Forgot your password?
typodupeerror
Image

IT Worker's Revenge Lands Her In Jail 347

Posted by samzenpus
from the bad-idea dept.
aesoteric writes "A 30-year-old IT worker at a Florida-based health centre was this week sentenced to 19 months in a US federal prison for hacking, and then locking, her former employer's IT systems. Four days after being fired from the Suncoast Community Health Centers' for insubordination, Patricia Marie Fowler exacter her revenge by hacking the centre's systems, deleting files, changing passwords, removing access to infrastructure systems, and tampering with pay and accrued leave rates of staff."

*

This discussion has been archived. No new comments can be posted.

IT Worker's Revenge Lands Her In Jail

Comments Filter:
  • by Anonymous Coward on Friday December 10, 2010 @02:22PM (#34515968)

    Every time some person does stuff like this and it hits the press, every other IT person ends up suffering when the PHBs realize what the sysadmin or the Cisco guy is capable of.

    Will this mean better security? Of course not. It just means that oftentimes someone who shouldn't have access to enable secrets or root passwords gets those as a "backup".

    • by mysidia (191772)

      Of course not. It just means that oftentimes someone who shouldn't have access to enable secrets or root passwords gets those as a "backup".

      You mean someone who in your technical opinion as an engineer shouldn't be using enable secrets or root passwords?

      The systems belong to the PHBs. If you want to avoid giving out root passwords, then don't have passwords.... use biometrics. Or use a "password under seal" system, where the password is available but secure, and will be changed within days if

      • Are you suggesting that the PHBs are more qualified to determine who should have root passwords?
        • by Rydia (556444)

          It's not a question of who is qualified. It's a question of who is entitled. It's their system and they are the PHB. There isn't a metaphysical judge of who should have what, merely practical; the admin arguing that the PHB shouldn't have access "just in case," and the PHB ignoring that and receiving it anyway.

        • by dgatwood (11270) on Friday December 10, 2010 @05:59PM (#34518622) Journal

          No one should have root passwords. The mere existence of a root password is a fundamental security hole. If everyone has a user account and certain people have sudo privileges, you have:

          • An audit log
          • A trivial way to cut off that person's admin access (with or without cutting off all access)

          Combine this with a proper centralized authentication/directory services system, and you're done.

      • I can see why some people have reservations about giving they keys to the kingdom to the PHBs
        I've heard some really horror stories.

        "I am the boss thus I demand the most important passwords you have!"
        Followed by
        "Password? Oh, ya, I found that big long one hard to remember so I just changed it to my name"
        Followed by
        "Someone has hacked our servers! This is your fault as you're in charge of IT security!"

        So if you must use the "password under seal" system make sure it's a physical system like a safe which sets

      • by lorenlal (164133)

        The systems belong to the PHBs.

        That's an assumption. Not all PHBs are in charge of that hardware. Depending on the cost center relationship, that PHB may have no business whatsoever other than being the IT PHB instead of a business PHB.

    • by hendersj (720767) on Friday December 10, 2010 @02:59PM (#34516442)

      Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

      It's a job requirement to be trustworthy when working in IT. Those who aren't pull crap like this.

      Even if she hadn't gone to jail, if she got caught tampering with systems (either while employed there or after being terminated), she should never, ever, under any circumstances be trusted to admin a system again.

      Ever.

      • This applies across the board. Not just IT people but accountants, managers, legal advisers and so on. IT people are not the only ones who can cause significant damage to an organization.

        • by hendersj (720767)

          Good point - it seems to be less of a problem in the other areas (in my experience, in any event). Thing is that admin people tend to have access to data from multiple of the other organizations, so while I wouldn't say that hiring untrustworthy people in any position is a good practice, in IT it can be doubly bad because the IT staff can generally access docs on shared drives (for example) that belong to accounting, legal, etc - and can either disclose it or nuke it along with the backups.

