Guy is booted out of IT amid outsourcing, wipes databases, deletes emails... goes straight to jail for two-plus years A former IT administrator has been sentenced to more than two years in prison for accessing his employer's computers without authorization and deleting company files. The US Attorney's Office for the Central District of California today said Nikishna Polequaptewa, 37, of Avondale, Arizona, has been sentenced to 27 months in …
"Shortly after Polequaptewa announced his resignation, Blue Stone employees began to notice that the data, emails and computer files were being deleted/transferred from Blue Stone's databases, servers and email accounts," the civil filing explains.
I'm sorry, but shouldn't this read "Shortly after Polequaptewa announced his resignation, Blue Stone removed access and changed all passwords to accounts Polequaptewa had access to."?
Oh, my bad, it didn't read this because Blue Stone didn't do it.
"it spent about 10 hours restoring as much data as possible"
If you'd had a proper backup, stored offline and not available to the miscreant, it would not have taken 10 hours.
Then again, seeing as management didn't think of stripping him of his access in the first place, it's more than likely he could have gotten to the backup as well.
Well, Blue Stone has learned an expensive lesson and will now be making regular backups and not letting employees keep accesses that they no longer need, right ? RIGHT ?
And I'm going to win the Lottery next Friday.
Companies should constantly have contingency plans for when any of their key personnel decide to move on. This includes IT, senior management, accountants, and anyone who is key to the continued operations.
IT and other staff should always be aware that they can be made redundant (fired in the US) at any moment. The old days of corporate loyalty have long since disappeared.
As always, it's the kids that are hurt.
"Similar to how financial institutions fire people. You only find out on the day, and are then escorted by security the entire time you are clearing out your desk etc. to make sure you don't just sabotage everything"
(Part of the) problem here is he took his access with him; wiping the company iMac remotely using Find my iPhone. So the message is really yes; escort people from the premises as soon as they're removed from a position, but also make sure all access to company systems is granted/revoked in real time as responsibilities change. Back in my day that was automated through TIM/TAM, I'm sure there are better/more comprehensive access management tools around now.
Tim Tams' - the best biscuit in Oz
Also the nickname of one of my cats.. (her proper name is Tamera[1])
[1] We were on a Celtic naming burst then (and still are) - so her brother is Ruan[3], the next two cats are Tegan[2] and Gwenifer[4] and LatestCat is Anwen..
[2] Pronounced with a short e - not as "Teegan" like some uneducated people do..
[3] "Little red man" - he's an ENORMOUS ginger. Strong in arm and thick in head..
[4] Cornish version of Guinevere.
>You only find out on the day, and are then escorted by security the entire time you are clearing out your desk etc.
I remember yesterdays world...
The problem is systems access in the cloud era and specifically remote access and its timely revocation - which seems to be a major part of the case covered by the article.
Larger companies may had installed provisioning systems, that permit the instigation and revocation of access privileges within minutes across their estate. However, smaller companies rely much more on trust and manual systems, also within smaller companies you tend to have fewer people who understand the importance of access security and have the skills and time to do something about it.
With an SME client, who are (slowly step-by-step) moving to the cloud, one strand of the work is getting them to appreciate that management/sysadmin access to their cloud-based (non-financial) business processes is a business issue and not an IT issue. Interestingly, they fully get why the Fin.Dir. refuses to give IT access to the Sage cloud accounting and payroll system, bank account. Fortunately, this project was overtaken by GDPR which has done much to get the business to understand that some things it had previously thrown over the office partition to IT, were and are not.
Similar to how financial institutions fire people. You only find out on the day, and are then escorted by security the entire time you are clearing out your desk etc. to make sure you don't just sabotage everything
A good friend of mine once managed to wipe the complete database with security and police watching him closely. He just told the owner of the company she had a choice between letting him remove stuff licensed to him personally or have her offices raided within hours of his removal for running unlicensed programs.
My personal preference is to have a logical bomb go off if I haven't logged into the system for more than 189 days (27 weeks). And that logical bomb will wipe the complete system and all online backups.
