When you have someone who helps manage your IT needs, you often give them a surprising amount of access. What happens if they turn evil?
I had employed an IT consultant to provide some advice about streamlining my various email accounts. I have four websites and various email addresses attached to these. He had suggested Gmail as a better option to Mozilla because it was cloud based. Yesterday, however, we had a falling out. He threatened to "turn-off" my emails and actually did this for a couple of hours today. In setting up the Gmail, I have allowed him to talk to my previous host and my ISP on my behalf. How do I prevent him from being able to do this? What steps can I take to retain total control over my websites and emails?
This is tough.
I play the role of IT consultant for a handful of folks and I have a pretty clear understanding of the responsibilities inherent in doing so. The amount of damage that an unethical and pissed-off or just plain evil IT consultant or sysadmin can do is pretty frightening.
And yet, there's a certain amount of access that they need just to do what you're expecting of them.
So, let's walk the list. There's a lot to be considered and it's going to take some work to regain sole control over your properties.
As I wrote what follows, it dawned on me that the same set of instructions applies to a different yet related scenario: that of a hacker gaining access to your information.
The gruesome reality is that an IT consultant that elects to side-step ethical behavior and start threatening you with things like shutting down your email or worse has become, in my opinion, the equivalent of a hacker; someone who has gained access to your information with malicious intent.
It's actually a very good way to view the now-changed relationship and his or her role in it.
I had your ISP account lower on the list, but I moved it to first. If your IT consultant / hacker has access to this, he could kick you off the internet with a phone call.
You need to log in to your ISP's account management portal and confirm all the information associated with your account. You might just want to give them a call as well for safety.
You need to change your password, and any and all password recovery information associated with the account. Anything that isn't under your sole and direct control is suspect and could be used as means for your IT consultant to regain access to the account and, in turn, disable it or cause other problems.
Gmail is important because your email account is going to get many of the confirmation and verification emails resulting from what follows. You'll want to secure this as soon as possible.
Change the password. Immediately. Change it to something that is a good, strong password - something that you will remember and no one else could possibly guess.
But that's not enough.
You need to change any information associated with your account that could be used for password recovery. That could be your secret question. It could be a cell phone number associated with the account; if it's already yours, fine, but if it's the consultant's, not fine. It could be one or more alternate email addresses listed with the account; if they're yours, go through the process of securing those accounts as well, but if they're not yours, remove them.
The theme here is simple: anything that your IT person could use to perform a password reset on your account could allow them to regain access. Anything that would allow them to perform a password reset on any of the alternate email addresses associated with the account could also allow them to get your account back as well.
To begin with, your web hosting account will be very similar to Gmail: log in to your web hosting account and change your password. Then change anything that could be used to recover your password.
But your web host is more than just an account.
If your IT person had access to your web servers or web sites, then you need to go through and remove his account from those servers or sites, disable those accounts, or change their passwords (and recovery information like the associated email address).
If your IT person had low-level access to your server via something called "SSH", then there's one more thing you need to do that's pretty geeky: you need to scour the server for "authorized_keys" files and remove or comment out any entries that might belong to that person. This is an alternate, significantly more secure approach to logging in that bypasses the password. Unfortunately, it's also easily overlooked.
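One way to do that "authorized_keys" sweep, as an added example that is not from the article: it assumes a POSIX shell with find and awk, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article: find every authorized_keys file on a
# server, list who each key claims to belong to, and strip the entries of a
# departed consultant. Assumes POSIX sh with find, awk and grep; run as root
# so that every user's ~/.ssh/authorized_keys is visible.

# Print each authorized_keys file under $1 (default: /) and the keys in it.
audit_authorized_keys() {
    find "${1:-/}" -type f \( -name authorized_keys -o -name authorized_keys2 \) \
        2>/dev/null | while read -r f; do
        printf '== %s\n' "$f"
        list_keys "$f"
    done
}

# Print "keytype comment" for every key line in file $1. A line may carry an
# options prefix such as command="..." or from="..." before the key type, so
# scan for the first field that looks like a key type instead of using $1.
list_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    c = ""                        # comment = fields after key data
                    for (j = i + 2; j <= NF; j++) c = c " " $j
                    printf "%s %s\n", $i, (c == "" ? "(no comment)" : substr(c, 2))
                    break
                }
        }' "$1"
}

# Rewrite file $1 without the keys whose comment matches extended regex $2,
# keeping the original as $1.bak so the change can be reversed.
remove_keys_matching() {
    cp -p "$1" "$1.bak"
    awk -v pat="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }  # keep comments and blanks
        {
            keep = 1
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    c = ""
                    for (j = i + 2; j <= NF; j++) c = c " " $j
                    if (c ~ pat) keep = 0
                    break
                }
            if (keep) print
        }' "$1.bak" > "$1"
}
```

The comment is only a label the key's owner chose, so treat it as a first pass and confirm by matching fingerprints (`ssh-keygen -lf` on the file) against devices you own. Removing a key blocks new logins but does not end a session that is already open.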
Naturally, if your IT person had access to any content management systems, blogging software, or any other tools that are hosted on your server or your behalf, you need to disable access to those as well by deactivating accounts, changing passwords and password recovery information, or doing whatever else makes sense for the given system.
This is one that many people overlook. Did you have your IT consultant register a domain for you? If so, you need to double check that you indeed own the domain, and not the consultant. Do a "whois" lookup to see who the domain is registered to. If it's not you ... well, this might actually be the time to find an attorney.
If it is you, make sure that all the contact information is correct and is something under your sole control. If not, contact the registrar to change it.
At the same time, make sure that "DNS" settings for your domain are also handled by a service that you have access to and control of. Most often, that's the registrar, but DNS is also something that can easily be handled by a third party on your behalf. Your IT consultant could certainly be running his own DNS servers, and if so, he could quickly and easily take your domain off the internet.
Only you can really know everything that you've given your consultant access or implied access to. It's time to run down the laundry list of everything that he's done for you - perhaps with (dare I say it?) a more trustworthy consultant - and take careful stock of everything to which he might have access.
And then, remove that access.
I'll leave you with two final thoughts:
One: drop this guy. Now. No excuses, no second chances. He has proven that he is willing to cause disruption if he doesn't like something. That's completely and totally unacceptable.
Two: choose your next consultant wisely.