Who have you caught doing something they shouldn't be doing

Tyrant1919 · May 2008

Who have you caught doing something they shouldn't be doing in IT?

We had a recent hire in our IT shop use their administrative privileges to access sensitive data. They somehow added themselves to a bunch of security groups first, and started browsing fileservers for information. But, they would VNC into a users' computer after hours with access to data they specifically wanted to see, but couldn't. Most of the time their machine wouldn't be locked or anything. (This ticks me off so much coming from the DoD which pounds InfoSec) They'd take screenshots and e-mail them back home. Turns out that this is indeed a possible felony and there's now a full invistigation with the police. They had documents and spreadsheets of users passwords to restricted databases and everything. I kept out all the juicy details... :^), and boy there's a lot more. I'm going through my head how I would have done it. The stupidest thing was sending those screenshots using our exchange... duh... or just doing it period. Glad this was caught before Domain Admin was bestowed upon this person.

This happen to anybody around here lately? Just sparking a "IT is doing an excellent job by keeping everything up and running, and since everything is up and running, they're sitting on their but pusting on forums." kind of post.

undomiel · May 2008

Just people browsing **** over here and then claiming they didn't do it even in the face of the logs. It's amusing how they bluster.

Oh and one gal who was an administrative assistant was laid off so she immediately went back to her desk and started deleting everything. She also sent lots of nasty e-mails from her desk here in Spanish talking about how she hated the company and her boss.

Tyrant1919 · May 2008

I've seen a fair share of xxx problems. It's even in their own history.... how could they even deny it?

reminds me of http://en.wikipedia.org/wiki/Flat_Earth_Society

blargoe · May 2008

Sounds like you have a real security problem that you need to get fixed, for that to have happened. At my shop I have instituted security in AD so that none of the built-in groups are used for IT staff at all except for Domain Admin. Even account operators is too much IMO. If you're not a domain admin, you usually don't have any business modifying groups, but if someone else needs to modify groups you can audit the account events the domain controller to watch for changes in groups. Create groups for the roles in your IT department, and grant them only the rights in AD they need to do their job using delegation.

On the topic of catching people, someone who worked here before I started got a company laptop back from one of our salesmen that was having spyware problems, and they found a bunch videos of him participating in... um... dirty things... with other men on the laptop (not that there's anything wrong with that)

flares2 · May 2008

Just like Tyrant, I come from a DoD background so I've caught some really classified stuff in my days, but the most enjoyable was while we were in Iraq, we'd intercept emails of wives back home sending "pictures" of themselves to the deployed husbands.
Was it moral to look at them, no. But pics like that on our network was against policy.

jbaello · May 2008

flares2 wrote:

Just like Tyrant, I come from a DoD background so I've caught some really classified stuff in my days, but the most enjoyable was while we were in Iraq, we'd intercept emails of wives back home sending "pictures" of themselves to the deployed husbands.
Was it moral to look at them, no. But pics like that on our network was against policy.

Dude come on man...

Tyrant1919 · May 2008

If I was an admin of any sort I'd let any 'pictures' get through. I believe troop moral is more important then ensuring no pictures like that are around. If I knew it was happening, I wouldn't mention a word.

In fact, i've helped 'troubleshoot' a few issues with people trying to get messages from family.. If it doesn't compromise security, I'll let them do anything to improve moral. I'd install DVD playing software for them as well on their computers.

The things our employee were doing, half were resultant from people not locking their computers. Here they just give people DA after they've worked here awhile. I guess they don't feel like getting too complicated with things in AD. It's a real tight nit group, only 6 of us now. There's more to the story, but I would agree that there are some issues with giving people more privileges then they need.

snadam · May 2008

Tyrant1919 wrote:

If I was an admin of any sort I'd let any 'pictures' get through. I believe troop moral is more important then ensuring no pictures like that are around. If I knew it was happening, I wouldn't mention a word.

Guys, he was just following orders and policy. Im sure it wasnt a personal decision. Last thing he wants is to get in trouble for something like that.

and for the record, I agree with you; but Id still follow policy.

paintb4707 · May 2008

Tyrant1919 wrote:

The stupidest thing was sending those screenshots using our exchange

VNCing is pretty stupid too. I'd RDP (if it were enabled) instead, at least then the session is locked and no one could even monitor what is going on. And if local admin rights were granted, possibly even create a local username on the workstation identical to the person logged in, so that it wouldn't look completely suspicious.

