Welcome to the SecAware blog

I spy with my beady eye ...

12 Sept 2008

More on SF rogue network admin

The drip-feed of news about the Terry Childs case continues. [Quick recap: Childs held the City Government of San Francisco to ransom by refusing to divulge the city's network admin passwords that were under his sole control.] The Washington Post tells us:
"Childs compromised more than 1,100 devices and created unauthorized network doorways, allowing him unfettered and undetectable access. He collected pages of user names and passwords, including his supervisor's, to use their network log-ons. And he downloaded thousands of gigabytes of city data -- possibly privileged information, such as police reports and e-mails -- to a personal encrypted storage device. Experts still aren't sure what data the device contains."

'Thousands of gigabytes'? That's an impressive capacity for a personal storage device.
The Post also says Childs had a criminal record:
"Childs, as it turns out, carried a list of convictions, including aggravated burglary, aggravated robbery and theft, according to court documents. He also served four years in the Kansas state prison. Childs kept this from his employment application, court documents note. Vinson said San Francisco will probably expand its employee background checks to cross state lines."

Good idea!
Still, I agree with the thrust of the article that SF management's failings extend well beyond checking Childs' references. Childs was a privileged insider placed in a position of great responsibility and trust by management. It appears that management recognized the risk but failed to address it adequately. Dawn Capelli's comments about the insider threat are very apt. I'd call this a governance failure.

September update: San Francisco city's Department of Telecommunications and Information Services (DTIS) has spent just under $200k already, investigating what Childs has done to the network and hunting for a terminal server providing him a back-door.  The full cost is estimated to be around $1m.

No comments:

Post a Comment