Fannie Mae Worker Indicted For Malicious Script
dfdashh writes "A former Fannie Mae contractor has been indicted by a federal grand jury in Baltimore, MD for computer intrusion. He attempted to propagate a malicious script throughout the company's 4,000 servers. The DC Examiner has details of the incident: 'Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week. ... The virus was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae's computer monitoring system and then cutting all access to the company's 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying "Server Graveyard." From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.'"
the only thing that matters to me... will it erase my mortgage??!??!
We've gotta wipe the system, man. Give everyone a blank slate!
http://www.chaotickingdoms.com
Either a laughing skull and bones or an animated version of him as a bobblehead that pisses off Samuel L. Jackson with his hacker crap?
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Leading to a downturn in mortgages issued to people who have no chance of paying them back.
Sounds like a white hat to me.
The "Fight Club" guy in me would like to have seen that particular bomb go off. I know the damage would not have been permanent, perfect or complete (That's what backups are for... right?) but still. Taking those financial giants down a peg might have tickled me. (It damn sure wouldn't have taught anyone any moral lessons or anything.)
Look like he was flying through a cyberspace version of his city while he was doing it???
A virus that can propagate through an entire enterprise's array of servers, and then wipe out all data?
Most enterprises comprise a heterogeneous mix of servers of differing breeds. Getting a program to run on all of them, and then to gain access to data and transform it all in a single virus would be a great piece of programming, and any enterprise looking to hire an efficient data migration specialist or integration architect should consider hiring...
Any comment at this point would bring the Political Correctness Police down on me like a horde of avenging non-denominational metaphysical winged beings.
If you were blocking sigs, you wouldn't have to read this.
...turned Fannie Mae into a financial failure.
Considering that Fannie Mae has been losing billions every week, the idea of only losing a few million for a week sounds like a great idea.
I am Jack's complete lack of surprise
Technically, all of the data in a computer is really just a bunch of ones and zeros, so assuming a fairly even mix of those two possibilities, writing over everything with zeros would only change half of their data.
One time I threw a brick at a duck.
What could have been. On the other hand. It could also have been Fannie Mae execs attempting to cover up illegal activities and fraud. In that case, nice catch!
The report is obviously not a techy. Its "IP Address"!
But is the reporter a science guy?
If I have been able to see further than others, it is because I bought a pair of binoculars.
Of course it isn't verifiable, but I thought this was interesting:
H1B#36a: "What wasn't reported was that the contractor was fired for writing a script poorly, that caused the failover of a number of High-Availability production servers. His "landmine/timebomb" script was found through his same poor scripting skills. Whatever doping manager that hired that guy should be fired too, along with his director and VP!"
-t.
Bruce Schneier is right; security is a process, not a product. The internal threats are just as great, if not greater, than the external ones.
And it appears their security process was rather good - they caught and stopped the threat in time.
This is like if someone mixed the movies Office Space and Fight Club together!
Fannie Mae doesn't keep backups of their critical data? Awesome. No wonder they're so successful!
Maybe it would have gotten rid of them (should have happened when they went bankrupt, like what happens to most companies)...
Slightly sarcastic, but with a point.
The real question is how did they prove he was the person at the keyboard at the time the IP address was used?
ZING!!
Ascalante: Your bride is over 3,000 years old.
Kull: She told me she was 19!
I'm pretty sure they were going to do an rm -rf* on all data anyway, as part of the ongoing write-downs....
Back to a more serious note. The summary does hint it would have taken them down for a week, so I assume they have some form of backup and recovery in place...
It's high time for a public flogging.
Conservative, mod down for violating
They don't need to, I'm sure that:
1- he was fired that day
2- the edits came from his account
3- the login came from his workstation
That's more than enough evidence to convict, unless he can prove otherwise. Don't think you need to be caught red-handed with photographic proof to be sent to prison. Circumstantial evidence is more than enough unless you have a good defense.
this is their business model over there.
if this is supposed to be a new economy, how come they still want my old fashioned money?
To have an affair with Barney Frank
cinema's next The Devil Wears Prada.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
What about the billions or trillions of dollars of damage done to the taxpayers by Fannie Mae, and its incestuous twin, Freddie Mac? Anyone attempting to take out this job-killing, economically destructive abomination is a patriot.
Slashdot: Playing Favorites Since 1997
Land it in the Hudson.
The dangers of knowledge trigger emotional distress in human beings.
When the deed was recorded at the local records office, the fact that the bank has a lien on it is recorded along with it. The only way to clear that lien is to get the lienholder to have a letter saying so attached to your deed, or you have to have a court do it.
SirWired
couldn't somebody at the credit company do this...and not get caught?
The Kruger Dunning explains most post on
From there, the virus would wipe out all Fannie Mae data, replacing it with zeros
Wouldn't zero be an improvement over negative whatever?