Besides... shouldn't you guys have gpo enforcing a lock threshold?

Tyrant1919 · May 2008

snadam wrote:

Guys, he was just following orders and policy. Im sure it wasnt a personal decision. Last thing he wants is to get in trouble for something like that.

And that's fine too, I commend him for that. I don't think I'd be able to stop someone from getting a picture from their significant other when they are so far away from home, no matter what it is. Keeping a family together during a deployment is tough if you've never done it. That's all.

I prefer the use of third party stuff like Dameware. We're using TightVNC right now. I'm the new guy here so, I'm just going with what's already here. Although I convinced them to at least switch to UltraVNC and use windows authentication instead when we start deploying Vista on our new computers.

paintb4707 · May 2008

Tyrant1919 wrote:

snadam wrote:

I prefer the use of third party stuff like Dameware. We're using TightVNC right now. I'm the new guy here so, I'm just going with what's already here. Although I convinced them to at least switch to UltraVNC and use windows authentication instead when we start deploying Vista on our new computers.

Yeah Dameware is great, I'd go with that.

nice343 · May 2008

Our receptionist has a lot of XXX's sites in the History. No wonder why she looks at me funny when I am passing by. One of these days I might hit

paintb4707 · May 2008

nice343 wrote:

Our receptionist has a lot of XXX's sites in the History. No wonder why she looks at me funny when I am passing by. One of these days I might hit

Add a DNS forward zone redirecting her to the company website. Then ask her if she's seen the company site lately, possibly she could provide some feedback. :P

flares2 · May 2008

Didn't mean to start a debate, just telling a story. And I'm all about morale. We even briefed our users that if stuff like that was sent, we'd catch it. They were more than welcome to use the "white line" (not on the .mil domain) computers to use a civilian webmail (AOL, Yahoo, etc.) to send and receive anything they wished.

Tyrant1919 · May 2008

I was thinking about buying Dameware myself and using it, but I don't want to throw something in the mix if nobody else would use it.

RTmarc · May 2008

Tyrant1919 wrote:

I was thinking about buying Dameware myself and using it, but I don't want to throw something in the mix if nobody else would use it.

I know this is OT, but every place that I've been that has not used DameWare and is introduced to it, typically switch over exclusively.

Oh, I caught a guy 'cybering' when I first came on board with my present company. It was disgusting enough having to investigate it but when we captured pictures of his "partner", woof....

snadam · May 2008

flares2 wrote:

Didn't mean to start a debate, just telling a story. And I'm all about morale. We even briefed our users that if stuff like that was sent, we'd catch it. They were more than welcome to use the "white line" (not on the .mil domain) computers to use a civilian webmail (AOL, Yahoo, etc.) to send and receive anything they wished.

nah dude, you're fine. I think we were all in agreement; I think they were just giving you a hard time. You bring up a very good point; using civilian avenues is a much better idea.

im just glad were keeping it civilized.

Tyrant1919 · May 2008

Yeah, no hard feeling flares.

I might bring up Dameware, I'd need at least one other person to try it and I bet they'd like it. I just enjoy the ability to install it on the fly on any machine.

whistler · May 2008

Aside from the couples I have caught in the parking lot canoodeling, no one.

Ahriakin · May 2008

The worst offenders I've found are auditors, they make up easily 50% of the folks I've had to have words with about File sharing and the like. Mostly it's XXX or P2P.
I did have one pair of idiots on nightshift last year that thought they were 1337 h@x0r$ because they had gotten around the imaginary-friend my predecessor liked to think was security. After getting decent webfilters, perimeter IPS and internal IDS in they started setting off alarms all over the place running the usual script kiddy crap. The best part was logging in remotely after they had managed to crash the remote service and figured they were safe and convincing I could see them on the security cameras and was about to call security and have them thrown out of the building (it was midnight and I was at home). Fun stuff

.

keatron · May 2008

nice343 wrote:

Our receptionist has a lot of XXX's sites in the History. No wonder why she looks at me funny when I am passing by. One of these days I might hit

Priceless.

Who have you caught doing something they shouldn't be doing

Comments