Fannie Mae Worker Indicted For Malicious Script
dfdashh writes "A former Fannie Mae contractor has been indicted by a federal grand jury in Baltimore, MD for computer intrusion. He attempted to propagate a malicious script throughout the company's 4,000 servers. The DC Examiner has details of the incident: 'Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week. ... The virus was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae's computer monitoring system and then cutting all access to the company's 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying "Server Graveyard." From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.'"
the only thing that matters to me... will it erase my mortgage??!??!
We've gotta wipe the system, man. Give everyone a blank slate!
http://www.chaotickingdoms.com
Either a laughing skull and bones or an animated version of him as a bobblehead that pisses off Samuel L. Jackson with his hacker crap?
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Leading to a downturn in mortgages issued to people who have no chance of paying them back.
Sounds like a white hat to me.
The "Fight Club" guy in me would like to have seen that particular bomb go off. I know the damage would not have been permanent, perfect or complete (That's what backups are for... right?) but still. Taking those financial giants down a peg might have tickled me. (It damn sure wouldn't have taught anyone any moral lessons or anything.)
Well now, if you are going to go big, go big or go home... this guy probably shouldn't have even left the house as he obviously wasn't smart enough to take the precautions that would have been necessary to hide his tracks.
Look like he was flying through a cyberspace version of his city while he was doing it???
A virus that can propagate through an entire enterprise's array of servers, and then wipe out all data?
Most enterprises comprise a heterogeneous mix of servers of differing breeds. Getting a program to run on all of them, and then to gain access to data and transform it all in a single virus would be a great piece of programming, and any enterprise looking to hire an efficient data migration specialist or integration architect should consider hiring...
What's the fuss all about? I'm sure they've got everything reliably backed up on tape...right? right???!?!?
He should have had it wipe out WINDOWS !
I hope this helps your next malicious script.
Yours In Socialism,
Kilgore Trout
Any comment at this point would bring the Political Correctness Police down on me like a horde of avenging non-denominational metaphysical winged beings.
If you were blocking sigs, you wouldn't have to read this.
Bruce Schneier is right; security is a process, not a product. The internal threats are just as great, if not greater, than the external ones.
...turned Fannie Mae into a financial failure.
Considering that Fannie Mae has been losing billions every week, the idea of only losing a few million for a week sounds like a great idea.
I am Jack's complete lack of surprise
Technically, all of the data in a computer is really just a bunch of ones and zeros, so assuming a fairly even mix of those two possibilities, writing over everything with zeros would only change half of their data.
One time I threw a brick at a duck.
Perl can do just about anything.
What could have been. On the other hand. It could also have been Fannie Mae execs attempting to cover up illegal activities and fraud. In that case, nice catch!
The report is obviously not a techy. Its "IP Address"!
But is the reporter a science guy?
If I have been able to see further than others, it is because I bought a pair of binoculars.
Of course it isn't verifiable, but I thought this was interesting:
H1B#36a: "What wasn't reported was that the contractor was fired for writing a script poorly, that caused the failover of a number of High-Availability production servers. His "landmine/timebomb" script was found through his same poor scripting skills. Whatever doping manager that hired that guy should be fired too, along with his director and VP!"
-t.
Are you sure it was actually malicious?
I remember I was accused of malicious behaviour when my teacher saw me writing HTML code. I was banned from use of any computer in the building until I hit high school.
(yea, yea.. this is a little more serious. I know.)
This is like if someone mixed the movies Office Space and Fight Club together!
Fannie Mae doesn't keep backups of their critical data? Awesome. No wonder they're so successful!
Maybe it would have gotten rid of them (should have happened when they went bankrupt, like what happens to most companies)...
Slightly sarcastic, but with a point.
The real question is how did they prove he was the person at the keyboard at the time the IP address was used?
ZING!!
Ascalante: Your bride is over 3,000 years old.
Kull: She told me she was 19!
It's high time for a public flogging.
Conservative, mod down for violating
They don't need to, I'm sure that:
1- he was fired that day
2- the edits came from his account
3- the login came from his workstation
That's more than enough evidence to convict, unless he can prove otherwise. Don't think you need to be caught red-handed with photographic proof to be sent to prison. Circumstantial evidence is more than enough unless you have a good defense.
this is their business model over there.
if this is supposed to be a new economy, how come they still want my old fashioned money?
To have an affair with Barney Frank
Gosh, what would they do if they lost millions? They're so used to losing billions they'd probably keep accidentally adding extra zeros to the end.
I'm referring to the guy that pointed out the virus of course. The act of placing a virus to erase the data was an act of great heroism. It would have been great if it worked.
cinema's next The Devil Wears Prada.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Mod parent up!
What about the billions or trillions of dollars of damage done to the taxpayers by Fannie Mae, and its incestuous twin, Freddie Mac? Anyone attempting to take out this job-killing, economically destructive abomination is a patriot.
Slashdot: Playing Favorites Since 1997
Land it in the Hudson.
The dangers of knowledge trigger emotional distress in human beings.
When the deed was recorded at the local records office, the fact that the bank has a lien on it is recorded along with it. The only way to clear that lien is to get the lienholder to have a letter saying so attached to your deed, or you have to have a court do it.
SirWired
couldn't somebody at the credit company do this...and not get caught?
The Kruger Dunning explains most post on
From there, the virus would wipe out all Fannie Mae data, replacing it with zeros
Wouldn't zero be an improvement over negative whatever?
Set your phasers on "funky"!
They might have gone down for a few days, but surely they have recent system back-ups to restore from, and daily backups to restore the data from. ...Right? Please?
A) "...all of the data in a computer ***ARE*** really just a bunch..."
B) "...just a bunch of ones ***OR*** zeros..."
I wonder, wouldn't this be a quite effective way to manipulate stock value?
Is it possible to short sell FNM, there were limitations on finance companies in place at some point?
I joined two users too late.
They fired him. And let him have some access before he left.
Not a good idea. Sadly, you have to be aware of the threat. If you're firing someone with admin access, you should meet with them in a room without a workstation, explain the situation, and send them back to their desk to clean it out - with a monitor to ensure their workstation stays turned off.
While you're having the meeting, someone shuts down their workstation, disables network access, and - if not concurrently - immediately revokes their privileges. You do not finish the meeting until you receive confirmation that they no longer have access. Usually you have to let them be interviewed before you can kill their access, since some people get suspicious when they can't sign on. Forbid that the Help Desk will assist them in resetting their password. You gotta kill their privileges. The ideal scenario is letting them sign on but have no access to anything. After they are gone, then you can reset the password. Some systems need the access left in place to do forensics or establish their replacement (a sign of inadequate documentation) and thus you have to resort to the password trick.
If in doubt, I've cut their network cable right off, or even superglued blank plugs in their office jacks while I go back over their privileges. I can replace the jacks easily.
An unfortunate oversight. Some places have this 'exit interview' with security present. Some, like Fannie Mae back then, don't think it through.
Can't be too careful.
Here, I work in a fairly secure environment. In spite of that, some of my IDs got associated with another employee with the (mostly) same name, go figure. He left at the end of the year. I've been getting access established to many systems as our security group has dutifully deleted my access as his. Too damned efficient.
deleting the extra space after periods so i can stay relevant, yeah.
C) ***zeroes***
Damn, copy/paste
Yes. But what is the downside to all of this?
Hyperinflation will do that for you.
any hacker worth his/her salt should have changed all the ones to zeros and all the zeros to ones! N00BS!!
Astonishing isn't it? If you steal an apple from a street vendor you get the billyclub. This guy will probably be punished in some way. If you wreck an economy we will probably loan you more money to "fix" the problem, and at very worst we'll send you out the door with a really fat bonus. Oh the pain, the pain....
Depends on the jury you get.
Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
There's a perverse side of me that kinda wishes the guy had succeeded. I'd love to see the government brought down a couple of notches.
"Politicians always tell the truth, when they're calling each other liars."
The "Fight Club" style of "getting back at the Man" isn't very practical. There would be some period of disarray, but if you really want to screw things royally, you would introduce random, but very small data errors that hopefully get overlooked. Over time, these affect the balance sheets, the "business algorithms" in place, and generally make it a nightmare to figure out how to fix things. All of this "silent data corruption" would be propagated to disaster recovery systems. Your "backup tapes" would basically contain a perfect copy of bad data. Yes, eventually, you could find the point at which the "disaster" occurred and go back to that time, but if days, weeks, months have passed, how do you replay all of those transactions from that point on? The bank (market, economy, etc.) is screwed.
Yes, this is a little like the "Superman 3 Salami Slicing Fraud" but the only reason that gets flagged is because there is a net output from the balance sheet. If everything just got twisted up internal to the bank, it would be much easier to hide.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
Tyler Durden: You're not your job. You're not how much money you have in the bank. You're not the car you drive. You're not the contents of your wallet. You're not your fucking khakis. You're not an evil hacker that can take down a server farm. You're the all-singing, all-dancing crap of the world.
Had the F-M servers been running the latest NinnleBSD, they would have been impenetrable. The new NinBuster protection suite would have been able to detect and disable the initial attack immediately thanks to its improved adaptive technology.
it's not a worm or a virus
it's something more than a trojan
logic bomb?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
"a senior computer engineer discovered the virus Oct. 29. The malicious code was hidden after a blank page, and "it was only by chance" that the senior engineer scrolled down and found the virus .. An Internet Protocol address was eventually linked to Makwana's company-issued laptop"
Why didn't the 'computer monitoring system' detect him inserting the 'malicious script' and what kind of script hides after a 'blank page'?
davecb5620@gmail.com
...how about actually knowing what you're talking about? The grandparent was 100% correct in his original wording. 'Data' is one of those plural nouns which is treated as singular in a grammatical context. Therefore, "is" would be the correct verb in this instance. Secondly, using the word "or" in this context would imply a different--and bizarre--meaning from what the GP intended, because it would imply exclusivity; i.e. the "bunch" is either ones, or zeroes, as opposed to "and" which says that the "bunch" contains both ones and zeroes. Try making the changes you suggested and read it aloud to yourself. It sounds stupid and unnatural, doesn't it?
"They fired him. And let him have some access before he left"
.. :)
Interesting, if a little overkill, but why is your interesting post modded flamebait, go figure
davecb5620@gmail.com
While reading through the article, and some of the talkback, I stumbled across this document which contains results of the actual investigation. It has lots of actual details, and is worth a read. (meanwhile, the news articles are a little too dumbed-down to be of any real value or interest).
Very true. It amazes me that middle class anarchists believe that if the current society is obliterated it will be a net gain for them because a more equitable society will replace it. Historically you're much more likely to end up with some sort of Pol Pot style nightmare.
Even as a hardcore liberal, that's my main argument in favor of gun ownership, a well-armed populace, with personal liberty and responsibility as our most essential civic virtues. Where guns are prohibited, the only people with guns are criminals... and the government. In Cambodia, the Khmer took the guns first, and then massacred 40% of their population.
I just wish other people looked at history and saw the same cautionary tales. The concept that democratic societies are somehow automagically inoculated against totalitarianism strikes me as hopelessly naive. For example, I'm really creeped out at the growing state-sponsored helplessness of our brothers and sisters in the UK.
Just more proof that the motheaten left/right paradigm that talking heads are always blathering about hasn't been relevant since the French Revolution. We're all in this together as a society, and if you can't trust your law-abiding neighbors with guns, you need to get to know them better.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
Actually, the article in the DC Examiner follows generally accepted style guidelines for using initialisms and acronyms. You spell it out the first time the term is used, and follow the full term with the acronym or initialism in parentheses, e.g. "Internet Protocol (IP) address." If the initialism is used only once in a story (as it is here), it's also generally acceptable to omit the parenthetical after the full spelling.
Given that your 10-word criticism of the reporter's story contained no less than 3 grammar & spelling mistakes, perhaps you should fix up your own glass house before you throw stones at someone else's?
Maybe it was the same script that kept Congress from knowing what was going on there.
At the end companies have to trust somebody to run the show.
That somebody can do pretty much as he pleases.
I think the only way this will be addressed is by creating supervisory accounts which require the mutual acknowledgement of several people to run a script or command.
IANAL but write like a drunk one.
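Added example, not part of the thread: a sketch of the "mutual acknowledgement of several people" idea from the comment above, where a script may run only if enough distinct approvers other than the requester have signed its exact SHA-256 digest. The approver names, keys and sample script are constructed, and HMAC with per-approver keys stands in for whatever signing scheme a real deployment would use.

```python
import hashlib
import hmac

# Constructed sample data: per-approver secret keys and a script to run.
SAMPLE_KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
    "carol": b"constructed-key-carol",
}
SAMPLE_SCRIPT = b"#!/bin/sh\nrestart_service app\n"


def script_digest(script: bytes) -> str:
    """Digest that approvals are bound to; any edit to the script changes it."""
    return hashlib.sha256(script).hexdigest()


def sign_approval(approver: str, key: bytes, digest: str) -> str:
    """An approver's tag over (their name, the script digest)."""
    message = f"{approver}:{digest}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def authorize(script, requester, approvals, approver_keys, required=2):
    """Return True only if `required` distinct approvers, none of them the
    requester, hold a valid tag for the script exactly as it is now."""
    digest = script_digest(script)
    valid = set()
    for approver, tag in approvals:
        key = approver_keys.get(approver)
        if key is None or approver == requester:
            continue  # unknown approver, or someone approving their own change
        expected = sign_approval(approver, key, digest)
        if hmac.compare_digest(expected, tag):
            valid.add(approver)  # a set, so repeated approvals count once
    return len(valid) >= required


if __name__ == "__main__":
    d = script_digest(SAMPLE_SCRIPT)
    approvals = [
        ("bob", sign_approval("bob", SAMPLE_KEYS["bob"], d)),
        ("carol", sign_approval("carol", SAMPLE_KEYS["carol"], d)),
    ]
    print("as approved:", authorize(SAMPLE_SCRIPT, "alice", approvals, SAMPLE_KEYS))
    edited = SAMPLE_SCRIPT + b"\n\n# lines added after approval\n"
    print("edited afterwards:", authorize(edited, "alice", approvals, SAMPLE_KEYS))
```

Because the approvals cover the digest rather than the file name, lines appended to an already-approved script invalidate every existing approval.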
If you really think about it, their idiotic top level management were still able to do more damage to the company than this virus would have. Now that's amazing!
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
"A virus that can propagate through an entire enterprise's array of servers, and then wipe out all data?...Getting a program to run on all of them..."
Here's the code to wipe-out a database.
Generic SQL version:
drop database fanny_mae;
MSSQL2005 version:
alter database fanny_mae set single_user with rollback immediate;
go;
drop database fanny_mae;
go;
Any server level triggers to block or log this would also have to be disabled prior to issuing these commands, which is pretty trivial if you've got admin access which the guy did.
:-) Unfortunately, if hyperinflation hits, the banks will just raise your flexible interest rate loan to 10,000% or whatever.
Unity in Diversity
After reading how much time and thought was put into the scripts in question, and how awesomely they would have torn up the death star evil megalomaniac corporate satanic giant, I guess I am disappointed that it was stopped.
I secretly hope that there are other scripts that were not detected, or that another employee will finish off where our hero was martyred.
God Bless Freedom!
From reading the actual court complaint, it seems the hacker put his malicious script at the bottom of a valid script which ran at well determined times. If that work place is anything like the work places I've haunted, then that script was probably kept in CVS. No doubt the boss in question was looking at the script because he wondered what the just fired employee would have put in the script.
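Added example, not part of the thread or of the court complaint: a defender's check for the pattern described in the comments above, code appended to a legitimate scheduled script and pushed out of view behind a "blank page". It compares each script with an approved SHA-256 baseline and flags long runs of blank lines that are followed by more content; the script text, file name, baseline and 20-line threshold are all constructed assumptions.

```python
import hashlib

BLANK_RUN_THRESHOLD = 20  # assumption: roughly one screenful of empty lines

# Constructed sample: an approved script, and the same script with lines
# appended after 40 blank lines.
APPROVED = (
    "#!/bin/sh\n"
    "# constructed sample: nightly log rotation\n"
    "rotate_logs /var/log/app\n"
)
TAMPERED = APPROVED + "\n" * 40 + "echo placeholder-for-appended-commands\n"


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


BASELINE = {"rotate.sh": sha256_text(APPROVED)}  # name -> approved digest


def find_hidden_tails(text: str, threshold: int = BLANK_RUN_THRESHOLD):
    """Return (gap_start_line, gap_length, resume_line) for every run of at
    least `threshold` blank lines that is followed by non-blank content.
    Trailing blank lines at end of file are not reported."""
    findings = []
    run_start, run_len = 0, 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":  # whitespace-only lines count as blank
            if run_len == 0:
                run_start = lineno
            run_len += 1
        else:
            if run_len >= threshold:
                findings.append((run_start, run_len, lineno))
            run_len = 0
    return findings


def audit_script(name: str, text: str, baseline: dict):
    """Return a list of human-readable issues; an empty list means clean."""
    issues = []
    approved = baseline.get(name)
    if approved is None:
        issues.append("no approved baseline recorded")
    elif approved != sha256_text(text):
        issues.append("content differs from approved baseline")
    for start, length, resume in find_hidden_tails(text):
        issues.append(
            f"{length} blank lines from line {start}, content resumes at line {resume}"
        )
    return issues


if __name__ == "__main__":
    for label, body in (("approved", APPROVED), ("tampered", TAMPERED)):
        print(label, audit_script("rotate.sh", body, BASELINE))
```

The baseline comparison is the stronger control, since it catches any change; the blank-run check is a cheap review aid for scripts that have no baseline yet.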
The court document is authored by Jessica A. Nye Science Gal.
:-)
Perhaps that was your joke?
Reminds me of the end of Fight Club when the world's top banks all get blown up and all the credit is erased.
HAHA NOW THERE'S A SOLUTION
Not being able to buy conforming loans is not an option for Fannie Mae or Freddie Mac. The bank goes, "Here is a consolidated loan that meets the specs. Give me money." They have a little control over what types of loans and the ratio mix they currently accept, but much of the control over what is rejected is based on the conformity.
I remember that FM in the beginning stated that due to the newly realized risk (which the banks actually restated), they would have to cut down on the number of subprime and similar loans accepted by them to reduce the overall reassessed risk of its assets. But then the government stepped in and said no, as that would adversely affect the current messed up market. A kind of "Keep doing the wrong thing, maybe it will blow over."
There are many parties involved here well beyond FM. The largest blame goes to banks and the real estate industry which in some cases, fudged the loan parameters to pass the conformity as they knew NO one else would buy that crappy $500k loan to the guy who made $30k a year. The bank always took the brunt of the liability (due to the loan structure w/ FM), but they got greedy thinking the house comes with the liability, and if the house appreciates, they come out way on top. The house estimates weren't realistic as they were based on the past few years of performance and not actual market conditions (key factor: rate of increase in people's salaries). The agents enticed the home owners and sellers to buy or sell on this false home evaluation.
China and US are also to blame as the former kept buying the securities backed by the US. China owns the majority of US debt through the securities. Normally what would have happened is that a buyer of a loan will eventually go "You got enough debt, I don't think you can afford anymore." or "I hold enough of your debt, and cash, you got to give me a far better return." Instead, China just kept regulating their currency, keeping the dollar well overvalued and kept buying securities. On the flip side, the seller of the loan, not being able to make payments would have either stopped asking for crack money (reduce risky loans) or default on many of the loans. But instead we stole money from those who still had it, to keep the lender happy and STILL asked for a shit load of loans (FM tax bailout by government via infusion of cash).
Home owners and home builders are to blame. People don't like this idea but the majority of the owners who can't pay fall into two groups: those who were stupid, and those who saw it as a great short term investment. Both of these should have done more homework. The latter deserve losing their assets and the bankruptcy. And stupidity doesn't mean you get a bailout. Instead of letting these folks fall into bankruptcy (remember, this is a viable option in the US), we want to protect them and keep them in their homes. What people don't realize is that bankruptcy gives you a clean slate, quickly resets assets to their correct values, and teaches a valuable lesson. But instead we would rather protect them from a lesson learned, keep the home price overinflated (the perpetuating cause of this mess) and require overinflated loans to continue the mess. So basically we let the idiots keep the homes, new owners (includes honest, responsible ppl) out in the cold (plus we take their money through taxes), and reward poor decisions (some of them being mistakes is irrelevant). Our HOPE is that dollar inflation (bailouts, government overspending not compensated via taxes, overvalued assets, and China floating their currency) will devalue the homes and increase salaries (not actual value) enough to make us whole again. The retarded home builders didn't think, "There are 10 skyscrapers being built in Atlanta, will there be a market for an 11th?" or "I am building 500 overpriced $500k homes here, are there that many buyers in this area?" Their business cycles are in terms of 3-5 years, yet they based their estimates AT most on the last 6?!!! If they looked further back, ins
I'm sure an alleged cyberterrorist named Rajendrasinh Babubaha Makwana will get a swift trial in a U.S. court.
Sorry, I meant to put this disclaimer in, but forgot.
I used to work at Fannie Mae through a contracted company. We did Regulations work. On that, I would say FM has its problems, just like all companies do, but as per their management, they were probably somewhere between a government entity and private sector.
Also on the article, I think we are missing quite a bit of information. Knowing their systems and the external cash flow relationships, I think what is simply stated is actually quite impossible. I doubt it would have been as simple to make a virus, and get away with it.
Remind me--shutting down Fannie Mae is bad in what sense?
Yes, if you forge a Notary stamp, it is fairly trivial to get the Deeds office to record whatever you want them to record.
However, eventually the bank will notice when you stop paying them and they attempt to foreclose. Also, this is the sort of crime the local DA usually does find time to prosecute.
As with society, this mechanism relies on the vast majority of the populace being honest. Just like the locks on my house are no real deterrent to a determined thief, the requirement to have a Notary stamp is no real barrier to somebody who would like to commit title fraud.
This sort of crime is also why virtually all mortgage banks require the purchase of title insurance when buying a house.
SirWired
I wonder how much Rep. Barney Frank (D-MA) paid him?
"Finally, the virus would shut down the servers."
Jeeez.. even viruses go green these days..