Hacker Warned Former Colleagues Of Potential Layoffs

from the not-your-usual-hacking dept

Mon, Nov 20th 2006 7:23pm — Mike Masnick

Over the years, we've seen plenty of stories about former employees hacking into their former employer's computer system and causing all sorts of problems, from deleting data to spamming people to downloading confidential information. However, the latest arrest in such a case is a strange one. A former executive at a publishing company, who had left the company three years ago recently hacked into the network, read some emails about pending layoffs and warned some former employees that they might be at risk of losing their jobs. He did it all anonymously, but it wasn't that difficult to track the email and the network access back to him. Still, this seems odd. He clearly broke the law, accessing the network and reading private emails, but unlike most cases of bitter ex-employees getting back at their company, it seemed like he was just keeping an eye out for his former colleagues. Either way, can someone explain why the company left this guy's ability to login open for three whole years after he was no longer with the company?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

21 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

ElvesofZion, 20 Nov 2006 @ 8:17pm

Login
They didnt leave his ability to login open for 3 years, he HACKED IN.
[ link to this | view in chronology ]
Bri, 20 Nov 2006 @ 8:19pm

System Administration
Looking at the publically accessible data on the company, I would hazard a guess that their IT administration is not up to managing the number of users that they have. It wouldn't surprise me at all, as I've seen this all too many times while performing system administration duties myself, that HR (Personnel) doesn't coordinate with IT. This can be an even more complex issue when it involves coordinating with remote locations which is also an apparent issue with Source Media.
One of the first changes I would suggest/make when assuming the duties was that all employees would be required to 'check out' with the system adminstrator prior to completion of termination or transfer along with all the other stops they would have to make. This improved access control, which was also reviews on a regular basis, as well as the transfer backup, and elimination of files on the server(s).
As with any security issue, it's about process. If you don't have the processes in place, you don't have security and you end up as a poster child in the WSJ or Tech Dirt.
[ link to this | view in chronology ]
- Rico J. Halo, 21 Nov 2006 @ 5:24am
  
  Re: System Administration
  I think you nailed it. Im the network admin for my company and often I dont find our for months that a certain employee is no longer with us. If Im not told I dont know to close out their accounts.
  
  www.thatpoliticalblog.com
  [ link to this | view in chronology ]
- LightsOut, 21 Nov 2006 @ 2:20pm
  
  Re: System Administration
  I totally agree with you, as a IT guy myself and there are leak of HR Personnel coordinate with IT when someone is leaving the company but in this case I believe is the current IT Director or Manager is to balance. You have a IT DirectorVP of Technology leaving the company which mean this person have access to all your data including network and servers password, maybe one or all of current Executives or employees. Therefore it is the responsible of the next IT Manager to enforce a policy to change all of the users password and most importantly your network and servers password.
  
  They call this guy a HACKER which I doubt he is. If this guy actually access the company email by way of hacking, I believe they should fire the current IT Manager and the Network Admin. A good hackers do cover their foot print. A good hacker do know that their email can easily be track no matter where you send it from.
  
  Another example; I still can get to my X-employer data.... and email....lol without hacking of course.
  [ link to this | view in chronology ]
Mike F.M, 21 Nov 2006 @ 3:09am

Good On Him
It's very rare you see something like this, so I say well done to him. He may have been going in to cause some trouble for the company and gotten side-tracked by these emails but there has tro be alot of respect for what he did.
[ link to this | view in chronology ]
Jeremy, 21 Nov 2006 @ 3:14am

Hacking in?
Hacking in could be as simple as going to the company's webmail site and guessing email addresses and passwords. I seriously doubt that his account was left open and active after 3 years with SOX flying around.

The key thing is that he did hack in and break the law. What he did wasn't immoral, but it was illegal.
[ link to this | view in chronology ]
Sanguine Dream, 21 Nov 2006 @ 5:36am

Hold up...

Either way, can someone explain why the company left this guy's ability to login open for three whole years after he was no longer with the company?

If his company identity was still valid and that is what he used to get in then it wasn't a hack. Can't have it both ways. Either the door was left open and he walked in or he forced his way in.

What bothers me is that I'm willing to bet that the company in question is more upset that he warned employees than they are over fact that he got in.
[ link to this | view in chronology ]
- Anonymous Coward, 21 Nov 2006 @ 8:29am
  
  Re: Hold up...
  I disagree with you. If he was fired he knew that he was not allowed access to that network. Hacking by legal definition is the unauthorized access of a computer network. He knew he was unauthorized to access the network by his being let go. Thus he broke the law by hacking the companies’ network.
  [ link to this | view in chronology ]
  - Sanguine Dream, 21 Nov 2006 @ 9:08am
    
    Re: Re: Hold up...
    Then I am corrected. It was my understanding that part of the definition of hacking was how the hacker got in as well as wheather or not he/she has authorization to access the system in question. Like if you invite me into your house for a party and I steal from you then I would not be charged with B&E just theft.
    [ link to this | view in chronology ]
  - Anonymous Coward, 21 Nov 2006 @ 9:29am
    
    Re: Re: Hold up...
    There used to be a difference between the access to company offices in the middle of the night using a crowbar and walking through the door during business hours to drop a message or a package to a friend, even if you have been previously fired by the same company.
    
    I am not very familliar with the legal aspects, but I think you would have to bypass some security mechanism (break the window, disable the alarm system) or refuse to leave after receiving a warning that you have no right being there, before you would be liable for this behavior.
    
