Rogue admin jailed after taking down former employer’s network

A system administrator has been sentenced to two years in prison and fined $26,000 (£21,000) after crashing his former employer’s network so seriously the company was unable to operate for a week.

According to the charge sheet, within days of being fired by Harrisburg internet service provider Pa Online in June 2010, Dariusz J Prugar (now 32) used privileged credentials to access the network in order to retrieve software he believed he had written.

To maintain covert access, he also planted backdoors and attempted to hide his tracks using scripts that deleted log files.

Unfortunately, doing this caused the company’s systems to crash, leaving several thousand of its residential and business customers without internet or email access.

When the company phoned him up for help, Prugar tried to negotiate his rights to the software in return for co-operation. By now suspicious, the company called in the FBI to investigate, at which point his activity was uncovered.

It’s still not clear how much damage Prugar meant to cause but the end result was a week’s downtime spent rebuilding the network from scratch to avoid future compromise and a lot of unhappy customers. The case took years to come to court and the ISP is no longer in business.

It’s the sort of incident that will send a chill through IT departments. Incidents where lone admins turn on employers often feature the same patterns.

The unsurprising one is that the they turn on employers in the days after being fired. An obvious point perhaps but companies seem unaware that this period represents peak danger.

The second is that they are typically individuals who have been afforded too much power in the first place, or were able to acquire it without anyone noticing.

These days, the industry standard is to operate some kind of privilege management layer that allows admin access to important systems in a temporary, logged way. Privileged access should never be invisible.

This should ideally be backed up by an authentication system (such as a hardware or software token), which is easier to track and revoke. Remote access through a management port secured with a password alone is asking for trouble.

Tales of the admin running amok seem to be getting less common, or at least less publicised.

In 2010, a former engineer at the Gucci fashion house took revenge for his firing by shutting down virtual servers and the corporate SAN and deleting email inboxes.

Perhaps the most cautionary tale of all happened in 2008 when an engineer at San Francisco’s Department of Telecommunications and Information Services (DTIS), Terry Childs, locked out staff from much of the city’s network and refused to divulge the passwords. Childs eventually revealed them to the city’s mayor.