Paul Venezia, Senior Contributing Editor

Shionogi shenanigans: Tech journalism hits a new low

Analysis | Aug 22, 2011

Coverage of the Shionogi sabotage includes ridiculous comparisons with the case of Terry Childs -- and much of the reporting is flat-out wrong

As soon as I heard about the apparent IT infrastructure sabotage at the U.S. location of Japanese pharmaceutical manufacturer Shionogi, I knew I’d soon see the name Terry Childs popping up in tech articles all over the Web. I also knew that most if not all of them would flub the facts and try to draw a direct line between the two cases. Sadly, I wasn’t disappointed on either count.

Take this article from SC Magazine UK. Several oddities distinguish this particular piece, not the least of which is this:

He then used this to delete the contents of each of the 15 virtual hosts on Shionogi’s computer network, each of which contained the equivalent of 88 servers that represented most of Shionogi’s U.S. computer infrastructure to support email, BlackBerrys, its order tracking system and its financial management software.


I’m assuming that what is actually meant here is that there were 15 physical hosts and a total of 88 virtual servers, not 15 “virtual hosts” with 88 servers for a total of 1,320 virtual servers. But whatever the numbers are, here’s what actually went down (as far as I can tell):

Jason Cornish was an IT admin at Shionogi who either left or was dismissed. His account was never disabled or removed, however, so he had full run of the infrastructure. Some time later, he decided to take revenge on the company for one reason or another, logged in via VPN, fired up a vSphere client, and deleted all the VMs. It’s a classic example of what a destructive rogue IT admin might do: He purposefully and with malice aforethought destroyed an entire server infrastructure.

In some news reports, the writers make it sound as if he installed vSphere secretly and treat it as if it’s some dark-arts malicious software. Anyhow, if he actually did “knowingly transmit computer code with the intent to damage computers in interstate commerce” as the criminal complaint reads, then he deserves the criminal charges and jail time, just as you’d expect if he’d burned the place down.

However, in that same article, there’s this quote from Mark Fullbrook, U.K. and Ireland director at Cyber-Ark:

We’ve seen the San Francisco city network come crashing to a halt through Terry Childs and Sam Chihlung Yin threaten Gucci’s global brand in similar incidents, all at a cost of hundreds of thousands of dollars. When will lessons be learnt?

Lumping Terry Childs in with Chihlung Yin and Cornish is incorrect and irresponsible. The last two directly and purposefully caused network and service downtime and destroyed servers in the process. The San Francisco network never went down. There was no service loss, and it most certainly did not “come crashing to a halt.” Spreading misinformation like this serves no purpose and actually worsens the public’s understanding of insider threats. For shame.

Inexplicably, the link in that quote relating to Terry Childs goes to a story on the Anonymous threats to hack BART in retaliation for shutting down its cell repeaters a few weeks ago. It has nothing to do with Childs at all.

There’s at least one other bizarre quote in this particular piece, courtesy of Eric Chiu, founder and president of HyTrust:

The breach at Shionogi is a great example of how vulnerable virtualisation infrastructure and the cloud can be. Critical systems like email, order tracking, financial and other services were impacted, having been virtualised without the proper controls in place.

This is nonsense. The sabotage at Shionogi has very little to do with virtualization, other than that it may have made it slightly easier for Cornish to destroy all those servers. He didn’t hack into anything; his accounts were never disabled, and those accounts apparently had full administrative rights over the vSphere implementation. What kind of “proper controls” for virtualization would have prevented that?

Further, if Shionogi hadn’t been virtualized and had 88 physical servers instead, it’s the work of a few minutes for someone with Administrator-level access to write and run a script that makes each of those servers format its own disks and otherwise destroy itself. It’s not quite as simple as clicking on the virtual server and deleting it from disk, but if a bad actor took an hour or so to prepare, logged in remotely, and ran that script, it may actually have been faster than logging into vSphere and destroying the servers one by one. Virtualization had nearly no role in this fiasco, though the fact that they were virtual servers is likely the reason the services were reinstated in days, not weeks. Rebuilding and restoring 88 physical servers takes an awful lot longer than restoring virtual servers.

I really don’t mean to single out this one article, but it’s a good representation of the utter nonsense I’ve seen floating around the Web about this case. The technical errors in describing the actual events are one thing, but attempting to tie in Childs is simply irresponsible.

The only lesson to be learned from the Shionogi compromise is that you should disable user accounts when an employee leaves. That’s it. There’s nothing else to learn here.
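That one lesson is easy to state and routinely missed, so here is the check a practitioner would actually run. This is an added example, not code from the article, from Shionogi, or from any vendor: it reconciles an HR departure list against a directory export and a hypervisor permission export, and flags every departed user whose access was never revoked. All three inputs are constructed for illustration, and the field names (`username`, `terminated`, `enabled`, `last_logon`, `principal`, `role`, `entity`) are assumptions, not any product’s real schema.

```python
"""
Offboarding gap check (added example; constructed data, assumed field names).

Reconciles an HR departure list against an identity-directory export and a
hypervisor permission export, and reports every account that still grants
access after its owner's termination date.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str     # account_enabled | stale_login | privileged_role | lingering_role
    detail: str


# Constructed HR feed: who left and when.
DEPARTURES = [
    {"username": "jcornish", "terminated": date(2011, 7, 1)},
    {"username": "aperez",   "terminated": date(2011, 6, 15)},
]

# Constructed directory export: account state as of the check date.
ACCOUNTS = [
    {"username": "jcornish", "enabled": True,  "last_logon": date(2011, 7, 20)},
    {"username": "aperez",   "enabled": False, "last_logon": date(2011, 6, 14)},
    {"username": "mchen",    "enabled": True,  "last_logon": date(2011, 8, 1)},
]

# Constructed hypervisor permission export: principal -> role on an inventory
# object. The layout is assumed, not a real vSphere export format.
PERMISSIONS = [
    {"principal": "jcornish", "role": "Administrator", "entity": "Datacenters"},
    {"principal": "aperez",   "role": "Read-only",     "entity": "Datacenters"},
    {"principal": "mchen",    "role": "Administrator", "entity": "Datacenters"},
]

PRIVILEGED_ROLES = {"Administrator"}


def find_offboarding_gaps(departures, accounts, permissions):
    """Return a Finding for each way a departed user's access was not revoked."""
    by_user = {a["username"]: a for a in accounts}
    perms_by_user = {}
    for p in permissions:
        perms_by_user.setdefault(p["principal"], []).append(p)

    findings = []
    for d in departures:
        user, left = d["username"], d["terminated"]
        acct = by_user.get(user)

        # 1. The account still exists and is enabled after the termination date.
        if acct and acct["enabled"]:
            findings.append(Finding(user, "account_enabled",
                                    f"enabled after termination on {left}"))

        # 2. The account was used after the termination date: the departed
        #    person (or whoever holds the credential) has logged in since.
        if acct and acct["last_logon"] > left:
            findings.append(Finding(user, "stale_login",
                                    f"last logon {acct['last_logon']} is after {left}"))

        # 3. Hypervisor permissions were never removed. Even a disabled directory
        #    account should lose these, so that re-enabling it later does not
        #    silently hand back full control of the infrastructure.
        for p in perms_by_user.get(user, []):
            kind = "privileged_role" if p["role"] in PRIVILEGED_ROLES else "lingering_role"
            findings.append(Finding(user, kind,
                                    f"{p['role']} on {p['entity']} still assigned"))
    return findings


if __name__ == "__main__":
    for f in find_offboarding_gaps(DEPARTURES, ACCOUNTS, PERMISSIONS):
        print(f"{f.username:10} {f.kind:16} {f.detail}")
```

Run against the constructed data, the check reports the Cornish-style case three times over (account still enabled, a logon after the termination date, and an Administrator role still assigned on the hypervisor), plus a lingering read-only role for a user whose directory account was correctly disabled. The third check is the one most shops forget: disabling the directory account is necessary but not sufficient when the hypervisor keeps its own permission table.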

This story, “Shionogi shenanigans: Tech journalism hits a new low,” was originally published at InfoWorld.com. Read more of Paul Venezia’s The Deep End blog at InfoWorld.com.