Security

Also, missing school iPad resurfaced after coach’s kids uploaded video to YouTube

PWNED Welcome, once again, to PWNED, the weekly column where we cover high-security hijinks that are at least partially the victim’s fault. This week, we have a trio of tales that involve incredibly unprofessional behavior, inappropriate use of corporate resources, and outright theft, all dealt with by IT. 

Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request.

Our trilogy of tech exposure comes courtesy of Zach Lewis, the current CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis. Before his current role, Lewis worked for various other companies in IT roles and he has some tea to spill.

At one job, Lewis was working as a sysadmin when the CEO asked for help recovering photos he had accidentally deleted from a company file share. The files were accessible to anyone at the organization, and Lewis searched archived copies in Google Picasa to restore them.

Unfortunately, the pictures the CEO was missing included many that were very much NSFW.

“So I was called in to sit down with him and look at it. And we're just like I restore everything. We start clicking images to make sure everything's there, just doing a random subset check,” Lewis said. “And, uh, just some pornography comes up and he's sitting right next to me. I mean, right next to me, he's just like, oh yeah, that's just some of my porn.”

When he was done restoring the photos, Lewis left the room. It was clear the boss had no shame and no problem with IT seeing his explicit images or with storing them where any employee could download them. They were even mixed in with official photos and family pictures.

However, knowing this was bad policy and could probably lead to a lawsuit, Lewis approached human resources and told them about the problem. The HR representative instructed him to delete all the smut from the network, even though it belonged to the big boss. He did that, and fortunately, did not face any repercussions at work for deleting the big man’s cheeky pictures.

He wore a top hat

In another instance, Lewis was asked to look at a coworker’s computer when the employee thought he had gotten a virus on his laptop. However, the colleague cautioned IT not to look through his files.

After a little while, Lewis noticed a folder filled with other subfolders that were festooned with adult images, both of naked women and of the employee himself without clothes on. All of the photos had appropriately descriptive file names too.

Perhaps most embarrassing of all for the coworker is that Lewis saw his semi-naked pictures. To be fair, he was dressed in the images, as he was wearing a top hat – but nothing else. 

The problem, Lewis notes, is that employees treat their work computers as if they are home computers and do not think about the implications of having personal images on something that belongs to a corporation. He suggests setting a firm policy against this kind of thing and educating workers about the policy.

When workers inevitably violate the policy, it’s time for a gentle reminder.

“A policy is just, you know, paper, right? It's hard to enforce that,” Lewis said. “You can talk to the user in this instance. In this most recent instance with this guy in the top hat, it was ‘hey, these are company resources’ when I gave the computer back to him.”

Kids’ YouTube upload exposed a potential thief

In another gig, Lewis worked at a university. When one athletics coach quit, he was supposed to leave his school-issued iPad on his desk. But when the IT department came to collect the equipment, this tablet was missing.

No one could find the missing iPad, but a month later, someone uploaded a new video to the school’s YouTube channel. The video featured a different coach's kids and appeared to have been uploaded from his house.

Apparently, the other coach had allegedly snatched the iPad off of the first coach’s desk and given it to his kids. The kids then used the iPad to film a funny home video and upload it to YouTube, not realizing that it was connected to the school’s official YouTube account.

Lewis notified HR, who called the apparent thief in. At first, he denied that the children in the video were his offspring. However, the HR agent then showed him a photo of him and his kids on social media together and he admitted, okay, he was their dad.

The coach then said he didn’t know how the iPad got into his house. But he grabbed it and returned it to IT. 

There are a lot of problems with the iPad situation from a security perspective. First, the iPad that wasn’t turned over clearly was not locked to the point where someone else couldn’t get into it. It had access to the school’s YouTube account, so any thief could add their own content to it and it may have even had PII (personally identifiable information) about some student athletes. 

Bottom line: make sure departing employees hand over equipment directly to IT. Don’t let them just leave equipment on a desk. And make sure even tablets require biometric access. ®