When you have someone who helps manage your IT needs, you often give them a surprising amount of access. What happens if they turn evil?

I had employed an IT consultant to provide some advice about streamlining my various email accounts. I have four websites and various email addresses attached to these. He had suggested Gmail as a better option to Mozilla because it was cloud based. Yesterday, however, we had a falling out. He threatened to "turn-off" my emails and actually did this for a couple of hours today. In setting up the Gmail, I have allowed him to talk to my previous host and my ISP on my behalf. How do I prevent him from being able to do this? What steps can I take to retain total control over my websites and emails?

This is tough.

I play the role of IT consultant for a handful of folks and I have a pretty clear understanding of the responsibilities inherent in doing so. The amount of damage that an unethical and pissed-off or just plain evil IT consultant or sysadmin can do is pretty frightening.

And yet, there's a certain amount of access that they need just to do what you're expecting of them.

So, let's walk the list. There's a lot to be considered and it's going to take some work to regain sole control over your properties.

IT Consultant? Or Hacker?

As I wrote what follows, it dawned on me that the same set of instructions apply to a different yet related scenario.

That of a hacker gaining access to your information.

The gruesome reality is that an IT consultant that elects to side-step ethical behavior and start threatening you with things like shutting down your email or worse has become, in my opinion, the equivalent of a hacker; someone who has gained access to your information with malicious intent.

It's actually a very good way to view the now-changed relationship and his or her role in it.

Secure Your Account With Your ISP

I had this lower on the list, but I moved it first. If your IT consultant / hacker has access to this, he could kick you off the internet with a phone call.

You need to log in to your ISP's account management portal and confirm all the information associated with your account. You might just want to give them a call as well for safety.

You need to change your password, and any and all password recovery information associated with the account. Anything that isn't under your sole and direct control is suspect and could be used as means for your IT consultant to regain access to the account and, in turn, disable it or cause other problems.

Secure Your Gmail Account

Gmail is important because your email account is going to get many of the confirmation and verification emails resulting from what follows. You'll want to secure this as soon as possible.

Change the password. Immediately. Change it to something that is a good, strong password - something that you will remember and no one else could possibly guess.

But that's not enough.

You need to change any information associated with your account that could be used for password recovery. That could be your secret question. It could be a cell phone number associated with the account; if it's already yours, fine, but if it's the consultant's, not fine. It could be one or more alternate email addresses listed with the account; if they're yours, go through the process of securing those accounts as well, but if they're not yours, remove them.

The theme here is simple: anything that your IT person could use to perform a password reset on your account could allow them to regain access. Anything that would allow them to perform a password reset on any of the alternate email addresses associated with the account could also allow them to get your account back as well.

Secure Your Web Hosting Account and Servers

To begin with, this will be very similar to Gmail: log in to your web hosting account and change your password. Then change anything that could be used to recover your password.

But your web host is more than just an account.

If your IT person had access to your web servers or web sites, then you need to go through and remove his account from those servers or sites, disable those accounts, or change their passwords (and recovery information like the associated email address).

If your IT person had low-level access to your server via something called "SSH", then there's one more thing you need to do that's pretty geeky: you need to scour the server for "authorized_keys" files and remove or comment out any entries that might belong to that person. This is an alternate, significantly more secure approach to logging in that bypasses the password. Unfortunately, it's also easily overlooked.
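The authorized_keys sweep described above, as an added example that is not code from this article: it locates every authorized_keys file under a directory, comments out entries that carry the consultant's identifier, and keeps a backup of each file it changes. It assumes the departed consultant's keys can be recognised by the comment at the end of each key line ("consultant@" is a hypothetical label), and it runs against a constructed sample file with fake key material.

```shell
#!/bin/sh
# Added example: audit authorized_keys files for a departed consultant's entries.
# "consultant@" is a hypothetical identifier; the sample keys below are constructed.

# Find every authorized_keys file under a root directory (use / on a real server;
# a scratch directory in the demo below).
find_authorized_keys() {
    find "$1" -type f \( -name authorized_keys -o -name authorized_keys2 \) 2>/dev/null
}

# Count key lines that are still active (neither blank nor commented out).
count_active_keys() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Comment out active key lines containing the given substring, keep a .bak copy,
# and print how many entries were disabled.
disable_keys_matching() {
    file=$1
    pattern=$2
    cp -p "$file" "$file.bak"
    n=$(grep -v '^[[:space:]]*#' "$file" | grep -c -F -e "$pattern" || true)
    awk -v pat="$pattern" '
        $0 !~ /^[[:space:]]*#/ && index($0, pat) > 0 { print "# DISABLED: " $0; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$n"
}

# Constructed sample file (fake key material) so the script runs offline.
make_sample_keys() {
    cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEOWNERKEY0000000000000000000000000000 owner@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKECONSULTANTKEY00000000000000000000000 consultant@laptop
# ssh-rsa AAAAB3NzaC1yc2EFAKEOLDKEY old@retired
ssh-rsa AAAAB3NzaC1yc2EFAKECONSULTANTKEY2 consultant@phone
EOF
}

# Demo run on a scratch directory: sh audit_keys.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    mkdir -p "$root/home/owner/.ssh"
    make_sample_keys "$root/home/owner/.ssh/authorized_keys"
    for f in $(find_authorized_keys "$root"); do
        echo "$f: disabled $(disable_keys_matching "$f" 'consultant@') of $(count_active_keys "$f.bak") active keys"
    done
fi
```

Check sshd_config's AuthorizedKeysFile directive as well, since it can point at locations other than the default ~/.ssh/authorized_keys.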

Naturally, if your IT person had access to any content management systems, blogging software, or any other tools that are hosted on your server or on your behalf, you need to disable access to those as well by deactivating accounts, changing passwords and password recovery information, or doing whatever else makes sense for the given system.

Secure Your Domain Registration

This is one that many people overlook. Did you have your IT consultant register a domain for you? If so, you need to double check that you indeed own the domain, and not the consultant. Do a "whois" lookup to see who the domain is registered to. If it's not you ... well, this might actually be the time to find an attorney.

If it is you, make sure that all the contact information is correct and is something under your sole control. If not, contact the registrar to change it.

At the same time, make sure that "DNS" settings for your domain are also handled by a service that you have access to and control of. Most often, that's the registrar, but DNS is also something that can easily be handled by a third party on your behalf. Your IT consultant could certainly be running his own DNS servers, and if so, he could quickly and easily take your domain off the internet.

Secure ... What Else?

Only you can really know everything that you've given your consultant access or implied access to. It's time to run down the laundry list of everything that he's done for you - perhaps with (dare I say it?) a more trustworthy consultant - and take careful stock of everything to which he might have access.

And then, remove that access.

I'll leave you with two final thoughts:

One: drop this guy. Now. No excuses, no second chances. He has proven that he is willing to cause disruption if he doesn't like something. That's completely and totally unacceptable.

Two: choose your next consultant wisely.

Article C4749 - February 24, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

12 Comments
Mark Shepherd
February 25, 2011 1:13 AM

Double check with the ISP, Hosting, Phone Company, and any company that you pay to have support (Special Software, salesforce, etc.) that the Hacker is REMOVED from the Authorized Contact List. You could end up getting a lot of inflated bills that you will be liable for.

Dave Smithson
February 25, 2011 3:06 AM

Great article - just one point LEO - when changing all the information in the gmail account - it's important to check the forwarding settings, automatically forwarding all incoming emails to a third party address, also each & every filter, potentially forwarding specific emails to third party addresses.

Hira G
March 1, 2011 10:22 AM

If you want to make Gmail account extra secure, you can set up 2-Step verification login. It requires an extra step, but is worth the hassle.

carol putman
March 1, 2011 11:50 AM

Very helpful article, but I think I'd do all of the above before I fired him, say on a weekend and then notify him first thing Monday morning of his termination and escort (or have security escort) him to collect his personal belongings from his work area and to the door. Based on his behavior so far, I think if he had any access to the accounts after his firing, he could cause some serious and irreparable retaliatory damage.
Remember, too, that he can log on to the business accounts from any computer, like at his home or on the weekend.

Gina
March 1, 2011 12:17 PM

If this person has a registered IT business (and is not just a former friend, acquaintance, etc. who has done this on the side for you), you should report him to the state attorney general's office, the police, the Better Business Bureau, etc. Others need to know what this 'so-called' IT consultant is capable of. If he gets away with doing this to you, you can bet it won't be the last time he pulls this. Whatever credentials he has need to be stripped to protect the public.

Unfortunately you don't need credentials, so stripping anything is somewhat ineffectual.
Leo
04-Mar-2011

Carlos The Gringo
March 1, 2011 12:47 PM

Whoaaaaaaaa - That has me livid that an idiot would be so unethical - I would have my own ways of dealing with people like that

Mike
March 2, 2011 8:42 AM

Just because there is a law, it doesn't mean that no one ever breaks it. But it seems odd to me that such a person would not be facing criminal prosecution for such action. After all, what's to keep other employees from doing similar things, such as accountants diverting company funds, lawyers from misusing power of attorney, ordinary employees from stealing inventory or money...?

Gina
March 4, 2011 2:19 PM

Leo,

Thank you for responding and letting everyone know that credentials aren't necessary (even though that shocks me). Although I will probably never have a need to hire an IT consultant, people who do should know this. I wish there were something that could be done to prosecute this person and expose him as the criminal he is to make such a threat. Perhaps there are charges that can be filed based on some of the things Mike mentioned? It can't hurt for the person who hired this guy to talk to a lawyer to find out if there are any options and/or rights he might have in his state.

codejockey
March 5, 2011 3:28 PM

Leo,

You make a number of excellent points. As a consultant, I would add that at the conclusion of an assignment, I always advise my clients to change passwords and to remove any access I may have been granted to their systems, web sites, data, etc. This protects both of us -- and in my experience, my clients appreciate it.

Tim
March 8, 2011 8:43 AM

Maybe there's a lesson in all this - introduce some form of regulatory framework for IT consultants.

I live and work in France as an IT consultant but before they would let me register as such, I had hoops to jump through - the powers that be needed to see certificates proving that I could do what I said I could. It's a bit of a hassle, but it stops many of the unqualified rogues.

PC Resolver
March 9, 2011 12:44 AM

I think it is interesting there has been no comment about the cause of the 'falling out'. I am a web designer and IT Consultant and I have 'fallen out' with one of my clients because they have not paid for the site (they paid the deposit). I have asked for a good will payment (50 Euro) to keep the site live and have received nothing for 6 months. Suspending the site and email facility is something I am considering. Would that be unethical?

Obviously falling out can be due to problems at either end - I simply took my reader at his word. If someone did it to me and I was the administrator on their site, I'd try every possible option, including legal action, before shutting down or defacing their site. It really depends on the degree of services you're providing - if they're on your server and they haven't paid, then I'd guess it's within your rights to shut 'em down. If it's more a case of design work on a pre-existing - perhaps I'd restore it to a snapshot I took before I started my work, but defacing the site, even "legitimately" while perhaps ethical could land you in legal hot water.
Leo
10-Mar-2011

Carol Putman
July 30, 2011 11:47 PM

I believe in California, the Department of Consumer Affairs will take a complaint in a case like this.