”My personal preference is to have a logical bomb go off if I haven't logged into the system for more than 189 days (27 weeks). And that logical bomb will wipe the complete system and all online backups.“
Well, at least after reading this article you know what you can expect for sh*t like that...
You can only lose your good reputation once.
If you happen to work for idiots that require you to bring in your own gear/licences to do the job they hired you for. Immediately start looking for something else.
That also prevents very bad situations where someone thinks a logic bomb is a good idea.
Good reputations take years to build and only minutes to destroy.
On that note. Make sure you also always retain a copy of any emails where you're providing advice that may prevent disasters that's being blatantly ignored.
You can only lose your good reputation once
This is true - many years ago, a couple of IT contractors that I worked with got convicted of stealing stuff from our employer (it's hard to argue when several bits of kit secretly marked with SmartWater turn out to be in your house..).
Post-charging and conviction, I don't think they ever got an IT contract again. Not many employers are going to trust someone convicted of stealing from employers..
I once got accused of illegal access to an employer's servers when they got hacked. I was contract programming for them - an internet startup - at the time and had warned them that their systems were insecure. When the inevitable happened they decided to pretend i must have done it because they didn't want to acknowledge to the investors that they'd been incompetent. They marched me out and then didn't pay my last invoice. So I took them to small claims court, which ruled in my favour as they didn't bother to respond to the letters. I hoped they wouldn't pay up so I could send the bailiffs in, but they did finally send a cheque in time. Took nine months of faffing about though.
Kinda overboard when revoking the passwords/keys should work.
When dealing with the one guy who does IT in a small company:
- are you sure you have disabled ALL his access? Has he opened up some database or a file share to the outside world (because the head honcho found it would make his job, and/or that of some of the other cheeses, easier) which can't be changed or disabled because @reasons and $breakage?
- is there anyone else around to actually do that?
That doesn't prevent the IT version of a dead man switch. Like a system wipe that goes off unless some specific action is done every few weeks.
This can be designed even a passive version that can't be interpreted as malicious. Something like having to do a manual cleanup of the backup storage so new backups can be archived. And due to a accidentally-on-purpose forgetting to configure the warning mails nobody will know until they need to restore a critical server....
My guess is that they brought in some external people at high rates to do it (probably getting them in a rush, too), and that those people took it upon themselves to spend extra money, such as paying for someone to recover data from the hard drives in the mac on the theory that some data might be on that but not yet in the backup. Add in some money for lost productivity and fifty thousand sounds more normal, if still a bit inflated.
I once has a RAID 5 rank fail with double disk failure within the rebuild window (with hot spare configured, no less). I have since then preferred RAID 6. And always have at least 3 copies of backup, each with multiple generations, at 2 different sites.
Probably all of the disks came from the same batch, with the same MTBF. It's a common problem with large RAID arrays. Once you get into the main part of the distribution bell curve, many will fail at around the same time.
You would have thought that the people providing large raid arrays would have learned this by now, but I still see disks with near sequential serial numbers being supplied.
I had a RAID6 fail with three drives dying in quick succession - I suspect the first chucked up some nasty vibrations in its death throes that took out the two next to it...
And it was on Christmas Eve...
Still, the on-site backups worked well enough to get me through to the New Year on a reduced array (and a couple of hot spare machines) until I could get hands on to sort it out...
Not my story, so AC, but a mate of mine had a bearing fail in an Infortrend enclosure. The vibrations were so bad they caused drive write timeouts all through the cabinet.
And, as you say, at the start of a long weekend, so the damage could take longer to accrue.
RAID is only useful if it can actually write everything back to the drives. When some drives are writing and others aren't it's a mess. He had a total loss.
On the other hand he had meticulous backups. It took time to recover, and he was begging and borrowing whatever drives he could lay his hands on to get the most urgent data running, but he got everything back. Pretty scary what a single failed spindle can do though.
On the plus side, SSDs are now only 4x the cost of spinning drives!
I had my home RAID6 crap itself last week. It's now taken a week to get everything back in order again. I think it's been a cooling issue, but the sweat ran cold when I saw that 4 drives had dropped at once.
