Feeds

back to article Fannie Mae logic-bomb saboteur convicted

A computer contractor has been convicted of planting a logic bomb on the servers of Fannie Mae, the financially troubled US housing and mortgage giant. Rajendrasinh Babubhai Makwana, 36, responded to the termination of his two-year-long spell as a software development contractor at Fannie Mae in October 2008 by planting a …

COMMENTS

This topic is closed for new posts.
Stop

Send him to gaol!

Anyone who takes action of this sort (assuming they're found guilty, of course) deserves prison. Some may view this action as 'sticking it to the man', but in reality 'the man' is generally unaffected. The customers, investors and subsequently-sacked employees that the company can no longer afford to keep (and their families) are all victims.

If he's guilty and sentenced I hope he goes down for a l-o-n-g time!

8
3

Betrayal of trust

Not only is he causing potential disruption to customers, etc. he is betraying the trust that was placed in him as a sys admin. As a unix admin, I have full access to all critical data and would never think of doing a thing like this. The fact that he's done it shows he is an untrustworthy individual.

7
2
Silver badge
Black Helicopters

If he was that good a programmer..

..he'd have known that a system like that would have been locked down, backed up, and with audit trails everywhere. How he thought he wouldn't get caught is probably more amazing than what he did.

Of course, he could have been the victim of a keylogger-based framing...

1
0

What a load of old Fannie

When a security incident of this nature occurs, we tend to file it away as an example of an ‘employee gone bad’. In reality, it constitutes a failure of the organisation to uphold its responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems.

It is also important to consider that in the case of Fannie Mae, this was not a direct employee, but rather a third-party contractor. Many companies treat non-employees (subcontractors, partners, customers etc) with different levels of trust compared to known and vetted direct employees. As such external parties are usually afforded differing levels of control and access as they are often more difficult to manage, sitting outside the traditional chain of company HR and administrative controls.

At a basic level, an organisation and its management has a financial responsibility as well as an administrative responsibility to ensure that access to critical information and applications is authorised and that it is continually monitored for all users, be they direct or indirect employees, to make sure the resulting activity is appropriate and permitted. The failure stems from the ‘perception of control’ an organisation has over their most sensitive networks, systems and devices.

Failure to control privileged identities and high-level access to systems has led to several instances of critical security failures in blue-chip companies in the past two years. In addition to the incident at Fannie Mae, the city of San Francisco was brought to its knees in 2008 because an employee locked down the city’s IT system through a privileged account. The former employee responsible for that, Terry Childs, was convicted and jailed for four years, but not before his actions cost San Francisco millions in lost productivity and court costs.

The conclusion of the Fannie Mae incident once again highlights the need for an integrated and managed view of what is appropriate user access and activity across the IT estate.

4
0
FAIL

I smell bean counter

" In reality, it constitutes a failure of the organisation to uphold its responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems.

"

Actually, no. They obviously did monitor him - which is why he got caught.

To me, the dumb thing that management did was allowing him to have admin access after he knew his contract was ending.

The rest of your post reads like a business case for "Lock IT Down - where every keystroke is vetted and approved by management" which works oh so well because every PHB knows what you should be doing....

0
0
Bronze badge
Unhappy

I could not agree more

This deserves jail, imagine someone whose contract is ended, raids the premises and burns everything down.

That would be destruction of private property, the same as if you manage to "logically" incapacitate the infrastructure nuking the server's HD Raids.

Bad, bad, bad, this guy is a shame to the profession.

2
2
Bronze badge

So this genius...

Did all his work from his own workstation?

"Subsequent forensic analysis of computer logs traced the attempted attack back to Makwana's workplace laptop"

Malicious, pathetic, and also stupid. Maybe he will find time to grow up in prison.

2
2
Flame

Too Bad He Got Caught!

Looks like someone REALLY took "Fight Club" to heart. If he were able to wipe both the servers AND the backups, a troubled homeowner could fight the remaining mortgage balance in court since they had nothing to back up their claims for the remaining balance.

Given that dozens of US banks are scrambling to fix (cover up) the fact that they "rubber stamped" foreclosure documents without even reviewing them and some homeowners weren't even behind on their mortgage, those bastards should get what they deserve.

