Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: HiTech RedNeck
Specifically, at approximately 6:03 p.m. that evening, Brown knowingly transmitted a code and command to 10 core Citibank Global Control Center routers, and by transmitting that code, erased the running configuration files in nine of the routers, resulting in a loss of connectivity to approximately 90% of all Citibank networks across North America.

A. Why would such a self-destruct command even exist.
B. Why did this guy have access to run such a command.

Says something about Citibank's computer security procedures, or lack thereof.

13 posted on 07/30/2016 6:43:59 AM PDT by Flick Lives (TRIGGER WARNING - Posts may require application of sarcasm filter)


To: Flick Lives

Sounds like “ssh admin@machine rm [somefile]” on Linux or UNIX. If he’d wanted to have been even more evil he could have blown away the tenth one too.

But the dark kind of mind necessary to carry out such evil also blinds one’s thinking. If Citibank had actually wronged him, his best move would have been to give it to God, get another job, and just quit. God, when trusted by the wronged, has a way of orchestrating what in other worldviews is sometimes called “karma.” Because the one doing the wrong has also brought about his own blindness too.

I had a boss a few years ago who was a jerk and I left the company. For the next three years this boss had to deal with another difficult and mercurial man in another division of the company — one that I was beginning to befriend and I might have made quite a difference to this boss in dealing successfully with. With me out of the picture... the jerk reaped the consequences and nothing evil or illegal was done by me.


19 posted on 07/30/2016 6:53:23 AM PDT by HiTech RedNeck (Embrace the Lion of Judah and He will roar for you and teach you to roar too. See my page.)

To: Flick Lives
Sounds to me like he was a sysadmin and dumped the configurations on the core network routers. Stupid-simple, effective and obviously, illegal due to malicious intent. Believe me, this crap happens all the time on small scales and no one notices except for the impacted environment. Reload the correct config/route tables from secure rom and you're back in business before the trouble ticket gets escalated.

After incarceration, he'll be ready for his close-up hanging off the tail of a garbage truck. He'll never work IT again, too toxic.

23 posted on 07/30/2016 7:12:10 AM PDT by paulcissa (Democrats want you unarmed so they can kill you.)

To: Flick Lives
A. Why would such a self-destruct command even exist. B. Why did this guy have access to run such a command.

Says something about Citibank's computer security procedures, or lack thereof.


I've worked IT in all sorts of industries, including as both a contractor and employee of a bank.

The people who are in positions of power in most industries are generally the people who work the core business. IT is too often an afterthought and seen as peripheral to "what we do". Consequently it's often underfunded and often lacks the power to force changes.

In my experience, the IT guys generally are acutely aware of the problems that exist, have repeatedly reported them up the chain, and simply don't have the time or resources to fix them the "right" way. Often the "good enough" way isn't the most secure way.

In the case of routers, there is generally an administrative password that is all-powerful - there are legitimate needs to wipe the configuration on occasion. You can generally also set up users with less power that can do some administrative tasks, but not all. In the best case, you can set up tiered levels of access, so maybe a low-level person can pull logging data, a mid-level person can make some tweaks to the configuration, and only the highest level can do dangerous things.

But that takes time. Someone has to think through which levels should have what capability. Those decisions need to have a plan of implementation that is replicated across the organization and that plan has to be maintained over time and enforced with policy and procedure. In the case of a router, it probably takes multiple times the amount of time and resources to build that security infrastructure than it does to just get the routers up, running and working right with basic security. When the IT guys are already working nights and weekends in their windowless basement cubicles in some grey building in a bad neighborhood and have projects stacked up years in advance, there's a lot of pressure to just "get it done" and move onto the next project.

Add into that mergers of large organizations with disparate equipment, policies, procedures, etc. which are chaos in the best of times and it becomes a disaster waiting to happen.

Not saying all industries or all banks are this way, but it happens more than you might think even today.

Another consideration I've seen (full disclosure: I am a white male) is affirmative action hires. Now, I've worked with some top notch female and minority IT people. People who I'd be proud to work for, with, or under me. But they are much harder to find than the quotas mandate and the quotas take priority. An incompetent IT person is a very dangerous thing to have in an organization and banks tend to have a lot of them thanks to diversity departments.

All of the above is just my experience and opinion.
26 posted on 07/30/2016 7:43:35 AM PDT by chrisser

To: Flick Lives

No IT knowledge here, but, if I may put on my tinfoil hat, is it possible that Citibank was actually able to recover whatever the perp had erased, but the incident made a great cover for the laundering of some funds?


31 posted on 07/30/2016 8:35:35 AM PDT by Bigg Red (You're on fire, stupid!)

To: Flick Lives

The reason such a command exists could very well be for maintenance. Let’s say you want to move the router from location A to location B. You don’t want it to come up with the configs from A when you plug it in to the B network, so you reset the device to factory defaults right before shutting it down.

Another is that when you retire the device, you don’t want any of your existing network configs on it for security reasons. This is standard practice at most places with a clue these days.


39 posted on 07/30/2016 11:26:40 AM PDT by zeugma (Welcome to the "interesting times" you were warned about.)

To: Flick Lives
at approximately 6:03 p.m. that evening, Brown knowingly transmitted a code and command to 10 core Citibank Global Control Center routers, and by transmitting that code, erased the running configuration files in nine of the routers, resulting in a loss of connectivity to approximately 90% of all Citibank networks across North America.

A. Why would such a self-destruct command even exist.

It's not a "self-destruct" command. It's simply a delete command... BTW, these "journalists" appear to be nearly as well versed in technology as they are in their knowledge about firearms.

The simple fact is that network or system administrators must be among the most trusted people in any business. They literally "hold the keys to the kingdom." For instance, as a network administrator, since I had access to all of the data of our publicly traded company, I was covered under the same "insider trading" laws as our CEO, even though I really wouldn't know anything about what to do with the information.

B. Why did this guy have access to run such a command.

Security systems in modern networks allow RBAC, or "Role Based Security Access." Depending on your management role, you will have different levels of access. As a network administrator, the level of access is usually full access to do what needs to be done to modify the configuration on the routers. Those modifications include the ability to delete lines of code in the configuration, or even the entire configuration file. That's just a part of the job.

Again, it all comes down to a level of trust. They "trusted poorly."

Mark

43 posted on 07/31/2016 1:13:39 AM PDT by MarkL (Do I really look like a guy with a plan?)
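The tiered access described in posts 26 and 43, sketched as an added example that is not code from the thread or from any system it discusses: a default-deny command authorizer with three levels, plus a check that flags one account running permitted destructive commands on several devices in a short window. The tier names, command words, device names and events are constructed assumptions, not any vendor's syntax.

```python
from datetime import datetime, timedelta

# Hypothetical tiers and vendor-neutral command words; all names are assumptions.
TIERS = {"viewer": 1, "operator": 5, "admin": 15}
POLICY = {                      # command prefix -> minimum tier
    ("show",): 1,
    ("show", "config"): 5,      # configs can hold secrets
    ("set",): 5,
    ("set", "user"): 15,        # account changes are admin-only
    ("erase",): 15,
    ("reload",): 15,
}
DESTRUCTIVE = {"erase", "reload"}

def authorize(role, command):
    """Return (allowed, destructive) using longest-prefix match, default deny."""
    words = tuple(command.lower().split())
    level = TIERS.get(role, 0)                   # unknown role gets no access
    for n in range(len(words), 0, -1):           # longest prefix first
        need = POLICY.get(words[:n])
        if need is not None:
            return level >= need, words[0] in DESTRUCTIVE
    return False, False                          # unknown command: deny

def fan_out_alerts(events, max_devices=2, window=timedelta(minutes=10)):
    """Flag users whose permitted destructive commands hit more than
    max_devices distinct devices inside the window."""
    seen, flagged = {}, set()
    for ts, user, role, device, command in sorted(events):
        allowed, destructive = authorize(role, command)
        if not (allowed and destructive):
            continue
        hits = seen.setdefault(user, [])
        hits.append((ts, device))
        recent = {d for t, d in hits if ts - t <= window}
        if len(recent) > max_devices:
            flagged.add(user)
    return flagged

# Constructed audit events: (timestamp, user, role, device, command)
T0 = datetime(2024, 1, 1, 18, 0)   # arbitrary constructed time
EVENTS = [
    (T0, "alice", "viewer", "rtr-01", "show interfaces"),
    (T0 + timedelta(minutes=1), "alice", "viewer", "rtr-01", "erase config"),
    (T0 + timedelta(minutes=2), "bob", "admin", "rtr-01", "erase config"),
    (T0 + timedelta(minutes=3), "bob", "admin", "rtr-02", "erase config"),
    (T0 + timedelta(minutes=4), "bob", "admin", "rtr-03", "erase config"),
]
```

The authorizer alone cannot stop an administrator who legitimately holds the top tier; the fan-out check is what surfaces that case to monitoring.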