          That can cause a

          • I don't agree. While rogue IT staff can bring infrastructure to its knees, an accountant is often far better placed to, say, rip off an organization in a huge way, and it happens enough via phony invoicing schemes to suggest to me that those in the financial end of an organization are by far the greater risk.

            • While rogue IT staff can bring infrastructure to its knees, an accountant is often far better placed to, say, rip off an organization in a huge way, and it happens enough via phony invoicing schemes to suggest to me that those in the financial end of an organization are by far the greater risk.

              Any business worth its salt has controls in place to prevent any accountant from having enough control with too little oversight to prevent this. In my entire career, I have never worked for a company that was vulner

          • by afidel (530433)
            IT people can cause havok, bad accountants and executives cause Enron and Health South.
            • Yeah, all the IT department can do is leak several hundred thousand secret cables to WikiLeaks. No real damage though.
          • by afidel (530433)
            This is one of many reasons I continue to advocate that if it's not offline it's not a backup.
            • Amen. The backup system that I have instituted has both onsite and offsite backups, with a weekly backup going offsite in a safety deposit box. Even if I were to go completely rogue and format everything, I couldn't in fact wipe organizational data; in particular accounting and payroll data. I might force bookkeeping to re-enter at most five days data from paper file, but that's the extent.

        • by Nadaka (224565) on Friday December 10, 2010 @03:59PM (#34517322)

          One difference is the respect that is shown and compensation provided to accountants, managers, legal advisers and so on. Meanwhile IT guys are basically treated like janitors.

          • by zolltron (863074) on Friday December 10, 2010 @04:08PM (#34517452)

            Meanwhile IT guys are basically treated like janitors.

            The irony of your comment is that it reproduces exactly the line of thinking that you criticize. You realize that janitors, by having physical access to almost all parts of a business, are capable of more havoc than IT folks. They often have physical access to all the same systems that IT people do and much more. If potential to cause damage should correlate with compensation, I'd argue that the janitors should get paid the most in any organization.

      • by Venik (915777) on Friday December 10, 2010 @03:33PM (#34516932)

        Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

        And if you decided to fire them, make sure you terminate their access to your network in a timely manner. Somehow I seriously doubt Ms. Fowler actually "hacked" their systems. It is far more likely that after four days she discovered her remote access account still works and she took full advantage of this.

      • Really, I think this just highlights something I've said for years: If you don't trust your IT people, they shouldn't be your IT people.

        It goes MUCH deeper than just a trust issue.

        What should have happened and didn't within less than an hour of her walking out the door is she should have locked out of everything. This company did not and paid the cost for their stupidity and laziness. This being the case...all executives/HR/whole IT department should have been fired/prosecuted for allowing this to happen. For that matter...the whole business should have been shuttered by the state of Florida and the FBI.

        What she did was wrong...but it

        • by Americano (920576)

          You are an idiot. That is all.

          "But your honor, she could have prevented this by wearing a locking chastity belt and carrying a gun. It's HER FAULT that she got raped!"

      • by Hazelfield (1557317) on Friday December 10, 2010 @04:48PM (#34517926)

        If you don't trust your IT people, they shouldn't be your IT people.

        I think the managers sort of realized that, and that's why they fired her.
        Maybe the true lesson to learn is this: don't let former employees keep their access. Not even for a few days.

    • Re: (Score:2, Insightful)

      by Venik (915777)
      Every time I see news like this, it certainly makes me suffer: a good sysadmin would not get caught. For a sysadmin, incompetence is the worst crime.
  • Um good? (Score:5, Insightful)

    by Hatta (162192) on Friday December 10, 2010 @02:22PM (#34515972) Journal

    Person commits crime, goes to jail. Fascinating reporting there.

    • Re: (Score:3, Insightful)

      by scorp1us (235526)

      You missed it. There's a girl in IT. That's the news!

      Its not even that she hacked in. NASA has always had a problem with girlfriends of employees getting pissed, getting in and then breaking stuff.

