Engineer admits he wiped 456 Cisco WebEx VMs from AWS after leaving the biz, derailed 16,000 Teams accounts A former Cisco employee pleaded guilty in a San Jose federal court on Wednesday to unlawfully accessing Switchzilla's Amazon Web Services infrastructure and damaging the networking giant's cloud computing resources. Sudhish Kasaba Ramesh, who worked at Cisco as a software engineer from July 2016 to April 2018, admitted in a …
But this was a cyber-crime. It is increasingly difficult to hire white collar criminals in the USA, the market is so tight and so many of the best have secure government jobs.
If it was possible to bring down the CISCO WebEx by shooting at it, then an American would be perfectly qualified
As someone on a working visa (in a different part of the world) you don't do anything that may jeopardise either that visa or potential of the next (including residency).
I've been made redundant by a company I know wouldn't have rescinded my access to most platforms (and that's just the accounts they were aware of) but, as tempting as it is to give a last fuck you, you move on, because the only one you're fucking is yourself.
And we are professionals...
I left one company and after a year, I noticed I still had access to the CEO's OneNote share! I wrote him an email to warn him. We had been to court over wrongful dismissal and I received a settlement, but I didn't want to endanger my situation with my new employer by doing something stupid.
This is the proper grown-up response. I had an acrimonious parting with two prior companies. In both cases, they failed to change all the passwords or remove access to all platforms. I found out later because I continued to receive alerts (my personal email was on the list for emergencies). When I figured out I could still get into things, I notified them. I even went so far as to work with the outsourced IT firm that had "replaced" me and my team because they were too incompetent to do it themselves.
Yeah, i could have given them the middle finger or pulled what this guy did. I knew enough about how to circumvent detection that I'd have gotten away with it. But ...I'm a professional. There were hundreds or thousands of people at the company I could've caused damage to by acting unprofessionally, and I had no beef with them. Throwing a tantrum is what children do, not adults in a respected profession.
>>as tempting as it is to give a last fuck you,
I remember an occasion where files went missing from a site, this was about the same time that an employee was let go. We had been co-workers for years, friendly be not what I'd call a close friend. When we ran into each other a few months later and I asked him if he had any ideas about the missing files. To my surprise, he confessed to having deleted the files, expressing his regret that he could have acted this way in a moment of anger and weakness.
This was a revelation to me.
Since that time I try not to underestimate what a person may do when under some emotional distress.
>> the only one you're fucking is yourself.
Absolutely. $2m is a drop in the ocean for Cisco. However 5 years in the slammer, $250,000 fine and potentially being booted out of the country is a serious personal cost for such stupidity. As is having a criminal record for when you next apply for a job.
He can't even use the "did something stupid in the heat of the moment" excuse, seeing as it was 5 months after he left the company.
"And it is nice to see that you can cause bold face to appear and also italics."
You may want to check this link here (it's an El Reg page, don't worry), scroll down to the section "Formatting".
Ah, my mistake, you were attempting to be sarcarstic!
(See, we can do hyperlinks as well!)
I suspect the issue was more along the lines of him using credentials other than his own, something like a shared admin account or a service account. Such stuff is depressingly common even in big organizations that know better. It's difficult to determine who might know those credentials and a pain to change them if they affect lots of users/services. That's one reason (out of many) why they're a bad idea.
So why is a security-oriented networking company NOT sufficiently cleaning up their login info (like changing passwords, deleting stale logins) after an employee leaves? Unless it was accessed with a deliberately installed back door...
Maybe I missed it but did they say WHY he left Cisco? Did he have a reason (in his own mind at any rate) to retaliate against them?
If I were his current employer I'd smile and carefully assign him a limited number of tasks while changing all of the access codes, without his knowledge. And not fire him. Reason for termination: incarceration. Works for me.
Maybe some firms are not as security-oriented as we hope they are.
