All that’s missing in the story of a computer administrator charged with running amok is central casting. But this is no work of fiction, and it is turning into a cautionary tale for network administrators.
Terry Childs, a network administrator for the City and County of San Francisco’s Department of Technology (DOT), is accused of tampering with the city’s new FiberWAN network system in such a way as to deny other authorized administrators access to the network and with setting up devices to gain unauthorized access to the system. The system stores records such as officials’ e-mails, city payroll files, confidential law enforcement documents and jail inmates’ bookings.
According to a report in the San Francisco Chronicle, Childs initially gave pass codes to police, but they didn’t work. When pressed, Childs refused to divulge the real code even when threatened with arrest, according to the Chronicle, citing unnamed city officials.
Now Childs, who had been tasked with safeguarding the city’s computer systems against the bad guys, is in custody.
He is charged with four felony counts of computer network tampering, according to San Francisco District Attorney Kamala Harris. Childs has been charged with causing losses in excess of $200,000 as a result of his alleged actions. An arraignment originally scheduled for today has been postponed till Thursday.
“Essentially, as we’ve alleged in the complaint, this individual is accused of preventing other authorized users access to the system and potentially giving himself authorized access not allowed,” Erica Derryck, a spokeswoman for San Francisco District Attorney Kamala Harris, told InternetNews.com.
Derryck also said the San Francisco DA considered Childs’ actions a threat to public safety, but had no comment on his motives. “The district attorney has said we do not need to prove motive to charge the crime.”
Childs reportedly was disgruntled over warnings he had been given by managers about his performance on the job, which reportedly paid him close to $150,000 a year, including benefits.
Childs was arrested Sunday, July 13, at his home in Pittsburg, California. He’s in custody facing $5 million bail.
The system continues to operate even though administrators have limited or no access. “Right now our system is up and running and we haven’t had any problems so far,” Ron Vinson, chief administrative officer for the Department of Technology, told the Chronicle.
Vinson said the city is “working around the clock” to make sure the system is maintained and operable.
Access gone amok
“This is your basic computer admin with plenty of privileged access gone amok,” said Jeff Nielsen, senior product manager at computer security firm Symark.
Nielsen claims it’s all too common for network administrators to be given broad, if not complete, access to computer systems. “We’ve had this trust-based system in the industry forever,” Nielsen told InternetNews.com. “It becomes like a badge of honor for these guys to have access to everything. And 99 percent of the time you’re ok, but that other one percent, you can have someone on their own agenda do things like lock everyone out from the system.”
As an alternative, Nielsen said there are process-based systems that provide more accountability and require authorization or an approval mechanism for access to certain files and systems. Symark, among others, makes I/O logging or keystroke logging software that keeps a record of those actions so they can be recreated later to sort out problems such as the ones Childs is alleged to have caused.
“We have provisions in our tools so that certain privileged people can fetch the information they need immediately in case of an emergency,” said Nielsen. “But the difference is you also have an audit trail to get at any new passwords entered or other changes made to the system.”