backfire and result in a longer sentence but what would the employer prefer, BOGU or lose some good contracts and have to make some staff redundancies but have the satisfaction of seeing the guy jailed?
I wouldn't assume they had no backups. more that it was one of those / most places where admin = universal power.
He's more likely to have clouted the backups too, while he was at it.
No vpn.
Should have left a random script somewhere that was triggered by a quarterly activity long after you've gone.
Amateur.
...I read an interesting story in one of Kevin Mitnick's books. Of an sysadmin who was a bit of a dick but equally so was the director or whoever managed him. So summoned him up to a meeting in front of everyone and fired him. Then stupidly allowed him back to his desk for the rest of the day.
When evening came and all was quiet and he was long gone, all the servers rebooted and wiped themselves. Although pretty obvious, there wasn't enough evidence left to be able to pin it on the fired sysadmin.*
*It was read many years ago so may not be accurate retelling of said story.
I know I'm a bit of a grammar pedant but my radar went off the scale when I read the following, which is attributed to the legal bod....
"What has occurred is user Steffan Needham accesses Amazon Web Services for Voova, changed Mr Gonzalez password and secured his user login 'Speedy'. He has then terminated servers, checked the settings and logged out. They were done by the defendant, who used the Speedy login covering up that it was he deleting the servers."
Where does one even begin with such an egregious barrage of crimes against our beautiful language? Has it been mistyped? Even if one ignores the grammatical issues how does one even go about 'deleting' a 'server'?
I give up.
It's VERY noticeable from the comments here, that ElReg's commentards know buggerall about security in terms of anonymity in context of the real world.
Hell's bells, I was covering my tracks vastly more thoroughly just for anon-blogging nearly 20yrs ago. What's being offered here by way of comment or disparagement or recommendation is hair-raising, in terms of people's understanding of security. As in, you'd be busted at step one of law enforcement's follow-up.
.
Although, to be fair, the actually knowledgeable people are hardly likely to chime in with a HOWTO on this sort of forum. Hmm...
How to protect a company's cloud resources....Don't put it in the cloud to start with.
Nothing wrong with the cloud if used properly. There are resources available for pennies that would cost quite a lot to host in-house for a start.
There is a LOT wrong with the cloud if it's wrongly used.
I’m less interested in all of the amateur hacking advise, and more interested in hearing from folks on how they would go about securing and protecting their company’s cloud resources.
Quite simple (at least in theory), onsite and offsite backups are the first and biggest key to protecting your systems. If you don't have a backup, you don't have any data worth backing up. Offline backups are critical to that of course :)
Any multi-factor or even multi-person authentication system, if you can get it set up, is also valuable. DON'T have the 2 bits with one person of course.
Wellington city could be nuked, everything within 100km wiped out, and my data would be safe. I probably wouldn't be around to get to it of course, but at least my dying moments won't involve worrying if my backups are safe or not :)
Let's make a list of everything Voova did wrong. Proper IT practices are supposed to safeguard against things like this.
* Why didn't they have two-factor authentication, preventing Needham from logging in after he was sacked?
* Where are the backups?
* What if the accounts hadn't been deleted, but instead crypto-locked by ransom hackers?
It sounds like Voova was very poorly prepared for data loss, and they've blamed a rogue employee for everything THEY did wrong.
Just checking.
Who configures the 2FA?
It wouldn't, by any chance, be the sysadmins would it?
I have often (more than a hundred times in the last 2 years) taken a machine to a password prompt[1] and then turned my back or even left a room while the user typed in their password. If configured so a code is sent to a cellphone, and the system needs said code exchange to change the # to another phone, then when the non-admin's phone # is entered it should be fairly safe from abuse (so long as the phone is not lost or left around where idle hands can find some work)
I'm sure many of those who chose not to reply thought this was pretty obvious :)
[1] Either a "enter your existing password" or a "create a new password" prompt.
Gee, that's the thanks the company gets for giving him a job, giving him a chance, and giving him two (or four if paid weekly) paychecks?
In employment, two different parties come together and come to an agreement or arrangement where both parties mutually benefit and enjoy an enrichment that they both did not before their agreement. And at any time in such an arrangement, if either party feels that this arrangement is no longer in their best interest, or is providing value or benefit to them, that party may end the relationship and remove themselves from the deal. The beauty of such an arrangement is that it maximizes freedoms, a true free market spirit wherein good ideas, quality work and good value flourish the most and everyone gets maximum benefit while still acting only in their self-interest. Its a beautiful thing.
And so when an employee is failing to do his job, is incompetent, or is taking advantage by doing little to no actual work on company time, and the company decides to quit funding the employee's laziness or 'free ride', instead of being thankful for the opportunity and the ability to pay his/her bills and make rent for another month, the employee decides to go on a vindictive, self-pity-fueled vandalism spree? Yikes. Some people, man... They need to have a little more perspective...
It certainly is true there ought to have been backups to which that employee would not have had access.
But that would involve spending extra money, and a business competing ferociously has to cut costs everywhere it can, even some places where it shouldn't.
The guilty party is the dishonest person who did what he knew he wasn't allowed to. But the employees made redundant should still be able to include their former employer as well as the perpetrator as having a joint and several responsibility, given that not having backups is not standard best practice.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