Linux mdadm has hauled me out of the shit more than once on that wee box. I'm now making plans to build a new home server and repurpose this box as a backup.
Best time to deploy a backup system was 6 months ago. Second best time is today.
@Doctor Syntax
"The company says it spent about 10 hours restoring as much data as possible, at a cost of about $50,000."
There are teh direct costs of restoration plus the indirect loss that employees cannot work effectively.
It looks like they have around 25 employees and given the actions taken probably took out the ability for those employees to work effectively for around 5 days giving time for reaction, sourcing a supplier to address the issue, and the supplier to address the issue the loss per employeee being claimed is only $2000 or assuming 5 days $50 an hour. That does not seem outrageous.
"The company says it spent about 10 hours restoring as much data as possible, at a cost of about $50,000."
Isn't there a clipping level beyond which crimes become a federal matter? Any good prosecutor will do their damndest to make sure any losses exceed that level in order to secure the 'proper' punishment - so a "We needed to buy a new USB disk" (cost $50) becomes "We needed to implement a total hierarchical data recovery procedure involving the stepwise retrieval of more than 3 million files, employing consultants to make sure the restored data tree reflected both the original state plus any modifications since that time, plus accounting for losses incurred during the retrieval operation" ($50,001).
"During the meeting with Polequaptewa, Blue Stone executives asked that Polequaptewa 'turn over' all of the data needed to hand the IT, web design and marketing over to the third party external companies,"
I'd have thought he could have done a fair amount of damage quite legally by just resigning on the spot depending on how well - or not - it was all documented. It'd probably have cost them a packet just to have the outsourcers get up to speed.
Surely just do exactly and literally as he was told.
It's worked for the Devil for millennia: He can grant someone an ill-advised wish with lawyerly precision and meticulous attention to detail, and watch them suffer. And an inadequately-specified[1] IT handover is an open goal for the bloody-minded.
[1] excuse the redundancy in my language.
Even in situations where the person leaving has been as helpful as possible, there's still always an old system that everyone has forgotten about...until it fall over.
Then you're left going through all the old passwords you can remember, and frantically searching for your predecessor's contact details.
Don't you just love being asked to contract for the company that made you redundant.
Luckily for my previous employers I'm not a vindictive bastard, I just charged them double the salary I was getting when working there full time. And made sure to point out that if they needed me to come in and do my previous job because no one else could do it then just maybe the job wasn't actually redundant and they were technically breaking the law by getting rid of me and not the other analyst that I had to keep helping out because he didn't know how to do his job.
I didn't however point out the obvious flaw in their recruitment, why the hell would you invite back the guy you just got rid of? That's just asking for trouble.
I just charged them double the salary I was getting when working there full time.
You priced yourself too cheaply then.
As a rule of thumb, when contracting, you need to be looking for 2x the equivalent employed rate.
For some sort of disaster, mess, then the rate is going to much higher.
I was the higher paid of the 2 analysts, so as you said my requested rate was 2x what I was paid while I was there. It certainly wasn't any sort of disaster or mess that I was returning to fix, they just needed a couple of reports changing, something the other guy really should have known how to do.
A quick Google and I see the company in question changed hands and rebranded shortly afterwards.
"Don't you just love being asked to contract for the company that made you redundant."
I told mine to go fuck themselves with a red-hot poker, because I may not be vindictive, but I am certainly a bastard. That was right after I told them it would take me about 5 minutes to fix the problem that their new Indian engineers had been unsuccessfully working on for the past 2 weeks. Outsource the guy who built the system, and you can fucking well take care of it yourself, starting immediately.
I had a similar situation, I was the local IT and he thought my position was redundant, he decided to play silly buggers. Got a new position, wrote meticulous documentation, made sure I left everything in order.
He didn't actually understand my role, but soon realised.
Whatever instructions/documentation etc would not be followed and calling me two days after I left and started my new role, that I wasn't going to "do him a favour" and bail him out of brown stuff.
It cost him a weeks wages to get me back in, in cash before I set foot in the area the fault had occurred.