Once an admin would shut down a VM or two accidentally, now they fire off an old script in a far-flung repo and it takes out several cloud-farms and many thousands of users.
it is all part of the relentless rush to drive shareholder value. Many years ago, Switchzilla & Co developed new tech, and built sensible, innovative product. Now monster-corporations, they spend zillions tightening governance to effect better security. But they must also increase profit and market-cap, so reduce costs by outsourcing labour and automating everything. And, they leverage their IP by scaling services at such a rate that the reach and impact of simple failures multiply year on year at logarithmic levels.
This is the cost of being such a BigIT: The incompetence multiples top-down, bottom-up and middle-out.
This is why going to the cloud is fraught with danger.
The biggest security threat is going to be from an employee, former employee or contractor. Whether its malicious or not, this is where the security falls apart on the cloud.
Can it be mitigated? Sure. But there's a cost.
Now if you don't have your own On-Prem hardware... going native to the cloud may be a good way to control costs without having to make a fixed up front investment.
This is where a 'trust no one' and going k8 w containers could have helped mitigate some of this. Also tightening down security.
"his employer … is willing to work with him regarding the possibility of his remaining in the country and continuing to work for the company," the document [PDF] says."
His current employer must be really struggling to find staff if they are willing to take someone on who caused $1.4m of damages to their previous employer?
Unless of course he is now working sweeping the floor and making coffee since no one trusts him near any of their computers anymore
Sudhish Kasaba Ramesh, who worked at Cisco from July 2016 to April 2018, admitted in a plea agreement with prosecutors that he had deliberately connected to Cisco's AWS-hosted systems without authorization in September 2018 – five months after leaving the manufacturer.
And the point is this: Cisco got bit because they didn't remove his login credentials after he left the company. Granted, what the guy did was illegal, and he should go to jail for it, but Cisco is also at fault for not adhering to industry standard IT practices. When I worked for the local telephone company, when someone left, their logins to the myriad of systems was purged within 24 hours. They keys and badges were taken too. And this was in the 1990's.
"In my days as a BOFH we removed employee's access to systems while they were in the meeting telling them they were getting the boot."
But did that remove ALL of their access?
What about the test account they had for that new remote access system or the monitoring account that they were troubleshooting last week? Or maybe even the github or similar access that allowed them to modify a deployment script?
While implementing an isolated system with high levels of security and compliance is doable, as that system matures there are often weaknesses.
"Single sign on helps alot there..."
While SSO is useful, I'm not sure it addresses the issues found with special access accounts used for applications/monitoring/testing by admins that can likely bypass the SSO process.
I would suggest Cisco likely has a very robust user management workflow and that the accounts managed by SSO were correctly disabled and access removed based on comments by Cisco employees in other areas.
Where it has likely fallen down is potentially a publicly hosted build/validation script being altered using a service account with too many permissions (i.e. write when it should only have read) or something deliberately prepared in advance (check for URL X - if its inaccessible, do Y).
On what turned out to be my last day as a PFY at a certain formerly large engineering firm I processed my own redundancy through the HR system as a live test for the 15,000 who were to follow me out the door over the following months. The chief did check I didn't add an extra couple of 0's to the severance pay though.
The problem is that many companies don't seem to think that Joiners, Leavers, and Movers processes extend past sett a flag in the HR systems and disabling their "network" (usually AD account).
Even companies most important systems seem to get missed.
I recently did an exercise at one company, there were over 170 different applications that different people needed to be logged into, 70+ the IT department had know idea about. 90% were not part of the JML process.
With the advent of SaaS and Cloud Services it's so much easier to people in business so sign up for new services, and to the majority of people "authorisation" means getting their managers/directors sign-off.
How many people (usually the marketing department) know their companies Facebook, Instagram, Twitter account (note singular) and how many people have left since it was last changed?
When I was a system programmer, I got a call from my supervisor that was along the lines of "in 5 minutes, revoke <our boss's name>'s access to the mainframe and the PDP-11 and change the maintenance account password while you are at it." 10 minutes later our now ex-boss was walked out the door.
