Usually, it’s a mayor who hands out the key to his or her city to residents deserving special recognition. In San Francisco’s case, it was Mayor Gavin Newsom who took back the key to his city’s computer network from the man who held it hostage for more than a week.
The only positive recognition system administrator Terry Childs is likely to get from his escapade is credit for alerting other cities to take a second look at their information technology security practices.
Childs was jailed July 13 after he changed crucial passwords to the city’s wide area network. He was held on US$5 million bond while experts from Cisco Systems attempted to restore access without disabling the entire system.
On Monday, July 21, Childs said through his attorney that he would give up the new passwords, but only to Mayor Newsom. By Tuesday evening, the city was back in control of its own computer network.
How Could This Happen?
Childs may have been driven to enact his cyber-sabotage plan because of what he called “incompetence” at the Department of Telecommunications and Information Services, where he worked for five years, Childs’ attorney, Erin Crane, has told reporters. The department had recently seen cutbacks and layoffs, and Childs apparently was worried about potential damage to city networks.
Lean budgets are indeed an issue in the IT world, but cutbacks can also make someone like Childs more valuable.
“The problem with city and state governments is that a lot of times, they don’t have a lot in their IT budgets,” Paul Ferguson, advanced threat researcher at Trend Micro, told TechNewsWorld.
“We see the same problem all the time — they hire some third party to set up Web sites or networks, and the consultant collects the money and goes on their way. We have a real hard time finding the right person to clean up the problem,” Ferguson said, “because there’s no expertise there. It’s usually a small number of people who have high-level access to the network infrastructure and have the ability to wreak havoc should the opportunity arise.”
What Other Cities Should Do
San Francisco’s embarrassing IT debacle is a lesson for other municipalities and those who are in charge of their networks.
“They should review their processes,” Jamz Yaneza, threat research manager at Trend Micro, told TechNewsWorld.
“It’s basically Network 101 to make backups and audit trails of everything,” he noted. “Also, you need [to conduct] due diligence of the process and find out who’s in charge of what, do background checks. It depends on how much trust you put on the person doing the [system] configuring. Have you done your background checks on this guy? But, on the other hand, have you done your own homework to make sure there are backup processes in place?”
Other cities are likely vulnerable to their own insider threats, according to Ferguson.
“It will happen again,” he predicted. “It’s happened in the past where some disgruntled employee has planted logic bombs.”
DTIS Disaster Recovery website, created by the City’s "Enterprise Engineer" William Goldberg. The site has been publicly exposing the VPN password to, and other sensitive information about, the City’s offsite disaster recovery network for months.
http://dtisdr.org/Lists/Announcements/DispForm.aspx?ID=35
…"Childs may have been driven to enact his cyber-sabotage plan "…
He is not charged with any act of sabotage. City officials made statements to the effect that Childs had configured some of the routers without saved copies of the configuration. One potential problem with doing so is that the configuration would be lost if power to the unit were to be turned off. A potential problem with saving the configurations is that the routers were located in various public buildings around the city where thousands of people could gain physical access to the routers and could modify the saved configuration to bypass network security and the router would then continue to function after its security had been completely breached. The network administrator (Terry Childs) chose to configure the routers in such a way that any attempt to tamper with the configuration would result in the loss of the current configuration and the router would not continue to function as it had. At which point, it would be the duty of the network administrator (again, Terry Childs) to connect to the router and re-establish the configuration.
In short, while some city officials had portrayed this configuration as evidence of sabotage, it can also be considered evidence of a network administrator securing the routers from potential abuse and unauthorized access.
Terry Childs has not been charged with any act of sabotage. The network has functioned under his care for years and continued to function even after he was arrested.
…"Childs was jailed July 13 after he changed crucial passwords to the city’s wide area network ."…
It was and had been Terry Childs’ job, for years, to administer the routers, including setting passwords to limit access to the administrative functions of the routers. It remains to be seen who, if anyone, other than Terry Childs was actually authorized to have such access, and it was part of his job, specifically, to change the passwords in the routers.
He has not been charged with changing passwords but rather with not providing a password with which DTIS managers could gain administrative access to the routers. We do not know specifically what they asked him, nor specifically what his answers were. We do know that he did answer them and that DTIS managers were (for some reason) unable to test the password while he was present and that they claim the password he supplied did not allow them the access they had sought.
…"freezing the city’s computer network"…
The network remained functional for normal use. The city’s DTIS department claimed that they were not able to administer the routers on the network, not that the network was at any time rendered non-functional or "frozen". In addition they claimed that they chose not to reset the routers because the configuration information in some of the routers might be lost and they apparently did not know how to reconfigure them.
…"it was Mayor Gavin Newsom who took back the key to his city’s computer network from the man who held it hostage for more than a week."…
It was actually Terry Childs who asked his attorney to offer the password to the mayor. It remains to be seen whether or not the password (which worked) is the same password Terry gave to DTIS managers on July 9th, 2008 prior to his arrest. We still don’t know exactly what he was asked by DTIS, nor exactly what his response was. We do know that he did respond on July 9th to the satisfaction of SF police inspector James Ramsey who had told Childs that he would arrest him if he didn’t answer. We also know that DTIS managers later claimed that they were unable to get the password to work and that they had been unable to test it during the meeting with Childs and that he had been allowed to leave.
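The commenter above describes routers deliberately run without a saved copy of their configuration, so that a reload would leave them non-functional until the one administrator reconfigured them. The following added example (not code from the article, the commenters, or the City) is the kind of audit a network team can run to find that situation before it becomes a single-person dependency: it compares each device’s live (running) configuration against its saved (startup) configuration and flags devices where nothing is saved or the two have drifted. The device names and IOS-like config lines are constructed sample data, and the fleet is assumed to be supplied as already-retrieved text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ConfigAudit:
    """Result of comparing one device's running config to its startup config."""
    device: str
    startup_missing: bool
    only_in_running: List[str] = field(default_factory=list)
    only_in_startup: List[str] = field(default_factory=list)

    @property
    def unsaved(self) -> bool:
        """True when a reload or power loss would change or erase the live configuration."""
        return self.startup_missing or bool(self.only_in_running) or bool(self.only_in_startup)


def normalize(config: str) -> Set[str]:
    """Reduce a config to its significant lines: drop blanks and '!' separator lines."""
    return {ln.strip() for ln in config.splitlines() if ln.strip() and not ln.strip().startswith("!")}


def audit_device(device: str, running: str, startup: Optional[str]) -> ConfigAudit:
    """Flag a device whose startup config is absent or differs from its running config."""
    if startup is None or not normalize(startup):
        # Nothing saved at all: every running line is lost on reload (the case the comment describes).
        return ConfigAudit(device, True, sorted(normalize(running)))
    run, saved = normalize(running), normalize(startup)
    return ConfigAudit(device, False, sorted(run - saved), sorted(saved - run))


# Constructed sample fleet (hostnames, secrets and routes are made up):
# one device saved cleanly, one drifted since its last save, one never saved.
SAMPLE_FLEET: Dict[str, Tuple[str, Optional[str]]] = {
    "core-rtr-1": ("hostname core-rtr-1\n!\nenable secret 5 $1$constructed\nline vty 0 4\n login local\n",
                   "hostname core-rtr-1\nenable secret 5 $1$constructed\nline vty 0 4\n login local\n"),
    "branch-rtr-7": ("hostname branch-rtr-7\nenable secret 5 $1$constructed\n"
                     "ip route 10.9.0.0 255.255.0.0 10.9.0.1\n",
                     "hostname branch-rtr-7\nenable secret 5 $1$constructed\n"),
    "hall-rtr-3": ("hostname hall-rtr-3\nenable secret 5 $1$constructed\n", None),
}


def unsaved_devices(fleet: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Names of devices that would lose or change config on reload, in fleet order."""
    return [name for name, (run, saved) in fleet.items() if audit_device(name, run, saved).unsaved]


if __name__ == "__main__":
    for name in unsaved_devices(SAMPLE_FLEET):
        a = audit_device(name, *SAMPLE_FLEET[name])
        print(f"{name}: startup_missing={a.startup_missing} unsaved_lines={a.only_in_running}")
```

A device on the unsaved list is either a deliberate tamper-resistance choice that needs a documented recovery procedure held by more than one person, or an oversight; either way it belongs in the backup and audit-trail process the article recommends.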