Say you’re chilling out at your local watering hole, enjoying burgers and beers served by waitresses who could double as extras from The Dukes of Hazzard. For many people, it might be the aftermath of a successful night out on the town or yet another post-work happy hour. For David Palmer, it was the perfect backdrop to hack defense contractor McLane Advanced Technologies and wipe the payroll files:
Prosecutors say that Palmer set up a back-door user account entitled “Palmer Lt” before being terminated by McLane at the end of 2009. That account was used to break into the Lone Star Plastics computer and was linked to other intrusions at McLane. Palmer had logged into it from a variety of locations, including his home address in Temple, Texas; Bikinis Sports Bar and Grill; and Buffalo Wild Wings in Waco, Texas.
Palmer used his illicit access to delete a McLane client’s payroll files, fully intending to cause havoc for his former employer. The episode illustrates the perennial problem of the insider in IT security. Palmer is far from alone in (futilely) using a public Wi-Fi network to try to cover his tracks. Jason Cornish of a U.S. subsidiary of Shionogi took down his former employer’s VMware systems, which ran various logistical functions, while enjoying McDonald’s food (and Wi-Fi). The drug company did a bad job of revoking passwords, so Cornish was still able to log into a Shionogi account via McDonald’s public Wi-Fi.
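Both cases above come down to offboarding failures: a departing employee's credentials that were never revoked (Cornish), and a second account the employee created for himself before leaving (Palmer's "Palmer Lt"). The script below is an added example, not code from the post or from either company, showing the kind of reconciliation an identity team can run between an HR termination feed and an identity-provider export to catch both patterns. All data, field names and the 30-day window are constructed assumptions.

```python
"""Offboarding reconciliation: HR terminations vs. identity-provider accounts.

Added example with constructed sample data; the record layout is an assumption,
not any real HR or directory export format.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                 # HR employee id; "" if not tied to a person
    created_by: str            # username of whoever created this account
    created_on: date
    enabled: bool
    last_login: Optional[date]


# HR feed: employee id -> last working day (constructed).
TERMINATIONS = {"e001": date(2009, 12, 31), "e002": date(2010, 3, 15)}

# Identity-provider export (constructed). "alice-lt" is a second account that
# alice created for herself eleven days before her last day, tied to no HR record.
ACCOUNTS = [
    Account("alice",      "e001", "itadmin", date(2005, 1, 4),   False, date(2009, 12, 30)),
    Account("alice-lt",   "",     "alice",   date(2009, 12, 20), True,  date(2010, 2, 2)),
    Account("bob",        "e002", "itadmin", date(2006, 6, 1),   True,  date(2010, 4, 1)),
    Account("carol",      "e003", "itadmin", date(2008, 2, 2),   True,  date(2010, 4, 2)),
    Account("backup-svc", "",     "itadmin", date(2007, 9, 9),   True,  date(2010, 4, 2)),
]


def unrevoked(accounts, terminations, as_of):
    """Enabled accounts whose owner left before as_of: revocation never happened."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.owner in terminations
                  and terminations[a.owner] < as_of)


def post_termination_logins(accounts, terminations):
    """Accounts used after their owner's last day, whatever their current status."""
    return sorted(a.username for a in accounts
                  if a.owner in terminations and a.last_login is not None
                  and a.last_login > terminations[a.owner])


def suspicious_creations(accounts, terminations, window_days=30):
    """Accounts created by a departing employee within window_days of their last
    day and not tied to that employee's own HR record: back-door candidates.
    Ownership checks alone miss these, because the new account has no owner."""
    owner_of = {a.username: a.owner for a in accounts}
    hits = []
    for a in accounts:
        creator_owner = owner_of.get(a.created_by)
        if creator_owner not in terminations:
            continue
        last_day = terminations[creator_owner]
        in_window = last_day - timedelta(days=window_days) <= a.created_on <= last_day
        if a.owner != creator_owner and in_window:
            hits.append(a.username)
    return sorted(hits)


def report(accounts, terminations, as_of):
    """Collect all three findings in one dict for a ticket or a dashboard."""
    return {
        "still_enabled": unrevoked(accounts, terminations, as_of),
        "used_after_last_day": post_termination_logins(accounts, terminations),
        "possible_backdoors": suspicious_creations(accounts, terminations),
    }


if __name__ == "__main__":
    for finding, names in report(ACCOUNTS, TERMINATIONS, date(2010, 4, 5)).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Run against the constructed data, "bob" shows up as both still enabled and logged in after his last day (the Cornish pattern), while "alice-lt" is caught only by the creation check, because it has no HR owner to reconcile against (the Palmer pattern). That is the reason the third check exists: disabling the accounts HR knows about is necessary but not sufficient.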
A less dramatic, but much more serious, case of insider hacking can be found in the recent scandal at the US Citizenship and Immigration Services (USCIS). USCIS employees and supervisors had granted unauthorized access, abused logon privileges, altered audit logs to hide evidence of their activities, and installed their own programs to intercept sensitive information. According to NextGov, there was some element of warning to the whole mess, as there were a number of documented cases where employees or contractors tampered with secure IT systems:
Government investigators have warned the agency could become more vulnerable to insider threats because designs for a current IT overhaul do not include protections against such activities. The agency could open itself up to greater risk of insider wrongdoing due to poor planning for an ongoing $2.4 billion project to automate immigration paperwork, IG officials reported in January. USCIS Transformation, the online system that is supposed to improve fraud detection, is missing controls to prevent internal hacking, according to the audit. Frank Deffer, assistant IG for information technology audits, wrote that based on a “review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats” to Transformation.
The story of the insider hack is as old as security itself. What created the entire WikiLeaks mess was one enlisted soldier, SIPRNet, JWICS, CD-RWs, and Lady Gaga. Unfortunately, it is often lost under cyberwar hype as well as the daily requirements of network defense against long-range cyber reconnaissance, industrial espionage, and criminal activity.