Just my 2 cents, but it really is too bad he got caught. He might have gone on to work at a major credit card company and do all of us a HUGE favor.

2
7
Paris Hilton

It was even worse than that...

...Some of the houses that were foreclosed on, NEVER EVEN HAD MORTGAGES. They had been purchased with CASH!

PH, because she's as effing clueless as the banks.

0
1
FAIL

Duh

What a fail. If you're seriously mad enough to do that, you don't leave something that 'wipes everything', as that is trivially restored from backups. You make or alter a continuously running task that occasionally, but with increasing frequency, makes random updates to random records, and hope a while passes before someone digs sufficiently to figure out why nothing adds up any more. If he'd done -that-, and it had gone unnoticed for months at Fannie Mae, perhaps it would have brought about the downfall of western capitalism. Oh, and use your coworker's laptop, not your own...

2
0
Silver badge

He HAD contaminated the backups.

If you read the article in full, you realize that the logic bomb had slept for long enough to creep into the backups. Only later did it go off. When they tried to restore the backup, they restored the logic bomb with it, which went off. It was only through extensive tweaking that they were able to defuse the logic bomb from a backup and restore the system.

0
0
Anonymous Coward

I think...

I think that the problem is that the logic bomb was installed on the OS disks, so that once it'd been there for a while it was on all of the OS backups, if the OS was trashed and restored from tape, the logic bomb would trigger as soon as the server was booted. It'd likely take at least one restore before this was realised. At this point you'd either have to restore the OS and edit the startup scripts prior to boot (booted from another OS install), or build it from scratch and hope that the design documents are up to date with configuration settings, quite time consuming.

If the logic bomb also trashed the data disks, this would replicate from Prod to DR site, typically instantly for a company of this type/size, thus knocking out your DR position. There would maybe be disk snapshots which would allow a fast recovery point, but if not it would be back to tape. It's likely that only the really big/important systems have disk snapshots, so there would be a certain amount of going back to tape anyway. This would be time consuming.

Having said the above, I doubt that the logic bomb would actually cause loss of data, except that generated since the last backup, assuming that the backups worked ok. It would just have been a massive and expensive pain in the proverbial.

0
0
Anonymous Coward

Trusting SubKs

Until quite recently I worked with a "Big Blue" company. Our subcontractors were given all if not more access then regular employees.....

1
0
Grenade

This sort of thing is probably inevitable...

We've had umpteen years of the executive class racheting up and up their salaries, taking more and more money out of business out of all proportion with what everyone else earns.

Now there's a downturn all the lowly paid grunts are expected to take the pain with job cuts etc, whilst the pigs cotinue to keep their snouts in the trough with their "got to buy the best executives" policy, which is of course logically flawed.

Its inevitable that the real workers are going to rebel, which is why strikes are on the increase, and there are going tobe more and more embittered real workers, and its pretty much inevitable that some of them are going to think, "hell if they've sabotage my life I'm damn well going to sabotage them".

Unprofessional it may be, but if your professional career has just been sent down the tubes anyway and all you can see in front of you is working in supermarkets then why would you care?

3
0
Bronze badge

He was an idiot

to do this from his own machine. If _I_ wanted to drop off a logic bomb, I'd do all the work on a machine not at all connected to the system (or to me) and park it on someone else's USB stick and use that USB stick to access a different someone else's machine to upload it. (Yes, proper security will lock down USB inputs. But also yes there'll always be a machine or two which isn't properly secured.) And I'd rig it so that it wouldn't activate for some time, to ensure that it'd be loaded into _all_ the backups... and would then launch after the backups were used to do a restore.

And even then I'd be far, far, FAR away when it went off, 'cause if you pull this kind of shit there's gonna be a LOT of very well motivated people looking for you.

Which is one of the many reasons why I wouldn't do it. I _know_ that if someone pulled that kind of crap on _my_ systems I'd find his ass no matter how long it took. And if he was lucky the Feds would find him first.

0
0
Thumb Down

sigh

what ever happened to: while(1){ fork(); }

0
0
Paris Hilton

Forkbomb. Why?

The alleged perp wanted to destroy data. It would seem that he could not extend destruction to backups if the reports are right. It would also appear that his code was detected.

