Fannie Mae dodges a contractor's logic bomb
A disgruntled contractor at Fannie Mae, fired for coding incompetence, attempted to stash a logic bomb on the mortgage giant's servers. Fortunately, it was incompetently implemented, and the 35-year-old accused man is in custody.
Rajendrasinh Babubha Makwana, an Indian national, was employed by a subcontractor for OmniTech as a Unix engineer at Fannie Mae's Urbana, Maryland facility, according to an affidavit sworn by the FBI agent investigating the case. On October 24 at about 1:30 pm, Makwana was fired by Fannie Mae for inadvertently writing a script that switched up permissions on the company's Unix servers. He told his supervisors at OmniTech and turned in his badge and laptop to Fannie Mae around 4:45 pm that day.
On the 29th, a Fannie Mae-employed engineer noticed by chance that a previously legit script had a blank page near the end...and after that page, there was another script, not so legit. The necessary sysadmin pandemonium ensued as staff locked down access to all servers to see what else might be lurking. In addition, they checked the server logs and found...you know where this is going...access by Makwana's "s9urbm" account to the server on which the poisoned file had turned up. It was uploaded mid-afternoon on the 24th, after Makwana's talk with HR.
The script itself was a nasty little thing, set to go off on January 31, 2009 (a Saturday, for maximum IT harassment). It was intended first to disable the monitoring system that Fannie Mae's sysadmins rely on to alert them when systems are in distress. After that, it would disable login to two production servers, followed by the logins to all production, contingency and backup servers. It would then clean out the logs on those servers, eliminating "s9urbm's" digital footprints.
And the fun would continue. After removing the root password appliance access to the server, the script would build a list of all servers with Fannie Mae data and start replacing the data with zeroes. The backup software would also be destroyed right about now. Finally, the script would power off the servers, disabling the ability for sysadmins to remotely restart Fannie Mae's 4,000 servers. (It's not knowable, though rather creepy to think about, whether the perpetrator had some sort of "plans" for those sysadmins forced to drive to the data centers to restart those machines.)
And then the script would do it all from another production server, just in case anything was left standing.
The scheme was foiled by one Unix engineer who apparently noticed that the "end" of the legit script didn't seem to be the final screen of the file, and one hopes that Fannie Mae's doing something nice for that observant person, known only as "SK" in the affidavit. But could anything have been done to neutralize Makwana's allegedly bad intentions?
Perhaps a word with HR is in order. If you read the story above carefully, you saw where the mayhem began -- in the three hours during which Makwana was fired but not corralled.
In fact, the affidavit says, Makwana was able to e-mail his company from his Fannie Mae laptop at around 2:00 pm to tell them of his termination. A little later, someone at Fannie Mae told Makwana that he would have to turn over his laptop and badge by day's end, but he had network access, according to the affidavit, until 4:30 pm that day. And it wasn't until later still that evening that his network access was terminated.
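The window described above, between the 1:30 pm firing and the loss of network access, is something a defender can audit from server logs. The following Python is an added example, not code from the affidavit or from Fannie Mae: it flags events logged by a terminated account after its cutoff and measures how long the account stayed active. The log format, hostnames, paths and event times are constructed; only the account name and the firing time come from the article.

```python
from datetime import datetime

# Constructed sample data. The key=value log format, hostnames and paths are
# hypothetical; only the account name and the 1:30 pm firing come from the article.
TERMINATED = {"s9urbm": datetime(2008, 10, 24, 13, 30)}

SAMPLE_LOG = """\
2008-10-24T11:02:10 user=s9urbm host=srv01 action=login
2008-10-24T14:05:00 user=s9urbm host=srv01 action=login
2008-10-24T15:12:44 user=s9urbm host=srv01 action=write path=/opt/scripts/maint.sh
2008-10-24T15:20:00 user=jdoe host=srv01 action=write path=/opt/scripts/rotate.sh
this line is truncated
""".splitlines()


def parse_line(line):
    """Return (timestamp, fields) for a well-formed line, else None."""
    stamp, _, rest = line.partition(" ")
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    return (when, fields) if "user" in fields else None


def post_termination_activity(lines, terminated):
    """Map each terminated account to its events logged after the cutoff."""
    findings, skipped = {}, 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        when, fields = parsed
        cutoff = terminated.get(fields["user"])
        if cutoff is not None and when > cutoff:
            findings.setdefault(fields["user"], []).append((when, fields))
    return findings, skipped


def exposure_window(events, cutoff):
    """Time between termination and the last activity seen for the account."""
    return max(when for when, _ in events) - cutoff


if __name__ == "__main__":
    findings, skipped = post_termination_activity(SAMPLE_LOG, TERMINATED)
    for user, events in findings.items():
        print(user, "active for", exposure_window(events, TERMINATED[user]))
    print("unparseable lines:", skipped)
```

Activity before the cutoff and activity by accounts that are not on the termination list are ignored, so the output is limited to what a deprovisioning review needs to examine.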
Comparatively speaking, Fannie Mae wasn't so slow on the draw; a study last May by Symark International indicated that over 30% of companies take at least three days to terminate accounts for canned employees, and 12% said it takes their firms longer than a month. More disturbingly, 15% of companies surveyed said that accounts "orphaned" by departing employees have been used at their company to access information on company servers.
If you've ever been privy to a sysadmin firing in which network and hardware access was terminated by the time the HR chat was done, and in which guards escort the former employee out the door, you know it's stressful for everyone. But on balance, it's probably cheaper than the thousands of dollars Fannie Mae says it cost them to shut their servers down and scour them -- and certainly cheaper than the millions of dollars it would have cost if the script hadn't been spotted.
Makwana is being held on $100,000 bail pending trial. The public defender representing him says that his client will plead not guilty to the crime.