This article series is intended to help
you understand some of the terms and technologies employed by
hackers. With this knowledge, you will be better able to
ensure that your computer system (or network if you are a
system administrator) is adequately protected and safe from
prying eyes and unknown fingers.
Back Doors
Many years ago I was the Vice President of Consulting for a
small computer company. We specialized in writing applications
for medium to large businesses on larger computer systems
running the OpenVMS operating system. All of the people who
worked on my team were good programmers, doing quality work
with a high sense of ethics.
All but one person, that is. I had one guy on my team who
was not performing well. He had claimed to be a high-powered C
programmer, but it turned out he had probably taken one class
in high school. At least, after reviewing his code, that's
what it seemed like to me.
After giving him plenty of opportunity to correct his
difficulties, the day finally came when I had to tell him to
find employment elsewhere. That was a tough day, as I have
never enjoyed firing someone. There are times when it has to
be done, but it's never fun.
So the poor guy got fired, packed up his things and walked
out the front door. I never expected to hear from him again.
He was quiet, didn't attend symposiums, and I was not likely to
run into him anywhere - or so I thought.
A few weeks later one of my team noticed some unusual
happenings on one of our client's computer systems. It seemed
to be doing too much work. You see, we did all of our
programming work on-site at the customer's office. We did this
because we wanted to be near the customer (good for building
up a solid working relationship) and, well, by using the
customer's computer for development we didn't need to buy one
for ourselves. Of course, we usually got a desk in the
computer room so we could be close to the equipment.
If you've ever spent many hours in front of one of those
old computers, you know that you get used to hearing a certain
pattern of activity. The disk drives, magnetic tape reels and
other equipment made a lot of noise, and depending upon what
was going on, the random clicks and whirs got louder, more
frantic or downright hectic.
So I was sitting at home enjoying my favorite television
program when one of my teammates called me with a concern. He
was sitting at the desk in the computer room and had noticed the
disks were making a lot more noise than normal. In fact, the
sound was almost deafening.
I dialed into the machine myself to see if anything obvious
was wrong. It took me a few minutes to determine that there
was nothing out-of-place: all of the proper applications were
running and the jobs were completing as expected.
I almost missed a critical piece of information, but just
as I was logging out I did another list of jobs running in the
system. Hmm, that was strange. There was someone logged into
the account of the person that I had terminated a few weeks
before. I started to kill the process, then stopped and
thought for a minute. This didn't feel right. The oddest fact
was the job login was not recorded in the system operator log
files. You see, normally every single time someone logs in a
note is made of when, who and on what terminal. This time
there was no such log.
The next day, I went down to the customer site and
installed a special program which would log everything entered
on the dialup lines to a set of files. This way I could see
what was happening overnight.
A few days later I checked this file and found out some
fascinating things. Apparently the guy that I fired had left
behind something called a back door.
I was stunned to silence as I looked through the logs and
saw the line where he typed a special command and immediately
gained entrance to his old account. As I examined the logs it
was apparent that he was engaged in a little bit of industrial
espionage, or perhaps he just wanted to try and steal the
account from us. What he was doing was downloading the source
files to the customer applications to his own system. In those
days modems were much slower than now, so at 1200 baud it was
taking weeks for him to get what he wanted.
Once I knew what he was doing it was just a matter of
patching the hole. This guy had simply added some special,
home-grown code to the login program which recognized some
text as a back door. If that text was typed on any dial-up
line, then the front security was bypassed and the job was
created. His mistake was creating the job with his old
username - if he had used SYSTEM or something like that I
probably would never have even noticed.
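The two clues in the story were a job running under an account that should no longer exist and a login that never reached the operator log. The following added example (not code from the original article; the job list, log format, usernames and terminals are constructed assumptions) reconciles a snapshot of running jobs against the login audit log and flags both conditions; the second check would still fire even if the job had been created as SYSTEM.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: a snapshot of interactive jobs and the operator
# log's entries. Formats, names and terminals are assumptions for this example.
JOBS = [
    # (process id, username, terminal, job start time)
    ("20A0012C", "OPERATOR", "OPA0:", "1989-03-14 22:01:07"),
    ("20A0013F", "JSMITH",   "TXA3:", "1989-03-14 23:40:15"),
    ("20A00151", "BGREEN",   "TXA5:", "1989-03-15 01:12:33"),  # dial-up line, ex-employee
]
OPERATOR_LOG = """\
1989-03-14 22:01:05 LOGIN user=OPERATOR term=OPA0:
1989-03-14 23:40:12 LOGIN user=JSMITH term=TXA3:
1989-03-15 01:15:00 BATCH job=NIGHTLY_REPORT
"""
TERMINATED_ACCOUNTS = {"BGREEN"}   # accounts that should have been removed at departure
FMT = "%Y-%m-%d %H:%M:%S"

def parse_logins(text):
    """Return (username, terminal, time) for each LOGIN entry; ignore other entries."""
    logins = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "LOGIN":
            continue
        fields = dict(p.split("=", 1) for p in parts[3:])
        when = datetime.strptime(" ".join(parts[:2]), FMT)
        logins.append((fields["user"], fields["term"], when))
    return logins

def suspicious_jobs(jobs, log_text, terminated, slack=timedelta(minutes=5)):
    """Flag jobs with no matching LOGIN record (same user and terminal, logged
    within `slack` of the job start) or running under a terminated account.
    Returns a list of (pid, username, reason)."""
    logins = parse_logins(log_text)
    flagged = []
    for pid, user, term, started in jobs:
        started = datetime.strptime(started, FMT)
        reasons = []
        if user in terminated:
            reasons.append("terminated account")
        if not any(u == user and t == term and abs(started - when) <= slack
                   for u, t, when in logins):
            reasons.append("no LOGIN record in operator log")
        if reasons:
            flagged.append((pid, user, "; ".join(reasons)))
    return flagged

if __name__ == "__main__":
    for pid, user, reason in suspicious_jobs(JOBS, OPERATOR_LOG, TERMINATED_ACCOUNTS):
        print(f"{pid} {user}: {reason}")
```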
When had he done this? I determined upon my own
investigation that he had made the changes only a few days
after he was hired! It was easy and he probably did it at all
of his jobs - perhaps he just wanted to avoid typing a
password.
Anyway, I had to personally examine every single program on
all of our customer sites for any suspicious modifications; I
found one other site that was compromised. After that, it was
a small effort to disable the change and monitor the dial-ups
for any other similar activities.
What happened to him? I never followed up, as I didn't know
what happened to the poor guy. He just disappeared after I fired
him and there was no way for me to figure out where he went.
After that, of course, I kept my eye on things a little
more carefully. Later, I also began doing background and
reference checks on any potential job candidates just to gain a
little more confidence that their past was clean. And if any
high-level computer people leave the company (especially in a
hostile manner) I make sure that the modem phone numbers,
system passwords and keys are immediately changed. It's only
prudent.