Tuesday, January 15, 2008

Employee anger almost causes problems for company

Before I jump into my story, I wanted to introduce myself. Michael McCoy honored me by asking if I could contribute to this blog. My name is Nate Evans and I am a PhD candidate at Iowa State University in computer engineering. My research expertise is in an area very close to identity theft: social engineering. In some ways you could classify identity theft as a small piece of social engineering, but I don’t want to step on anyone’s toes here! I am currently working on my dissertation and am employed part time by the Walt Disney Company and The Krell Institute.

So in short, expect stories from me involving people ripping other people off.

When people define social engineering and try to explain the problem about it, they normally start with something like this:

“You can spend millions of dollars building a super secure computer system, but if the system admin sells his pass for $1,000, your system is now worth $1,000.” What if the system admin does not sell the password but instead uses it against the company to destroy or sell company data? This brings me to my story.

Recently a 51-year-old administrator, Andy Lin, was given 30 months in jail and fined $81,200 for trying to destroy a medical drug database in a company he was employed with.

Way back in 2003, Andy learned that his company, Medco, was going to lay people off and he wasn’t sure he would survive the layoffs. In a fit of anger, he decided he would make the company pay by writing a script to delete everything in the company’s database. The script was set to go into effect automatically on his birthday, April 23, 2004.

Well, a couple of weeks rolled by and Andy did not get laid off. As such, he attempted to edit the code to make it ineffective. He failed, and on April 23, 2004, the code deployed anyway.

Luckily, the code contained numerous bugs and his program just crashed. Andy, still the cautious type, fixed the bug and reset his doomsday timer to April 23, 2005.

Fortunately for the company, another system admin was looking into this odd crash and found Andy’s code. In January 2005, Andy was arrested and pleaded guilty to one count of transmitting computer code with the intent to cause damage in excess of $5,000, and he was sentenced last week.

It’s amazing how much damage one employee could do to a company. If that database was deleted, the company would be in massive trouble. Imagine if the employee, instead of destroying it, sold it to the competitors...

You could take one of two lessons from this: either don’t trust people, or pay your system administrators more!

Nate Evans
The Krell Institute


  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft