Many of us that are DBAs and/or sysadmins find ourselves with privileged access to many systems. We can often read the data that’s stored in these systems, whether that’s a relational database, a NoSQL store, or even a mail system. As a result, it is incumbent upon us to be trustworthy and maintain confidentiality with privileged information.
Overall I think most of us do this, but there are always some rogue administrators out there, some of which might take malicious actions. There have been a few people that were arrested or sued for hacking into systems, trashing backups, or causing other issues. Often those are emotional outbursts that disrupt operations, and many people are aware there is an issue. However, what if people weren’t aware they were being hacked in some way?
I ran across this story about some “admin” software being sold on a hacker forum site, which was marketed as sys admin software, but used to control other people’s computers without their knowledge. This is essentially a remote access trojan application that a developer sold to others who used it to steal data from their victims. The software developer was arrested and signed a plea agreement, knowing that it was used in a malicious manner.
For those of us that have privileged access, we might learn passwords of users as we watch them enter the value over and over. We certainly might work with their data to help them solve an issue or understand the manipulation taking place. We We may have auditing systems or logs that allow us to replay or examine the data values people have entered into applications. We do this with their permission and understanding, or at least someone’s permission. A user might not know we have substantial instrumentation, perhaps even the equivalent of a keystroke logger, but there will be some management that is aware of the existence of these tools.
While I’ve played a few pranks on people, moving keyboards or mice, I’ve always ensured they knew it was me in a short period of time. Using admin software to spy on others without their knowledge is a breach of trust and ethics, in my opinion. Even being asked to use this by management would be immoral for me.
Knowing this type of software exists, is important, and if you find it, I’d make sure you report it to management immediately, preferably to a few different people. If anyone is using tools to spy on users, they’re likely up to no good and I’d hope we would all attempt to put a stop to the practice.