January 13, 2006 12:03 PM PST

Police blotter: Sysadmin loses e-intrusion case

"Police blotter" is a weekly report on the intersection of technology and the law.

What: A Missouri system administrator appeals his conviction for unauthorized computer intrusion.

When: The 8th Circuit Court of Appeals ruled on Jan. 9.

Outcome: The conviction, with its sentence of three months' imprisonment, a fine and restitution, was upheld.

What happened: Thomas Millot worked as a systems analyst at Aventis Pharmaceuticals, where he was responsible for computer security at the company's Kansas City, Mo., office. As part of his job, Millot administered the SecureID card system.

After Aventis outsourced its computer security operations to IBM in late 2000, Millot found himself out of a job.

But he kept an administrator-level SecureID card with him and used it to enter the network nine times. During one of those intrusions, Millot deleted the account for his former colleague Jeff Jernigan, Aventis' manager of technical services.

IBM employees eventually tracked down what happened and restored Jernigan's access. IBM billed Aventis for its investigators' time at $50 an hour, for a total cost of $20,350.

Millot admitted that he had misused the SecureID card, but his lawyers argued that the activity didn't meet the Computer Fraud and Abuse Act's requirement of $5,000 in damages.

A federal judge disagreed and handed down a relatively light sentence of three months of imprisonment, three months of home detention and three years of supervised release, plus a $5,000 fine and $20,350 in restitution.

Millot's attorneys reiterated their claim on appeal, which the 8th Circuit rejected.

Excerpt from the court's opinion: "Millot argues that any costs incurred by IBM should not have been considered in determining whether the loss amounted to the statutory minimum because the system was owned by Aventis, and IBM was a 'volunteer' fixing the system. This argument lacks merit.

"The (Computer Fraud and Abuse Act) provides for a fine and imprisonment up to five years for an individual who 'intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage' and that conduct causes 'loss to one or more persons during any one-year period...aggregating at least $5,000 in value.'

"Although the damage was done to the Aventis computer system, the statute does not restrict consideration of losses to only the person who owns the computer system, and the district court properly instructed the jury to consider losses sustained by IBM in determining whether the statutory minimum was met.

"Next, we address the sufficiency of the evidence. Millot contends that the government's evidence was insufficient to establish that the actual loss exceeded the $5,000 minimum because there was no evidence that IBM specifically billed Aventis the amount alleged...At Millot's trial, the government presented undisputed evidence regarding the hours spent by (experts) Bridges and Meyers in response to the unauthorized intrusion, and that the time spent was valued at $50 per hour. IBM undoubtedly paid Meyers and Bridges for their time, and the work was done on behalf of Aventis to remedy damage to Aventis' computer system that Millot admits he caused.

"Accordingly, we find that the evidence presented was sufficient to support the conviction."

He did wrong, let him have it
I hate it when idiots like Millot try and get out of punishment on technicalities. The bottom line is, the guy had his ego bruised and he was too immature to handle it. So, he deleted his colleague's account. Not only was it a childish thing to do, but also very dumb because the log trail he obviously left led right to him. The first rule in stealth is: NEVER LET THEM KNOW YOU WERE THERE.

Take your punishment, dude. You were childish and stupid. You deserve it.
Posted by thenet411 (415 comments )
Yeah, but...
...this guy is obviously not the brightest penny in the purse. If he'd been as enterprising in his job as he was in his efforts to crack the security of his former employers, he might still have somewhere to go in the mornings!

However, I feel that his sentence, which was essentially for deleting a user's security account, was quite tough. The recompense sought in damages is categorically outrageous - did it really take IBM 407 hours to reconcile the problem of a deleted account?!?!
Posted by ukpm (22 comments )
$20,350, you have to be kidding
OK, I find the expenses that IBM charged for two people to recover the data to be excessive. At $50/hr, these guys each spent over 25 days (407 hours) recovering the data. Either the techs who were recovering the data were incompetent or IBM padded the expenses to recover the data.

How hard is it to recover using either a current backup or forensic software to recover the deleted files? I could possibly believe 100 hours total if they had to use software to recover the deleted files from the hard drives, because that process involves weeding through a bunch of useless noise to find the useful information.
Posted by SpinelessWonder (4 comments )
It wasn't for "data recovery"
It was for forensic analysis. If the guy was not a complete moron, he probably tried to hide his tracks. Speaking from experience, digital forensic analysis is not easy. And the analysis probably involved more than one engineer. So, you have multiple engineers working on different parts of the system to determine what happened including: attack origin, point of entry, method of entry, what data was compromised, and how to prevent a future attack from using the same holes in the security scheme. The task of determining what data was compromised is a very time consuming chore. And businesses need to know this so that they can take the appropriate action. Were critical files stolen/copied? Were figures on financial records altered (imagine a CEO with a $10,000 house payment to make that month and his check is only for $1, funny but damaging)? And too many other possibilities to list that MUST be checked so everyone at the compromised client can sleep a little easier or take the appropriate action. And if the intruder tried to cover his tracks, that means data recovery that may involve sending the hard drives to a company like OnTrack for recovery. Another very expensive proposition.
So, yes, data recovery might have played a role in the investigation, but the overall forensic analysis was much broader and likely took many engineers to complete.
Posted by thenet411 (415 comments )
Yeah!
This bill was for tracking down the cause, but still...

My jaw hit the floor when I looked at the bill. That is a lot of hours spent looking over logs and such. You are talking 5 weeks of work if it was 2 IBM Employees working on it all work day every day non stop.

This does seem quite outrageous.
Posted by zaznet (1138 comments )
RSA SecureID - just issue a new card, duh.
They probably issued a new card, but then needed to find out how/why the original card was compromised. I agree spending 25 days is excessive and probably incompetent. Our RSA has logfiles, etc, and change logs for each user, and who made the changes. Maybe an hour of time to find, including getting coffee and BS'ing with the security/auditors/etc. Certainly not 407 hours.
Posted by likes2comment (101 comments )
I applaud IBM!
What a great job IBM did!

Not only leaving the former security administrator's SecureID account open, but also evading responsibility for that and charging a shameless amount for fixing the damage caused by their negligence.

No business like information security business!

Regards,

Eitan Caspi
Israel

Professional Blog (Hebrew): http://www.notes.co.il/eitan
Personal Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Blog (English): http://eitancaspi.blogspot.com
"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)
Posted by eitanc (3 comments )
What's the real story?
IBM Bills Aventis $50/hr. for a combined total of $20,350.

Simple calculation shows that $20,350 divided by $50/hr comes to roughly 407 hours.

407 hours divided by 24 hours (assuming they worked non-stop around the clock) comes to 16.95 days.

You mean it took IBM almost 17 days to figure out what happened?

I smell stench in here somewhere... just trying to figure out where... but it smells so bad that I find it hard to continue looking!!!

Walt
Posted by wbenton (522 comments )
Or perhaps...
Or perhaps, just possibly, IBM had more than one person working on the investigation simultaneously?
Posted by fcgreg (8 comments )
More like...
I think it took more like 10 weeks for them to figure out what happened.
Posted by zaznet (1138 comments )
using his key card... are you serious???
Something is very stinky here. If the guy has a private key on his keycard then the public key in the system should have been deleted on the day he left the organisation, so that he could no longer be authenticated. Anything else is lack of care.

Did the guy have access to root organisational certifier key and the tools to make a new key, and sign it afterwards?

I really think that public private key asymmetric systems are just a pile of junk. The whole world needs to use One Time Pad instead.

Discard the key both ends every time it is used. Hey this is 2006, you can fit thousands of keys on a regular USB key fob, so there is no excuse.

Security depends on what you trust, and if you're trusting an organisational root certifier for a hundred years, it will be broken.

Apart from that, it's amazing that there was no activity log. 400 hours?? So this guy got in (VPN? - no access log?), logged into a server (no login activity log??), and deleted another guy's account (don't tell me, no log).

Why could he even log into the server? I'd prevent logins the day the guy left.
Speaks more for total laxness of security in this case than the guy's actions. In some cases, people downsized in this way WILL be pissed. You have to expect that.

Sounds like he's paying for the company's rubbish security to me.
Posted by hipparchus2001 (12 comments )
Your method is less secure.
SecureID uses a constantly changing key. Each sign on is unique. If someone were to record the next 800 keys provided, they would not be able to guess the next one. The problem that caused this intrusion was poor security practices of not removing the user's access to critical systems and his ability to modify the accounts of others. No secure system would prevent this.

The methods you propose are far worse than most systems in place today. Your system would allow them to copy hundreds of WORKING keys insecurely to any device that can read off your USB Flash ROM. They can even delete them off yours while they are at it so you don't use up the one-time key.

This is much like the old Lotus Notes security method that used a secure key file for access. With Notes you could copy the original file secured by a default password, then re-use that original file any time after the user updated their password to gain access with their account. The password was used against a locally saved file, and never sent to the server. That was another poorly designed system. :)
Posted by zaznet (1138 comments )
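The two comments above land on the same root cause: an administrator-level token that stayed active after its holder left, and access logs that nobody was reviewing. As an added example (not code from the article, the court or any commenter), here is a Python leaver-reconciliation check plus a small detection over audit lines; every user, serial, date and log line in it is constructed.

```python
"""Added example: reconcile active tokens against an HR leavers list, then
flag audit events performed by a departed user. All data is constructed."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR leavers list: user -> last working day.
DEPARTURES = {"leaver01": date(2000, 12, 15)}

@dataclass(frozen=True)
class TokenAssignment:
    user: str
    serial: str
    role: str      # "admin" tokens can modify other users' accounts
    active: bool

# Constructed token inventory, as exported from a token server.
TOKENS = [
    TokenAssignment("leaver01", "SN-0001", "admin", True),
    TokenAssignment("ops.bob", "SN-0002", "user", True),
    TokenAssignment("ops.carol", "SN-0003", "admin", True),
]

def orphaned_tokens(tokens, departures, as_of):
    """Active tokens whose holder left on or before as_of; admin tokens first,
    since those are the ones that can delete or alter other accounts."""
    hits = [t for t in tokens
            if t.active and t.user in departures and departures[t.user] <= as_of]
    return sorted(hits, key=lambda t: (t.role != "admin", t.user))

# Constructed audit lines: ISO timestamp, user, action, target.
AUDIT_LOG = [
    "2001-02-03T22:14:05 leaver01 login vpn-gateway",
    "2001-02-03T22:20:11 leaver01 delete_account mgr.techsvc",
    "2001-02-03T09:00:00 ops.carol login vpn-gateway",
]

def actions_by_leavers(log_lines, departures):
    """(user, action, target) for every event by a user after their departure."""
    flagged = []
    for line in log_lines:
        ts, user, action, target = line.split(maxsplit=3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
        if user in departures and when > departures[user]:
            flagged.append((user, action, target))
    return flagged

if __name__ == "__main__":
    for t in orphaned_tokens(TOKENS, DEPARTURES, date(2001, 1, 1)):
        print(f"revoke {t.serial} ({t.role}) still held by departed user {t.user}")
    for hit in actions_by_leavers(AUDIT_LOG, DEPARTURES):
        print("investigate:", *hit)
```

Run daily, the first check turns the "prevent logins the day the guy left" point into a routine control, and the second gives the log review the commenters say was missing.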
redemption
Wow, $20k for restoring an account. Just think of how much money we could all make for the crap Microsoft bugs create on a daily basis. Let's all call our attorneys.
Posted by joepsu (2 comments )
What a dummy!
The guy should have known that the only ones allowed to intrude are Bush and company.
Posted by casper2004 (267 comments )
Bad Numbers
Multiply your rate by 2 and thus cut your time in half... then you'll be closer to IBM's actual rate. Most decent I.T. firms are not charging less than $80/hour. $100+ is very common. It's hard to judge IT professionals when you have no idea what they cost, eh?

~200 hours to find out what happened, who did it, how it happened, and how it can be avoided in the future... all while gathering enough evidence to prosecute.... Not bad at all.
Posted by David Arbogast (1709 comments )
was responding to Victor Ortiz
Posted by David Arbogast (1709 comments )
Wrong math...
It is 407 hours, check the article before you do your math. Yes IBM had two people working on it, and it still took over 5 weeks if that was all they worked on. That's a long time to wait for an answer.
Posted by zaznet (1138 comments )
Sarbanes Oxley
A good example of why there was a need for SOX. I wonder why they did not try the "It was valid access because he still had valid credentials" defense. I suspect all of the billable time was spent looking into all nine "sessions" for details related to pressing charges.
Posted by bowergo (2 comments )