Who have you caught doing something they shouldn't be doing

Tyrant1919Tyrant1919 Senior MemberMember Posts: 519 ■■■□□□□□□□
Who have you caught doing something they shouldn't be doing in IT?

We had a recent hire in our IT shop use their administrative privileges to access sensitive data. They somehow added themselves to a bunch of security groups first, and started browsing fileservers for information. But, they would VNC into a users' computer after hours with access to data they specifically wanted to see, but couldn't. Most of the time their machine wouldn't be locked or anything. (This ticks me off so much coming from the DoD which pounds InfoSec) They'd take screenshots and e-mail them back home. Turns out that this is indeed a possible felony and there's now a full invistigation with the police. They had documents and spreadsheets of users passwords to restricted databases and everything. I kept out all the juicy details... :^), and boy there's a lot more. I'm going through my head how I would have done it. The stupidest thing was sending those screenshots using our exchange... duh... or just doing it period. Glad this was caught before Domain Admin was bestowed upon this person.

This happen to anybody around here lately? Just sparking a "IT is doing an excellent job by keeping everything up and running, and since everything is up and running, they're sitting on their but pusting on forums." kind of post.
A+/N+/S+/L+/Svr+
MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
CCNA

Comments

  • undomielundomiel Member Posts: 2,818
    Just people browsing **** over here and then claiming they didn't do it even in the face of the logs. It's amusing how they bluster.

    Oh and one gal who was an administrative assistant was laid off so she immediately went back to her desk and started deleting everything. She also sent lots of nasty e-mails from her desk here in Spanish talking about how she hated the company and her boss.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Tyrant1919Tyrant1919 Senior Member Member Posts: 519 ■■■□□□□□□□
    I've seen a fair share of xxx problems. It's even in their own history.... how could they even deny it?

    reminds me of http://en.wikipedia.org/wiki/Flat_Earth_Society
    A+/N+/S+/L+/Svr+
    MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
    CCNA
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    Sounds like you have a real security problem that you need to get fixed, for that to have happened. At my shop I have instituted security in AD so that none of the built-in groups are used for IT staff at all except for Domain Admin. Even account operators is too much IMO. If you're not a domain admin, you usually don't have any business modifying groups, but if someone else needs to modify groups you can audit the account events the domain controller to watch for changes in groups. Create groups for the roles in your IT department, and grant them only the rights in AD they need to do their job using delegation.

    On the topic of catching people, someone who worked here before I started got a company laptop back from one of our salesmen that was having spyware problems, and they found a bunch videos of him participating in... um... dirty things... with other men on the laptop (not that there's anything wrong with that)
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • flares2flares2 Member Posts: 79 ■■□□□□□□□□
    Just like Tyrant, I come from a DoD background so I've caught some really classified stuff in my days, but the most enjoyable was while we were in Iraq, we'd intercept emails of wives back home sending "pictures" of themselves to the deployed husbands.
    Was it moral to look at them, no. But pics like that on our network was against policy.
    Techexams.net - Job security for one more day.
  • jbaellojbaello Member Posts: 1,191 ■■■□□□□□□□
    flares2 wrote:
    Just like Tyrant, I come from a DoD background so I've caught some really classified stuff in my days, but the most enjoyable was while we were in Iraq, we'd intercept emails of wives back home sending "pictures" of themselves to the deployed husbands.
    Was it moral to look at them, no. But pics like that on our network was against policy.

    Dude come on man...
  • Tyrant1919Tyrant1919 Senior Member Member Posts: 519 ■■■□□□□□□□
    If I was an admin of any sort I'd let any 'pictures' get through. I believe troop moral is more important then ensuring no pictures like that are around. If I knew it was happening, I wouldn't mention a word.

    In fact, i've helped 'troubleshoot' a few issues with people trying to get messages from family.. If it doesn't compromise security, I'll let them do anything to improve moral. I'd install DVD playing software for them as well on their computers.

    The things our employee were doing, half were resultant from people not locking their computers. Here they just give people DA after they've worked here awhile. I guess they don't feel like getting too complicated with things in AD. It's a real tight nit group, only 6 of us now. There's more to the story, but I would agree that there are some issues with giving people more privileges then they need.
    A+/N+/S+/L+/Svr+
    MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
    CCNA
  • snadamsnadam Member Posts: 2,234 ■■■■□□□□□□
    Tyrant1919 wrote:
    If I was an admin of any sort I'd let any 'pictures' get through. I believe troop moral is more important then ensuring no pictures like that are around. If I knew it was happening, I wouldn't mention a word.

    Guys, he was just following orders and policy. Im sure it wasnt a personal decision. Last thing he wants is to get in trouble for something like that.


    and for the record, I agree with you; but Id still follow policy.
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • paintb4707paintb4707 Member Posts: 420
    Tyrant1919 wrote:
    The stupidest thing was sending those screenshots using our exchange

    icon_lol.gif

    VNCing is pretty stupid too. I'd RDP (if it were enabled) instead, at least then the session is locked and no one could even monitor what is going on. And if local admin rights were granted, possibly even create a local username on the workstation identical to the person logged in, so that it wouldn't look completely suspicious.