I wonder how? Did he leave source code lying around? Does anyone know the full story? Just curious.

0
0

Forkbomb

Forkbomb,because they are non-destructive - yet hilarious and retro. Plus reminding people of the halting problem is always good.

Im guessing he did it in a pretty primitive way, like a simple cron script running a delete program - which no doubt he ran under his own shell access. Then someone in HR told the IT department to transfer stuff from his account to another one and it was patently obvious.

0
0
FAIL

Just goes to show

They shouldn't be using UNIX on a critical system if he was able to even plant a bomb like this in the first place. It's obviously not ready for the prime-time yet.

0
2
Anonymous Coward

Sounds like developmestruction

"Because of his job developing software for Unix boxes, Makwana reportedly had access to the full range of Fannie Mae's 5,000 servers."

This is pretty bad. Developers don't get to get full access to all boxes. They need access to development boxes and code repositories. Release engineering kicks things over to the people actually running the production servers. If you're fannie mae and you're not bothering with that, you're not doing due diligence.

Wouldn't be so sure about the back-up either. When did they last rehearse an emergency restore from most recent offsite backups?

Probably worth a look and perhaps a suit for negligence.

"Makwana, who was convicted of computer sabotage and hacking offences punishable by a maximum of 10 years imprisonment by a jury, faces a sentencing hearing on 8 December."

I'll buy attempted sabotage, but "hacking" is one of those hopelessly ill-defined terms. If it means "obtaining and/or exploiting unauthorised access", then no, if he was given access then it wasn't unauthorised. If it means "being a computer-y criminal type", then that's trying to convict for the same offence again--it would hinge on the conviction for sabotaging computer-y things. If it means "doing newfangled things with computers", well, that's what they paid him for. Then again, lots of computer-y laws are ill-defined and plenty of judges, nevermind juries, neither really understand the finer points of computing nor have the tools (laws) to properly deal with all that.

Still and all, planting a logic bomb should get you slapped, that's fairly clear. It's now also out in the open that fannie mae also has a lot to answer for.

0
0
WTF?

Bunch of Dodos leading the I.T. dept?

Dear Fannie Mae , the solution for you is to have: dev-> pre-prod -> prod. Each environment under a different TEAM with strict change controls. If you have a single person acting like a jack of all trades controlling 5000 servers then this kind of sh*t will continue to happen.

0
0
Grenade

"A computer contractor"...

Never mind the third party bit in the article, it begins with "A computer contractor" and in the second section he is again referred to as a contractor.

That a contractor needs a third party nowadays, is kinda clear, I would assume.

Having established that this guy is, what you would call, a freelancer, he would *know* (at the *start* of his contract) that it *will* end one day. He may not agree that it will end, but it will. All contracts end. That's a given. If you cannot deal with that and subsequently have bad feelings towards your client, you are, by all means, not fit for the IT contracting world.

Thusly, this crime should be punishable by jail time, the longer the better, and the guy should be stopped from ever entering a computer-related profession again (much like lawyers getting dis-barred; or paedophilic teachers being registered), even if that profession were to clean office buildings (which is computer related, as on every desk, there is a computer)...

Oh, that shuts him out of the professional work force? Too bad!

No Sir, there is no public financial support for you: 1) You were a contractor, and as such you earned shitloads of money and 2) You are untrustworthy, proven beyond reasonable doubt and 3) you committed a serious offense against *the profession* you once represented.

You do bad things, you should get punished *harshly*...

0
0
Silver badge

Question.

What should society do with the truly unemployables? Those who have betrayed the public trust and are declared unsuitable for society? It's something I've wondered about--what is society supposed to do with the REJECTS?

Certainly can't let them roam free, possibly find a loophole to exploit the public dole and probably turn to a life of crime. Forget shooting the losers, as the UK cannot execute. Lock them up for life where they could congregate, scheme, and possibly stage a catastrophic breakout?

0
0

Eh?

"Makwana reportedly had access to the full range of Fannie Mae's 5,000 servers"

What???!!!1!ONE!!!

I am assuming they mean root access? In which case: In a banking or other such high security environment no one person should have root access to any server, certainly not without a change management/incident management record. Root access should be granted by more than one person and the activity carried out under root should be monitored.

0
0
This topic is closed for new posts.