Establish Effective Procedures for Removing Systems Access: Example

An article from last Wednesday (11/15) just caught my eye; it is intriguing: “Hoffacker charged with hacking system.” The article indicates a former VP of Technology at Source Media, Stevan Hoffacker, was

“charged with hacking into the company’s computer system three years after he was dismissed, and tipping off employees whose jobs were in jeopardy.”

The article also states:

“Prosecutors have alleged that Hoffacker, who worked for Source Media and its predecessor company from 1998 to 2003, hacked into the company’s e-mail network and sent e-mails to two Source Media employees in August and in September of this year, alerting them that they might lose their jobs. The messages were sent from a Yahoo account, according to court documents.
Hoffacker had access to usernames and passwords of other employees during his work in the company’s information technology department, prosecutors said.”

I wonder, what is the real story? Sending emails isn’t considered hacking…unless…was that email system not reachable from outside sources? It would be very rare (though, yes, such systems still exist) for an email system to be configured to allow emails to originate and be delivered only within the closed network. The last time I used a system like this was on an IBM 360/370 mainframe-based email system accessible only through “dumb” terminals…around 10 – 12 years ago. The system was Emc2/TAO from Fisher International; it could also have been installed to exchange email with the outside network, but this particular installation was not.
So, if the Source Media email system could communicate with email senders and recipients outside the network, would sending emails to Source Media staff be considered hacking? If an email server is configured to receive emails from outside the network, and the Hoffacker email address was not explicitly blocked, in what other way could hacking occur? If there had been some type of restraining order barring Hoffacker from sending emails and he did so anyway, could that legally be considered “hacking”? Or, if the known Hoffacker email address had been blocked, but he then used a different address to send to the two employees, could that be considered “hacking”?
Or…perhaps I’m missing a key component of the story…

“The two employees had been the subject of e-mails among executives discussing their employment status and possible termination, the government said.”

So, is the hacking claim based upon Hoffacker knowing information (which he used to tip off the two employees) that had been communicated within the Source Media system between the executives, but was not, according to Source Media’s knowledge or logs, ever sent directly to Hoffacker?
If so, and this is likely the case, it points out a few information security practices that Source Media apparently lacked:
* Implement policies and procedures to remove user account access to network and computer resources immediately upon, and in certain cases prior to, termination/dismissal.
* Implement additional controls to ensure systems access is monitored for trusted systems users, such as administrators.
* Never give administrators the ability to view other users’ account passwords.
* Encrypt passwords in storage (at rest) and in transit (in motion).
* Encrypt confidential information within email messages.
* Consistently enforce policies and procedures.
* Communicate, via training and awareness activities, the importance of these information security and email issues, and explain, in multiple ways, how these activities impact the business.
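One way to catch the first gap above (accounts that outlive their owner’s employment) is a recurring offboarding audit that reconciles the HR separation roster against a directory export and flags accounts still enabled, or still logging in, after the separation date. This is an added illustration, not code from the article or from Source Media; the usernames, dates and the `audit_offboarding` function are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (hypothetical names, not from the article):
# HR roster of separated staff -> separation date.
HR_SEPARATIONS = {
    "jdoe": date(2003, 6, 30),
    "asmith": date(2006, 9, 1),
    "bjones": date(2006, 10, 20),
}

# Constructed directory export: (username, enabled, last_login, is_admin).
DIRECTORY_ACCOUNTS = [
    ("jdoe",   True,  date(2006, 9, 14),  True),   # separated 2003, still in use
    ("asmith", False, date(2006, 8, 30),  False),  # disabled on time
    ("bjones", True,  date(2006, 10, 19), False),  # recently separated
    ("cwhite", True,  date(2006, 11, 10), True),   # current employee, ignored
]

@dataclass
class Finding:
    username: str
    issue: str
    days: int          # how far past the separation date the problem extends
    severity: str      # admin accounts are escalated

def audit_offboarding(separations, accounts, today, grace_days=0):
    """Return findings for accounts that remain enabled past their separation
    date (plus an optional grace period) or that logged in after separation."""
    findings = []
    for username, enabled, last_login, is_admin in accounts:
        sep = separations.get(username)
        if sep is None:
            continue                      # not separated; nothing to check
        severity = "high" if is_admin else "medium"
        deadline = sep + timedelta(days=grace_days)
        if enabled and today > deadline:
            findings.append(Finding(username, "still enabled after separation",
                                    (today - deadline).days, severity))
        if last_login is not None and last_login > sep:
            findings.append(Finding(username, "login after separation",
                                    (last_login - sep).days, severity))
    # Most severe and longest-standing problems first.
    findings.sort(key=lambda f: (f.severity != "high", -f.days))
    return findings

if __name__ == "__main__":
    for f in audit_offboarding(HR_SEPARATIONS, DIRECTORY_ACCOUNTS, date(2006, 11, 15)):
        print(f"[{f.severity}] {f.username}: {f.issue} ({f.days} days)")
```

Run against real exports, the same report also exercises the monitoring recommendation: a login recorded after the separation date is the signal that should have triggered an investigation long before a three-year gap.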