  • Harsh Sentence (Score:5, Insightful)

    by Manip (656104) on Friday December 10, 2010 @02:22PM (#34515974)
    I love how computer crimes are measured on an entirely different scale to all other crimes. While I think her crime was serious, when you look at the prison sentence relative to other things it seem disproportionate. If she had done the same thing without a computer I bet she would see less than 1/2 the jail time.
    • by nomadic (141991)
      If she had broken into the place, shredded documents, forged payroll records, changed some locks and damaged others so doors wouldn't open you think she would get less than half the jail time?
    • ... when you look at the prison sentence relative to other things it seem disproportionate.

      Your view might be different if it was your IT department, or your pay and leave records being dinked with...

      If the penalty is a slap on the wrist, what's the deterrent?

      • by Delusion_ (56114)

        You make a good case for not involving the victims in sentencing.

        • You make a good case for not involving the victims in sentencing.

          Bullshit. Sentiences *should* bare some relationship to the impact on the victim.

          Consider a geriatric wino living under a bridge - of no particular value to society. Does this make bum-killings "OK"?

          • by gfreeman (456642)

            Er, no ... which is entirely the point he was trying to make. Killing a bum gets you the same sentence as killing the President. Do you think it should be different?

          • No, parent's saying it shouldn't be up to the victims to decide the sentence.

            Yes, if it was my IT department, one could feel more strongly. That doesn't mean it's a better sentence.

          • Re:Harsh Sentence (Score:4, Insightful)

            by Delusion_ (56114) on Friday December 10, 2010 @03:07PM (#34516544) Homepage

            My point is that you are convicted by a jury of your peers and not a jury of your victims for a good reason; a jury and a judge have a better ability to be dispassionate.

            That we involve victims in sentencing hearings is abominable, as is that we enforce arbitrary minimum sentencing regulations.

            If I am guilty of a crime, what I did is what should matter, not how good or bad a person the victim was. Rather than go down Hypothetical Alley with you about the value of human life, I'd like to keep our hypothetical closer to the facts:

            Would this crime be more heinous "your IT department", as you put it, were genuinely good people? Would it worth less sentencing if it took place at an equivalent organization whose IT staff was lazy and whose managers were bombastic annoying pricks? Surely not. In that case, your opinions as the victim as to what the guilty party deserves regarding sentencing are too compromised.

            • My point is that you are convicted by a jury of your peers and not a jury of your victims for a good reason; a jury and a judge have a better ability to be dispassionate.

              As was the case here. The victim didn't choose the sentence.

              By the way, do you object to "Victim's Impact Statements" at the sentencing? For serious crimes like auto-related deaths / maiming, home invasions, and murder?

              • by Delusion_ (56114)

                I wasn't responding to the case. I was responding to your post:

                > Your view might be different if it was your IT department, or your pay and leave records being dinked with...

                > If the penalty is a slap on the wrist, what's the deterrent?

                RE "Victim's Impact Statements", yes, I object very strongly to them. This "Victim's Rights" movement is nonsense. It's not the victims who are on trial, it's the defendant. I understand why a victim desires a harsh, punitive sentence, but I think a judge and jury h

                • Let me bore you sometime about how traffic courts have become an immoral revenue generation scam in most jurisdictions.

                  My city has recently embraced the Traffic Camera - to improve traffic safety of course.

            • by pspahn (1175617)

              I dunno, I think morality of what happened should factor into the sentence (though, not whether you are guilty or innocent).

              A man mysteriously appears and jumps into the river to save your child. When he gets out of the water, you recognize him as an escaped convict from the news. Do you tell the authorities?

      • Your view might be different if it was your IT department, or your pay and leave records being dinked with...

        This.
        I used to work at a place with a really shitty asshole of a manager. One of the other employees apparently had the bright idea to create a program that would mess with all of the customer records, since it would somehow make the asshole manager look bad when stuff started to fail.

        Apparently he had been screwing around with the customer records for months, which pretty much made all of the backup

    • What if she broke into the office and set fire to a couple of file cabinets, and burned the company's financial books and payroll records as well (assuming they'd have none of it on computers)? Even if her actions wouldn't burn down the whole building, I should think she'd get a stiff penalty for that, including some jail time.
      • by TheLink (130905)
        Once you use fire, it could be categorized as arson.

