Ex-employee exploit on company website

February 4, 2015

Last week, one of the websites that I maintain was attacked.

The intruder seems to have exploited a misconfiguration in one of the items to place an order for $0. This exact thing happened last year too. In that previous case, Paul, an ex-employee and network administrator, had used his own name. At the time, I contacted him and threatened to report the incident. It also pretty much ended our friendship.

This time, unless my memory fails me, he used a friend’s name. Someone he had mentioned casually. Maybe I’m mistaken.

Both attacks require the same intimate knowledge of the structure of the site and the nomenclature of the item codes, and one more thing: they require one of the operators to have made a mistake when creating the product.

The RCMP defines this as a crime:

Cyber insider threat

An insider threat is a malicious and often criminal threat to a public or private organization that comes from someone inside the organization, such as an employee or contractor, who is attempting to disrupt the activities of the organization. While not unique to cybercrime, insider threats involving unauthorized computer use or data mischief represent a growing risk to organizations that rely on the Internet, networked systems and related technologies. These threats extend the ways in which insiders can steal from an organization or commit criminal breach of trust. (Full text available here)

Paul was an ex-employee with internal knowledge of the product nomenclature, and that knowledge was the only way this exploit could have worked: by following the nomenclature he arrived at the one visible item in the catalog, placed it in the shopping cart while not logged in, and then created a new user to order it. This incident therefore falls squarely in the “data mischief” category of the “Cyber insider threat” definition.
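The failure described above is an operator mistake (a mispriced or stray catalog item) that the storefront never re-checked at checkout. The following is an added example of a server-side checkout guard, not code from the site in this post; the catalog, item codes and prices are constructed for illustration. It re-validates every line of the cart against the catalog at the moment of purchase, regardless of how the cart was built or whether the buyer registered after filling it, and produces a log record of the kind the author says he will keep next time.

```python
"""Server-side checkout validation against a product catalog.

Added example, not the site's own code. The catalog, item codes and
prices below are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass
class Product:
    code: str
    name: str
    price: Decimal
    published: bool  # True when the item is meant to be visible in the catalog


@dataclass
class CartLine:
    code: str
    quantity: int


@dataclass
class Cart:
    lines: List[CartLine]
    created_anonymously: bool  # cart was assembled before the buyer logged in or registered


# Constructed catalog. "GEAR-0042" models the operator mistake in the post:
# a visible product that was left at a zero price.
CATALOG: Dict[str, Product] = {
    "GEAR-0001": Product("GEAR-0001", "Widget", Decimal("19.99"), True),
    "GEAR-0042": Product("GEAR-0042", "Misconfigured item", Decimal("0.00"), True),
    "GEAR-0099": Product("GEAR-0099", "Unreleased item", Decimal("49.00"), False),
}


def order_total(cart: Cart, catalog: Dict[str, Product]) -> Decimal:
    """Sum of catalog price times quantity for every known line in the cart."""
    total = Decimal("0")
    for line in cart.lines:
        product = catalog.get(line.code)
        if product is not None:
            total += product.price * line.quantity
    return total


def validate_checkout(cart: Cart, catalog: Dict[str, Product]) -> List[str]:
    """Return the reasons the order must be refused (empty list = accept).

    The checks run at checkout no matter what the cart page displayed, so a
    cart built anonymously is re-validated once the buyer has an account.
    """
    problems: List[str] = []
    for line in cart.lines:
        product = catalog.get(line.code)
        if product is None:
            problems.append(f"{line.code}: unknown item code")
            continue
        if not product.published:
            problems.append(f"{line.code}: item is not published")
        if product.price <= 0:
            problems.append(f"{line.code}: zero or negative price")
        if line.quantity <= 0:
            problems.append(f"{line.code}: invalid quantity {line.quantity}")
    # A cart of otherwise valid lines must still carry a positive total.
    if not problems and order_total(cart, catalog) <= 0:
        problems.append("order total is zero")
    return problems


def audit_record(cart: Cart, problems: List[str]) -> Dict[str, object]:
    """Structured log entry for the checkout decision, kept for later tracing."""
    return {
        "event": "checkout_rejected" if problems else "checkout_accepted",
        "anonymous_cart": cart.created_anonymously,
        "items": [line.code for line in cart.lines],
        "problems": problems,
    }


if __name__ == "__main__":
    suspicious = Cart([CartLine("GEAR-0042", 1)], created_anonymously=True)
    print(audit_record(suspicious, validate_checkout(suspicious, CATALOG)))
```

The point of the design is that the price and visibility decision is made from the catalog at checkout, not from whatever the cart stored earlier; a $0 item reaches the rejection log instead of becoming an order.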

In the end I didn’t report it.

However, the fact that this more recent incident occurred in exactly the same way gives me pause. Perhaps I should have been less gentle with an ex-friend and co-worker and done the “right” thing. If this happens again I will trace the activity, document it, and call the RCMP. No more nostalgic lenience.
