SoylentNews is people
SoylentNews
from the hell-hath-no-fury-like-a-sysadmin-scorned dept.
Angry IT admin wipes employer's databases, gets 7 years in prison:
Han Bing, a former database administrator for Lianjia, a Chinese real-estate brokerage giant, has been sentenced to 7 years in prison for logging into corporate systems and deleting the company's data.
Bing allegedly performed the act in June 2018, when he used his administrative privileges and "root" account to access the company's financial system and delete all stored data from two database servers and two application servers.
[...] Surprisingly, Bing had repeatedly informed his employer and supervisors about security gaps in the financial system, even sending emails to other administrators to raise his concerns.
However, he was largely ignored, as the leaders of his department never approved the security project he proposed to run.
This was confirmed by the testimony of the director of ethics at Lianjia, who told the court that Han Bing felt that his organizational proposals weren't valued and often entered arguments with his supervisors.
In a similar case from September 2021, a former New York-based credit union employee avenged her supervisors for firing her by deleting over 21.3GB of documents in a 40-minute attack.
Anyone have stories of any interesting employee departures that they have exprienced?
(Score: 2) by RS3 on Wednesday May 18 2022, @09:09PM (15 children)
I'm not defending Bing's actions at all, but the legal system / courts usually take many things into consideration when determining punishment. Again, Bing was definitely wrong, but TFS says he tried to get them to agree to a (possibly) better security system that he wanted to implement. I believe part of his action derived from him wanting to prove he was right, that the systems were quite vulnerable.
FTFA:
I guess they didn't have a good efficient backup / recovery system in place?
(Score: 2) by Revek on Wednesday May 18 2022, @09:43PM (1 child)
So basically the plot to a low rent die hard sequel with Jason Mewes as the basement dwelling hacker.
This page was generated by a Swarm of Roaming Elephants
(Score: -1, Spam) by Anonymous Coward on Thursday May 19 2022, @12:24AM
Yippie ki yay, doobie snax! [ehealthme.com]
(Score: 3, Insightful) by Anonymous Coward on Wednesday May 18 2022, @09:43PM (1 child)
This is one of those situations where being "right" should not work in your favor. If you point out a security flaw, and the company chooses not to fix it, that is not an invitation to exploit that security flaw. It is an invitation to laugh your ass off when someone else exploits it.
(Score: 1, Informative) by Anonymous Coward on Wednesday May 18 2022, @10:55PM
How do you know that wasn't exactly what happened, and then the bosses pointed the "investigators" to a convenient, too-informed scapegoat?
TFA: "The administrator immediately raised suspicion when he declined to give his laptop password to the company's investigators."
Which means, he was vary of them planting "evidence". Has not helped him any in the end; evidence conveniently found on company's devices afterwards (however it arrived there) was enough for Chinese court to jail him anyway.
(Score: -1, Flamebait) by Anonymous Coward on Wednesday May 18 2022, @09:43PM (2 children)
PRC government, and their crony capitalists, can do absolutely anything to absolutely anyone. Done it for decades, are doing now, will continue till whatever finale they have coming. What is to discuss about this one case out of uncounted millions?
(Score: 0) by Anonymous Coward on Wednesday May 18 2022, @11:21PM (1 child)
What about the New York-based credit union employee mentioned in the story as well?
(Score: 0) by Anonymous Coward on Wednesday May 18 2022, @11:34PM
Two words: "plea bargain".
(Score: 4, Insightful) by hopdevil on Thursday May 19 2022, @01:40AM (4 children)
I'm sure most won't agree with this, but the company should be responsible for protecting itself from insider security threats. While I don't condone what was allegedly done here, prison time is way too heavy handed in my opinion.
Keeping a prison time threat against employees if they run afoul of a company should make sysadmins very uncomfortable. Since this guy has brought up the security risks and was ignored, argued with supervisors he was probably turned into an example.
There are certainly security mechanisms (like 2 people required to get root access) which can be built into systems which prevent this from happening.. if the company decided against doing this it is on them, not the lone wolf. If this guy actually has the permissions and capabilities to delete the data, he was acting on behalf of the company..
(Score: 3, Informative) by jasassin on Thursday May 19 2022, @04:24AM (3 children)
If the vulnerability was so bad, I’m wondering why the hell he logged in with the root password to wack the DB? Sounds like the biggest security threat they had was hiring this dildo.
jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223
(Score: 4, Insightful) by JoeMerchant on Thursday May 19 2022, @03:22PM (2 children)
First, and objectively worst, vulnerability: a root password which is not changed upon dismissal of an employee who knows it.
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 3, Touché) by RS3 on Thursday May 19 2022, @03:29PM (1 child)
That and many other things which all go back to: the company resisting security improvements.
(Score: 3, Funny) by JoeMerchant on Thursday May 19 2022, @03:50PM
Plot twist: they do change the password, but then they post it on an open website so "people who need it can get it."
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 0) by Anonymous Coward on Thursday May 19 2022, @09:46AM (1 child)
In most companies even if they have separate people involved in sysadmin and handling of backups the sysadmins would still know ways to destroy the backups. There are certain backup systems in my company I'm not in charge of but I still know where the stuff is.
[1] Even if you hate the company that much and are willing to do something unethical, you don't do the deed yourself - you get someone else to do it. If some outsider can't do it even if you expose info to them (that has no links to you - e.g. not your ID and password) then maybe the company's systems really aren't that insecure? In which case the company's biggest security problem was him. And to fix it he should have resigned and got a job in a different industry.
(Score: 2) by RS3 on Thursday May 19 2022, @03:34PM
Proper backup includes making multiples, and also includes some kind of physical media that is removed from the site and stored by a 3rd-party company in a secure vault.
Even in a small company, corporate principals (CEO, president, VP, secretary) should keep copies in a small safe or fireproof strong box, at home, bank safety deposit box, etc.
(Score: 2) by JoeMerchant on Thursday May 19 2022, @03:14PM
Seems disproportionate: the data restoration effort only cost $30K but tens of thousands of employees were without salaries for an "extended period." In the U.S. they would lump on the cost of dealing with the employee salary snafu which doubtlessly would cost much more than $3 per employee.
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end