I was reminiscing about some funny stories from my career this morning. One in particular that came to mind was a request that a sysadmin at one shop asked of me when I left to pursue a new opportunity. He asked, "Please don't hack the company after you go."
I was dumbfounded and a little put out that he would think I would do something like that. I was leaving the company on good terms. Never even crossed my mind.
But this is a far wider concern than I had previously really wrapped my head around. I have read many stories about former employees "hacking" their ex-employers to exact revenge or to use resources that they no longer had privileged access to.
This came into vivid detail for me yesterday when a restaurant called "The Plough", somewhere in the UK, decided to let go of their head chef. When they did so, they forgot one key point: the chef still had access to their Twitter account.
This happens a fair bit. The part that I'm always amused by is that it tends to be spun as "hacking" in the media. It's not. It is a case of companies having a poor staff add/remove process, or none at all.
Example from CSO in 2011:
Prosecutors say that Palmer set up a back-door user account entitled "Palmer Lt" before being terminated by McLane at the end of 2009. That account was used to break into the Lone Star Plastics computer and was linked to other intrusions at McLane. Palmer had logged into it from a variety of locations, including his home address in Temple, Texas; Bikinis Sports Bar and Grill; and Buffalo Wild Wings in Waco, Texas.
Did he illegally access the network of his former employer? Yes. Did he hack? No. He simply accessed an account that the company had completely failed to lock out.
This led me to a discussion with some friends this morning on the topic.
"...it occurred to me that I still have full control of [REDACTED]'s Twitter, Facebook and LinkedIn accounts."
"I still have access to my former business's Facebook, Twitter, LinkedIn, Google Places, mailing list system, web hosting, and reservations systems."
It is rather incredible to me that so many companies do not have a solid staff add/remove process for onboarding and releasing staff. Another example: when I left another company, I had to convince them that on my last day someone needed to walk me out. They were oblivious to the need for a proper exit process, and this drove me nuts, as I had campaigned for it only to have it fall on deaf ears.
So ask yourself a salient question: did you leave the door open? Who controls your public-facing social media? Taking that a step further, how many accounts in your Active Directory are still...well, active?
If you hesitated even for a moment, you need to check.
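One way to actually answer the Active Directory question, as an added example that is not part of the original post: it assumes the RSAT ActiveDirectory PowerShell module and a hypothetical HR roster CSV (hr-roster.csv, with a SamAccountName column) and reconciles every enabled account against that roster and against recent logon activity.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and a constructed HR roster CSV (placeholder path) with a SamAccountName column.
Import-Module ActiveDirectory

function Find-OrphanedAccount {
    param(
        [Parameter(Mandatory)] [string] $RosterPath,   # CSV from HR: one row per current employee
        [int] $InactiveDays = 90                        # enabled accounts unused this long are suspect
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $roster = (Import-Csv -Path $RosterPath).SamAccountName   # -contains is case-insensitive

    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, Description |
        ForEach-Object {
            $reasons = @()
            # Enabled account with no matching person in HR: the leftover or back-door
            # account that an exit process should have caught.
            if ($roster -notcontains $_.SamAccountName) { $reasons += 'NotOnRoster' }
            # Enabled but unused. LastLogonDate is derived from lastLogonTimestamp,
            # which replicates lazily (up to about 14 days), so treat it as approximate.
            if ($_.whenCreated -lt $cutoff -and
                ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)) {
                $reasons += "NoLogon${InactiveDays}d"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    LastLogonDate  = $_.LastLogonDate
                    Created        = $_.whenCreated
                    Description    = $_.Description
                    Reason         = ($reasons -join ',')
                }
            }
        }
}

# Review the output with HR before disabling anything; service accounts often
# legitimately land in the NoLogon bucket.
Find-OrphanedAccount -RosterPath '.\hr-roster.csv' |
    Sort-Object Reason, LastLogonDate |
    Export-Csv -Path '.\orphaned-accounts.csv' -NoTypeInformation
```

The same reconciliation idea applies to the social media and hosting accounts mentioned above; there it has to be done by hand against a list of who holds each credential.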
(Image used under CC from *Fede*)