The Tech Herald

Fannie Mae logic bomb creator found guilty

by Steve Ragan - Oct 7 2010, 12:23

Rajendrasinh Babubha Makwana, a Fannie Mae contractor indicted earlier this year for creating a logic bomb after being terminated from his job, was found guilty this week by a federal jury in Maryland. The initial indictment raised several issues, including calls to examine the H1B Visa program, but the real problem was policy failure.

During the Makwana indictment, the court said that if the logic bomb had been successful, it would have “caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week.”

The logic bomb was set to execute on January 31, 2009. The first part of the malicious code would have halted Fannie Mae’s network monitors, then stripped access to the servers. After that was completed, its second stage would begin wiping data stored (OS and company related) on the servers – 4,000 servers in total – replacing it with zeros. A third stage would then turn the systems off.

Makwana planted the malicious code after he was fired from his long-term contract job for altering system settings on UNIX servers without permission. The only real saving grace for Fannie Mae was the fact that the logic bomb itself was faulty.

Fannie Mae’s engineers uncovered the logic bomb one week after Makwana planted it, embedded within a script that cron runs at 9:00 a.m. every morning. The assumption is that the faulty code triggered unexpected system alerts, which in turn led to its discovery.

The entire issue could have been avoided, according to several opinions on the topic, if proper IT and HR policy had been in place. This is because Makwana was still allowed to work after his termination. Although he was ordered to surrender his company-issued laptop, his network access remained open.

“Despite Makwana’s termination, Makwana’s computer access was not immediately terminated,” outlined an FBI affidavit. “Access to [Fannie Mae’s] computers for contractor's employees was controlled by the [Fannie Mae’s] procurement department, which department did not terminate Makwana’s computer access until late in the evening on October 24, 2008.”

In essence, Makwana had an entire business day to access the network, something that should have been prevented by removing his access the moment he was informed his contract was ending.

The general rule is that when a person is meeting with their boss and HR (the meeting where they're informed of termination), their access to all systems is to be suspended. If you want to be nice, allow them access to send email, which is monitored.

At the time, it was amusing to see the number of vendors that used this particular case to push access controls. Nothing wrong with that, but in most cases each of the products pushed assumed too much. For one, the logic bombs were on UNIX systems, so Windows-only vendors really had no say in the issue.

Then again, most product pitches using the case failed to mention that network administrators are usually exempt from access controls (who do you think implements the access controls?). Makwana was a Fannie Mae network administrator, so even though there was an audit trail for him, his access was only flagged after the fact.

Facts in the case prove that Fannie Mae had strong logging processes. The initial affidavit says Makwana was singled out as the person who wrote the malicious script because logs revealed his username was the last to access the system where the logic bomb was located. In addition, he was the last to access the malicious file itself, and IP address assignment was used to show he did all of this from his company laptop.
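The termination rule and the log-based attribution described above can be combined into one routine check. The following is an added example, not part of the original article or of Fannie Mae's tooling: it measures how long each account stayed enabled after the termination notice and lists logged activity from that point on. All usernames, hosts, paths and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed sample data (hypothetical users, hosts, paths and times).
HR_TERMINATIONS = {   # username -> time the person was told of the termination
    "jdoe": "2024-03-04T09:30",
    "asmith": "2024-03-05T14:00",
}
ACCOUNT_DISABLED = {  # username -> time the account was actually disabled
    "jdoe": "2024-03-04T22:45",
    "asmith": "2024-03-05T14:00",
}
AUTH_LOG = [          # (timestamp, username, host, action)
    ("2024-03-04T08:10", "jdoe", "app01", "login"),
    ("2024-03-04T15:20", "jdoe", "build07", "login"),
    ("2024-03-04T15:42", "jdoe", "build07", "write /opt/jobs/daily.sh"),
    ("2024-03-05T13:55", "asmith", "db02", "login"),
    ("2024-03-06T10:00", "asmith", "db02", "login denied"),
]

def _ts(value):
    return datetime.fromisoformat(value)

def revocation_lag_hours(user):
    """Hours between termination notice and account disablement.

    Returns None when the account has no disablement record at all,
    which is the worst case and should be escalated first.
    """
    disabled = ACCOUNT_DISABLED.get(user)
    if disabled is None:
        return None
    return (_ts(disabled) - _ts(HR_TERMINATIONS[user])).total_seconds() / 3600

def post_termination_activity(log=AUTH_LOG):
    """Return every logged event by a terminated user at or after the notice."""
    hits = []
    for ts, user, host, action in log:
        notice = HR_TERMINATIONS.get(user)
        if notice is not None and _ts(ts) >= _ts(notice):
            hits.append((ts, user, host, action))
    return hits

if __name__ == "__main__":
    for user in HR_TERMINATIONS:
        print(user, "revocation lag (hours):", revocation_lag_hours(user))
    for event in post_termination_activity():
        print("REVIEW:", *event)
```

Events before the notice, such as the 08:10 login, are ignored; anything after it is surfaced for review, including denied attempts made after the account was disabled.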

Makwana’s nationality, the status of the H1B Visa program, and the outsourcing of work to foreign companies had no role whatsoever in this incident, despite mainstream coverage. The issue is policy. He was fired, yet was still allowed full access to the systems. This failure, this oversight, however you choose to label it, is exactly the doomsday-like scenario that security trainers warn about when you learn how to write IT policy.

Makwana now faces a maximum sentence of 10 years in prison. U.S. District Judge J. Frederick Motz has scheduled sentencing for December 8, 2010 at 9:30 a.m.
