Fannie Mae logic-bomb saboteur convicted

What a load of old Fannie

When a security incident of this nature occurs, we tend to file it away as an example of an ‘employee gone bad’. In reality, it constitutes a failure of the organisation to uphold its responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems.

It is also important to consider that in the case of Fannie Mae, this was not a direct employee, but rather a third-party contractor. Many companies treat non-employees (subcontractors, partners, customers etc) with different levels of trust compared to known and vetted direct employees. As such external parties are usually afforded differing levels of control and access as they are often more difficult to manage, sitting outside the traditional chain of company HR and administrative controls.

At a basic level, an organisation and its management has a financial responsibility as well as an administrative responsibility to ensure that access to critical information and applications is authorised and that it is continually monitored for all users, be they direct or indirect employees, to make sure the resulting activity is appropriate and permitted. The failure stems from the ‘perception of control’ an organisation has over their most sensitive networks, systems and devices.

Failure to control privileged identities and high-level access to systems has led to several instances of critical security failures in blue-chip companies in the past two years. In addition to the incident at Fannie Mae, the city of San Francisco was brought to its knees in 2008 because an employee locked down the city’s IT system through a privileged account. The former employee responsible for that, Terry Childs, was convicted and jailed for four years, but not before his actions cost San Francisco millions in lost productivity and court costs.

The conclusion of the Fannie Mae incident once again highlights the need for an integrated and managed view of what is appropriate user access and activity across the IT estate.

So this genius...

Did all his work from his own workstation?

"Subsequent forensic analysis of computer logs traced the attempted attack back to Makwana's workplace laptop"

Malicious, pathetic, and also stupid. Maybe he will find time to grow up in prison.

Trusting SubKs

Until quite recently I worked with a "Big Blue" company. Our subcontractors were given all if not more access then regular employees.....

He was an idiot

to do this from his own machine. If _I_ wanted to drop off a logic bomb, I'd do all the work on a machine not at all connected to the system (or to me) and park it on someone else's USB stick and use that USB stick to access a different someone else's machine to upload it. (Yes, proper security will lock down USB inputs. But also yes there'll always be a machine or two which isn't properly secured.) And I'd rig it so that it wouldn't activate for some time, to ensure that it'd be loaded into _all_ the backups... and would then launch after the backups were used to do a restore.

And even then I'd be far, far, FAR away when it went off, 'cause if you pull this kind of shit there's gonna be a LOT of very well motivated people looking for you.

Which is one of the many reasons why I wouldn't do it. I _know_ that if someone pulled that kind of crap on _my_ systems I'd find his ass no matter how long it took. And if he was lucky the Feds would find him first.

Sounds like developmestruction

"Because of his job developing software for Unix boxes, Makwana reportedly had access to the full range of Fannie Mae's 5,000 servers."

This is pretty bad. Developers don't get to get full access to all boxes. They need access to development boxes and code repositories. Release engineering kicks things over to the people actually running the production servers. If you're fannie mae and you're not bothering with that, you're not doing due diligence.

Wouldn't be so sure about the back-up either. When did they last rehearse an emergency restore from most recent offsite backups?

Probably worth a look and perhaps a suit for negligence.

"Makwana, who was convicted of computer sabotage and hacking offences punishable by a maximum of 10 years imprisonment by a jury, faces a sentencing hearing on 8 December."

I'll buy attempted sabotage, but "hacking" is one of those hopelessly ill-defined terms. If it means "obtaining and/or exploiting unauthorised access", then no, if he was given access then it wasn't unauthorised. If it means "being a computer-y criminal type", then that's trying to convict for the same offence again--it would hinge on the conviction for sabotaging computer-y things. If it means "doing newfangled things with computers", well, that's what they paid him for. Then again, lots of computer-y laws are ill-defined and plenty of judges, nevermind juries, neither really understand the finer points of computing nor have the tools (laws) to properly deal with all that.

Still and all, planting a logic bomb should get you slapped, that's fairly clear. It's now also out in the open that fannie mae also has a lot to answer for.

Eh?

"Makwana reportedly had access to the full range of Fannie Mae's 5,000 servers"

What???!!!1!ONE!!!

I am assuming they mean root access? In which case: In a banking or other such high security environment no one person should have root access to any server, certainly not without a change management/incident management record. Root access should be granted by more than one person and the activity carried out under root should be monitored.