Beware the ex-employee hacker

Disgruntled employees have always posed dangers for businesses, but in the information age that danger has become far greater. Despite the amount of effort put into securing e-commerce businesses, it is hard to guard against attacks from the very people who are meant to be protecting you.

Doug Carlson, CEO of online greengrocer GreenGrocer.com.au, put it this way: "The security guard that's guarding your house has got all your keys. If he goes in and robs the place, it's not that you have bad security, it's just that you¡¦ve hired the wrong person. It's a personnel issue rather than a security issue."

Matthew Smith was hired by GreenGrocer.com.au as a computer network engineer, to implement the security systems on its Web site. On March 21, 2000, he had an argument with the company's chief executive officer and quit. A few days earlier he had changed all the security codes. When he returned home he accessed the computer system for GreenGrocer and began deleting files. The business lost its connection to the Internet.

GreenGrocer.com.au managed to re-establish a connection that night, but the following day Smith again accessed the system and began deleting files crucial to the operating system. This second attack ensured the site remained offline for the rest of the week. Smith pled guilty in the District Court and will be sentenced next year.

"When it happened we got three or four consultants in to get us back up to speed, and get everything set up again. We now have more procedures for people who have access to those kinds of codes" said Carlson.

The incident cost the company an estimated A$136,500, but Carlson doesn't believe it had any long-term impact. "I don't think it hurt our business, most of our customers were pretty understanding," he said. "We're doing very well." In October this year GreenGrocer.com.au was sold to Woolworths for A$7 million.

It is not just dot-com companies under risk of this kind of attack. There is currently an inquiry before the Independent Commission Against Corruption (ICAC) concerning the University of Technology Sydney (UTS).

It has been alleged that student liaison officer Toto Sujanto accepted payment from 11 international students to have their failed marks removed from the university computer system. By having their "fails" deleted they would have avoided paying fees, costing the university between A$25,000 and A$30,000. The inquiry is continuing.

UTS got off lightly compared to Maroochy Shire in Queensland, whose computerized waste management system was hacked into, causing millions of litres of raw sewage to spill out into local parks, rivers, and the grounds of a Hyatt-Regency hotel. Vitek Boden, who worked for the company that installed the system, applied for a job at the area's Council. When his application was rejected, he made 46 attempts to take control of the waste system, with disgusting results. On the 31st of October he was sentenced to two years in prison.

"The single most important thing you can do is have a regular review of peoples access. Good housekeeping security will prevent that sort of unauthorised access," said Peter Wesley, of Rivendell Consulting, an IT security firm. "So it's like a broom, and you don't have all these things left over from when you set up the system."

Wesley recommends having a security procedure in place. The procedure should have three main arms:

• Regularly changing access codes;
• Regularly reviewing who has access to what;
• Automatically changing passwords every month, or week, depending on the sensitivity of the data;

Regular reviews ensure you are aware of who has access to your system at any time.

"The pressures of business sometimes mean procedures aren't followed," said Wesley. "People share passwords, because it gets the job done, and they don't realize the implications. No one cares about security until something happens."

"There is very little defence against an intelligent person who deliberately sets up a back door, especially if you trust them," said Wesley. "In finance they often use the four-eyes principle, which equates to protecting highly sensitive data by requiring two passwords, known by different people."

Also recommended is having good documentation of what is running on a computer compared to what should be running on the computer, which can pick up things that shouldn't be there, such as an open back door.

Having an independent review of security can pick up security breaches, but how does Wesley suggest guarding against disgruntled employees? "The best way to prevent it is to keep your employees happy."