
Fired Gucci Employee Accused of Attacking Network

CmdrTaco posted about 3 years ago | from the well-that's-just-swell dept.

Security 62

WrongSizeGlass writes "Computer World, Information Week, The Register are all reporting on the story of a former Gucci IT employee who is accused of a November 2010 assault on Gucci's network deleting files and virtual servers, taking a storage area network offline, and deleting mailboxes from the corporate email server. The lost productivity is estimated at $200,000. Sam Chihlung Yin, 34, of Jersey City, NJ, allegedly created a fake VPN token in the name of a non-existent employee which he tricked Gucci IT staff into activating in June 2010, a month after his employment contract was terminated by Gucci for unrelated reasons."


They owe him (1)

Stenchwarrior (1335051) | about 3 years ago | (#35743936)

They should be paying him that lost $200,000 for running the white-hat attack to fish out the vulnerabilities. Yeah that's it...White. Hat.

Incompetent managers (1)

mangu (126918) | about 3 years ago | (#35744166)

I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired. Or, to use a car analogy, if a former employee was able to walk into a dealership and drive away with a $200,000 car just like that.

The law about computer crimes should have strong penalties for managers that allow that shit to happen. It would be somewhat different if the guy still worked for the corporation, because it's much harder to guard against an attack from inside, but if someone is responsible for managing a valuable asset he should be competent enough to take reasonable precautions to protect it from any attack someone could bring from outside.

Re:Incompetent managers (1)

Xugumad (39311) | about 3 years ago | (#35744248)

> The law about computer crimes should have strong penalties for managers that allow that shit to happen.

Why does this need to be a legal thing? I mean, there's employment issues to look at (like, err, should they have a job still), but why on earth would this be a legal issue?

Re:Incompetent managers (2)

deKernel (65640) | about 3 years ago | (#35744634)

I would think this is a legal issue in the fact that the person destroyed company property without consent. Imagine if you stopped getting the newspaper delivered, and as a result, the paper boy took your car and had it stripped.

Re:Incompetent managers (1)

Artifakt (700173) | about 3 years ago | (#35744692)

There's this concept of criminal degrees of negligence (under US or UK law at least). If somebody does a big enough screw-up, something any 'reasonable' person should have known better than to do (as the law defines reasonable), they have committed criminal acts. In this case, for example, some of the people working for the corporation made assurances to their boss that the system was better secured than that, and some of them made assurances to clients or to the government. If I know damned well there's a real chance of a leopard in the next room and I assure the people going through that door that things have been carefully inspected for their comfort, I've taken some of the responsibility for the crime as well as whomever planted the leopard. If I actually know the room inspector has no training in room inspection and was laid off six weeks ago anyway, that level of responsibility could rise to criminal.
The point here is, anyone claiming this rises to the level of legal issue is claiming some employees of the company knew there were real risks, and lied, or lied about their training to detect risks, or they lied to investors, or customers, or inspectors. They lied knowing that there was a real chance somebody would suffer serious financial harm. The law is there so there are circumstances where nobody can just say "I didn't really lie, I'm just a big dumb-ass who didn't think about it at all."
The fact that this is called 'criminal' negligence should explain that the law thinks justice can't be achieved by civil means only in such cases. I'm not sure just what you're objecting to here - modifying an existing law to include provisions for criminal negligence where it specifically relates to this sort of intrusion, or to the existence of criminal negligence as a legal concept in general.

Re:Incompetent managers (1)

derrickh (157646) | about 3 years ago | (#35744774)

You're actually blaming the victim? It's your fault for a thief picking your pocket, getting your keys and stealing your car because you should've had it chained to your waist? The home invasion was your fault because you didn't pay extra for the level 5 security system?

This wasn't a case of the IT staff inviting people into the office, sitting them at a PC with a list of passwords on the desktop. The criminal did very specific, targeted things to falsify keys and identities to gain access.

Re:Incompetent managers (1)

mangu (126918) | about 3 years ago | (#35745626)

> You're actually blaming the victim?

No. The victims are Gucci stockholders. The incompetent manager was an accessory to crime, therefore he should share the blame.

Re:Incompetent managers (1)

Nickodeimus (1263214) | about 3 years ago | (#35744426)

Tell that to the manager that goes to upper management for additional funds to harden the network and is denied. I'm sure you'll say, oh he should just quit working for such an organization. You'll, of course, forget that he still has a mortgage and car to pay for and work is not as easy to come by as it once was.

Re:Incompetent managers (1)

Stenchwarrior (1335051) | about 3 years ago | (#35744540)

I'm inclined to agree with you. However, in this case simple education of the staff or change in VPN access policy would probably have kept this from happening since it was a social engineering method.

Re:Incompetent managers (1)

JosKarith (757063) | about 3 years ago | (#35744562)

"I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired."
It's called being a Director isn't it..?

Re:Incompetent managers (0)

Anonymous Coward | about 3 years ago | (#35745128)

> I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired.

Give him a raise.

Re:Incompetent managers (1)

djdanlib (732853) | about 3 years ago | (#35748438)

> I wonder what a bank would do to the branch manager if a former employee could walk away with $200,000 six months after being fired. Or, to use a car analogy, if a former employee was able to walk into a dealership and drive away with a $200,000 car just like that.

Well, he didn't walk away with tangible things of value. A better analogy would be:
* Bank analogy: someone destroyed enough of the bank's records that it cost the bank $200,000 to fix the resulting mess.
* Car analogy: someone drove a monster truck onto the dealer's grounds and squashed $200,000 worth of cars.

It's not usually the case that a sysadmin's manager knows the system as well as the admin. So, it's not really possible for a sysadmin's manager to prevent all possible angles on something like that. It's kind of unique to that business. A bank's branch manager would know where all the doors were, and have a sheet that accounts for all the keys. A dealership would have some accounting for who has the keys to each car, who has the keys to the safe, and when any car keys were ordered or made. I know this because I've had to deal with ordering a duplicate car key, and there was more to the process than you'd think.

I think the current system works pretty well. Corporate information security policies do need to be designed, kept updated, and followed better in general, though.

Re:They owe him (0)

Anonymous Coward | about 3 years ago | (#35744420)

Unless it is after May 1. Then only beige is acceptable... but only when the shoes are darker than #aaaaaa.

Re:They owe him (2)

Hatta (162192) | about 3 years ago | (#35745406)

Am I desensitized by hyperbolic damage claims in other cases, or does $200,000 seem pretty low for this kind of attack?

Re:They owe him (1)

Stenchwarrior (1335051) | about 3 years ago | (#35745540)

I thought the same thing, actually. I chalked up the low number to the fact that they seem to be running virtualization and restoration of these servers is really easy, assuming they are making timely snapshots and storing them somewhere the ex-employee didn't have access to. They likely restored the latest images and had to re-enter some data...a few hundred people and a couple hours' worth of time is probably how they came up with the figure.

that's fucking awesome (0)

Anonymous Coward | about 3 years ago | (#35743956)

I remember a guy in intermediate school wearing Gucci. He used to dance a lot with the ladies a lot, I don't know what happened to him. If he has a family I guarantee you he's feeding off of my tax dollars! GNU FTW!

Hacking (3, Interesting)

SJHillman (1966756) | about 3 years ago | (#35743964)

It's funny how the closer something is to hacking, the less the word is actually used in an article. While this seems to me to be more of a result of bad policies (admin passwords were never changed) and social engineering (which is a form of hacking) than actual hacking, I find it funny that the term is hardly used at all whereas when Anonymous tries a DDoS, it's ZOMG HACK0RZ!!!! every other line.

Re:Hacking (2)

staticneuron (975073) | about 3 years ago | (#35744394)

Social Engineering is not a form of hacking. Hacking is not always a negative connotation but in every case it involves modifying hardware and software in ways it wasn't intended. Social Engineering existed as a term way before the term hacking and has more in common with fraud because it deals with people and not with devices and software.

Re:Hacking (1)

Ihmhi (1206036) | about 3 years ago | (#35745286)

Social engineering is modifying society to do what you want it to, just like, say, getting an Xbox to play a copied game.

Re:Hacking (2)

gnud (934243) | about 3 years ago | (#35747324)

It's not modifying society, it's leveraging how a society behaves to achieve your goal.

Re:Hacking (1)

Ihmhi (1206036) | about 3 years ago | (#35788566)

Hacking is the same thing - leveraging how a piece of software or hardware behaves to achieve your goal.

Moral of the story (-1)

sandytaru (1158959) | about 3 years ago | (#35743974)

Don't piss off network admins or sysadmins. Not saying don't fire them if they screw up, but don't fire them without a justified reason either. Without knowing the whole story I can't really pass judgment, but this sort of action smacks of revenge against pointy haired bosses to me.

Re:Moral of the story (3, Insightful)

The MAZZTer (911996) | about 3 years ago | (#35744054)

Being fired is likely to piss off someone whether they deserve to be fired or not.

Re:Moral of the story (0)

Anonymous Coward | about 3 years ago | (#35744368)

Really? If I do something I deserve to be fired for, I am not going to hold it against the company. On the other hand, losing my job because the boss wants to put his girlfriend's dimwit brother in my place might piss me off enough for me to consider retaliation.

Re:Moral of the story (1)

Moryath (553296) | about 3 years ago | (#35745132)

In other words... this is why anti-nepotism laws should be made a requirement of any business over the size of a 10-person "family business."

Re:Moral of the story (1)

schwit1 (797399) | about 3 years ago | (#35748724)

For publicly traded companies. Private companies should have the right to shoot themselves in the foot all they want.

Re:Moral of the story (4, Insightful)

Ogive17 (691899) | about 3 years ago | (#35744096)

What he got fired for is irrelevant. Sounds like a nerd's way of "going postal" is to delete as many files as possible on their way out.

Revenge is not a smart move. You are most likely going to get caught and it will ruin your chances at future employment as soon as a prospective employer does a background check.

Re:Moral of the story (4, Insightful)

sandytaru (1158959) | about 3 years ago | (#35744124)

I can't say I didn't fantasize about throwing a supermagnet into the data center of an ex-employer I was downsized from, but I knew better and the majority of adults I hope would know better too.

Re:Moral of the story (1)

Gunnut1124 (961311) | about 3 years ago | (#35744538)

Ever seen what Buckyballs will do when placed in close proximity to a 15k drive?

Re:Moral of the story (1)

tecker (793737) | about 3 years ago | (#35746098)

Um nothing? I play with them next to my HDs all the time and the backups still work fine. Of course this is my personal machine and I am not too paranoid about the backups getting hosed.

We also took some HD magnets (scrapped from an old HD we just wiped) and tried to zap a stack of remaining HDs to be wiped with them. No luck. We could still read the data off of it when we tested to see if the magnets worked so we had to DBAN each and every one of them.

Buckyballs next to the tape archives.... well that's a different story.

Re:Moral of the story (1)

knight24k (1115643) | about 3 years ago | (#35746618)

> I can't say I didn't fantasize about throwing a supermagnet into the data center of an ex-employer I was downsized from, but I knew better and the majority of adults I hope would know better too.

Yeah, I have had those fantasies too. You don't realize just how much damage you can do until you sit and think about it. After being let go by a retail chain with about 700 stores I realized that in about 15min I could pretty much put the entire chain out of business. They had just scrapped all their phones for VOIP and I had the passwords to all the routers and knew they had the domain admin password hardcoded into the mainframe (I had tried, unsuccessfully for over a year to get them to change that). It would have been very easy to vpn in using the admin account, telnet to the furthest VOIP router and erase mem my way back to the office effectively wiping out their phone network. Then, set the tape robot to bulk erase (they didn't use offsite storage - too expensive), wipe the fileserver, domain controllers, AIX and Linux and logoff. They also refused to buy any intrusion detection software so very little chance of getting caught. I would never do that, but it gave me a little perverse pleasure knowing that I could.

That company is still in business and I know of at least two instances where they have had breaches due to their refusal to implement even the most basic of security precautions. Still, I should thank them for canning me. I now work for a Fortune 500 company making more than double what they were paying, so all's well that ends well I guess.

Re:Moral of the story (2)

hubie (108345) | about 3 years ago | (#35744438)

I'm curious, even if he was fired without any justified reason, and let's assume for the moment that it was for some petty reason, would you think what he did was in any way justified or correct? If you are withholding judgment to hear what the cause of his termination was, I'm trying to imagine any scenario that would justify his actions. Simply being pissed off doesn't work (for me, at least). If it wasn't virtual damage, but instead if on his way out of the building he did $200k damage by smashing computer monitors, slashing the furniture, and breaking the fancy piece of art in the lobby, would it be any different in your mind?

Re:Moral of the story (0)

Anonymous Coward | about 3 years ago | (#35744874)

Of course we shouldn't feel sorry for the guy, nor should we feel sorry for the corporation. An employer who commits injustice shouldn't be surprised to find injustice by the employee. Not that we know why he was fired to begin with.

And no, the damage done is damage done, makes no difference how it was perpetrated. Simply punish him fairly and move on as he may have felt his punishment may have been worth the revenge.

There is no question that what he did was wrong but there should also be no surprise considering how many places treat their employees.

Re:Moral of the story (-1)

Anonymous Coward | about 3 years ago | (#35744452)

Just another self-entitled 'I'm better than you' IT guy who can't stand frustration and thinks the company's machines are his property. It's definitely a fact that in a group of friends, the doctor, the lawyer, the carpenter and the car mechanic will give you advice on anything related to their profession but the geek won't even agree to upgrade your computer's RAM. I heard most geeks are like that because they were bullied in school but I think when you're still trying to get revenge for that at 35 it's just sad.

Re:Moral of the story (1)

Moryath (553296) | about 3 years ago | (#35745324)

On behalf of all of us... fuck you [pcpro.co.uk] .

I help my friends with their PCs all the time. I do it out of the kindness of my heart. I help my parents when I can.

But when I help them, I also educate them. I show them what I'm doing. I doublecheck to make sure they've got up to date virus protection, up to date OS, properly locked down home network (PC direct into cable modem = AUGH).

And I tell them look - I'm your friend. I'm helping you out. But I get a ton of people asking for this every day. Coworkers constantly ask for "help" with their personal machines. Friends-of-friends. Friends want someone to help their mom, or their aunt too. I could make a full-time job of "helping friends" with their computer and NEVER MAKE A FUCKING DIME. So I have to limit it. And that means that I'll gladly help a friend out, provided that they're not just being total morons about this stuff and doing crap I warned them not to do.

Is it a bit rough? Sure. Do I want to be a 24/7 free "tech help center" for anyone who has my cell number? Fuck no.

In conclusion, if you didn't read the link the first time, fuck you [pcpro.co.uk] . I guarantee if you treated a doctor, lawyer, carpenter, or car mechanic the way you treat the IT/Computer people, they'd tell you to fuck off as well.

Re:Moral of the story (1)

Arrepiadd (688829) | about 3 years ago | (#35745682)

> I heard most geeks are like that because (...)

The problem is clearly not in the geeks if you are gullible to the point of believing everything you hear.

Re:Moral of the story (0)

Anonymous Coward | about 3 years ago | (#35744462)

The thing is, it might not be what it seems. A few years ago I got fired, apparently because my incompetent boss thought I was after his job (which couldn't be further from the truth; the last thing I want to be is a manager). Thanks to at-will employment, I was escorted from the building without so much as a warning. A couple weeks later, one of their public-facing systems was cracked. Never mind that it was a system I didn't even have an account on, or that I knew much of anything about, and never mind that at the time I was diplomatically asking for a chance to plead my case with HR as the wronged party... the execs immediately assumed I'd done it, and sent the F-B-fucking-I to my house. It was probably a random drive-by cracking. It might have been my boss faking the incident out of spite for me, or some other asshole trying to frame me for lulz. But I had nothing whatsoever to do with it. I'm just lucky the Feds found my protests of innocence credible enough to not seize my computers (which incidentally had a bunch of downloaded porn (all of legal age as far as I know, but not by much, and just try proving that to a jury) and a couple dozen ripped movie DVDs on them (stuff I'd rented and wanted to watch again later), and could have been used to ruin what was left of my life at that point). All for being better qualified than my boss. So I'm a big fan of "innocent until proven guilty".

How long.... (1)

Junior1120 (2026188) | about 3 years ago | (#35743988)

I wonder how long it took for the IT staff to determine the bogus user and remove remote access. The IT department must have activated that account with a minimum of domain admin permission. Bad IT policy at Gucci.

Re:How long.... (2)

sandytaru (1158959) | about 3 years ago | (#35744032)

Depending on the programs used, they might just add blanket "domain users" to the admin group on their systems. We do it at our smaller sites (that have no native IT staff) because it's either that or answer emails every 15 minutes about why they can't add in Google toolbar.

Re:How long.... (1)

ArhcAngel (247594) | about 3 years ago | (#35744468)

I love how 20 years later Microsoft's Active Directory still doesn't have the granular functionality that Novell Netware had way back in 1990.

Re:How long.... (1)

L4t3r4lu5 (1216702) | about 3 years ago | (#35744770)

Instead you spend hours of time re-imaging hosed systems because of Antivirus 2011 installations, Limewire-sourced trojans, and AWWW DA ICKLE KOOT SKWEEN SAVUR!!1

Seriously, if they don't need Google toolbar, why the hell would you let them install it? And let's be honest... You don't need Google toolbar, ever.

Word Association (0)

Anonymous Coward | about 3 years ago | (#35744094)


Cleavon Little...

The new sheriff is a ni[BONG]

200,000 is that even a loss for gucci? (0)

Anonymous Coward | about 3 years ago | (#35744224)

In other news Gucci recouped the lost revenue today with one sale (1 item). I kid I kid

Unrelated reasons? (3, Funny)

JDHannan (786636) | about 3 years ago | (#35744422)

Thanks Gucci for not breaching time continuity for not firing him for something he would do in the future!

Two things (1)

lymond01 (314120) | about 3 years ago | (#35744636)

1) if you're going to fire an IT admin who has access to all your stuff, you meet him at the door in the morning while your other admins are changing passwords. He doesn't touch a computer in your building again. You'll put his files on a flash drive and don't let the door hit you on the way out.

2) Anyone posting IT post-firing sabotage fantasies who isn't posting as an Anonymous Coward deserves the results of their next interview. I'm looking at you sandytaru.

Re:Two things (1)

xnpu (963139) | about 3 years ago | (#35745186)

Typically we pay these types of employees a delayed bonus. If after 6 months they did nothing to harm the company, it's paid, otherwise it's not. This usually buys IT enough time to have fully replaced all passwords, etc.

Re:Two things (1)

moco (222985) | about 3 years ago | (#35745786)

Or make sure you hire professionals. A professional will take their severance pay (or whatever they are entitled by law) and move on.

Also, the way people are fired says a lot about a company. Generally, if people are treated the way you suggest, that company is not a good place to be.

I'll agree with your second point. Those fantasies are either an indication of immaturity or personality disorders.

Death spiral? (0)

Anonymous Coward | about 3 years ago | (#35745060)

Quote from google finance.
"Gucci Group, an Italian company with a Dutch address that sells French fashion, does quite well in Japan, too. Its offerings include handbags and other leather goods, shoes, ready-to-wear clothing, cosmetics, skin care, jewelry, and watches. Gucci family squabbles and imprudent licensing once nearly doomed the firm. New management revived it with fresh product lines and stricter licensing, as well as heavy investing in its Asian presence. Gucci operates more than 550 stores worldwide and wholesales products through franchisees and upscale department stores. French retailer PPR purchased almost all of the remaining shares in the company in 2004, taking its interest up to 99.4%. "

Although this is a private company, I'd guess that recent events (Tsunami, credit crunch) have put this company into the corporate death spiral. But it needs to be confirmed... wonder if Gucci turnover figures are available from any ex employees.

two sides to every story (0)

Anonymous Coward | about 3 years ago | (#35745280)

I don't believe any mention has been made about the reasons for the original termination.
Maybe this guy had a real asshole boss or something.
Doesn't completely excuse what he did but....
At least he didn't follow the Postal model of getting even.

sounds to me like (1)

nopainogain (1091795) | about 3 years ago | (#35745658)

Sounds to me like ", allegedly created a fake VPN token in the name of a non-existent employee which he tricked Gucci IT staff into activating" means he found a serious process issue. Everywhere I've ever worked you had to jump through more hoops than a Ringling Brothers trained animal to get any access. In most places, IS security calls physical security (or the other way around) and the resulting person has to check with a manager of a department who gets authority from someone with director in their name. I guess Gucci will be enlarging its process model now.

Wait he used old passwords? (2)

tecker (793737) | about 3 years ago | (#35745992)

Why wasn't this guy's password deactivated? Did Gucci actually have common all-powerful known to all the engineers? We did that at our little IT shop because we didn't have full control of the network (we were a first response team to the main IT guys). It seems like you would give the guys some logins to use to things, use LDAP or ActiveDirectory groups to put them in the admin user level, and then when they leave/fired/downsized/outsourced/etc revoke them from the admin group(s).

How many times do we need to read "Fired techguy used his/known admin passwords to cause hell" before someone catches on?
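The offboarding controls raised across this thread (lymond01's "change the passwords while he's at the door", xnpu's wait-and-verify period, nopainogain's point that a token for a non-existent employee should never get approved, and tecker's "put admins in a group and revoke them from it") all reduce to reconciling three records that drift apart: the HR roster, the directory, and the remote-access token registry. The script below is an added example written for this page, not code from Gucci, Slashdot, or any commenter; the roster, directory export, token list and shared-secret inventory are constructed sample data, and the field names and severity labels are assumptions. It reports tokens issued to identities HR has never heard of, tokens activated after a termination date, terminated users still enabled or still in privileged groups, and which shared credentials a leaver knew and therefore need rotating.

```python
"""Reconcile HR, directory and VPN-token records to catch stale or bogus access.

Added example: all data is constructed, and the record layouts are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: the authoritative list of who should exist.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "terminated": None},
    "asmith": {"status": "terminated", "terminated": date(2010, 5, 15)},
}

# Constructed directory export: enabled flag plus group memberships.
DIRECTORY = {
    "jdoe":       {"enabled": True, "groups": {"Domain Users"}},
    "asmith":     {"enabled": True, "groups": {"Domain Users", "Domain Admins"}},
    "svc-backup": {"enabled": True, "groups": {"Domain Users", "Backup Operators"}},
}

# Constructed VPN token registry. "pwong" has no HR record at all; "asmith"
# had a token activated after the termination date.
VPN_TOKENS = [
    {"token": "tok-0001", "user": "jdoe",   "activated": date(2010, 3, 1)},
    {"token": "tok-0002", "user": "pwong",  "activated": date(2010, 6, 10)},
    {"token": "tok-0003", "user": "asmith", "activated": date(2010, 6, 10)},
]

# Constructed inventory of shared (non-personal) credentials and who knows them.
SHARED_SECRETS = {
    "core-router-enable": {"asmith", "jdoe"},
    "san-admin":          {"asmith"},
    "wifi-psk":           {"jdoe"},
}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
SERVICE_ACCOUNT_PREFIX = "svc-"  # assumed naming convention for non-human accounts


@dataclass(frozen=True)
class Finding:
    severity: str   # info | medium | high | critical
    subject: str    # account name or token id
    reason: str


def reconcile(hr, directory, tokens, as_of, privileged=PRIVILEGED_GROUPS):
    """Return findings where the three sources disagree about who should have access."""
    findings = []

    for t in tokens:
        user, rec = t["user"], hr.get(t["user"])
        if rec is None:
            findings.append(Finding("high", t["token"],
                                    f"VPN token assigned to '{user}', who has no HR record"))
        elif rec["status"] == "terminated":
            if t["activated"] >= rec["terminated"]:
                findings.append(Finding("high", t["token"],
                                        f"VPN token activated on/after termination of '{user}'"))
            else:
                findings.append(Finding("medium", t["token"],
                                        f"VPN token still assigned to terminated user '{user}'"))

    for acct, entry in directory.items():
        if acct.startswith(SERVICE_ACCOUNT_PREFIX):
            # Service accounts are owned by a team, not an HR record; flag privileged ones for review.
            if entry["groups"] & privileged:
                findings.append(Finding("info", acct,
                                        "privileged service account; confirm owner and rotation"))
            continue
        rec = hr.get(acct)
        if rec is None:
            findings.append(Finding("high", acct, "directory account with no HR record"))
            continue
        if rec["status"] == "terminated":
            if entry["enabled"]:
                days = (as_of - rec["terminated"]).days
                findings.append(Finding("high", acct,
                                        f"account still enabled {days} days after termination"))
            held = entry["groups"] & privileged
            if held:
                findings.append(Finding("critical", acct,
                                        f"terminated user still in {sorted(held)}"))
    return findings


def secrets_to_rotate(leaver, shared=SHARED_SECRETS):
    """Shared credentials a leaver knew; every one of these needs rotation on their last day."""
    return sorted(name for name, holders in shared.items() if leaver in holders)


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, VPN_TOKENS, as_of=date(2010, 11, 1)):
        print(f"[{f.severity:8}] {f.subject}: {f.reason}")
    print("rotate for asmith:", secrets_to_rotate("asmith"))
```

Run daily against real exports, the first loop is what would have caught a token in a name HR has never issued, and `secrets_to_rotate` turns "change the passwords while he's at the door" into a concrete list rather than something the remaining admins have to remember under pressure.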

Unrelated reasons? (0)

Anonymous Coward | about 3 years ago | (#35748808)

> Sam Chihlung Yin allegedly created a fake VPN token... which he tricked Gucci IT staff into activating a month after his employment contract was terminated by Gucci for unrelated reasons.

I certainly hope the reason they fired him wasn't for something he hadn't done yet. Especially if it was in retaliation for being fired in the first place.

That's not remotely IT related! (1)

Skeesicks (1402133) | about 3 years ago | (#35749066)

It's like you have an employee who duplicates his company keys and burns down the company at night. What he did is he committed a crime. If he did that with fake accounts or fake keys makes no difference. If I would get fired I WOULD NOT EVEN REMOTELY THINK of harming the company...what he did is really dumb and even if he left in anger, this does not justify any of his actions. I once got fired, but I worked till my last day like every day. Especially in IT you have to have some kind of tact, or you are COMPLETELY WRONG in IT. With great power comes great responsibility!

Skeesicks, step into my office. (0)

Anonymous Coward | about 3 years ago | (#35749278)

We've been having a lot of trouble with you lately, and that ALL-CAPS tirade is the last straw. You're fired, now grab your coat and hat and get the hell out!