        In some places the penalties for arson can be quite significant.
    • Re: (Score:2, Interesting)

      1st: I do not think I agree with OP. If I did the same damage without a PC, I bet I would be arrested.

      2nd: The reporting is interesting. To a great extent, folks knowledgeable about computer systems/programming are looked on as some type of magicians. We get mixture of respect and contempt because of this. People depend on us and our services and that creates a high level of conflict.

      3rd: They are actually working on the idle CSS. Still sucks, but at least the edit textbox is no longer 0.75" wide.

      • by gmack (197796)

        I'm wondering why it took 3 months to get her to hand over the password. Not defending what she did but why couldn't they just preform a password reset?

        It really doesn't seem like either her or her employer were all that competent.

        • by davev2.0 (1873518)
          I worked there for a while. I am guessing she was the sole IT person. Thing to remember is that SCHC is a non-profit where most of the budget goes to health care.
        • by fluffy99 (870997)

          It took them 3 months to figure out who was intruding into the system. Once the FBI asked/interrogated her, she fessed up. Still 3-months is a long time to go without the password when I'm sure the manufacturer would have helped them rest the password.

    • by Bigjeff5 (1143585)

      Do you realize how much damage you can do with that kind of access?

      You are seriously underestimating the seriousness of the crime. That she didn't do all that much damage is relevant to a point, but she clearly intended to do as much harm as she could.

    • by redstar427 (81679)

      It's a good thing she didn't share music files from a CD at the same.
      She could have owed millions of dollars, and her sentence might have been for a much longer time!

    • by davev2.0 (1873518)
      I am betting the fact that SCHC is a non-profit providing health care to migrant workers, the elderly, and the poor might have figured into the sentencing.

      As for how she was able to do so, she was probably the only real IT person in the company



      Disclaimer: I worked at SCHC as the sole IT person for a long time.
    • Like breaking in after hours and swapping everyone's password stickies from under their keyboards? Or if the same department that secures IT secures the building, she probably still had her badge, so no breaking required. My guess is "The Guy" that handles AD/LDAP/whatever security was on vacation. Or they have some really shoddy security policies. Someone call the HIPAA/SOX police, quick!
    • by pgn674 (995941)
      In Maine, if you see a person's password for their email account on a post-it note, and subsequently use that password to log into that person's email account without their express permission, then that is considered a crime of the same class (I, II, A, B; not sure) as beating up a small child.
    • If she had broken and entered, destroyed some property, changed locks, sabotaged, say, manufacturing systems so they would need repair before normal business operations could continue, and falsified documents (fraud), you think she would have gotten a _smaller_ sentence?

    • by trevdak (797540)
      Hell, if she could change someone's passwords without a computer, I'd hire her.
  • Suncoast Community Health Centers for hiring such imbeciles to entrust with the health of you and your relatives!

    • what you say ! ! !
    • Suncoast Community Health Centers for hiring such imbeciles to entrust with the health of you and your relatives!

      As someone pointed out earlier in the comments,
      Suncoast Community Health Centers is a non-profit providing health care to migrant workers, the elderly, and the poor. I'm guessing they don't have a lot of money to blow on getting the cream-of-the-crop IT professionals.

  • Yeah, but... (Score:3, Informative)

    by Ecuador (740021) on Friday December 10, 2010 @02:24PM (#34516000) Homepage

    is she hot?
    Also, does she run linux at home?

  • "Revenge is a dish best served cold." (or by Anonymous, on your behalf...). A massive grudge-hack spree 4 days after your termination suggests that A) IT didn't have its shit together and B) You are now suspect #1.

    Unless you are very good, you aren't going to avoid leaving enough of a trail that wriggling out of the "#1 suspect" spot will be easy or comfortable...
    • Sure it's easy, just make sure you're behind seven proxies!

