Free Republic

Former Citibank Employee Sentenced for Causing Intentional Damage to a Protected Computer
www.justice.gov | 7-25-16 | DOJ Texas

Posted on 07/30/2016 6:17:56 AM PDT by dynachrome

To: dynachrome

They was...

They guys...

I’m guessing he qualified for the job in a non-academic way.


21 posted on 07/30/2016 7:00:56 AM PDT by Bogey78O (We had a good run. Coulda been great still.)

To: Bogey78O

Maybe they was on MJ. On the other hand, I’ve seen sloppy English being used by contractors and nobody seemed to care.


22 posted on 07/30/2016 7:03:07 AM PDT by HiTech RedNeck (Embrace the Lion of Judah and He will roar for you and teach you to roar too. See my page.)

To: Flick Lives
Sounds to me like he was a sysadmin and dumped the configurations on the core network routers. Stupid-simple, effective and obviously, illegal due to malicious intent. Believe me, this crap happens all the time on small scales and no one notices except for the impacted environment. Reload the correct config/route tables from secure rom and you're back in business before the trouble ticket gets escalated.

After incarceration, he'll be ready for his close-up hanging off the tail of a garbage truck. He'll never work IT again, too toxic.

23 posted on 07/30/2016 7:12:10 AM PDT by paulcissa (Democrats want you unarmed so they can kill you.)

To: BuffaloJack

Shutting down one server shouldn’t cause an outage if the application runs on clustered servers. *Mission critical* applications should, IMHO, run on mainframes configured in a parallel sysplex environment.

You’d be surprised what some Fortune 100 companies have. I vividly recall a major outage I supervised some 10 years ago for my customer (World’s 2nd largest retailer - hint) during the Christmas season. They outsourced their online sales to a company that ran the online sales application on end-of-life hardware (unsupported) on an unsupported configuration. Smart, huh?

They were down for days.


24 posted on 07/30/2016 7:16:24 AM PDT by Original Lurker

To: BuffaloJack

From the article it sounds like it was network equipment that he toasted (routers) not servers.

Routers are the devices that hook networks together so that all the different sites can talk to each other.

Each router has a configuration running in it that tells it what networks it's supposed to be connecting and how.

This configuration is remotely updateable so that valid network changes can be made. However, a malicious network admin (like this guy could’ve been) who has access to make these valid changes could also trash the config if they wanted to.

There usually are backups of router configs held somewhere but it makes it hard to get them back since it's the network that's affected and you need that network to be able to talk to the router to fix it.


25 posted on 07/30/2016 7:17:56 AM PDT by LizardQueen (The world is not out to get you, except in the sense that the world is out to get everyone.)

To: Flick Lives
A. Why would such a self-destruct command even exist. B. Why did this guy have access to run such a command.

Says something about Citibank's computer security procedures, or lack thereof.


I've worked IT in all sorts of industries, including as both a contractor and employee of a bank.

The people who are in positions of power in most industries are generally the people who work the core business. IT is too often an afterthought and seen as peripheral to "what we do". Consequently it's often underfunded and often lacks the power to force changes.

In my experience, the IT guys generally are acutely aware of the problems that exist, have repeatedly reported them up the chain, and simply don't have the time or resources to fix them the "right" way. Often the "good enough" way isn't the most secure way.

In the case of routers, there is generally an administrative password that is all-powerful - there are legitimate needs to wipe the configuration on occasion. You can generally also set up users with less power that can do some administrative tasks, but not all. In the best case, you can set up tiered levels of access, so maybe a low-level person can pull logging data, a mid-level person can make some tweaks to the configuration, and only the highest level can do dangerous things.

But that takes time. Someone has to think through which levels should have what capability. Those decisions need to have a plan of implementation that is replicated across the organization and that plan has to be maintained over time and enforced with policy and procedure. In the case of a router, it probably takes multiple times the amount of time and resources to build that security infrastructure than it does to just get the routers up, running and working right with basic security. When the IT guys are already working nights and weekends in their windowless basement cubicles in some grey building in a bad neighborhood and have projects stacked up years in advance, there's a lot of pressure to just "get it done" and move on to the next project.

Add into that mergers of large organizations with disparate equipment, policies, procedures, etc. which are chaos in the best of times and it becomes a disaster waiting to happen.

Not saying all industries or all banks are this way, but it happens more than you might think even today.

Another consideration I've seen (full disclosure: I am a white male) is affirmative action hires. Now, I've worked with some top notch female and minority IT people. People who I'd be proud to work for, with, or under me. But they are much harder to find than the quotas mandate and the quotas take priority. An incompetent IT person is a very dangerous thing to have in an organization and banks tend to have a lot of them thanks to diversity departments.

All of the above is just my experience and opinion.
26 posted on 07/30/2016 7:43:35 AM PDT by chrisser
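
The tiered access described in the post above, sketched as a default-deny command authorization table with an audit pass over a session log. This is an added example, not part of the original thread; the IOS-style command names, tier numbers, account names and log lines are assumptions constructed for illustration.

```python
# Added example: default-deny, tiered command authorization for router admins.
# Command names are IOS-style and, like the users and log lines, are assumptions.
LOW, MID, HIGH = 1, 2, 3  # logging only / config tweaks / destructive actions

# (command prefix, minimum tier). Longest matching prefix wins; no match means deny.
POLICY = [
    ("show logging", LOW),
    ("show", LOW),
    ("show running-config", MID),   # full config can expose secrets
    ("configure terminal", MID),
    ("erase", HIGH),
    ("write erase", HIGH),
    ("reload", HIGH),
]

def required_tier(command):
    """Return the minimum tier for a command, or None if no rule covers it."""
    cmd = " ".join(command.lower().split())          # normalize case and spacing
    hits = [(p, t) for p, t in POLICY if cmd == p or cmd.startswith(p + " ")]
    return max(hits, key=lambda h: len(h[0]))[1] if hits else None

def authorize(user_tier, command):
    """Permit only when a rule covers the command and the user's tier is high enough."""
    need = required_tier(command)
    return need is not None and user_tier >= need

def audit(log, tiers):
    """Flag denied commands and permitted destructive ones for review."""
    findings = []
    for line in log:
        user, _, command = line.partition(": ")
        need = required_tier(command)
        if need is None or tiers.get(user, 0) < need:
            findings.append((user, command, "denied"))
        elif need == HIGH:
            findings.append((user, command, "permitted-destructive"))
    return findings

TIERS = {"noc1": LOW, "eng1": MID, "admin1": HIGH}   # constructed accounts
SAMPLE_LOG = [                                        # constructed session log
    "noc1: show logging",
    "noc1: show running-config",
    "eng1: configure terminal",
    "eng1: write erase",
    "admin1: erase startup-config",
    "eng1: debug all",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, TIERS):
        print(finding)
```
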

To: Enchante
they should fire whoever hired him
27 posted on 07/30/2016 7:46:25 AM PDT by Chode (You Owe Them Nothing - Not Respect, Not Loyalty, Not Obedience, NOTHING!)

To: DAC21
Bingo!: His language skills precedes him, no photo necessary!
28 posted on 07/30/2016 7:53:56 AM PDT by Grampa Dave (Democrats want you unarmed so they can kill you!)

To: Diogenesis

+1


29 posted on 07/30/2016 8:32:58 AM PDT by Bigg Red (You're on fire, stupid!)

To: ViLaLuz

+1


30 posted on 07/30/2016 8:33:26 AM PDT by Bigg Red (You're on fire, stupid!)

To: Flick Lives

No IT knowledge here, but, if I may put on my tinfoil hat, is it possible that Citibank was actually able to recover whatever the perp had erased, but the incident made a great cover for the laundering of some funds?


31 posted on 07/30/2016 8:35:35 AM PDT by Bigg Red (You're on fire, stupid!)

To: dynachrome

Think I know what that means...


32 posted on 07/30/2016 8:40:00 AM PDT by glasseye

To: Chode
they should fire whoever hired him

Interesting tripwire.com take on this story:

The State of Security: Citibank IT guy deliberately wiped routers, shut down 90% of firm’s networks across America

33 posted on 07/30/2016 8:49:36 AM PDT by COBOL2Java (Donald Trump, warts and all, is not a public enemy. The Golems in the GOP are stasis and apathy)

To: COBOL2Java
i've been RIFed three times, twice from the same place, and all three times the head of security was outside the HR door waiting to take me back to my office and watch me clean out my stuff, take my badges, keys and beeper or phone before escorting me out of the building...
34 posted on 07/30/2016 9:00:08 AM PDT by Chode (You Owe Them Nothing - Not Respect, Not Loyalty, Not Obedience, NOTHING!)

To: dynachrome

He didn’t get Hillary’s gold-plated treatment from the federal government.

After all, he didn’t mean to do it. Isn’t that Hillary’s defense?

Then why does she skate and he goes to prison and has to pay restitution?


35 posted on 07/30/2016 9:06:01 AM PDT by goldstategop ((In Memory Of A Dearly Beloved Friend Who Lives In My Heart Forever))

To: Chode

Bank servers, e-mail servers.

Two people breached security.

Oh - one of them is running for President.


36 posted on 07/30/2016 9:07:49 AM PDT by goldstategop ((In Memory Of A Dearly Beloved Friend Who Lives In My Heart Forever))

To: goldstategop
shoulda picked this mutt for VP, would guarantee the black lies matter vote
37 posted on 07/30/2016 9:17:13 AM PDT by Chode (You Owe Them Nothing - Not Respect, Not Loyalty, Not Obedience, NOTHING!)

To: dynachrome

“Protected” computer? Was it black, Hispanic or homosexual?


38 posted on 07/30/2016 9:23:51 AM PDT by JimRed (Is it 1776 yet? TERM LIMITS, now and forever! Build the Wall, NOW!)

To: Flick Lives

The reason such a command exists could very well be for maintenance. Let’s say you want to move the router from location A to location B. You don’t want it to come up with the configs from A when you plug it in to the B network, so you reset the device to factory defaults right before shutting it down.

Another is that when you retire the device, you don’t want any of your existing network configs on it for security reasons. This is standard practice at most places with a clue these days.


39 posted on 07/30/2016 11:26:40 AM PDT by zeugma (Welcome to the "interesting times" you were warned about.)

To: Chode

#34 How many servers did you shut down : )


40 posted on 07/30/2016 3:26:00 PM PDT by minnesota_bound



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