    Besides... shouldn't you guys have gpo enforcing a lock threshold?
  • Tyrant1919Tyrant1919 Senior Member Member Posts: 519 ■■■□□□□□□□
    snadam wrote:
    Guys, he was just following orders and policy. Im sure it wasnt a personal decision. Last thing he wants is to get in trouble for something like that.

    And that's fine too, I commend him for that. I don't think I'd be able to stop someone from getting a picture from their significant other when they are so far away from home, no matter what it is. Keeping a family together during a deployment is tough if you've never done it. That's all.

    I prefer the use of third party stuff like Dameware. We're using TightVNC right now. I'm the new guy here so, I'm just going with what's already here. Although I convinced them to at least switch to UltraVNC and use windows authentication instead when we start deploying Vista on our new computers.
    A+/N+/S+/L+/Svr+
    MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
    CCNA
  • paintb4707paintb4707 Member Posts: 420
    Tyrant1919 wrote:
    snadam wrote:
    I prefer the use of third party stuff like Dameware. We're using TightVNC right now. I'm the new guy here so, I'm just going with what's already here. Although I convinced them to at least switch to UltraVNC and use windows authentication instead when we start deploying Vista on our new computers.

    Yeah Dameware is great, I'd go with that.
  • nice343nice343 Member Posts: 391
    Our receptionist has a lot of XXX's sites in the History. No wonder why she looks at me funny when I am passing by. One of these days I might hit :D
    My daily blog about IT and tech stuff
    http://techintuition.com/
  • paintb4707paintb4707 Member Posts: 420
    nice343 wrote:
    Our receptionist has a lot of XXX's sites in the History. No wonder why she looks at me funny when I am passing by. One of these days I might hit :D

    Add a DNS forward zone redirecting her to the company website. Then ask her if she's seen the company site lately, possibly she could provide some feedback. :P
  • flares2flares2 Member Posts: 79 ■■□□□□□□□□
    Didn't mean to start a debate, just telling a story. And I'm all about morale. We even briefed our users that if stuff like that was sent, we'd catch it. They were more than welcome to use the "white line" (not on the .mil domain) computers to use a civilian webmail (AOL, Yahoo, etc.) to send and receive anything they wished.
    Techexams.net - Job security for one more day.
  • Tyrant1919Tyrant1919 Senior Member Member Posts: 519 ■■■□□□□□□□
    I was thinking about buying Dameware myself and using it, but I don't want to throw something in the mix if nobody else would use it.
    A+/N+/S+/L+/Svr+
    MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
    CCNA
  • RTmarcRTmarc Member Posts: 1,082 ■■■□□□□□□□
    Tyrant1919 wrote:
    I was thinking about buying Dameware myself and using it, but I don't want to throw something in the mix if nobody else would use it.
    I know this is OT, but every place that I've been that has not used DameWare and is introduced to it, typically switch over exclusively.

    Oh, I caught a guy 'cybering' when I first came on board with my present company. It was disgusting enough having to investigate it but when we captured pictures of his "partner", woof....
  • snadamsnadam Member Posts: 2,234 ■■■■□□□□□□
    flares2 wrote:
    Didn't mean to start a debate, just telling a story. And I'm all about morale. We even briefed our users that if stuff like that was sent, we'd catch it. They were more than welcome to use the "white line" (not on the .mil domain) computers to use a civilian webmail (AOL, Yahoo, etc.) to send and receive anything they wished.

    nah dude, you're fine. I think we were all in agreement; I think they were just giving you a hard time. You bring up a very good point; using civilian avenues is a much better idea.

    im just glad were keeping it civilized.
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • Tyrant1919Tyrant1919 Senior Member Member Posts: 519 ■■■□□□□□□□
    Yeah, no hard feeling flares.

    I might bring up Dameware, I'd need at least one other person to try it and I bet they'd like it. I just enjoy the ability to install it on the fly on any machine.
    A+/N+/S+/L+/Svr+
    MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
    CCNA
  • whistlerwhistler Member Posts: 108
    Aside from the couples I have caught in the parking lot canoodeling, no one.
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,799 ■■■■■■■■□□
    The worst offenders I've found are auditors, they make up easily 50% of the folks I've had to have words with about File sharing and the like. Mostly it's XXX or P2P.
    I did have one pair of idiots on nightshift last year that thought they were 1337 [email protected]$ because they had gotten around the imaginary-friend my predecessor liked to think was security. After getting decent webfilters, perimeter IPS and internal IDS in they started setting off alarms all over the place running the usual script kiddy crap. The best part was logging in remotely after they had managed to crash the remote service and figured they were safe and convincing I could see them on the security cameras and was about to call security and have them thrown out of the building (it was midnight and I was at home). Fun stuff :).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    nice343 wrote:
    Our receptionist has a lot of XXX's sites in the History. No wonder why she looks at me funny when I am passing by. One of these days I might hit :D

    Priceless.
Sign In or Register to comment.