    • One important thing about getting out of the number one spot, don't broadcast how you would get out of it on Slashdot.

    • It's not that hard to be good at being bad.

      Certainly, a dish served cold. Preparations can begin while the plate is still hot though.

      1. Start by using your access to create new superuser accounts for yourself which have no reference to your name.
      2. Use your new superuser accounts to delete your old superuser accounts and clean up the logs left behind.
      3. Write some clever scripts that will do your dirty work at a frenzied pace, then self destruct after altering log files to point at someone you don't like.
      4. Set up a
    • Obvious Suspect Fail. If my wife or my business partner were to suddenly turn up murdered, the cops would be at my door in a heartbeat. I fire my IT person and three days later my entire IT infrastructure goes down hard. I don't need to be Sherlock Holmes to figure out who did it.

      The way to do it is to put in a few accounts for other ex-employees, "accidentally" elevate them to admin privileges and then walk away. If you still feel the need for revenge 6 months later use one of those accounts to do your da
  • What? (Score:5, Insightful)

    by segedunum (883035) on Friday December 10, 2010 @02:30PM (#34516082)

    Fowler's attack on the company's firewall, which had caused a "lockout", took Federal Bureau of Investigations (FBI) three months to resolve.

    What? Seriously. What? What the hell is a lockout and why would it take anyone three months to solve a firewall issue?

    • by pilgrim23 (716938)
      What she did was remove all security and allow her Bosses to do exactly what they asked for... 10 minutes later the missiles launched and all was ruin.
    • by lymond01 (314120)

      Seriously. Replace the firewall.

    • Fowler's attack on the company's firewall, which had caused a "lockout", took Federal Bureau of Investigations (FBI) three months to resolve.

      What? Seriously. What? What the hell is a lockout and why would it take anyone three months to solve a firewall issue?

      That's how long the FBI spent running all the staff through ICE (Immigrations) before they replaced it. And you thought your last doctor's appointment was a long wait...

      At the speed of government.

    • Have you seen the amount of paperwork involved? That alone could take up to 90 days for the FBI to process.

      Now, if it's not actually helping people, it'll be done by tomorrow.

    • Re:What? (Score:5, Informative)

      by Charliemopps (1157495) on Friday December 10, 2010 @03:12PM (#34516614)
      I'm fairly sure I know exactly what she did. Most companies have the same security flaw. They have their network hardware resolve user names and passwords the same way all their workstations do. They also have a "Lockout" if you get the password wrong a certain number of times (usually 3.) I'm sure you've seen this before. The vaulnerability is, if you then have everyones email be: userid@yourcompany.com, anyone can very easily pull down a full listed of userids from the exchange server. The companies address list literally has every userid in the company. You then simply write a script to hit a piece of network equipment 3x with a garbage password for every single user in the company. Because it's a telnet connection it's REALLY fast. The system locks out every single user. If the admins weren't smart enough to reserve a single master login (and they usually are not) you can cripple the entire company.
  • by darjen (879890) on Friday December 10, 2010 @02:46PM (#34516282)

    or did she use passwords she already had to get into the system? I wouldn't be surprised if this was yet more abuse of the word "hacking".

  • Sounds like she got what was coming to her. Whether or not she had a legitimate grievance with her employer is irrelevant; you just don't pull shit like that. Period.
  • Hmmm, given that this is not the first time this kind of thing has been in the news, you'd think that companies would not leave a single point of failure like this in place. You always have to be ready for someone with privileges to go rogue, especially when terminating them. During the tech bust of the 90s I remember IT people being routinely escorted from the building during layoffs, not even allowed to turn their computers back on. It was brutal, but I could see how some of those guys could go rogue and
  • Sounds like she tried to start a mutiny or something!

    Perhaps she refused a code red?

    Seriously how can someone that works in IT at a freaking community health centre get canned for insubordination?

    Maybe she had good reason to trash their systems... I'm guessing rogue AI.

As far as we know, our computer has never had an undetected error. -- Weisert

Working...