
logic bombs against the city

anarcho | 05.02.2009 08:56 | Globalisation | Technology | World

A logic bomb allegedly planted by a former engineer at mortgage finance company Fannie Mae last fall would have decimated all 4,000 servers at the company, causing millions of dollars in damage and shutting down Fannie Mae for at least a week.

On the afternoon of Oct. 24, a Unix engineer was told he was being fired because of a scripting error he'd made earlier in the month, but he was allowed to work through the end of the day. Five days later, another Unix engineer at the data center discovered the malicious code hidden inside a legitimate script that ran automatically every morning at 9:00 a.m.

Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company's monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeroes.

The U.S. housing market lost $3.3 trillion in value last year and almost one in six owners with mortgages owed more than their homes were worth as the economy went into recession. The median estimated home price declined 11.6 percent in 2008 to $192,119 and homeowners lost $1.4 trillion in value in the fourth quarter alone. The U.S. economy shrank the most in the fourth quarter since 1982, contracting at a 3.8 percent annual pace, the Commerce Department said. Record foreclosures have pushed down prices as unemployment rose. More than 2.3 million properties got a default or auction notice or were seized by lenders last year.

anarcho

Comments


Only people

05.02.2009 18:44

involved in the Fannie Mae scams would want to destroy all Fannie Mae's data, or am I wrong?

suspicious


all big companies have backups anyway

05.02.2009 19:56

All big companies have nightly backups of their servers anyway, so while this is a great symbolic act, it wouldn't do as much damage as some people might hope.

anon


lessons learnt

05.02.2009 20:57

So they sacked him because he wasn't very good at his job. He was upset and decided to wipe the computers out of spite. I used to think it was a bit harsh to have security escort people out of the building when they are dismissed, but now I see it makes perfect sense given what could happen.
Reminds me of a case where a guy started a fire when he was sacked, ended up killing several fellow employees.

code


Remove with force - conspiracy theory

06.02.2009 11:18

Nobody is ever sacked for a scripting error; that will be an excuse at best. You get sacked because people don't like you or don't trust you. I am much amused by people who sack you in the morning then ask you to work in the afternoon. It is the equivalent of saying "We are going to ruin your career tomorrow but please do a few hours' work for us without pay". The person who says that should be sacked themselves.

"On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server," the affidavit states. "... IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. ... The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle."

NetRange 172.16.0.0 - 172.31.255.255 is a reserved block, so this really was a Fannie Mae internal IP.

Development servers don't or shouldn't be able to access systems servers, so accessing one should not have been able to decimate more than one server. If it can, the entire remaining staff should be sacked for incompetency. If any self-respecting intelligent admin had gained access to a development server then they would have caused damage another way, not by placing a time-delayed script. You would have downloaded the info available, then one by one explored what other access you had to do the same. Or you would have slowly changed the data, imperceptibly. Or you would do something else rather than what is alleged.

Smoking gun though is the user ID. When someone does get sacked, they hand in their keys and their external access is cut: their passwords are deleted, their accounts suspended or deleted, their systems closed down. So they sacked this guy and left his passwords up? Why would they break standard practice like this? Did they also leave him a front door key?

The prosecution of this guy is bullshit. I've seen similar stuff in other places, so here is my reconstruction.
The criminal gets this guy sacked for office politics (BOFH) reasons. It is someone in the IT dept or at least someone who has admin access to system servers. They then log in using this guy's account, maybe remotely or maybe in the guy's cubicle directly through the IP cable. They add a script to the end of one of his scripts, and do so leaving all the logs intact so that he can be blamed.

This sort of shit happens daily; careers get ruined but it never results in prosecution because it can't be proven not to be internal. It is a malicious prosecution for what is the company's current employees' fault one way or the other.

Funny story. To understand you first need to read this from wikipedia:
"rm -rf (variously, rm -rf /, rm -rf *, and others) is frequently used in jokes and anecdotes about Unix disasters. The rm -rf / variant of the command, if run by a superuser on the root directory, would cause the contents of every writable mounted filesystem on the computer to be deleted."

So anyway I'm sitting scripting on my Solaris test sparc, open-plan surrounded by the 'creme de la creme', and a developer/script-kiddie a few chairs up starts talking about when someone he worked with accidentally typed in rm -rf.

Because he is talking about it, it is at the back of his mind so at one point he types it in, and his sparc goes out. He loses his days work and has to get an admin to restore the previous data, which takes ten minutes but which is a huge embarrassment to him. Everyone is thinking 'Poor guy, what a fuck up for typing in rm -rf just because he was thinking about it'. Or at least that is what I was thinking when I typed in the same command. Not a career highlight, never got me sacked, took ten minutes to restore.

My point is 'Unix disasters' like this are recoverable delays at worst and no saboteur would limit themselves so. So, there is an implication of a third party disk-wiping software being used. Same again: a recoverable delay.

Because this is Indymedia and not a tech forum, I'll add this. 'How to seriously fuck up a company using IT'.

Packaging.

xMCSE
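An added check, not part of the original post or of the affidavit: given an offboarding roster and sshd-style log lines, it flags successful logins by accounts that should already have been disabled, which is the gap the comment above points at. The user ID, IP address and hostname are the ones quoted from the affidavit; the log line format, the other entries and the 12:00 cutoff time are constructed for the example.

```python
"""Flag SSH logins by accounts that should already have been disabled."""
import re
from datetime import datetime

# Constructed offboarding roster: user ID -> time the account should have been
# disabled. The cutoff time is an assumption; the post only says the engineer
# was told of his dismissal that afternoon.
OFFBOARDED = {"s9urbm": datetime(2008, 10, 24, 12, 0)}

# Constructed log lines in OpenSSH/syslog style. Only the user ID, IP address
# and hostname come from the affidavit; everything else is made up.
AUTH_LOG = """\
Oct 24 09:12:03 dsysadmin01 sshd[2201]: Accepted password for s9urbm from 172.17.38.29 port 51022 ssh2
Oct 24 14:53:10 dsysadmin01 sshd[2390]: Accepted publickey for s9urbm from 172.17.38.29 port 51240 ssh2
Oct 24 15:01:44 dsysadmin01 sshd[2402]: Failed password for s9urbm from 172.17.38.29 port 51301 ssh2
Oct 24 16:20:00 dsysadmin01 sshd[2455]: Accepted password for jdoe from 172.17.40.7 port 40112 ssh2
"""

# Matches only successful logins; failures and other sshd noise are ignored.
LOGIN_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_login(line, year=2008):
    """Return a dict for an 'Accepted ...' sshd line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"], "method": m["method"]}


def stale_account_logins(log_text, roster, year=2008):
    """Return successful logins that happened after the user's offboarding time."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_login(line, year)
        if ev is None:
            continue
        cutoff = roster.get(ev["user"])
        if cutoff is not None and ev["ts"] > cutoff:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in stale_account_logins(AUTH_LOG, OFFBOARDED):
        print(f"{ev['ts']} {ev['user']} from {ev['ip']} on {ev['host']} ({ev['method']})")
```

Only the 14:53 login is reported: the morning login predates the cutoff, the failed attempt is not a login, and the other user is not on the roster.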


@xMCSE

09.02.2009 19:07

> Nobody is ever sacked for a scripting error, that will be an excuse at best. You get sacked because people don't like you or don't trust you.

It depends. If the error was of a great consequence/cost then you'd get sacked. But yes, one error wouldn't be a cause of a sacking for the most part. People also get sacked because they are incompetent, don't/can't do the job, turn up late, call in sick too often etc.

> I am much amused by people who sack you in the morning then ask you to work in the afternoon. It is the equivalent of saying "We are going to ruin your career tomorrow but please do a few hours' work for us without pay". The person who says that should be sacked themselves.

Yes, it would be insane to sack someone and then let them continue working in IT. That's generally why they escort you out of the building once you are dismissed. Not nice, but it makes logical sense.

code

