A Dark Knight in San Francisco?

With this story coinciding with the release of The Dark Knight, the latest Batman blockbuster, it’s hard not to see its dramatic potential: a disgruntled IT administrator locks the rest of the IT staff out of San Francisco’s IT switches and routers. He refuses to reveal the new password, backup configurations aren’t available, and he sits in jail for nine days in lieu of posting $5 million bail.

But wait, he’s not just a disgruntled rogue, he’s a vigilante of sorts. Published reports indicate that Terry Childs, chief designer of San Fran’s FiberWAN, pulled the cybercoup to prove a point: the city is lax in its security protocols. The standoff came to an end when Childs’ lawyer arranged a secret jailhouse meeting with Mayor Gavin Newsom, and Childs turned over the password. Order was restored to the city.

The backstory is even more interesting. The blogosphere is awash with posts from former city employees, including one who identifies himself as the former COO of the IT division, ranting about the politics in the department, and the folly of having managers with no IT experience running technical departments.

What’s the moral of the security story here? “This problem could have easily been avoided if management had proactively created a formal approach to dealing with master passwords. But Childs obviously gave more thought to breaking security than the city did in ensuring it,” says Ben Rothke, a New York City-based information security consultant.

“This incident should be a wakeup call to every organization. Unless an organization has directly and proactively addressed this security problem, and has a formal tested process to deal with it, they are clearly at risk,” Rothke says.

Rothke’s not alone in suggesting that a lack of enforced security protocols is putting many networks at risk. “I don’t think it’s a huge, huge anomaly,” says Joe Stewart, security researcher at SecureWorks. “In a best practices situation everybody above him, authority-wise, would have access to all the passwords they needed in case he quit, was fired, or was hospitalized….”

Or became really peeved about something.
