May 20th, 2004, 11:22 PM
summer intern is a known hacker
I just learned that my company has hired a student intern for the summer to do some work in the IT department. This student is currently being prosecuted for hacking a national chain store's network and stealing credit card numbers. This makes me a bit nervous since the majority of security related tasks fall in my lap. Have any of you found yourself in a situation where a known hacker (cracker, etc) was given access to your internal network? How have you handled this?
May 20th, 2004, 11:24 PM
Monitor the hell out of him, everything he does. One slip-up, and send him packing.
May 20th, 2004, 11:27 PM
Why would your company ever hire a hacker w. a file? Doesn't your company have enough sense to do $9.99 background checks?
And if the kid is being prosecuted I would hope that he is smart enough to not do anything like that in the future, otherwise it's definite long-term jail time for him.
May 20th, 2004, 11:30 PM
I'm not an employer or anything of the like, so I haven't been faced with this problem, but he probably has skills far greater than his peers that just listen in class. I'm not saying what he did was right, far from it!
He should probably be kept under close watch, although you should make it clear that if he does stuff he's out, although I don't know whether that will have much effect...
May 20th, 2004, 11:32 PM
Let's start by locking him to the absolute minimum rights you can for him to do his job. Let's lock his login to specific workstations. Let's not allow him any admin privileges... please.... Let's sit him down on day one with the person that employed him and yourself and lay it all out..... Tell him he's watched, monitored, logged and the first time he does something you don't fully understand he's out, period, whether he has a viable explanation or not.... Out!
Then apply the monitoring......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
May 21st, 2004, 12:59 AM
Why the hell would your company hire him? I mean, obviously your company knows this and out of all the other applicants (I would assume there's more) you guys choose the dude with the record? Definitely restrict his privs and sit down with this dude. Oh, and to answer your question:
"Have any of you found yourself in a situation where a known hacker (cracker, etc) was given access to your internal network?"
No. Never, and it'll never happen either. Case in point, make the internship very tight.
May 21st, 2004, 01:06 AM
I definitely agree with restricting his activities a little...but aren't we making some assumptions about his actual abilities? It's entirely possible that he just downloaded some nifty little apps, and happened to stumble onto a vulnerability, national chain or not. After all, he did get caught??
/me playing devil's advocate
May 21st, 2004, 01:22 AM
What happened to "innocent until proven guilty"? Watch him and give him a chance to follow the right path.
May 21st, 2004, 01:39 AM
This is probably the worst advice I shall ever give in my life?
1. I presume that HR are aware?..............is there a policy on persons with pending prosecutions? if not, there should be.........suggest that? HR directors are good at covering their a$$es?
2. I know you hate Finance, but to tip off the beancounters will be a favour they owe you?
I certainly would not employ someone with a pending criminal offence charge against him?
IT must not give him access rights to anything other than the coffee machine and the trash cans............NO computer access........If you have problems with this, I suggest that maybe you talk to any director who is not his Father or Uncle....better include in-laws?
Problems...........shop to auditors...........external ones, but if you have internal ones, talk to them now.
My thoughts, and would save a 30-06 round?
Hey, then he gets a job throwing trash or whatever..........if the prosecution fails he should be able to sue, and won't have to work to get the money?
May 21st, 2004, 02:05 AM
Originally posted here by groovicus
but aren't we making some assumptions about his actual abilities? It's entirely possible that he just downloaded some nifty little apps, and happened to stumble onto a vulnerability, national chain or not. After all, he did get caught??
It's not an individual's "ability" that one has to worry about, it's their "intent".
Originally posted here by ttau
What happened to "innocent until proven guilty"?
As far as I'm concerned, he can be innocent somewhere else. Once the specter of suspicion has been raised, I wouldn't want them anywhere near any information system that I was in charge of.
I take a different approach to this situation than most others that have given you advice. If the company that you work for wants to play parole officer to the neighborhood's juvenile delinquents, so be it. That is out of your control. However, I would make it very clear, IN WRITING, that as the individual in charge of information security, you have the strongest concerns and reservations about their decision to employ a known security threat. Also make it clear that you can not be held responsible for the integrity of the corporation's data and information systems as long as he is in the company's employment.
If the company isn't going to cover its ass, at least you can make sure that you cover your own.