I well remember the Terry Childs fiasco in San Francisco in 2008. Principal network engineer for the City's IT department with Cisco CCIE certification was allowed to run amok and set up the City's system so that "he alone could fix it." Then when his behavior became insufferably egomaniacal & he was to be given a lateral position, went rogue and refused to allow anyone access to the City's WAN which supported 65 city agencies.
Apparently a brilliant bundle of resentments, that one.
Off to prison, and now released after serving his sentence.
Oh yes and he concealed one or more prior convictions for which he also did time.
A pity we don't get to find out what axe he had to grind, that would be more interesting. I worked at a big City firm for 5 years, when I left (time to move on) I had to remove myself from the systems because they were not smart enough to know where all my accounts were. Luckily for them I didn't have any axes to grind ;-)
Wow. StichFix must be really hard up for IT talent if they're willing to keep on a person who plead guilty to sabotage. Remind me never to use their services for anything.
I spent years as a freelance IT consultant and several times after I parted ways (occasionally unpleasantly) with a company I noticed that I was still getting important emails for them or had access to one of their systems. I informed them right away and deleted the saved password.
Why? Because I'm not an unethical douchebag.
The only emails I still get are updates to my still-active retirement/pension account.
But I was in charge of a bunch of off-network test laptops, being a good little mini-BOFH (and patching regularly over a cellular Wi-Fi hotspot since there was little public WiFi in the place). And if I had really wanted to screw folks, I could have done everything from change the passwords to full nuke & pave, or possibly even just throw them in the garbage.
Two reasons why not:
1. These were my respected colleagues and peers -- the closest to "friends" I had aside from my missus -- and honestly I was leaving them in a total talent bind, so I didn't want to screw them also.
2. Technically, the "customer" (US DoD) owned (paid for) them. While just binning them would look horrible on a future audit, eventually it would come back to me and I'd be in DEEEEEP shaving cream.
So I dutifully handed them over, along with all the necessary test kit, asset list / tracking spreadsheet, and the like, along with everything else useful. All I took out of there was a load of office supplies included a Sharp printing calculator (I've told y'all about that before).
* Note: I have to remind you it's Stryker the armored vehicle because my state (Michigan) is also home to Stryker medical products. A hospital bed may have wheels but isn't as fun to ride on.
worked for my last company for over 40 years and when they let me go i had access to my computer and the relevant systems up until i left at the end of the day.
no sabotage, no bad behaviour; just one more schmuck shoved out the door at the end of the day.
Doing something like what this wanker did should have been an instant H1B revoke, green card option permanently revoked, and time in chokey, and then shipped out of country.
Its not just IT companies that are rubbish at deletion of accounts and access. I rejoined Deutsche Bank in 2013 having left them in 2006. Upon my return HR queried whether I had worked for them before as they just re enabled my HR account .... it included my next of kin / emergency contact which was my deceased mother (she passed in 2006 just before I left for the second time) . Surprised that they had not deleted my details ... Not really. :)
You don’t delete accounts until you’re certain you don’t need to keep the SID<->Name translations intact anymore, the list of security groups granted at the point of leaving or any other associated metadata. In general, you should not delete an account but instead anonymise it many years after systems have been updated to the point where there’s no valid audit trail any more anyway.
Sure, add a pseudonym with a confidentially stored historical record which can be called upon if necessary, but to delete accounts risks losing the ability to review the system for past mistakes or deliberate misconducts years down the line.
Not one of them did I consider going back into their systems and looking to see if they had, in fact, changed or deleted my account. I always kept my personal and work email separate, so that I did not have to worry about getting a copy of my mailbox.
When I was laid off at a Stockbrokers during the GFC, I knew I was on the chopping block even before the HR lady called me into a meeting in the board room. I made sure that anything personal was on my external drive and not on the work computer. I was still good friends with my boss and warned him that the company had not cancelled my home internet service that they were paying for. He was happy to let me hang onto it until I could get it signed over as he was wary that he might need me to help out remotely.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
