logic bombs against the city
anarcho | 05.02.2009 08:56 | Globalisation | Technology | World
A logic bomb allegedly planted by a former engineer at mortgage finance company Fannie Mae last fall would have decimated all 4,000 servers at the company, causing millions of dollars in damage and shutting down Fannie Mae for a least a week.
On the afternoon of Oct. 24, a Unix engineer was told he was being fired because of a scripting error he'd made earlier in the month, but he was allowed to work through the end of the day. Five days later, another Unix engineer at the data center discovered the malicious code hidden inside a legitimate script that ran automatically every morning at 9:00 a.m.
Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company's monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeroes.
The U.S. housing market lost $3.3 trillion in value last year and almost one in six owners with mortgages owed more than their homes were worth as the economy went into recession. The median estimated home price declined 11.6 percent in 2008 to $192,119 and homeowners lost $1.4 trillion in value in the fourth quarter alone. The U.S. economy shrank the most in the fourth quarter since 1982, contracting at a 3.8 percent annual pace, the Commerce Department said. Record foreclosures have pushed down prices as unemployment rose. More than 2.3 million properties got a default or auction notice or were seized by lenders last year.
Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company's monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeroes.
The U.S. housing market lost $3.3 trillion in value last year and almost one in six owners with mortgages owed more than their homes were worth as the economy went into recession. The median estimated home price declined 11.6 percent in 2008 to $192,119 and homeowners lost $1.4 trillion in value in the fourth quarter alone. The U.S. economy shrank the most in the fourth quarter since 1982, contracting at a 3.8 percent annual pace, the Commerce Department said. Record foreclosures have pushed down prices as unemployment rose. More than 2.3 million properties got a default or auction notice or were seized by lenders last year.
anarcho
Comments
Hide the following 5 comments
Only people
05.02.2009 18:44
suspicious
all big companies have backups anyway
05.02.2009 19:56
anon
lessons learnt
05.02.2009 20:57
Reminds me of a case where a guy started a fire when he was sacked, ended up killing several fellow employees.
code
Remove with force - conspiracy theory
06.02.2009 11:18
"On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server," the affidavit states. "... IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. ... The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle."
NetRange 172.16.0.0 - 172.31.255.255 is a reseved block so this really was a Fannie Mae internal IP.
Development servers don't or shouldn't be able to access systems servers so accessing one should not have been able to decimate more than one server. If it can, the entire remaining staff should be sacked for incompetency. If any self-respecting intelliegent admin had gained access to a development server then they would have caused damage another way, not by placing a time-delayed script. You would have downloaded the info available, then one by one explored what other access you had to do the same. Or you would have slowly changed the data, imperceptably. Or you would do something else rather than what is alleged.
Smoking gun though is the user ID. When someone does get sacked, they hand in their keys and they're external access is cut - their passwords are deleted, their accounts suspended or deleted, their systems closed down. So they sacked this guy and left his passwords up? Why would they break standard practice like this? Did they also leave him a front door key?
The prosecution of this guy is bullshit. I've seen similar stuff in other places so here is my reconstruction.
The criminal gets this guy sacked for office politics (BOFH) reasons. It is someone in the IT dept or at least someone who has admin access to system servers. They then login using this guys account, maybe remotely or maybe in the guys cubicle directly through the IP cable. They add a script to the the end of one of his scripts, and do so leaving all the logs intact so that he can be blamed.
This sort of shit happens daily, careers get ruined but it never results in prosecution because it can't be proven not to be internal. It is a malicious prosecution for what is the companies current employeees fault one way or the other.
Funny story. To understand you first need to read this from wikipedia:
"rm -rf (variously, rm -rf /, rm -rf *, and others) is frequently used in jokes and anecdotes about Unix disasters. The rm -rf / variant of the command, if run by a superuser on the root directory, would cause the contents of every writable mounted filesystem on the computer to be deleted."
So anyway I'm sitting scripting on my Solaris test sparc, open-plan surrounded by the 'creme de la creme', and a developer/script-kiddie a few chairs up starts talking about when someone he worked with accidentally typed in rm -rf.
Because he is talking about it, it is at the back of his mind so at one point he types it in, and his sparc goes out. He loses his days work and has to get an admin to restore the previous data, which takes ten minutes but which is a huge embarrassment to him. Everyone is thinking 'Poor guy, what a fuck up for typing in rm -rf just because he was thinking about it'. Or at least that is what I was thinking when I typed in the same command. Not a career highlight, never got me sacked, took ten minutes to restore.
My point is 'Unix disasters' like this are recoverable delays at worst and no sabateur would limit themselves so. So, there is an implication of a third party disk-wiping software being used. Same again. a recoverable delay.
Because this is Indymedia and not a tech forum, I'll add this. 'How to seriously fuck up a company using IT'.
Packaging.
xMCSE
@xMCSE
09.02.2009 19:07
It depends. If the error was was of a great consequence/cost then you'd get sacked. But yes, one error wouldn't be a cause of a sacking in the most part. People also get sacked because they are incompetent, don't/can't do the job, turn up late, call in sick too often etc.
> I am much amused by people who sack you in the morning then ask you to work in the afternoon. It is the equivalent of saying "We are going to ruin your career tommorow but please do few hours work for us without pay". The person who says that should be sacked themselves.
Yes, it would be insane to sack someone and then let them continue working in IT. Thats generally why they escort you out of the building once you are dismissed. Not nice, but makes logical sense.
code