Despite me telling me repeatedly that spares are good in time critical situations, it backfired spectacularly when they lost around 100,000 quids worth of production, a production line crew standing idle for what should have cost 1600 in parts and one electrician following instructions to restore a backup to a touchscreen. He had to wait till morning to get a refurbed screen,
I left site 10 minutes after I arrived, a huge grin and a perfect tale for future employers that documentation, courtesy and spare parts can really make a difference, and Schadenfreude is real and so, so satisfying.
It is why I always make absolutely sure that ALL passwords are passed over and ALL data is transferred in a manner that gets me a signoff or other confirmation I can later draw on in case someone tries to pull a fast one.
Once I have confirmation, all data of that job is erased on my end (including paswords, even though it's part of handover to witness them being changed by the client) - that way, even a breach or theft won't be able to disclose sensitive data.
I would not WANT access to any client system post job, so I make sure it's very clear I can't. Better safe than falsely accused.
Sounds a little paranoid to me.
also , if something does happen "post job" and they get it into their heads it was you they'll be thinking:
"oh , remember that big song and dance he made about watching us change the passwords, and then making us watch him erase stuff off his laptop , that was a couple of hours we'll never get back , anyway he was clearly setting up his alibi for the sting, and must have made a secret back door"
I use the exact same procedures that are required in the turnover of classified materials and their repositories as required by the US DoD. If someone has a problem with that, good luck in court. Requiring the passwords be changed is exactly the same as requiring that all safe combinations be changed. The Book exists for a reason.
>Sounds a little paranoid to me.
Yes it does, however, what is helpful is establishing professional habits.
Whilst for some clients I do remember passwords etc I still ask the IT guy to log me in and either sit and watch whilst I perform the sysadmin action or get them to be my pair of hands; it doesn't make things quicker but it helps give the client confidence that they knew what I was doing and I wasn't 'exploring' their system.
>Secret trapdoor
As a networking expert, it is a little worrying that I have all the passwords and configuration details of their network, client isn't in a hurry to find someone for me to hand this information over to, so in some ways the secret trapdoor is knowing the IP address of the management system. Fortunately, the FinDir is happy for me to leave a brown envelope in her safe...
>Sounds a little paranoid to me.
Yes it does, however, what is helpful is establishing professional habits.
Thank you. It's about the first thing I hammer into new recruits: good habits rescue you when your brain isn't quite up to speed yet (or anymore).
You shall not rely on them, but build them ye shall, for fate and Murphy's Law will otherwise have you for breakfast.
Whenever I take my car in to be worked on, I remove the key from my keychain & hand them the key. My wife saw this and asked, "Don't you trust him?" "If I did not trust him, I would not let him work on my car. I'm doing this because I like him." She looked at the mechanic. "He's doing this because he likes me."
The principle of Least Access is so fundamental that if you don't practice it, you don't have security.
From an individual standpoint, the obverse is equally important. If I get robbed, my mechanic does not want the police crawling all over his establishment. If a former employer get hacked, I don't want to get a call.
Sounds a little paranoid to me.
You don't sound paranoid enough.
There are vindictive gits out there who would not shy from destroying your reputation by claiming you did something to the company's infrastructure after you left.
My rule of thumb is to make sure that all my accounts are removed/disabled the day I leave and that I have a copy of my entire mailbox, including the confirmation mail that my accounts have been disabled to prevent 'misunderstandings'.
Once had a company that, while returning their kit, tried to sneak a very expensive phone into the declaration that they wanted me to sign off on, which I had never received.
Sounds a little paranoid to me.
That depends what you work on. I work with a lot of sensitive material, in some cases to the point where it is not even allowed to leave the premises and so lives on a dedicated, client provided machine for the duration (and typically only the required extracts). In order to work at such sensitive levels you MUST follow the rules to the letter, and sometimes even go beyond your obligations because 99% of security and confidentiality depend on the attitude of the operator - let's be honest, if you have access, you are in principle a possible leak, deliberate or accidental.
There is no way in hell that I would ever even think of taking shortcuts with information I am entrusted with, doing The Right Thing™ is IMHO quite simply the only possible modus operandi.
