3. Terry Childs Holds San Francisco Hostage
In July 2008, the mayor of San Francisco walked into a jail with the specific mission of talking with one man imprisoned there: Terry Childs.
This prisoner held something of vital importance to the city: the passwords to a system that controls every network in San Francisco, which only he knew. Why did Childs have access to that system? Because he's the one who created it ... and the one who locked everyone out.
"I could spring myself out of jail any time, but hey, free rape."
Childs had worked for the city as a computer engineer for about five years before he learned that he was about to get fired. So, he decided to take some insurance policies on his employment: He modified the networked system he had helped develop from the ground up, which controls everything from the mayor's email account to police records to inmate bookings, and changed it so that only he could access it.
When his employers asked him for the codes, he refused to give them up and was arrested. Even in jail, he would only give out fake codes, presumably just to mess with everyone since he was obviously beyond fired at this point.
"That's E-A-T, space, S-H-I ..."
Officials could still access the network, but they couldn't modify it on an administrative level, since Childs was the only administrator. The city set a bail of $5 million (five times more than a murder defendant) because they feared that if Childs got hold of a computer, he would log in to the network and delete everything -- the mayor later admitted that San Francisco was "in peril" because they were locked out of the network. The city spent nearly $1.5 million desperately trying to regain access (and failing) and testing further vulnerabilities that could potentially make them look stupid.
Childs, who was sentenced to four years in prison and fined $1.5 million, was so paranoid that when he first learned about his possible firing he created a tracing system that would let him know what his coworkers were saying about him.
"Paranoid? Me? We'll see how paranoid I am when they find child porn on your hard drive."
After 12 days of sitting in a jail cell, Childs finally agreed to give out the passwords ... but only if the mayor himself came to play Clarice Starling with him, saying he didn't trust other people with the passwords to "his" creation. We're surprised he didn't send the mayor all around the city solving clues to piece the password together like the goddamned Riddler.
2. Joseph Nolan and Jason Cornish Should Not Be Trusted With Passwords
Not every hacker out there is a computer genius: Sometimes all it takes to do some serious damage is a little password. It seems really obvious, but one thing that security experts have to keep reminding companies is that if you're gonna fire someone, it might be a good idea to change your damned passwords. Especially if the guy you fired happened to be a vindictive asshole.
Take Jason Cornish, a former IT administrator at the U.S. subsidiary of Japanese drug company Shionogi, who, after being fired for the second time that year (he was let go in July 2010 but brought back as a consultant, then fired again in September), decided to spend his wealth of free time messing with his former employer.
Throw in a mini-fridge, and you never have to leave the keyboard.
Over the next four months, Cornish attempted again and again to access the company's network -- using the passwords and system knowledge he acquired while working there -- until he succeeded in February 2011 and trashed 15 virtual hosts containing vital information. Oh, and he did that while sitting in a McDonald's, leeching off their free Wi-Fi.
Cornish's attack "froze Shionogi's operations for a number of days" -- employees were no longer able to ship products, cut checks or send emails, because all that stuff and more depended on the hosts that he deleted. Perhaps he wanted his former colleagues to know what it feels like to be unemployed and have nothing to do all day, although it's more likely that he was just being a douche. His attack cost Shionogi $800,000 in damages, and Cornish now faces 10 years in jail and a hefty fine. It wasn't hard to catch him; while he was smart enough to do it from the McDonald's public Wi-Fi connection instead of his own, he actually used his fucking credit card to buy food there five minutes before the attack.
Presumably while yelling, "I AM JASON CORNISH, AND I AM GOING TO HACK THINGS AT THAT BOOTH!"
But Cornish isn't the only disgruntled IT guy of dubious intelligence who abused passwords to get revenge on his old company. Joseph Patrick Nolan resigned from the Ann Arbor-based Pentastar Aviation in January 2007, but later found out that he wouldn't get his last paycheck because he neglected to sign his separation agreement in time. Nolan took the news like the mature 26-year-old that he was, by which we mean that he logged in to the company's computer system and took a shit all over it.
Nolan accessed his former employer's database and proceeded to obliterate an entire computer drive containing personnel information and payroll records, presumably figuring that if he didn't get paid, no one else should. It cost the company between $30,000 and $50,000 to repair the damage over the next few months, and in the meantime everyone at the office had to be called "that guy" or "that other guy."
"Well, for right now, I just put you in as Butt Muscle. So you'll probably want to let your bank know."
At least Cornish carried out his anonymous attack from a public Wi-Fi connection -- Nolan did it from his own apartment, and it's not clear how anyone mildly familiar with computers could have expected to get away with it. He was sentenced to four years' probation, had to pay $1,158.25 to Pentastar and was even shamed into quitting his sweet new job as a senior infrastructure specialist at the Ann Arbor Information Technology Department. Hopefully he remembered to sign the damn agreement this time.