A week ago or so, I got an email from a friend of mine. She asked me some Unix questions about a system she works with. As we corresponded I realized she had a bigger problem than she initially thought. This system is “managed” by a third party company that provides the software and support for the hardware. Unfortunately that does not include security support. That kind of support is supposed to be provided by one of her coworkers. To be polite, let us say that the coworker did not do a stellar job.
So I got to go and help confirm that the machine had been hacked into. It looks from the evidence left that it was set up as a drone in a DDoS network. The intruder whacked the log files, so who knows if they have been back. Unfortunately for my friend, it will cost her company $5000 to have the system restored. And unless her coworker learns about network security real quick, the machine will probably be just as vulnerable when it is “fixed” as it is now.
Thankfully, I think I did a good enough job of explaining all the horrible things that could happen, both to their data and legally, that they will bite the bullet and get the system rebuilt. I know that there have not been any definitive legal decisions regarding a company’s liability if its systems are used as a springboard for further attacks, but I doubt they want to be a test case.
I really wish there was something I could do to help, other than provide advice. But although I am happy to provide advice for free, I can’t really offer to do the securing for free, as that is technically in her coworker’s job description. Not to mention the assumption of some level of liability for the system’s security going forward. So for now, I will remain an unpaid advisor; the least I can do for a friend.