You may call it paranoid, for me this is simply matching diligence to requirement.
is it just me, or does it read that the Co had a single point of failure built into their IT set up ?
who, in this day and age has a single enterprise / domain admin
T - his
I - s
T - he
S - ingle
U - ser
P - aradox
and who in their right minds has all data so easily accessible it can all be cleared in a single visit
as for the recovery rates ..............
The company says it spent about 10 hours restoring as much data as possible, at a cost of about $50,000.
does anyone else suspect a litlle bit of enhancment for 'insurance purposes' ffs
Plenty of small places have only one admin. Some very small places have no admin. I, for example, am a volunteer admin for a charity near me. Other than me, they have nobody, outsourced or not. When I arrived, their server was running on the "it better not fall over because nobody knows what it does or how its configured or the login password" paradigm. So it isn't that unusual to have only one admin, or at least one admin who manages all the systems with lower-level admins who do specific systems or systems in specific places. And I could destroy all this place's data in about five minutes should it turn out that I'm evil.
Hmm, tricky. Top wing on a biplane or triplane is often one structure, so I guess that counts as one.
I've had a swift dekko at some pictures of Fokkers and Sopwiths, and it's difficult to tell from the pictures online.
I'm going to go with:-
Monoplane - one or two
Biplane - three or four.
Triplane - three, four or five.
Dick Dastardly's plane - variable.
Let that be final.
That look very like it, the film I saw showed the wings folding up and the undercarriage collapsing when take-off was attempted.
Anyone interested in early flight should definitely follow the link on that page. What were they all thinking?
Single admin here (single as in the only IT person employed by the company).
It's part of my job to ensure the outsourced IT company does what we require of them. And then have the pleasure of fixing all the issues they create when they cock it all up. Next month will be very pleasurable when we change IT outsourcer.
We actually got lucky, we acquired a business earlier in the year. Response from the people transferred over was that their IT company was actually well liked, knowledgeable, and good at communicating issues. As we required their knowledge of the systems we transferred over to us, we also transferred their support as well. As a result we were able to work with them for several months. Not often you get to "try before you buy" in this business. It certainly made the decision to switch a lot easier.
Given that their total central IT infrastructure seems to be one Mac and one home standard NAS (I have a synology under my stairs serving media) and a gSuite account, how many people should they have employed?
And of course they didn't care what they paid, they knew they'd sue and they knew they'd win.
I manage a website for a local square dance federation. I try to document everything and try to make sure that other people have the root password and understand the update process etc.
Previously this same federation lost their entire subscription database when the secretive owner of the database got killed in a car crash an no one knew the password to her mac to fetch it.
I throw all client passwords into a SecureSafe account and give them the inheritance code.
That way, they can get to them in two days (which is the time I set) if something happens to me, yet they cannot use my passwords to log in as me while I'm working. Protects both sides at the cost of a tiny bit of effort - worth it IMHO.
It depends a bit on how they manage access, typically, the stuff I work on is too sensitive to be hooked up to an AD where a rogue admin can reset a password.
Would it not be safer to encrypt the data instead of deleting it? Stick the files in one big container and 512 bit scramble it.
Let the management types figure that one out. The data is there..kinda. That would get you 12 months vacation in minimum security.
While we are at it, where are the backups? The activity we all supposed to do, but find out later we didn't.
Backups would have been the perp's responsibility, yes? So chalk that one to him as well. My bet he is self taught and it was his 'baby' he was being asked to hand over to strangers. Then when he found out they were stiffing him on his wages, possible, and giving tribal backhanders he snapped.
Then again it is entirely possible they tried to mature their systems and he was obstructive.
> it was decided that the company would move its IT, web design, and marketing to external vendors.
then
>When officers arrived and interviewed Polequaptewa in his hotel room, he admitted accessing the company's infrastructure, according to Blue Stone's civil filing.
What an idiot
"_Blue Stone stored its work-related data on an in-office Mac Pro computer and an in-office Synology server in Irvine, and on cloud services run by Google, Bluehost, MailChimp, and Cox Communications._"
Yeah. Really sounds like a professional outfit. The real crime here was gross technological malpractice by company leadership. Not likely to inspire confidence by their investors, assuming said investors have more of a clue than the company's execs.
