from Hacker News

Engineer admits he wiped 456 Cisco WebEx VMs from AWS after leaving

by swatkat on 8/29/20, 8:44 PM with 63 comments

  • by kstrauser on 8/30/20, 2:31 AM

    I left one job to switch to another. A year later, my new job started using a cloud-based task management app. When I went to sign in, my 1Password auto-filled the credentials I'd used for the same app at my previous job, and there I was looking at all of my old employer's current projects and other confidential info. I called my old boss (who I got along with just fine), told him what happened, and asked him to please cut off my access immediately.

    When you leave a job, it's in your own best interest to make sure that all of your access is removed. It's a lot harder for them to blame unexpected happenings on you if you can't even log into the thing. (Not that this happened here. I just wanted to point out a gotcha you might not have thought about.)

    If you find out that they missed something, report it to them immediately and keep that paper trail demonstrating your good intentions toward them. Then hound them about it until they get around to fixing the situation. And for the love of God, don't ever, EVER log in "just to look around". Absolutely no good can come of that.

  • by saidajigumi on 8/29/20, 10:29 PM

    This article leaves more questions than it answers. Room-elephant number one: access being available after an employee has left is bad. That access remaining five months later is beyond the pale, unless the real story is that the employee created a backdoor. Barring a backdoor, there are further serious questions about the employee retaining this access, presumably without any employer-provided and controlled hardware (e.g. laptop, yubikey, or what-have-you).

    Room-elephant number two: motive. The reported facts naively summarize as "oops, ex-employee blew up some stuff in prod, caused problems". <meme>But whyyyyy??</meme> There's no indication of specifics, and seeming denials of some obvious guesses: attempts at hacking (e.g. data exfiltration for profit, which are denied), ransomware, revenge, or anything else that would explain this behavior.

    Further confounding everything is the bit where the new employer's response to these revelations is apparently "shrug".

  • by nixgeek on 8/29/20, 9:40 PM

    Biggest question for me would be why the employee still had access so long after terminating employment with Cisco.

    A common piece of auditor evidence across many compliance frameworks is whether employees have access proportionate to their role (which is naturally highly subjective), but also proving that access is revoked when employees leave the company. This seems like an outright failure on Cisco’s part.

    Hopefully they’ve learned from this and put effort into enhancing their identity governance situation.
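
    The audit evidence described in this comment (proving access is actually revoked when people leave) can be produced mechanically. The following is an added example, not code from the thread or from Cisco: it joins a constructed IAM-style credential report (modelled on a subset of the AWS IAM credential report columns) against a constructed HR termination list, and flags every still-enabled password or access key belonging to a departed user, distinguishing credentials that were merely never revoked from ones that were actually used after the termination date. Usernames, account id, dates and the `TERMINATIONS` / `SERVICE_ACCOUNTS` inputs are all assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample report. Column names follow the AWS IAM credential report;
# the rows, account id and timestamps are made up for this example.
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2018-03-01T10:00:00+00:00,true,2020-08-28T09:12:00+00:00,true,true,2020-08-29T01:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-06-11T10:00:00+00:00,false,no_information,false,true,2020-08-20T04:40:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2019-01-15T10:00:00+00:00,true,2020-02-10T11:00:00+00:00,true,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2019-09-01T10:00:00+00:00,false,no_information,false,true,2020-08-29T12:00:00+00:00,true,2020-08-29T12:00:00+00:00
"""

# Constructed HR feed: IAM username -> last day of employment (ISO date).
TERMINATIONS = {"bob": "2020-03-31", "carol": "2020-04-15"}
# Non-human identities are reviewed separately, so they are excluded here.
SERVICE_ACCOUNTS = frozenset({"deploy-bot"})


@dataclass(frozen=True)
class Finding:
    user: str
    credential: str   # "password", "access_key_1" or "access_key_2"
    severity: str     # "used_after_termination" or "not_revoked"
    last_used: str    # raw value from the report, kept for the evidence trail


def _parse_ts(value: str):
    """Credential reports use placeholders when no timestamp exists."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_departed_users(report_csv: str, terminations: dict, service_accounts=frozenset()):
    """Return one Finding per enabled credential that belongs to a departed user."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user in service_accounts or user not in terminations:
            continue
        left = datetime.fromisoformat(terminations[user]).replace(tzinfo=timezone.utc)
        credentials = [
            ("password", row["password_enabled"], row["password_last_used"]),
            ("access_key_1", row["access_key_1_active"], row["access_key_1_last_used_date"]),
            ("access_key_2", row["access_key_2_active"], row["access_key_2_last_used_date"]),
        ]
        for name, active, last_used_raw in credentials:
            if active != "true":
                continue  # already disabled: nothing to report
            last_used = _parse_ts(last_used_raw)
            # A credential that was exercised after the leaving date is an
            # incident to investigate, not just an offboarding gap.
            if last_used is not None and last_used > left:
                severity = "used_after_termination"
            else:
                severity = "not_revoked"
            findings.append(Finding(user, name, severity, last_used_raw))
    return findings


FINDINGS = audit_departed_users(CREDENTIAL_REPORT, TERMINATIONS, SERVICE_ACCOUNTS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.severity:24} {f.user:12} {f.credential:13} last_used={f.last_used}")
```

    Running this on the constructed data flags bob's access key as used after his termination date and carol's console password as never revoked; alice (still employed) and deploy-bot (service account) produce nothing. In practice the report would come from the IAM credential report of each account and the termination list from the HR system, and the check would run on a schedule so that the "no findings" output itself becomes the auditor evidence.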

  • by viraptor on 8/29/20, 10:57 PM

    I can't find any place explicitly saying this was done maliciously. A theory: this could also be a really bad accident where (for example) he works without a company-provided computer and didn't clean out his old AWS profiles from the previous company, and ended up deleting resources from the wrong account.

  • by gruez on 8/29/20, 10:23 PM

    This paragraph is baffling:

    >According to a court document, Ramesh is in the US on an H-1B visa and has a green card application pending. "Although he and his employer recognize that his guilty plea in this case may have immigration consequences, up to and including deportation, his employer … is willing to work with him regarding the possibility of his remaining in the country and continuing to work for the company," the document [PDF] says.

    Why would you re-hire someone who quit and wiped your servers?

  • by blinkingled on 8/30/20, 3:39 AM

    This feels like maybe he at some point discovered that his AWS access to the Cisco account was intact and got curious about it and maybe even did some harmless things. Then while playing around with GCP he managed to run something that deletes stuff (Terraform maybe) but the credentials used were those of the Cisco AWS account, which wasn't what he intended - clearly just deleting stuff is not the smart thing to do when it will be recorded against his AWS credentials.

    I think he is pleading guilty to unauthorized access which was intentional - but not to the deletion which was unintended.

  • by TwoBit on 8/30/20, 12:00 AM

    With that kind of sloppy security in place, Cisco is going to be easily ransomwared.

  • by eithed on 8/30/20, 6:03 PM

    Phhhh, 6 months... I'd still have access to my first company's Google local directory console almost 14 years after I left it (this is despite numerous messages on my part to remove my access) if Google were not to remove the listing altogether.

  • by gregoriol on 8/30/20, 3:20 PM

    This is a really scary situation for an employee: maybe this case was a mistake or maybe it was bad intentions, but imagine you are leaving a company and your access should be closed, but actually is not; then your account, still active without your knowledge, might get hacked... and you could be held responsible?

  • by turowicz on 8/30/20, 8:05 AM

    It also means there was no orchestration for the VMs. System should have recreated them 1 by 1 on a health check triggered restore action.
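
    The health-check driven restore this comment has in mind is a reconciliation loop: compare the desired set of VMs with what actually exists and recreate what is missing. The following is an added example, not code from the thread or from any Cisco system, using a constructed in-memory `Fleet` in place of a real cloud API. It also shows the caveat a practitioner would add: a reconciler that silently recreates everything after a mass deletion would hide the incident, so it restores at a limited rate per pass and raises an alert when the missing fraction is abnormal. VM names, the threshold and the rate limit are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Fleet:
    """Constructed stand-in for a cloud API: the set of VMs that actually exist."""
    running: set = field(default_factory=set)

    def health_check(self, name: str) -> bool:
        return name in self.running

    def create(self, name: str) -> None:
        self.running.add(name)


def reconcile(desired, fleet, max_restores_per_pass=1, alert_threshold=0.25):
    """One pass of a health-check driven reconciler.

    Returns (restored, alert): the VMs recreated in this pass and an alert
    message when the missing fraction exceeds alert_threshold, which is the
    signal that something other than a single node failure happened.
    """
    missing = sorted(name for name in desired if not fleet.health_check(name))
    alert = None
    if desired and len(missing) / len(desired) > alert_threshold:
        alert = (f"{len(missing)}/{len(desired)} VMs missing: possible mass "
                 f"deletion, restoring at most {max_restores_per_pass} per pass")
    restored = []
    for name in missing[:max_restores_per_pass]:  # one by one, not all at once
        fleet.create(name)
        restored.append(name)
    return restored, alert


def run_until_converged(desired, fleet, max_passes=1000) -> int:
    """Repeat reconcile() until nothing is missing; returns passes that restored a VM."""
    passes = 0
    while passes < max_passes:
        restored, _ = reconcile(desired, fleet)
        if not restored:
            return passes
        passes += 1
    raise RuntimeError("fleet did not converge")


if __name__ == "__main__":
    desired = {f"webex-vm-{i:02d}" for i in range(1, 9)}  # constructed names
    fleet = Fleet(set(desired))
    fleet.running.clear()  # simulate every VM being deleted at once
    restored, alert = reconcile(desired, fleet)
    print("first pass restored:", restored)
    print("alert:", alert)
    print("further passes needed:", run_until_converged(desired, fleet))
```

    On the simulated wipe the first pass recreates a single VM and raises the mass-deletion alert; the remaining VMs come back over the following passes. A single failed node (one of eight missing) is below the threshold and is restored without an alert, which is the normal self-healing case.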