    The article talks about hacking but does not mention any specific activity. It would even be possible, that the information has been obtained from a mail being sent to an out of date mailing list and then forwarded to an external account or by using his (after 3 years still active) old company account to check his mail.
    [ link to this | view in chronology ]
Nobody Special, 21 Nov 2006 @ 6:03am

how many accounts did he have?
I suspect that they turned off the main account he used. But that doesn't mean that he didn't have more then one account that was used. It would be very easy for him to have multiple access accounts and have them overlooked. At the same time, it is also possible that his main account was active.

He was guilty of "hacking" his way in by the very nature of connecting. And the article doesn't say if he broke in or simply had an active account. At any rate, there is a good chance he would know a number of user names, and might know at least some of the people's password schemes. Most people use a easily identifiable scheme for rotating their password.
[ link to this | view in chronology ]
Heh, 21 Nov 2006 @ 8:47am

Hacking in.
Last I checked, unless you have up a banner or something along those lines prohibiting login access (and informing the person that what they are doing is illegal) then it is not hacking. So unless the admins were smart enough to place that as a default on all email and servers, then I think this guy can beat it with a good enough lawyer.

I say this because by definition a Hacker is a person who gains "Unauthorized" Access to a system or series of systems. If there is nothing in place stating that the system is for Authorized personnel, then access is not restricted, even if there is a security mechanism.

-The Computer Fraud and Abuse Act. - read it sometime, as it is kind of funny and irritating at the same time.

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--

Anyhow, if there is nothing in place telling him to the contrary, then he did not hack a damn thing, only wondered around and open system. It's their fault should that be the case for not trying to let people know the authorization level of a system.
[ link to this | view in chronology ]
- previous Appen, 21 Nov 2006 @ 8:49am
  
  Re: Hacking in.
  I can't do grammer so well, obviously.... "Only wondered around ^a(n)^ open system"
  [ link to this | view in chronology ]
- Chronno S. Trigger, 21 Nov 2006 @ 11:26am
  
  Re: Hacking in.
  so your saying that if I forcibly (or not) get into your computer its not hacking because you don't have the banner? I think your mistaken. If your getting into a system that you need a password for you know if your authorized or not. If you have been fired then you know that your not allowed into the system if your password is removed or not. He's an IT guy so he knows this
  [ link to this | view in chronology ]
Solo, 21 Nov 2006 @ 10:28am

May I suggest you RTFA.

"He worked for Source Media, a company with 1,000 employees, between 1997 and his termination in 2003. He worked there, at different times, as both the director of IT and VP of technology. In those positions, he reportedly had access to the passwords for the e-mail accounts of Source Media employees."

1) bad security policy is bad security policy. Nobody should have access to other people's password. Having password available to anyone else but the user of the account is asinine. This is my guess how he *hacked* in the system.

2) real hackers cover their tracks. Even when being a good samaritan and warning a friend, you know there is a potential for backlash, especially when what you are doing is illegal. Best advice for people commiting a crime: don't get caught, don't leave fingerprints all over the place (or ip addresses, username/passwords or other bits of log that point back to you)

3) media like to spin banal abuse and bad computer security as hacking, just like now any flavor of credit card fraud is identity theft. Makes juicier headlines I guess.
[ link to this | view in chronology ]
Sanguine Dream, 21 Nov 2006 @ 10:56am

I wonder...
I guess he had no other way to contact those people or else he would have just called or something.
[ link to this | view in chronology ]
willgetin, 21 Nov 2006 @ 11:57am

Re: IT Director?
Interesting thing is...

This guy was the Director of IT. Obviously he was not at the top of his game when he worked there, or any possible methods of him gaining access would have been nullified upon his leaving the company. More than likely, he either left a couple of user accounts for himself available or used someone elses username and password.

Again, any IT director that has any business being an IT director would make sure that there was a) a password policy b) a Remote Access policy c) A Termination Policy.

Personally, this tells me that their current IT staff is negligent. The new IT director would obviously know that this guy left and that he would have access to the system and should have made changes to prevent this type of thing from happening.

I flip burgers, can I be your new IT guy? :-)
[ link to this | view in chronology ]
?, 21 Nov 2006 @ 12:47pm

Its easier to turn access on than off. Hell, I know of a top 5 drug company that still gives out shares of their stock to employees that are no longer with the company. Their finance dept. knows that this is going on, but it would cost them more to fix the problem rathen than just keep giving out stock.

Thats the kind of thing that I need.
[ link to this | view in chronology ]
bubba, 21 Nov 2006 @ 3:34pm

"Hoffacker allegedly hacked into Source Media's network on 'various occasions.' He worked for Source Media, a company with 1,000 employees, between 1997 and his termination in 2003. He worked there, at different times, as both the director of IT and VP of technology. In those positions, he reportedly had access to the passwords for the e-mail accounts of Source Media employees."

http://www.techweb.com/showArticle.jhtml?articleID=194700003&cid=RSSfeed_TechWeb
[ link to this | view in chronology ]
Steve, 21 Nov 2006 @ 4:50pm

Re: System Administration
I agree any good systems administrator would lock down any old accounts. They need a good procedure in place to disable and/or delete accounts when a person leaves the company.

I have worked as a contractor at companies where different systems and web accounts were not locked down. I corrected all these problems.
[ link to this | view in chronology ]
Jenny, 22 Nov 2006 @ 6:01am

I wonder if this company requires users to change their passwords. Co-workers share passwords all the time, even though they are warned not to. Maybe his account was removed, but he used a login from someone who still works there.
[ link to this | view in chronology ]