The Inquirer

Contractor indicted for logic bomb

Tried to trash 4,000 servers
Friday, 30 January 2009, 12:53

A FORMER IT CONTRACT WORKER at the giant US mortgage bank known as Fannie Mae* was indicted last week for having planted – on the day he was fired last October – a logic bomb that would have trashed all 4,000 of its production servers tomorrow if it hadn't been found.

Rajendrasinh Babubhai Makwana, an Indian national in the country on a work visa and employed by a contracting firm at the Fannie Mae data centre in Urbana, Maryland, as a computer engineer, was terminated on October 24 for having made unauthorised system changes, according to a sworn complaint and attached affidavit (PDF) by FBI agent Jessica Nye.

Makwana was a member of the Fannie Mae computer centre operations staff. On October 10 or 11, Makwana had put into production a script without proper authorisation from his supervisor. For that transgression, his permission to turn over scripts into production was withdrawn, but the passwords which gave him the actual capability to do so were not changed.

That was the company's first mistake, not changing the production server passwords to lock him out of the systems that he no longer had permission to administer. However, we imagine that his superiors still trusted him, sort of, while they mulled over whether or not to fire him, so they didn't immediately change the production control systems' root passwords.

Makwana was told he was being terminated early in the afternoon of October 24, but he was permitted to remain at his desk until the end of the day, and his computer access was not immediately terminated.

That was their second mistake, not immediately removing him from the operations area. During the next three hours he sent an email to his contract employers to advise them of his termination. And he had time to plant several malicious scripts in Fannie Mae's server complex, according to agent Nye's affidavit.

Five days later, a senior Unix engineer happened to discover one of Makwana's malicious scripts, which was appended to an operations script that runs every morning at 9:00 am to verify that two SAN paths are operational. Upon locking down all production servers and investigating, the operations staff soon discovered four additional malicious scripts.

The first script was coded to remain dormant until January 31, 2009. When triggered, it was crafted to copy and run the other four scripts.

The second script would block the monitoring system to prevent system engineers from receiving any problem alerts from production servers for 61 minutes. It would also build a list of all the servers in the data centre and disable logins to the production control server and its backup server.

The third script would build a list of all Fannie Mae production, contingency and backup servers and run the fourth script on all servers.

The fourth script would first disable all logins and clear all server logs, thus removing all traces of Makwana's activities. It would then set all systems' login messages to "Server Graveyard", remove the root password appliance access so no one could change the root password from it, wipe out all data on all Fannie Mae servers and replace it with zeros, remove the 'High Availability' software from all critical servers that contained it, and finally, power off all of the Fannie Mae servers it could find.

The fourth script was also set up to run on the backup production control server to trash any systems it might have missed while running on the other server, then wipe clean that backup server and power it off, too.
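The scripts described above were found only because an engineer happened to read an operations script that runs on a schedule. Two routine controls would have surfaced the appended payload without luck: an integrity baseline for every scheduled operations script, and a heuristic scan of whatever text was added since the script was approved. The following is an added Python example, not code from the article or from Fannie Mae; the script contents, file path and regular expressions are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: the approved SAN-path check as baselined, and the same
# file as later found on disk with a date-gated payload appended to it.
BASELINE = """#!/bin/sh
# check_san_paths.sh - cron, daily 09:00 (constructed sample)
multipath -ll | grep -c ' active ' || logger -p local0.err "SAN path check failed"
"""
CURRENT = BASELINE + """if [ "$(date +%Y%m%d)" -ge 20090131 ]; then
    sh /tmp/.stage/run.sh >/dev/null 2>&1
fi
"""

# Heuristics for the traits the affidavit describes: a dormant date trigger,
# log clearing, zero-filling storage and powering hosts off.
PATTERNS = {
    "date-gated trigger": re.compile(r"date \+%[Ymd]+.*-(ge|gt|eq)\s*\d{6,8}"),
    "log clearing": re.compile(r"(>\s*|rm\s+(-\w+\s+)*)/var/log"),
    "zero-fill": re.compile(r"/dev/zero"),
    "power off": re.compile(r"\b(poweroff|shutdown|halt|init 0)\b"),
}

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def appended_tail(baseline, current):
    """Text after an intact baseline, or None if the file was edited in place."""
    return current[len(baseline):] if current.startswith(baseline) else None

def suspicious_lines(text, first_line=1):
    """(line number, heuristic name, stripped line) for each matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), first_line):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((lineno, name, line.strip()))
    return hits

def audit(path, baseline_hash, baseline_text, current_text):
    """Compare the on-disk script with its approved baseline and report."""
    report = {"path": path, "modified": sha256_hex(current_text) != baseline_hash}
    if not report["modified"]:
        return report
    tail = appended_tail(baseline_text, current_text)
    report["appended_only"] = tail is not None
    # Scan only the appended tail when the baseline is intact (numbering its
    # lines from where the baseline ends); otherwise scan the whole file.
    start = baseline_text.count("\n") + 1 if tail is not None else 1
    report["findings"] = suspicious_lines(current_text if tail is None else tail, start)
    return report
```

The baseline hash would come from the change-control record that approved the script, so an unmodified file is a one-line check and only changed files are scanned.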

The only more thorough trashing of Fannie Mae's data centre we might possibly imagine would have to entail something on the order of an actual bomb.

Makwana is free on $100,000 bail, but we doubt he'll be flying back to India for a while. µ

*Fannie Mae is one of two (along with Freddie Mac) huge US secondary market mortgage holders that was taken into receivership by the US government during the Wall Street meltdown last fall. The name Fannie Mae stems from the acronym for its name, FNMA, which stands for Federal National Mortgage Association. Fannie Mae currently holds millions of US home mortgages, several trillion dollars' worth. To say it's a large financial operation is an understatement.

L'Inq
The Examiner


Comments
Good Workrate

If he could code that much in a day, they should have promoted him.

But if it was pre-planned, that's a wee bit different.

posted by: Jim, 30 January 2009
Wow

Do ya think he was a wee bit disgruntled at being fired ??

Well, he could always be employed by the US government & sent to kill servers of governments they dont like ;)

posted by: Al, 30 January 2009
Too much access

I am surprised at the level of root access one person was given. Root access to 4000 production servers, including their backup, contingency and monitoring machines, is way too much. Also, a person with this level of access is exactly the type you want to lock out before they are informed of being fired. What were they thinking?

posted by: Tavi, 30 January 2009
HOW

Even at the small company I used to work at, your network access was gone before you were. He could not have written and tested all those scripts in one day; if so, I bet the first one would have crashed with a syntax error!

posted by: KC, 30 January 2009
Who runs Freddie?

There are a lot of Indians at Freddie Mac...many of them good, but more are clueless.

If this guy is smart he'll be nowhere to be found ...

posted by: DBoff, 30 January 2009
but wait...

...think of all the money they saved on the H1B! Executives - another bonus please. More homeless Americans, who cares.

posted by: lala, 30 January 2009
Typical Government Bureaucratic Stupidity

Goddamn idiot government bureaucrats! Why the hell are they letting a foreign national work on key government systems?

They should fire the dickheads who allowed him into the systems in the first place. Never mind he was working for a contractor; I've been into enough situations where I had to certify my US citizenship before I'd be allowed access, no matter for whom I was working.

posted by: Rich Wargo, 30 January 2009
IDIOTS....

Since this was indeed a key government system, this could be viewed as a premeditated terrorist act, since the bloke was fired for executing an unauthorized script in the first place. The unauthorized script he was fired for executing was probably a dry run for what he intended to do in the first place- a premeditated plan to wipe out the Servers at Freddie Mac. He's not going to make it back to India.....

posted by: Frank Black, 30 January 2009
World of hurt

I hadn't considered the terrorist angle. The contractor probably didn't realize that, as one of the largest databases of financial assets and transactions, a catastrophic attack on the Fannie Mae systems would be considered a national security threat due to its economic impact. So the consequences may be much worse than if he had just attempted to nuke the computers at some small company. He could potentially do some hard time for this one. What an idiot.

posted by: Tavi, 30 January 2009
Good Grief (and Good Catch!)

Good grief - this contractor wasn't immediately revoked of all access... just his "permission" was pulled. Typically expected separation of duties and basic provisioning controls should've prevented this near-miss from even being a possibility - especially after revoking access. This malicious setup would've been very bad under normal circumstances - much worse with the entire mortgage industry tipped sideways. Hopefully management is getting after this with improved controls - how about hiring improvements for a starter - to help prevent a next-time.

This Week in Security
http://thisweekinsecurity.blogspot.com

posted by: Orlando Stevenson, 01 February 2009
@Rich Wargo

Rich, you really think that of all things, the problem here was that he was Indian? I guess your idea of security is all about checking nationalities, since of course no US citizen would ever do such a thing, right? A xenophobic moron is what you are.

posted by: No one in particular, 02 February 2009
@No one in particular

Well, yes, there *was*, on surface reading, an accusatory tone implicating premeditated terrorist tragedy perpetrated by an Indian, a foreigner, brought into broad server admin rights by work-opportunity (presumably) which is too poor to afford hiring from the unemployed locals.

I don't think that's quite what Rich Wargo made it about though. He especially didn't just make it about being "Indian". "Foreign national" was the thrust of the contribution there, but more emphasis (including his comment title) is placed on punishing, firing, ranting at the local government employees that permitted such a condition (as opposed to hating varied opportunities across borders or threatening to root out all the treacherous demons posing as Indian terrorists in this life, bombs, brimstone, etc.). Maybe he's actually saying "of course *way too many a* US citizen would ever do such a thing" by poorly working for government (which may be a *worse* thing to him than being a "foreign national" or "Indian" that ignited you).

Then maybe the word xenophobic is necessarily a little too close to technically hollowing its own meaning by automatically applying to any existent application of xenophobia as itself a mildly derogatory categorization of any categorization that is (at least) mildly derogatory. There's a rabbit-hole.

So are you a "xenophobic moron" for calling someone a "xenophobic moron"? I guess it depends how you look at it.

I'd say probably not, because you brought out a latent sub-text of the thread that is understandably hot && can be awkward to have veiled in non-inflammable gown, but I don't know if you went about it in a way that got your point across much better than just *being* the purple elephant in the room. It could go either way, if my opinion on your "xenophobic moron" score was sufficiently significant to you (or hopefully, more accurately, my explanations && justifications behind any particular scoring might be more significant to you, being about what has been communicated by you && others).

There's my 8-bits byting. L8r.

-Pip

posted by: Pip, 12 November 2009