Hey, there! Log in / Register
Technician regrets hacking computers at former employer and its clients, but still gets prison and home confinement
By adamg on Wed, 11/23/2016 - 9:55am
A Lowell man will spend 24 days in federal prison after acknowledging he logged into the network of the computer-services that fired him and deleted data on a key server - and then repeated the process when he was charged with a crime, only this time doing the same thing to clients of the company.
After he gets out of prison, Kamlesh Patel, 39, will also have to serve a year in home confinement under the sentence handed down by US District Court Judge Leo Sorokin, the US Attorney's office in Boston reports.
Federal prosecutors had asked for a 14-month prison sentence, urging the court to make an example of Patel for other network engineers who might be thinking of malice when they're let go or fired.
Patel, who emigrated here from India, was a senior technician with Baesis, a Northborough computer services firm, when he was fired in 2010. He then logged into the company network, went to the server where the company stored configuration data for clients' networks and deleted the data. After Northborough police criminally charged him, he logged into the company network again and deleted more data - then logged into the networks of three client companies and deleted data on their networks. According to the US Attorney's office:
Following Patel’s actions, the victim companies temporarily lost use of their networks, including internet and e-mail access. One company lost access to its internet telephone system for several weeks.
That company also ripped up its contract with Baesis, since one of its tasks was to protect the company's network from intruders.
According to his lawyers, Patel is a good man who been active for more than 15 years in helping fellow immigrants from the Indian state of Gujarat and the incidents are just a one, well, two-time aberration in a life of honor and good will. They argued for no prison time.
He recognizes and accepts that he must be punished for his actions, and has pled guilty to a three-count Indictment charging him with computer-crime offenses. ...
To be sure, Mr. Patel’s intentions were not benign, but he believed he was engaging in the equivalent of spray-painting the outside walls of the business with graffiti. He neither expected nor intended to cause the significant damage that resulted.
The US Attorney's office scoffed at that, in its own brief urging Sorokin to toss him in the pen:
Company B was without Internet and phone service for weeks and had to pay its employees for nearly $80,000 in lost time. Baesis had to spend approximately $50,000 in equipment and employee time to get its clients up and running again. The better analogy is that Patel cut the power and phone lines to these businesses and destructively forced the victims to digitally rebuild. ...
The requested sentence of imprisonment is also necessary in this case to deter others. Like Patel in this case, system engineers have increasingly important roles in the institutions they serve. They are trusted with unfettered access to corporate computer networks. They are uniquely trained to understand how their employers' digital infrastructure works, and are often the only employees who can solve network problems for their colleagues and clients. These same characteristics, however, make them uniquely suited to cause significant and expensive problems in an employment dispute (as Patel did in this case).
Patel will not be the last IT professional to be let go from his job. Nor will he be the last to retaliate against colleagues and clients on his way out the door and beyond. But a custodial sentence here is necessary to deter these well-trained and highly trusted employees from picking digital fights with their employers, especially where the employers trained and trusted these same employees to protect them from destructive attacks.
How will Patel respond the next time he is laid off? What will happen if an expected bonus is smaller than hoped, or if a promised promotion doesn't come through? The government intends the custodial portion of Patel's ultimate sentence to serve as a reminder and deterrent for when life next disappoints him, as it inevitably will.
Topics:
| Attachment | Size |
|---|---|
 Sentencing memorandum by Patel's lawyers | 76.23 KB |
| Sentencing memorandum by US Attorney's office | 57.84 KB |
Ad:
Support Universal Hub
Help keep Universal Hub going. If you like what we're up to and want to help out, please consider a (completely non-deductible) contribution.
Comments
Wow
thanks adam for posting this. I'm trying to remember if I've ever heard of someone being caught in this manner. And even if it wasn't.. it's been a long time since I have heard of anything.
As far as the charges. Poo poo on this guy for doing it not only once, but twice. But I've been there as an IT person. I was fired from a position several years ago and was pretty damn angry. I could have done alot of damage if I wanted to. But I am a professional, and I'd like to continue working in my career so I didn't. (and this guy will never work in IT again because of this case)
And poo poo on his company for not killing network access right away. Most companies, including my last one, have policies in place to prevent this. When someone is fired. HR would immediately come to me to tell me when to term access. If they were a high level administrator, we killed as much access as possible. (sometimes it's not possible to do so quickly if the person was a keystone to the organization's network setup due to the way how some systems function)
And poo poo on the company for not having policies & procedures in place such as Change Control. This user should not have access to those files, un-restricted. Especially since it seems like this company is a Managed Service Provider (a company that provides IT services for other companies). And yeah, if I was a client, I'd be pretty pissed that my network configuration files were left without any controls on who could access them. Shows how that MSP is run and how much they value customer data (they don't)
Interesting story.. thanks
PS - US Attorneys Office comment is spot on:
She's 100% correct. But it's up to the company to put controls in place so things like this does not happen. I know some companies are a bit lax about this stuff. I've worked with several that did not have Change Control and it backfired on them. ChangeControl sucks to deal with (it's really an approval process) but its needed in cases like this. I just hope this MSP he worked for didn't deal with clients who fall under HIPAA and a few other privacy laws. That would be shameful if controls were not in place.
