An IT employee who is charged with gumming up the works at
the City and County of San Francisco's main data center by changing
access passwords for administrators could have been stopped short of
crippling access to the system if IT management had had the right
security software in place.
Terry Childs, 43, of Pittsburg, Calif., pleaded not guilty in court July
17 at his arraignment on four felony counts of computer tampering.
Childs remains in custody in lieu of $5 million bail. Childs, who makes
$127,000 per year and has worked for the city for five years, has a
bail hearing set for July 23.
Childs, a network administrator for the Department of
Technology, is charged with tampering with the system's
FiberWAN (Fibre Channel-connected wide-area network), which contains
San Francisco's sensitive Human Resources, payroll and other personal
data. He created an administrative password that provided him superior
access to the network.
Childs, who was arrested July 13, refuses to divulge to authorities the new secret password he concocted, even four days after his arrest.
Childs is accused of "tampering with the City and County of San
Francisco's FiberWAN network system in such a way as to deny other
authorized administrators access to the network and to set up devices
to gain unauthorized access to the system," according to a statement
from District Attorney Kamala Harris' office.
The city system (which handles most of the city's digital records,
including confidential law enforcement documents, inmates' bookings,
payroll records and departmental e-mail) apparently
has no back-door access, even for highly authorized administrators.
City officials were still trying to figure out how to get back into the
FiberWAN Thursday afternoon.
City and County of San Francisco technology department manager Ron
Vinson declined to return numerous messages left on his office phone by
eWEEK. Mayor Gavin Newsom has had little or nothing to say publicly
about the case thus far. Law enforcement officials have been
tight-lipped with the media.
Security companies that sell into this market are beginning to come
forward with their expertise to discuss the incident. EMC's RSA
Security (which also uses a relatively new security approach called dynamic security), Hewlett-Packard, Sun StorageTek, IBM and NetApp are the larger IT companies that sell centralized key management.
Cyber-Ark, an identity
management specialist based in Newton, Mass., said that the network
lockout could have been avoided if managers had operated a
higher-security approach to master passwords.
"This is yet another example of the power privileged identities, such
as administrative passwords, have and the havoc they can cause in the
wrong hands," said Cyber-Ark Vice President Adam Bosnian.
"Hackers, or rogue employees such as this case, are savvier on how to
create the most damage with the least effort, and the use of admin
passwords does just that. Unfortunately, the San Francisco department
left themselves wide open by not taking their privileged identity
management seriously."
A city spokesperson estimated that this internal breakdown will cost
millions of dollars in repairs. Though the network is running, there is
still no way for IT administrators to access it at this time.
"It is critical to take a more proactive approach to secure company
back doors," Bosnian said. "Companies install complex systems for
personal passwords and overlook the more numerous privileged passwords
and identities that provide even more system access. These security
breakdowns will continue to occur until these keys to the kingdom are
securely centralized and managed."