Techie’s revenge lands her in jail
By Liam Tung on Dec 10, 2010 9:25 AM
*** begin quote ***
Four days after being fired from the Suncoast Community Health Centers’ for insubordination, Patricia Marie Fowler exacter her revenge by hacking the centre’s systems, deleting files, changing passwords, removing access to infrastructure systems, and tampering with pay and accrued leave rates of staff.
*** end quote ***
This story begs a number of questions about hardware / software engineering.
(1) Firewalls, hardware, and software are NOT designed to avoid the “King” effect. One example. The SWIFT funds transfer network in the 80’s had the concept of split authentication. The contract with SWIFT and the institution REQUIRED two separate “supervisors of an administrator” and “technology administrators”. There had to be collusion between FOUR people to subvert the security system. Bosses were NOT permitted to access the system but did receive the couriered envelop with their half of the institution’s code. They gave it to their administrator. Once the two haves were used, a new pair was generated and sent to the bosses. Either “administrator” could lock the “kingdom”. (I forget how long the “keys” were, but I remember typing it in was a giant pain.) Surprisingly, even honchos, who were openly hostile to “security”, meekly went along with this kabuki.
(2) It seems like there was very little separation of duties. The IT administrator apparently has access to the firewalls, other platforms, and data tables in applications. Seems like the place was an accident set up to happen. Where were the internal and external auditors? At the very least, with suitable automation, rebuilding components of the infrastructure should be near trivial. You wonder where was their disaster recovery plan; probably locked up in the head of the rogue administrator.
(3) “Passwords” in and around a serious “security” situation. Guess they never heard of two factor authentication?
Nice to know we don’t need no stinkin’ security!
# # # # #