
Hacker Holds Key to City's Network (San Francisco computers held hostage)

This topic is archived.
Tab Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 10:58 AM
Original message
Hacker Holds Key to City's Network (San Francisco computers held hostage)
Source: ABC News

An Alleged Hacker Won't Reveal Secret Password to Unlock San Francisco's Network
By RUSSELL GOLDMAN
July 17, 2008

A San Francisco municipal employee is charged with hacking the city's computer system and creating a secret password that gave him virtually exclusive access to most of the city's municipal data.

While in jail, held on $5 million bail, he still has refused to reveal the password that would give full access to the network back to city employees, city officials say.

Terry Childs, 43, will plead not guilty in court today, his lawyer told ABCNews.com.

Childs, an employee of the city's Department of Technology, was arrested Sunday and charged with four counts of computer network tampering.

"He was able to prevent other authorized users from being able to access the system, and at same time, put in place devices that gave him access to areas of the network which he was not authorized to access," said Erica Derryck, spokeswoman for the San Francisco district attorney's office.
...
The network on which he worked reportedly stored 60 percent of all municipal data, including the city's 311 system, employee e-mail and law enforcement records.

San Francisco Mayor Gavin Newsom told reporters Tuesday that Childs was a "rogue employee that got a bit maniacal and full of himself."
...
He chalked up the arrest to a "misunderstanding between and a supervisor that does not affect anything."
...
Prosecutors would not release the full criminal complaint to the public, nor would they disclose what they believe was Childs' motive for creating a password that would block other administrators from accessing the network.

Read more: http://abcnews.go.com/Technology/story?id=5390020&page=1
jeff30997 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 11:15 AM
Response to Original message
1. And of course...
Electronic Voting machines are absolutely safe.:eyes:
 
MindPilot Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 11:20 AM
Response to Original message
2. Speaking as a network admin myself...
don't piss us off! :evilgrin:

OTOH, how can a government be so lax with data security? Where I work--a major corporation--everything is set up so that no one person has enough access to grant anyone else access without at least two other people knowing about it.
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 11:32 AM
Response to Reply #2
4. Nobody has root?
All it takes is one smartass who doesn't care.

>su
Please enter the password for Root:
>1234pass
You are now logged on as Root
>passwd
Current Password:
>1234pass
New Password:
>iamahax0rg0d
Confirm New Password:
>iamahax0rg0d
Password changed for user Root
>cd /usr/sbin
>./userdel -r otheradmin1
>./userdel -r otheradmin2

etcetera

Quis custodiet ipsos custodes?
 
slackmaster Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 12:03 PM
Response to Reply #4
8. Great question, Xithras
See my .sig line. ;-)
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 03:23 PM
Response to Reply #8
24. Heh.
It's pinned to the wall in our datacenter...just below the security camera :)
 
Q3JR4 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 09:50 PM
Response to Reply #4
31. Even I could do that
and I don't know much more about the Unix operating system.

Q3JR4.
 
Ian David Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 11:36 AM
Response to Reply #2
6. Just ask Gus Gorman


 
Tab Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 11:56 AM
Response to Reply #2
7. Hey, if Los Alamos can lose nuclear secrets

don't be holding San Francisco up to any great standards.

Most municipalities have decent steady jobs, but don't always pay what you get in the private sector. Everyone likely works with the system "as is", they probably don't have any network security experts on staff. It's pretty casual, I assume. You work for a major corporation, so there's trade secrets and all kinds of stuff they'll be security conscious about. But city government?

I'm a software engineer, but once upon a time was in charge of mainframes. It was an issue of trust - you have to assume your engineers and admins aren't going to be malicious. If they are, as someone noted down-thread, you can kiss your career goodbye at a minimum, and it doesn't take long to figure out who did it. I have access to all kinds of stuff, but I would never abuse it - one, because I just wouldn't; two, because even if there were no legal ramifications, I'd never get another job in the field, certainly not one that trusted me with passwords. As an engineer or an admin, you have to get superuser privileges, you have to log in as root sometimes, and even if you're in a place that's structured up so that only two people have access to root, if one of those people wants to change the password, you're hosed.

In this case, it wouldn't matter if two other people knew about it - it was too late. They know he did it, and he doesn't care.
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 11:25 AM
Response to Original message
3. I've known two idiots who did this.
This has to be one of the dumbest things a sysadmin or a programmer can do. I've known two guys who got pissed off at employers for one reason or another and trashed the system (one guy deleted four years' worth of software code, and the other purged a 45,000 user account database). Both were identified as the culprits within hours, and both were arrested and tried (neither got long sentences because the purged data was quickly restored from backups). At worst, it was an irritating interruption for their employers. But for them, it ended up becoming a legal nightmare that not only consumed several years of trial, jail, and parole, but it also ended ANY chance they had of EVER holding another job in their chosen field. Once a computer programmer or sysadmin pulls something like this, no employer will EVER take a chance on them again. This Childs guy just terminated the last computer job he'll ever have. When you calculate in that the average time served for nondestructive computer tampering is about a year, and then the probable length of a trial, he's looking at starting his new job training at 45. Way to screw up your retirement options.
 
lurky Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 12:20 PM
Response to Reply #3
9. My thoughts exactly.
They don't even need to charge him: nobody will ever hire him to do IT again.

I'm a bit curious about what sparked this. At 43, he seems kind of old to be pulling stupid hacker stunts. Then again, many of us computer-types are a little odd... :)
 
slackmaster Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 12:25 PM
Response to Reply #9
10. I'm 50 and have an occasional Howard Beale fantasy moment
Edited on Thu Jul-17-08 12:26 PM by slackmaster
There's a potential anarchist in most of us, I believe.

 
lurky Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 12:57 PM
Response to Reply #10
15. LOL!
 
MindPilot Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 03:18 PM
Response to Reply #10
23. True dat...
But when you have a big network, it creates enough of its own problems by itself that most of the time you can do plenty of damage by just taking a day off.
 
raebrek Donating Member (467 posts) Send PM | Profile | Ignore Thu Jul-17-08 01:38 PM
Response to Reply #9
19. I resemble that. n/t
 
Ian David Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 11:32 AM
Response to Original message
5. "a rogue employee that got a bit maniacal and full of himself."
When I was in High School the head of our A/V club got a little crazy like that.

You give someone a giant set of keys, and before you know it the video-geeks are on strike.

I don't remember what it was all about, but I think it may have been that he wanted more keys.

 
truthisfreedom Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 12:30 PM
Response to Original message
11. Scary stuff.
Wacky guy.
 
sudopod Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 12:31 PM
Response to Original message
12. OH NOEZ not a hacker!!!1111oneoneelven
Edited on Thu Jul-17-08 12:34 PM by sudopod
Ignorant reporter is ignorant.

Seriously, if you are completely trusted and already have all of the keys to the kingdom, locking everyone out isn't an impressive feat.

Also, computer criminal != hacker.

 
Trillo Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 12:43 PM
Response to Original message
13. So is he a "hacker" or a 'cracker'?
The story reads to me like he's a cracker, not just a hacker.

I guess Corporate Media doesn't want kids becoming computer experts (hackers), so gotta mis-frame the terms so their parents get afraid and discourage computer and Internet use.
 
Tab Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 12:51 PM
Response to Reply #13
14. Technically he's neither

since he was trusted with control of the system to begin with.
 
Pavulon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 05:05 PM
Response to Reply #13
28. No Donny, this man is just an asshole
basically embezzlement.
 
alcibiades_mystery Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 01:03 PM
Response to Original message
16. Wouldn't forcing him to reveal the password be forcing him to confess?
Edited on Thu Jul-17-08 01:06 PM by alcibiades_mystery
It says he plans to plead not guilty. So he may be maintaining that he didn't do it. If that's the case, they cannot take any sanctions against him "until he reveals the password," since to do so would be a violation of his 5th Amendment rights against self-incrimination.

That's the really clever hack: not a hack of the computer system, but a hack of the LAW. Consider the upshot. If a judge rules that the password is not protected, then they would have to place it in a different category of speech, which will then have consequences for ALL password or encryption code, a la the DeCSS case (the finding in which was that encryption codes like one CSS developed for DVD playback are functional rather than expressive, and therefore not protected under the 1st Amendment). In that case, the question was "Can we speak an encryption code?" In this case, the question is reversed: "Can we NOT speak an encryption code?" It's an interesting problem.
 
0rganism Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 01:22 PM
Response to Original message
17. That password is now his primary bargaining chip
I'm sure he's holding out for some kind of plea deal with the DA before he coughs it up.

Of course, from a security perspective it can't stop there. Everything in the zone where he had access, illicit or legit (prior to termination), has to be scrubbed, redone from scratch. There are too many opportunities for a disgruntled highly-privileged employee to create backdoors, and one has to assume that he's contaminated everything he touched. We're talking a hard shutdown of all the gateway routers, a complete user audit, a total inventory of every scheduled task and batch process, every password on every network device redone, every VLAN configuration verified, etc. Walking that cat backwards is a sonofabitch, a major administrative nightmare. I only hope they have a very competent team prepared to sort through this mess.
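
A baseline comparison of the kind the "complete user audit" in reply 17 would start from, catching the changes shown in reply 4 (root password changed, other admin accounts deleted). This is an added example, not part of the original thread; the snapshots, the `maint` account and the placeholder hashes are constructed for illustration.

```python
"""Account audit against a trusted baseline (added example; constructed data)."""

# Constructed snapshots in passwd(5) / shadow(5) format. Hashes are placeholders.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
otheradmin1:x:1001:10:Admin One:/home/otheradmin1:/bin/sh
otheradmin2:x:1002:10:Admin Two:/home/otheradmin2:/bin/sh
www:x:80:80:web:/var/www:/sbin/nologin
"""
BASELINE_SHADOW = """\
root:$6$PLACEHOLDER_OLD:14000:0:99999:7:::
otheradmin1:$6$PLACEHOLDER_A1:14000:0:99999:7:::
otheradmin2:$6$PLACEHOLDER_A2:14000:0:99999:7:::
www:*:14000:0:99999:7:::
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
www:x:80:80:web:/var/www:/sbin/nologin
maint:x:0:0:maintenance:/root:/bin/sh
"""
CURRENT_SHADOW = """\
root:$6$PLACEHOLDER_NEW:14077:0:99999:7:::
www:*:14000:0:99999:7:::
maint:$6$PLACEHOLDER_M:14077:0:99999:7:::
"""


def parse(text, min_fields):
    """Map account name -> list of colon-separated fields, skipping junk lines."""
    rows = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            rows[fields[0]] = fields
    return rows


def audit(base_pw, base_sh, cur_pw, cur_sh):
    """Return sorted (severity, account, finding) tuples for drift from baseline."""
    bp, cp = parse(base_pw, 7), parse(cur_pw, 7)
    bs, cs = parse(base_sh, 2), parse(cur_sh, 2)
    findings = []
    for name in bp.keys() - cp.keys():
        findings.append(("high", name, "account removed since baseline"))
    for name, f in cp.items():
        if f[2] == "0" and (name not in bp or bp[name][2] != "0"):
            findings.append(("critical", name, "new UID 0 account"))
        elif name not in bp:
            findings.append(("medium", name, "account added since baseline"))
    for name in bs.keys() & cs.keys():
        if bs[name][1] != cs[name][1]:
            findings.append(("high", name, "password hash changed"))
    return sorted(findings)


if __name__ == "__main__":
    for sev, name, what in audit(BASELINE_PASSWD, BASELINE_SHADOW,
                                 CURRENT_PASSWD, CURRENT_SHADOW):
        print(f"{sev:8} {name:12} {what}")
```

The comparison is only as trustworthy as the baseline, which has to come from a copy the audited administrator could not modify, such as offline backups.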
 
Tab Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 01:30 PM
Response to Reply #17
18. I wouldn't want to be part of that team
And if he had root access, he'd been there for a long time, likely. Apparently he set up stuff to watch for changes to his employee file and who knows what else. It's not hard to do if no one is expecting you to be causing trouble, but to backtrack it through logs or whatever would be a nightmare.

Since it apparently started with this tiff with his supervisor, I suppose you could use that as the start date, but chances are that was going on for a while. I wouldn't want to have to trace back a few days, much less months and months, and try to separate legit stuff from non-legit.

On the other hand, if you want a job with the SF city IT dept, this is probably the time to apply. Don't bother buying an alarm clock, though, 'cause you probably won't get any sleep.
 
CatholicEdHead Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 01:46 PM
Response to Reply #17
21. Yes, everything is seen as compromised
And needs to be redone from scratch to know it is secure. This is a complete mess from an IT structure point of view.
 
Pavulon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 05:08 PM
Response to Reply #17
29. Most Places limit access
to certain systems. I.e., a network admin who can manipulate routers, switches and firewalls would not have root on a large system(s).

It would be interesting to see what his access was.

Sounds like a crypto blackmail job.
 
0rganism Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 06:34 PM
Response to Reply #29
30. anyone who can configure network gear can snoop network traffic
and anyone who can snoop network traffic effectively has complete access to all unencrypted data traversing that network. Unfortunately, a lot of the common authentication techniques are either insecure or have insecure modes they operate in by default. As the article describes his primary role as network designer and administrator, we can assume he was able to do at least this much.

Worse, the guys who do internal network design and configuration are often tasked with setting up domain trusts, establishing LDAP and NIS, and other activities at the heart of network security. If he didn't have that responsibility himself, he was probably in the same division as those that did and had daily interactions with them. It's not super hard to steal a password from someone if you can watch them type. Even if you can't, there are ways to hard-bug keyboards or trick people into using consoles that record keypresses, etc.

Like most network pros, this guy was in a position to do inestimable damage to everyone who worked there. Stable network environments exist on the basis of a real code of honor between their various administrators. Anyone that close to the heart of the computing environment has to be trustworthy; just "not having root" on, e.g., the accounting systems is a purely optional situation that exists solely at the discretion of such an employee.

They're rather lucky Childs just went ballistic and locked other admins out in a fairly obvious way. If he'd been the quiet sinister type, he could have set up some easy-to-find jobs that embezzled funds into accounts in his enemies' names, forged offensive and harassing email from his targets that would be basically impossible to disprove, automated their web browsers to open pornographic websites during working hours, or any number of other painfully disruptive activities. Instead, he lost his temper, made a stinking asshole of himself, and locked himself out of the computer job market for life. To be sure, it will take months to rebuild the infrastructure, but he could have lingered for years getting people he disliked demoted and fired.
 
raebrek Donating Member (467 posts) Send PM | Profile | Ignore Thu Jul-17-08 01:45 PM
Response to Original message
20. I wonder if they are hiring? hmmmm n/t
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 02:05 PM
Response to Original message
22. Changing passwords of a network you already have access to is "hacker" level now?
Edited on Thu Jul-17-08 02:06 PM by high density
How about using "disgruntled employee" to describe the guy.

If he already had root/admin access, and I assume he did as a network administrator, it's pretty darn easy to hand yourself access to other areas of the system that you're not supposed to be in. I guess this guy is a hackless hacker?
 
truthisfreedom Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 03:23 PM
Response to Original message
25. He doesn't remember it.
Performance anxiety.
 
hunter Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 04:19 PM
Response to Original message
26. Putting on my tinfoil hat...
... was he working for someone else?

:tinfoilhat:
 
Pavulon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jul-17-08 05:04 PM
Response to Reply #26
27. Whom?
Depending on what he did, it would be easy to recover. If he took root and locked people out, most machines boot to single user mode and allow a password change.

If he encrypted data or stole a master key that could be more complicated.

However if facing life in prison he may come around.
 