In-Depth

IT Gone Bad

Spying, blackmailing and thievery -- are there criminals in your IT shop?

• By Doug Barney
• 10/01/2006

In the right hands, information is a valuable tool. In the wrong hands, it can ruin lives, destroy companies and land offenders in jail. This puts IT in a precarious position. There is a fine line between protecting information and abusing it.

"IT can look at anything at anytime. All of the accounts and privileges go through IT," says one admin who, like most of the IT professionals interviewed for this story, declined to be identified due to the sensitivity of the topic.

"As the network systems admin for my company, I'm only a sniffer away from any information I want. Do I do that?" he asks. "Of course not. It's not ethical. If you don't trust your IT people, get rid of them. All of the data in your company is in their hands, so they had better be trustworthy."

Ensuring trustworthiness is easier said than done, because there are some who just can't resist temptation. "We have a network guy who monitors everyone's Internet usage. Most employees don't know this because our boss tells everyone that there's no one monitoring the Internet and that he doesn't want to know anyway, but this network guy always seems to know what everyone is surfing for. He even talks about it with other employees," says Jeff Osia, senior application developer for JW Software Inc.

Moonlighting by Day
Invasions of privacy are bad enough, but other IT abuses can be much more serious. An IT worker for a school district lived though a nightmare when the district's IT director and a network co-worker became partners in crime. "They had a computer consulting business they ran on the side and would leave the district several times a day to work on client computers without taking vacation time," the IT worker explains.

What started as moonlighting on school district time grew steadily worse. "They discovered the program eBlaster, which records everything you do on the computer and attaches keylogs, screenshots, Internet usage and a lot of other info in an e-mail and sends it to a specified address for review," the worker explains.

This went far beyond mere snooping. "This was initially used to monitor users suspected of spending too much time surfing the Internet or inappropriate e-mail. It was put on the CFO, COO and superintendent's computer. It's also suspected that it was put on a few of the school board members' computers."

According to the IT worker, those involved hoped to use knowledge of employees' and school board members' positions on various issues to help advance new initiatives and gain political favor.

"They also installed a server with Lightspeed software that would record all network packets and save any information that went through the network for specific users, including documents and e-mail and that would send reports to a specified address. This was brought to the attention of the CFO (who some suspected was the one who wanted the info) and he conducted an internal investigation. His investigation showed that nothing was happening," the worker continues.

While the internal investigation glossed over the situation, other authorities weren't convinced. "Less than a week after the internal investigation was complete and the school board was told nothing was going on, the FBI came in and confiscated our Exchange server, the LightSpeed server, all of the IT department computers and all the computers that were suspected to have eBlaster installed." The case is now with the local DA, who is reportedly negotiating plea bargains.

Besides spying on their colleagues, these miscreants also used school district funds to pay for their new company. "They were ordering parts from our vendor, building them into new cases and selling them to their clients. A few of us suspected this when we saw parts come in that we didn't use anywhere," he says. "One day we saw a tape drive in a box of parts and the next day it was gone. A few days later, our network engineer brought in pictures of the new server he built for a client and it had that tape drive in it."

Ironically, when this whistle-blower moved to a new job, he was able to help nail these crooks. "When I started my new job, I was trying to collect inventory of the computers and software. I used AuditWizard to scan all the computers and build the database. I was having problems with three computers collecting the information. I checked the data and they happened to be from the same vendor we had at the school district," he says.

Then it was time for some detective work. "I contacted the rep ... and gave him the serial numbers from the systems. He gave me the purchase order and specifications as computers that were sold to the school district," he says. "I had my accounting people pull the purchase orders and they were purchased from the business owned by the [school district's] network engineer and IT director less than two weeks after they were sold to the school with the identical configuration in a different case." No getting out of it this time -- they were busted.

Snoop Dog
Privacy invasions are the most common issues. "We hired a bright young guy to operate our network. We soon found he was operating an online store from our server," says the president of a computer firm who asked to remain anonymous. "We also discovered he was reading e-mail to and from executive staff and doing other subversive activities. The moron didn't see anything wrong with any of his activities."

Snooping on the CEO's e-mail to his mistress or your boss' personal messages may seem like a joke, but in doing so, you're violating corporate policy, personal privacy and possibly the law. Disclosing what you've learned to co-workers is a whole different level of wrongdoing.

"A couple of years ago, one of the techs in our department seemed to 'know' about announcements before they were made public. He also seemed to 'know' things about one other tech who had declined to go out with him. She was positive he must have been reading her e-mails, because he would say things to her he could only know by reading those e-mails," says Cathy, another anonymous IT pro.