Not being an IT person, my
Not being an IT person, my first thought was shame on Patel's former employer for not cutting off his access.
Thanks Cybah for providing the nuts and bolts explanation.
Yeah
I've just been there. Usually controls are put into place AFTER something big happens like this. Sad that it takes a knee jerk reaction to something to get something done. In IT dreamland, it should have been done before. But companies do not learn until it happens to them.
The thing that gets me is that he probably accessed their network remotely via VPN.. well I hope they do. Or via a software like Kaesya, ITSupport247/Continuum, LogMeIn, TeamViewer, etc . Again its all single logon and/or single sign on. One removal of his main account should have cut off his access everywhere. But then again, as I said, if he was a keystone player.. much like myself. I have multiple accounts for testing purposes. So he could have used one of those.
This of course, multiple accounts are a Information Security Director's Nightmare. Most InfoSec people do not permit one than one account per person, and if temp accounts are to be created. They have to expire within a certain number of days (typically 30).
And the client access he did is even scarier. Again, so much disregard for his company NOT to immediately change passwords and/or use a password manager (or public/private key system) to keep track of who has passwords. Even still, InfoSec people say all passwords should be changed frequently anyways on client side's server. (sometime this is not possible due to customer requests)
It just seems like it was several few things why he was able to do this. I just love companies who cry fowl when this happens, but when asked "where is your InfoSec policy and was it enforced", they throw their arms in the air like they just don't care. Not justifying this guys actions, but companies are partly to blame for allowing this to happen. Controls, policies, best pracitices, and software do exist to prevent this. Use them.
Full Disclosure: I used to work for a managed service provider, and its amazing how much disregard there is for client information. MSPs will claim they care and have policy, but audits usually say otherwise (that they aren't being followed). But with many MSPs, as long as the checks keep clearing and the customers are happy.. ignorance is bliss I guess.
I also just realized that my girlfriend I'm staying with in NH made the coffee waaaaaay to strong this morning. zooooooooooooom
"cry fowl"...
and let slip the turkeys of resistance!
DYA
That was auto-correct that did that.. :-)
Let me get this straight
He was nailed by the police for destroying files,. Yet he was still able to get back in to do it again?
Sounds like they fired the wrong guy. Makes me wonder if he was making too much unprofitable noise about security lapses?
he used other employees
he used other employees credentials to get access, not his own: (from linked Press Release):
In October 2010, after Baesis terminated Patel, he used a colleague’s network credentials to access Baesis’ computer network and delete the company’s image server, a computer that stored copies of clients’ network configurations.
Beginning in late January 2011, Patel again used his former colleague’s credentials to access Baesis’ network and access the networks of three former clients.
Ok
Still not really an excuse.
Poo Poo on the employees for sharing their passwords with him.. or even worse, having passwords he could guess.
Again it all falls back on his company. Their InfoSec policy should state passwords must be changed every X months. If there was a YEAR gap between the first incident and the second one, means the company probably didn't had one, or employees ignored it, if they did, or they were not performing audits in "best practices" to know passwords were not being changed.
Even if the employee just re-used the same password.. again poo poo on the company for allowing a policy that allows for the same password to be used again.
It really all falls on the company now. Again doesn't make what he did right, but shows how poorly run the company was and in the end they will pay dearly for it. (In Lawsuits, and lost customers)
hmm
its the company's fault eh
sounds like victim blaming to me
The real tragedy is that it
The real tragedy is that it took the courts 6 years to settle such an uncomplicated case.
Real Tragedy #2
He'll be back at work as a "security professional" once he gets home from jail and will use his "experience" of being caught as an example of what bad people will do and how he's smart enough to catch them.
Often in IT the bad guys go onto more lucrative jobs.
One would hope there's also a civil suit against him to at least recover some of the cash he cost his company and clients. That said, I'd never hire (or keep) a company which had such lax security policies as to let this happen the first time around.
Maybe not
I don't think he will ever work in IT again. What he did was malice... it would be very hard pressed for someone to even think about hiring him again. It would take years of low rate jobs with crappy employers who do not care about ethics to make this fall off his resume (because ya know, someone will ask "why did you leave that company" and "I need references")
Not everyone who is "bad" in IT move onto more lucrative jobs. Some never work again, especially ethically related issues. Its all how they work it. I've watched this happen. Such as well, if you're that jaded that you risk your professional career like that, we don't need you in our industry. It means you have anger issues.
As far as a civil suit. Sure his company could sue him for money. But if I was a client who had this happen to, I'd sue their company. They are liable for allowing it to happen.. TWICE. Which means (as I said above), they had no controls in place to prevent that from happening and/or were not auditing their process to make sure it wasn't happening. Its also falls on them if their employees fuck up because its probably written into their contractual agreement with the client.
That was my point above. You probably wouldn't know it was happening until it was too late. Like I said above, as long as the checks keep clearing and the clients are happy.. many MSPs overlook controls, audits and such. Because when it happens to you.................