What possible havoc can an insider conduct post-employment—especially an employee who voluntarily resigns (well, perhaps read the writing on the wall and voluntarily resigned)? The answer is plenty, so learned Navarro Security Group of Florida, which was forced to deal with the aftermath of the actions of Jonathan Eubanks, a young-man of 20-plus years who decided he would do all he could to destroy his employer after he departed the company.
Cutting quickly to the ending: Yes, he was caught (eventually) and was tried and sentenced to seven years of prison in late June 2017. But we are getting ahead of ourselves.
How did Eubanks infiltrate the company?
To learn just what occurred and how, we dug into the court records, including the indictment, exhibits and trial testimony given by the Department of Justice (DOJ) Computer Crime and Intellectual Property Section (CCIPS) expert witness whose team conducted the forensic examinations of the various devices that Eubanks compromised.
Eubanks didn’t have to use any super-secret software to affect his remote access to Lavarro’s devices; he used the remote access software LogMeIn. It's same application professional help desk and technicians use every day. He downloaded the app to the targeted host, tweaked the settings so no interaction was required on the host device and then remotely accessed the client device (used by Eubanks) at his leisure. The target device: the company’s operations manager’s computer.
From the access availed to the operations manager’s device, Eubanks then ran a myriad of applications, all designed to sniff-out/crack passwords and access credentials. These included Cain & Abel password recovery tool, WinPcap remote packet capture tool, and VNCPassView, which recovers the password of the current logged-on user and passwords stored for the user.
Eubanks harvested passwords and solidified his access.
He compromised the operations manager’s computer and took user and admin control of the device (logging in as the operations manager when he desired). He took control of the company’s networked printer with administrator privileges. He accessed the company’s payroll app, Millennium3. He also took control of the company’s website. He now had the access necessary to wreak havoc upon Navarro, and that he did.
Files deleted, email system hacked, website traffic redirected
He went to work. Using the operations manager’s computer, he deleted all the files on one of the company’s servers, which included employee personnel files and schedules and assignments. Eubanks then went about sending disparaging emails from the operations manager’s corporate account to former co-workers.
Eubanks was just getting started.
Clients began receiving disparaging emails ostensibly from the operations manager’s account. He then installed a 301-permanent redirect that redirected all visitors to the company’s website to that of a local competitor (Blackwater Protection). He also went on to use the credit cards of three individuals for thousands of dollars of purchases.
In sum, over the course of a few weeks, from late December 2012 through January 2013, a former employee of a personal security company was able to inflict material damage on the company using off-the-shelf tools that did not require a great deal of technical acumen to use.
What is unknown is what type of off-boarding protocol was in place at Navarro when Eubanks departed. It is not clear if there were any infosec protocols in place within the small business, nor is it explained fully in the court documents exactly how Eubanks came to have unencumbered access to the operations manager’s device prior to his departure to install the LogMeIn application.
We won’t know, as Navarro Security has dissolved.
This article was originally posted on CSO Online (US) on the 10th July 2017.