Not trying to take away the fuckwittery of this genius' crimes, but what of "he quit after filing whistleblower complaints against Blue Stone for alleged improper payments to Indian gaming officials, tribal leaders and a New Mexico politician."
Presumably these complaints have been swept under the teepee?
You don't just wipe everything. You use a colleagues login to make a cron job that every so often *changes* data *ever so subtly* in ways that are almost impossible to remove. Increase or decrease order quantities, change the house number or phone number in a CRM by a digit or two, swap the parent field of records so they both look sane, but are utterly wrong. Make the script become more and more damaging and run more often, as time passes, perhaps an exponential increase, multipying the number of records changed per day by 1.5. The idea is that nobody notices for a while, so restoring to a known good backup would cause months worth of data loss, and that the corruption looks very similar to genuine changes.
It's not new. In 1979, I left the company I had been working for as IT manager. I continued to do some freelance work for them, remotely via an acoustic coupler. SHortly afterwards, a junior member of staff left under something of a cloud (I forget why; I didn't work for them when it happened). A little later, things started to go wrong, and it turned out that said underling had installed logic bombs in some of his code; my memory is not perfect at this distance in time, but I think I found some of them. At that point the company decided that my external access was a security hole too far, and we parted company amicably (they knew the logic bombs weren't mine!).
If your employer really is horribly bad, leave on good terms and let them fail on their own.
If you've been screwed, there are government phone numbers that will fix things faster than you think (because the government collects fines).
If they're doing fine, it's probably you. Leave on good terms and hope everything stays quiet.
Trashing the place and going to jail - no.
The best thing he could have done was do as they’d asked and watch it all burn. The outsourced systems would undoubtedly end up costing more than having one guy part time on it. In my experience even a minimally trained in house IT guy often has more knowledge / skills than outsourcers and are more aware of the business needs. That said, given he decided to be an idiot perhaps I am giving him too much credit.
If I left my job I’ve made sure that although it’d be a pain to replace me as it’s hard to recruit quality IT people, there are others in the team that could between them do my job. This was not the case when I took over from the last guy!
As IT person, it saddens me to see people lose their jobs to outsourcing. Fucking over people's lives for profit margins. I don't condone this. However, there should be a less humiliating and disrespectful way to transfer responsibility then to make your outgoing employee do it. The company had a chance to be proactive when they noticed he was being uncooperative.. fuck that company both parties got what they deserved. Hopefully, this is a lesson for companies to just do their own dirty work.. I never once seen a job description that said your job responsibility is to train your replacement after you get fired or demoted
...on the cheap. You also need to think criminally minded to defend yourself. Had a user recently who didn't make their probation so were escorted from the building. Nothing personal, its just how it is and you have to cover yourselves. Account was disabled before the escorting happened. And because of who they were, we had to change all known passwords that we knew they'd of had access too and I monitored systems during day and evening to makes sure nothing "odd" happened.
Don't piss off your IT people -- they know all the passwords to everything.
I personally like destroying the boot partition on Linux servers that guarantees it will never boot again during the next service window. It is hard for some ahole to triage that failure MONTHS AFTER YOU HAVE LEFT THE BUILDING .
Worked for a Medicaid billing company going through a merger many years ago in the IT department. About two weeks before they fired me, they had a meeting and demanded all the IT staff remove any non-licensed software from their work systems to keep from being fined another $250,000 like they had been the previous year. When they fired me (had another job lined up for more money and MUCH better conditions)...my first call was not to my new employer to be able to start working on Monday, but to the Business Software Alliance. Never heard what happened, but hope many heads rolled. Also hope the executives in the new company never hold another meeting about piracy before they start firing staff.
I do wonder how many firms have one IT bod with his hands in every cookie jar (I've been him for years) with no idea what they'd do if said bod dies, gets the can or storms off.
Management at my employer don't know or care (at the minute). Hopefully they don't have to find out the hard way
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
