Slashdot Mirror


Fannie Mae Worker Indicted For Malicious Script

dfdashh writes "A former Fannie Mae contractor has been indicted by a federal grand jury in Baltimore, MD for computer intrusion. He attempted to propagate a malicious script throughout the company's 4,000 servers. The DC Examiner has details of the incident: 'Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week. ... The virus was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae's computer monitoring system and then cutting all access to the company's 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying "Server Graveyard." From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.'"

21 of 325 comments

  1. Re:Security is a process by Anonymous Coward · · Score: 2, Insightful

    Bruce Schneier is right; security is a process, not a product. The internal threats are just as great, if not greater, than the external ones.

    And it appears their security process was rather good - they caught and stopped the threat in time.

  2. Re:Really? by Lumpy · · Score: 2, Insightful

    Why?

    Fannie Mae more than likely uses Server 2003 with MSSQL, and I'm betting all on the same domain with a global user list.

    This would not be a hard thing to do. 1 afternoon with VB and I can write the same thing. Hacker 101 stuff.

    Most financial places have REALLY SHITTY IT security.

    --
    Do not look at laser with remaining good eye.
  3. Re:Really? by nedlohs · · Score: 4, Insightful

    Obviously virus is what the idiot who wrote the article is calling it (and possibly a term used in whatever he has been charged with), but since he had root access to all the servers it wouldn't really be a virus. Just a script installed on them, probably run via plain old cron.

    When you terminate a contractor or employee it is wise to also terminate their access to your servers...

    #!/bin/sh
    for i in /dev/[sh]d*
    do
            cat /dev/zero >"$i" &
    done

    is not exactly a great piece of programming (and the above is obviously untested, and since he was a unix admin he would actually know what the drive device names are in the presence of weirdo RAID setups...)

  4. Re:Disappointing... by Chyeld · · Score: 3, Insightful

    I'm guessing you don't really understand what Fannie Mae does if you think the folk taken down a peg would be the banks.

    Fannie Mae purchased mortgages from banks to ensure the banks always had money on hand to make loans. They sold these mortgages as securities, guaranteeing the purchaser the money (paying it themselves if the mortgagee defaults).

    Them losing their records would simply mean that suddenly the banks would run out of 'liquid assets' to make loans with. Who do you think that would hurt: The average joe or the banks?

    Let me give you a clue, it wouldn't be the banks. They'd just hold onto the mortgages they have and start foreclosing aggressively to come up with the assets they need.

  5. Re:Disappointing... by Chyeld · · Score: 4, Insightful

    Fannie Mae was not the problem there, they only purchased "conforming" mortgages which matched their definition of a 'non-risky' loan.

    The problem was from the fact that the banks started moving from relying on Fannie Mae and started making "non-conforming" mortgages and selling them to other privately held companies. Once these mortgages started defaulting and housing prices started falling, even the "conforming" mortgages started having problems and the house of cards fell.

    Fannie Mae is a good scapegoat for people who want to pin this whole situation on one group, but that's all they really are, a scapegoat. They had their own problems (notably shady dealing in the upper echelons) but they weren't the ones who caused or even set up this scenario.

  6. I see how he did it... by rickb928 · · Score: 2, Insightful

    They fired him. And let him have some access before he left.

    Not a good idea. Sadly, you have to be aware of the threat. If you're firing someone with admin access, you should meet with them in a room without a workstation, explain the situation, and send them back to their desk to clean it out - with a monitor to ensure their workstation stays turned off.

    While you're having the meeting, someone shuts down their workstation, disables network access, and - if not concurrently - immediately revokes their privileges. You do not finish the meeting until you receive confirmation that they no longer have access. Usually you have to let them be interviewed before you can kill their access, since some people get suspicious when they can't sign on. Forbid that the Help Desk will assist them in resetting their password. You gotta kill their privileges. The ideal scenario is letting them sign on but have no access to anything. After they are gone, then you can reset the password. Some systems need the access left in place to do forensics or establish their replacement (a sign of inadequate documentation) and thus you have to resort to the password trick.

    If in doubt, I've cut their network cable right off, or even superglued blank plugs in their office jacks while I go back over their privileges. I can replace the jacks easily.

    An unfortunate oversight. Some places have this 'exit interview' with security present. Some, like Fannie Mae back then, don't think it through.

    Can't be too careful.

    Here, I work in a fairly secure environment. In spite of that, some of my IDs got associated with another employee with the (mostly) same name, go figure. He left at the end of the year. I've been getting access established to many systems as our security group has dutifully deleted my access as his. Too damned efficient.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:I see how he did it... by Bootsy+Collins · · Score: 2, Insightful

      I was just coming here to post something similar to this

      Over the years, there have been numerous "ASK SLASHDOT" and otherwise categorized posts here on the subject of discharge procedures. "I got laid off, and they made me pack up my stuff in front of someone who watched me and then escorted me out of the building. It was humiliating." That kind of thing.

      Well, this event illustrates why some places decide to do it that way. FNMA didn't do it that way with this guy, and he took advantage of the time between firing and removal of access.
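The revocation step in comment 6, combined with comment 3's guess that the script ran from cron, comes down to a host-side check after offboarding: what on a server still ties back to the departed admin? The sketch below is an added example, not part of the original thread; `audit_departed_user`, `make_fixture`, the login `jdoe` and all fixture contents are constructed for illustration, and home directories are assumed to live under `/home`.

```shell
#!/bin/sh
# Added example: list what still ties a departed user to a Unix host.
# ROOT is a filesystem prefix so the audit can run on a constructed fixture;
# on a real host run it as root with ROOT=/.
# Assumption: home directories live under /home/<user>.

active_lines() {  # count non-blank, non-comment lines in a file
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

audit_departed_user() {  # usage: audit_departed_user ROOT USER
    root=${1%/}; user=$2

    # 1. Can the account still authenticate? Locked hashes start with ! or *.
    if [ -r "$root/etc/shadow" ]; then
        awk -F: -v u="$user" '$1 == u && $2 !~ /^[!*]/ {
            print "ACCOUNT\tpassword hash not locked" }' "$root/etc/shadow"
    fi

    # 2. SSH keys keep working after a password lock or reset.
    f="$root/home/$user/.ssh/authorized_keys"
    if [ -s "$f" ]; then
        printf 'SSHKEY\t%s (%s keys)\n' "${f#"$root"}" "$(active_lines "$f")"
    fi

    # 3. Per-user crontab (Debian and Red Hat spool layouts).
    for f in "$root/var/spool/cron/crontabs/$user" "$root/var/spool/cron/$user"; do
        [ -f "$f" ] || continue
        printf 'CRONTAB\t%s (%s jobs)\n' "${f#"$root"}" "$(active_lines "$f")"
    done

    # 4. System cron files name the run-as user in field 6 (field 2 for @daily etc.).
    for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        awk -v u="$user" -v p="${f#"$root"}" '
            $1 ~ /^#/ { next }
            ($1 ~ /^@/ && $2 == u) || ($1 !~ /^@/ && NF >= 7 && $6 == u) {
                printf "SYSCRON\t%s:%d runs as %s\n", p, FNR, u }' "$f"
    done

    # 5. sudoers rules that still mention the user.
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -Ev '^[[:space:]]*#' "$f" | grep -qw -- "$user"; then
            printf 'SUDOERS\t%s\n' "${f#"$root"}"
        fi
    done
    return 0
}

make_fixture() {  # constructed sample host tree, not real data
    fx=$(mktemp -d)
    mkdir -p "$fx/etc/cron.d" "$fx/etc/sudoers.d" \
             "$fx/var/spool/cron/crontabs" "$fx/home/jdoe/.ssh"
    printf '%s\n' 'root:!:19000:0:99999:7:::' \
        'jdoe:$6$constructed$hash:19000:0:99999:7:::' > "$fx/etc/shadow"
    printf '%s\n' 'ssh-ed25519 AAAAconstructed jdoe@laptop' \
        > "$fx/home/jdoe/.ssh/authorized_keys"
    printf '%s\n' '# m h dom mon dow command' '0 9 31 1 * /home/jdoe/job.sh' \
        > "$fx/var/spool/cron/crontabs/jdoe"
    printf '%s\n' 'SHELL=/bin/sh' '30 2 * * * jdoe /usr/local/bin/rotate' \
        '0 3 * * * root /usr/local/bin/backup' > "$fx/etc/cron.d/maint"
    printf '%s\n' 'jdoe ALL=(ALL) NOPASSWD: ALL' > "$fx/etc/sudoers.d/contractors"
    printf '%s\n' "$fx"
}

# Demo on the constructed fixture; each output line is one finding to clear.
demo_root=$(make_fixture)
audit_departed_user "$demo_root" jdoe
rm -rf "$demo_root"
```

An empty result for a login means none of the five checks found residue; it does not cover `at` jobs, service accounts the person knew credentials for, or group memberships.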

  7. Re:Security is a process by Bert64 · · Score: 2, Insightful

    Because of a bug in the script which made it error...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Re:IP by Chaos+Incarnate · · Score: 2, Insightful

    Depends on the jury you get.

    --
    Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
  9. Re:My goodness! It might have... by overunderunderdone · · Score: 2, Insightful

    I'm sympathetic to the idea that deregulation had a hand in the financial implosion but I'm not sure I understand the logic behind blaming "Gramm-Leach-Bliley" specifically. It seems that, in the early stages of the crisis before it cascaded to impact everyone it was the least diversified investment banks that were remnants of Glass-Steagall that had, and caused, the most trouble and the most diversified banks that would have been illegal before Gramm were the healthiest and in a few cases because it wasn't illegal (as it would have been without Gramm) were able to ride to the rescue of the more strictly focussed investment banks that were at the financial ground zero. It seems there are probably other decisions having to do with regulating mortgage backed securities, or the degree to which banks could leverage their assets that are more to blame. (Though I can understand the political logic behind blaming "Gramm" since Gramm was one of McCain's advisors so it's politically convenient to use "Gramm" as shorthand for deregulation generally even though Gramm's bill itself was probably only a minor contributor to the problem, or perhaps even mitigated some of the damage.)

  10. Re:erase my mortgage by cayenne8 · · Score: 2, Insightful

    Hmm....got me to thinking.

    Considering Fannie and Freddie's part in the mortgage/financial meltdown currently in session. Maybe wiping it out for a spell wouldn't necessarily be a bad thing?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  11. Re:My goodness! It might have... by khallow · · Score: 2, Insightful

    ... which it never was during the 30 years from 1968 to 2000, roughly when banking deregulation took effect. It may be that such an institution is a bad idea, but you have to consider that financial institutions of all kinds are in desperate condition as well, so you can't use the financial disasters of 2008 as proof that Fannie is any worse an idea than, say, a private investment bank.

    Fannie Mae and Freddie Mac served an unusual role. They were a huge source of poorly understood risk. And their special status with government resulted in their securities instruments being considered more sound than they actually were. They helped start the financial disaster. Frankly, due to their exceptional size, I think the economic problems now would be considerably better in their absence. Other banks would have taken their place and made the same bad decisions. But those private banks wouldn't have the same access to capital.

  12. Re:erase my mortgage by nwf · · Score: 2, Insightful

    Considering Fannie and Freddie's part in the mortgage/financial meltdown currently in session. Maybe wiping it out for a spell wouldn't necessarily be a bad thing?

    Light travels faster than sound. This is why some people appear bright until you hear them speak.........

    Trying to prove your sig? :-)

    Many lenders only offer mortgages because they know there is an organization like Fannie Mae who will or at least could buy their mortgages. That would pretty much end mortgage lending in the US, or at least make it much, much more expensive. The democrats would never let this happen, since it would disproportionately affect their voting base.

    --
    I don't know, but it works for me.
  13. Hence the need for a well-armed civil society. by Behrooz · · Score: 3, Insightful

    Very true. It amazes me that middle class anarchists believe that if the current society is obliterated it will be a net gain for them because a more equitable society will replace it. Historically you're much more likely to end up with some sort of Pol Pot style nightmare.

    Even as a hardcore liberal, that's my main argument in favor of gun ownership, a well-armed populace, with personal liberty and responsibility as our most essential civic virtues. Where guns are prohibited, the only people with guns are criminals... and the government. In Cambodia, the Khmer took the guns first, and then massacred 40% of their population.

    I just wish other people looked at history and saw the same cautionary tales. The concept that democratic societies are somehow automagically inoculated against totalitarianism strikes me as hopelessly naive. For example, I'm really creeped out at the growing state-sponsored helplessness of our brothers and sisters in the UK.

    Just more proof that the motheaten left/right paradigm that talking heads are always blathering about hasn't been relevant since the French Revolution. We're all in this together as a society, and if you can't trust your law-abiding neighbors with guns, you need to get to know them better.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
    1. Re:Hence the need for a well-armed civil society. by Fjandr · · Score: 2, Insightful

      Sadly I used my last mod points about 5 minutes ago on another story.

      Liberal or conservative, I don't tend to lose respect for people on legitimate intellectual differences, but gun control is one of those that has so much historical backing that it should be self-evident. It is not an intellectual difference of opinion, it is the difference between ignorance and being informed and able to think critically about history. There are cons to having open access to firearms in a society, but those cons cannot ever be worse than the worst-case scenarios that have happened time and again without access to them (or when law-abiding citizens give them up voluntarily).

      The concept that democratic societies are somehow automagically inoculated against totalitarianism strikes me as hopelessly naive.

      We're all in this together as a society, and if you can't trust your law-abiding neighbors with guns, you need to get to know them better.

      Truer words have rarely been printed, but sadly there are millions of people who are that hopelessly naive and historically ignorant.

    2. Re:Hence the need for a well-armed civil society. by Ironica · · Score: 4, Insightful

      In Cambodia, the Khmer took the guns first, and then massacred 40% of their population.

      Took the guns... from whom? And how? Did an elected body pass gun control legislation with the support of the populace, and then turn around and engage in wholesale massacre? Somehow I missed that part of the story.

      What's to keep the government from "taking the guns" from a well-armed populace? The same populace? What if the government has bigger guns? They always will, because they have bigger budgets. Your well-armed populace better have fixed anti-aircraft emplacements if someone ever really launches a successful attempt at a military dictatorship in the US.

      So, a well-armed populace cannot prevent the scenario you describe. Which leaves the question, just what *can* it accomplish? There will always be people within the population who are not armed, whether they are unwilling or unable to become so. Should they have their liberty and health threatened by the "well-armed populace?"

      Is there a role for police in your world? Wouldn't any police force that could effectively protect the rights of individuals necessarily require the ability to exert superior force?

      --
      Don't you wish your girlfriend was a geek like me?
    3. Re:Hence the need for a well-armed civil society. by PeeAitchPee · · Score: 2, Insightful

      So, a well-armed populace cannot prevent the scenario you describe.

      Absolutely, 100% WRONG. See Iraq, where a group of well-armed citizens armed with only small arms and improvised explosives made life absolutely for the most powerful military on the planet. This is after repeated calls for the Iraqis to turn in their guns, snitch on their neighbors for reward, etc.

      BTW, legal gun owners AREN'T the ones "threatening the liberty and health" of those without guns -- that's what violent criminals do who simply ignore any law you pass about using guns, knives, or clubs to rob, rape, or kill someone else. From Wikipedia: "Permit holders are a remarkably law-abiding subclass of the population. Florida, which has issued over 1,408,907 permits in twenty one years, has revoked only 166 for a "crime after licensure involving a firearm," and fewer than 4,500 permits for any reason." Quit restating the myth that legal gun owners pose any substantial threat to those who choose to be without guns -- there's absolutely nothing which backs up that statement, anywhere.

  14. Re:Well, no, you still won't own your house by NiteShaed · · Score: 2, Insightful

    Don't you think the forgery would come to light when the bank started a foreclosure on you for not paying your mortgage?
    It's not like they'd just say, "Huh, coulda sworn this guy owed us money, must've been mistaken," and walk away...

    --
    Some bring out the best in others, some the worst. Some bring out far more.
  15. Re:Disappointing... by Archangel+Michael · · Score: 4, Insightful

    Stupid SHOULD hurt. The government and the liberals don't realize this. And yes, I said Liberals ... not Democrats. There were plenty of LIBERAL (see compassionate conservatives) in the Republican Party too.

    And by "Stupid" I don't mean lack of intelligence (IQ), I mean DARWIN Award winners types. These are the people who have a brain, should know better, but don't F'in care about what they are doing and expect everyone else to clean up their mess.

    Sorry, but STUPID SHOULD HURT! Like when you stick your hand on the stove hurt. Like when you make stupid loans and bundle them into derivatives to leverage the stupidity and then re-bundle those into even more stupid derivatives. IT all works, until it doesn't, then everyone pays for the Ponzi Schemes.

    Which is why the stupid Bailouts to the same people that caused this mess is just stupidity on top of stupidity. We are now leveraging STUPID to try to stop the "HURT".

    And nobody is willing to tell it like it is. STUPID!

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  16. Re:erase my mortgage by Ironica · · Score: 2, Insightful

    You know what would happen if mortgage lending ended? Houses would lower in price to a level affordable without 30 year financing.

    No, actually, it wouldn't...

    What would happen is that the real estate market would pretty much freeze. You could buy a house if you had one to sell; otherwise, you'd rent. If you inherited a house from someone else, you might sell it (to someone who could pay for it out-of-pocket), and then buy another... but the ability to buy and sell houses would be limited to those who already owned one to sell for the money, and/or had cash in hand.

    Granted, this would dramatically lower prices, but not to the point where people who can currently afford to buy with a multi-decade mortgage would be able to buy one without it. Land prices are pretty stable over time.

    Of course, if the mortgage industry disappeared, it would only be a little while before someone would come up with a new way of having it... like rent-to-own, for example. If mortgages didn't exist, someone would have to invent them.

    --
    Don't you wish your girlfriend was a geek like me?
  17. Many parties to blame in this mess. by orlanz · · Score: 2, Insightful

    Not being able to buy conforming loans is not an option for Fannie Mae or Freddie Mac. The bank goes, "Here is a consolidated loan that meets the specs. Give me money." They have a little control over what types of loans and the ratio mix they currently accept, but much of the control over what is rejected is based on the conformity.

    I remember that FM in the beginning stated that due to the newly realized risk (which the banks actually restated), they would have to cut down on the number of subprime and similar loans accepted by them to reduce the overall reassessed risk of its assets. But then the government stepped in and said no, as that would adversely affect the current messed up market. A kind of "Keep doing the wrong thing, maybe it will blow over."

    There are many parties involved here well beyond FM. The largest blame goes to banks and the real estate industry which in some cases, fudged the loan parameters to pass the conformity as they knew NO one else would buy that crappy $500k loan to the guy who made $30k a year. The bank always took the brunt of the liability (due to the loan structure w/ FM), but they got greedy thinking the house comes with the liability, and if the house appreciates, they come out way on top. The house estimates weren't realistic as they were based on the past few years of performance and not actual market conditions (key factor: rate of increase in people's salaries). The agents enticed the home owners and sellers to buy or sell on this false home evaluation.

    China and US are also to blame as the former kept buying the securities backed by the US. China owns the majority of US debt through the securities. Normally what would have happened is that a buyer of a loan will eventually go "You got enough debt, I don't think you can afford anymore." or "I hold enough of your debt, and cash, you got to give me a far better return." Instead, China just kept regulating their currency, keeping the dollar well overvalued and kept buying securities. On the flip side, the seller of the loan, not being able to make payments would have either stopped asking for crack money (reduce risky loans) or default on many of the loans. But instead we stole money from those who still had it, to keep the lender happy and STILL asked for a shit load of loans (FM tax bailout by government via infusion of cash).

    Home owners and home builders are to blame. People don't like this idea but the majority of the owners who can't pay fall into two groups: those who were stupid, and those who saw it as a great short term investment. Both of these should have done more homework. The latter deserve losing their assets and the bankruptcy. And stupidity doesn't mean you get a bailout. Instead of letting these folks fall into bankruptcy (remember, this is a viable option in the US), we want to protect them and keep them in their homes. What people don't realize is that bankruptcy gives you a clean slate, quickly resets assets to their correct values, and teaches a valuable lesson. But instead we would rather protect them from a lesson learned, keep the home price overinflated (the perpetuating cause of this mess) and require overinflated loans to continue the mess. So basically we let the idiots keep the homes, new owners (includes honest, responsible ppl) out in the cold (plus we take their money through taxes), and reward poor decisions (some of them being mistakes is irrelevant). Our HOPE is that dollar inflation (bailouts, government overspending not compensated via taxes, overvalued assets, and China floating their currency) will devalue the homes and increase salaries (not actual value) enough to make us whole again. The retarded home builders didn't think, "There are 10 skyscrapers being built in Atlanta, will there be a market for an 11th?" or "I am building 500 overpriced $500k homes here, are there that many buyers in this area?" Their business cycles are in terms of 3-5 years, yet they based their estimates AT most on the last 6?!!! If they looked further back, ins