This is not as rare as you would like to think. "I had been working for someone [from whom] I was learning administration. I saw cases where this person was fixing a problem, and reviewed seemingly every file the user had on the hard drive. 'Snooping' doesn't quite describe what he did," says an anonymous IT worker.

Attraction to a coworker is often the motivation for this type of cyber-stalking. "It boils down to either blackmail, when the person was disliked, or spying when there was a sort of attraction. It's pretty easy to set up rules to forward e-mails from one account to another," says AJ Burch, a consultant pro from Wilmington, N.C.

Indiscretions don't always end with simply snooping on electronic communications. "I worked for a company where the IT department read every e-mail that came from external sources or was sent to external destinations. They had great fun telling others the contents of the e-mails -- some very personal. It was well known who was doing what with whom and when," recounts an anonymous Redmond reader.

Dirty Work
Some IT folks are pressured into doing things that may be unethical or illegal. "When an employee is thought to be slacking and using the Internet for personal reasons, I'm told to find out what they're looking at. I poke around in their workstation at their history files and temp Internet files, and then report back to their team leader. At first, I was OK with this. Then an employee that I didn't particularly like (because he didn't do any work) was fired based on what I found on his computer," says an IT pro who asked to be called Reluctant Spy.

"Reluctant Spy" worries about his standing after that incident. "How do I prove that if he ever filed a suit? Could I be liable?" he asks. "I'm in a very awkward situation. There are others, including bosses and team leaders, who also abuse the Internet. I would really like to publish what they're doing, but I haven't gotten on their machines and looked."

IT is also sometimes used to cover up the actions of executives. "I've been asked too many times by senior level company personnel to cover up their mistakes and bad judgments," says Will, another anonymous admin. "I've been asked more than once to delete mail items out of users' mailboxes because someone who probably had good business skills but hadn't figured out the difference between 'Reply' and 'Reply to All' sent out sensitive or potentially damaging information via e-mail. I always did what was asked, but it sometimes rubbed me the wrong way."

While IT staffers often perpetrate abuse, they can also be the victim. "I was an e-mail admin for a local bank and was in charge of an automated user creation tool for several databases. I needed to keep track and retain many of the requests, so I created an agent to monitor delivery -- return receipt and post in a folder on my mail database. I used this format for most of my correspondence," says Scott, currently a systems integrator at another firm.

"I moved on to another position and transitioned my job to another admin. After about a month, I started getting return receipts and transmission reports from my old OU e-mail address. My replacement was going through not only my mail file but the smtp.box and local mail.box on the e-mail servers, reading mail and looking at attachments." There is a happy ending to this story, though. "By gathering information on the times and dates, we built a case for his termination."

Don't Be a Spy
There can be pressure from all over -- bosses, co-workers and even your own curiosity. Spying, snooping and stealing are wrong no matter who asks you to do it.

"I've witnessed ignorant IT management entertain other department manager's requests for user's browsing records. My recommendations that they refrain from snooping until HR is involved went unheeded. I refused to participate unless HR was involved, but the ignorant managers proceeded at their own peril," says Piper, an IT team leader.

"Just because IT has the ability to snoop on users does not give them the authority to do so unless directed by HR. Otherwise, you're simply setting yourself up for a labor relations lawsuit that will be difficult and expensive to defend. User behavior is a performance management issue, not an IT issue. It is only the incompetent IT manager that engages in user snooping without the assistance of HR. Competent managers are able to properly manage their staff's behavior."

HR and well-defined corporate policies should drive all "spying" activities, one IT pro argues. "I definitely think this should be done by HR, but they usually don't have the skills to go to the admin share on a workstation and know where to find the footprints."

The misguided actions of IT don't just result in dismissals, privacy invasions and anger. They can ruin lives. "My wife one day received an anonymous letter that contained several of my personal e-mails. They did not try to blackmail me by asking for money, they just felt it was their "moral" duty to inform my wife of what I was writing. I quit the company and my marriage ended in divorce. My credit was ruined by the bankruptcy and divorce," says Arnold Radloff of Lincoln, Neb. "Now I never use my company computers for personal e-mail. As a result, I have kept my current job and things are finally getting better in my life."

Silver Bullet?
There is no silver bullet solution to the spying problem. For IT managers, a lot boils down to simple judgment. Admins must be smart enough to use their tools and access privileges within the guidelines established by the company.

"I have had to tune spam filters and Web filtering software. In that position, you see many things that you would rather not see. It's hard to not be sucked into reading the e-mails about affairs and other things that people are stupid enough to include in messages from their work e-mail," says another IT professional who asked not to be identified. "It really changes the way you look at people. There are some things I would rather not know."