Set your phasers on "funky"!
They might have gone down for a few days, but surely they have recent system back-ups to restore from, and daily backups to restore the data from. ...Right? Please?
I wonder, wouldn't this be a quite effective way to manipulate stock value?
Is it possible to short sell FNM, there were limitations on finance companies in place at some point?
I joined two users too late.
They fired him. And let him have some access before he left.
Not a good idea. Sadly, you have to be aware of the threat. If you're firing someone with admin access, you should meet with them in a room without a workstation, explain the situation, and send them back to their desk to clean it out - with a monitor to ensure their workstation stays turned off.
While you're having the meeting, someone shuts down their workstation, disables network access, and - if not concurrently - immediately revokes their privileges. You do not finish the meeting until you receive confirmation that they no longer have access. Usually you have to let them be interviewed before you can kill their access, since some people get suspicious when they can't sign on. Forbid that the Help Desk will assist them in resetting their password. You gotta kill their privileges. The ideal scenario is letting them sign on but have no access to anything. After they are gone, then you can reset the password. Some systems need the access left in place to do forensics or establish their replacement (a sign of inadequate documentation) and thus you have to resort to the password trick.
If in doubt, I've cut their network cable right off, or even superglued blank plugs in their office jacks while I go back over their privileges. I can replace the jacks easily.
An unfortunate oversight. Some places have this 'exit interview' with security present. Some, like Fannie Mae back then, don't think it through.
Can't be too careful.
Here, I work in a fairly secure environment. In spite of that, some of my IDs got associated with another employee with the (mostly) same name, go figure. He left at the end of the year. I've been getting access established to many systems as our security group has dutifully deleted my access as his. Too damned efficient.
deleting the extra space after periods so i can stay relevant, yeah.
Because of a bug in the script which made it error...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
C) ***zeroes***
Damn, copy/paste
One would think if the sys admins who opted in reporting this issue and provided technical details to law enforcement would know whether it was actually malicious.
If you were caught using a blink or marquee tag, then you owe your teacher a debt of gratitude.
I got a hearing in front of the superintendent for ctrl-C'n out of a batch login prompt, and playing a $5 star trek diskette from a magazine type distribution. They threatened expulsion, but settled for a string of Saturday detentions. I'm glad that happened in the mid 90's, cause who knows the string of felonies you'd be hit with now on it.
brandelf -t FreeBSD
Thanks.
One time I threw a brick at a duck.
Hyperinflation will do that for you.
any hacker worth his/her salt should have changed all the ones to zeros and all the zeros to ones! N00BS!!
Depends on the jury you get.
Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
There's a perverse side of me that kinda wishes the guy had succeeded. I'd love to see the government brought down a couple of notches.
"Politicians always tell the truth, when they're calling each other liars."
The "Fight Club" style of "getting back at the Man" isn't very practical. There would be some period of disarray, but if you really want to screw things royally, you would introduce random, but very small data errors that hopefully get overlooked. Over time, these affect the balance sheets, the "business algorithms" in place, and generally make it a nightmare to figure out how to fix things. All of this "silent data corruption" would be propagated to disaster recovery systems. Your "backup tapes" would basically contain a perfect copy of bad data. Yes, eventually, you could find the point at which the "disaster" occurred and go back to that time, but if days, weeks, months have passed, how do you replay all of those transactions from that point on? The bank (market, economy, etc.) is screwed.
Yes, this is a little like the "Superman 3 Salami Slicing Fraud" but the only reason that gets flagged is because there is a net output from the balance sheet. If everything just got twisted up internal to the bank, it would be much easier to hide.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
You are wrong on both counts (as grammar nazis often are).
A) I am aware that "data" was originally the plural of "datum", but its use as a plural is largely antiquated. Its current most common usage is as an uncountable quantity just like "water". It sounds just as weird to say that you have "five data" as to say you have "five waters". You instead have "10GB of data" or "1L of water".
B) Saying that your data is a bunch of ones and zeroes is absolutely correct. "The animals in the zoo are mammals and reptiles" makes more sense than "mammals or reptiles", doesn't it? "Mammals or reptiles" sounds like it's one or the other and you aren't sure which.
ZFS: because love is never having to say fsck
I think you may be wrong there.
would you say:
a) "all of the data in a computer is crap"
b) "all of the data in a computer are crap"
I know that 'data' is technically a plural, but it's not treated that way by most people.
also - "ones and zeros" is correct. If you were asked "what numbers are there in that hard-drive", you would not answer "ones or zeros"
also, to the other replier - "zeros" and "zeroes" are both correct.
http://www.bartleby.com/68/49/6649.html
Tyler Durden: You're not your job. You're not how much money you have in the bank. You're not the car you drive. You're not the contents of your wallet. You're not your fucking khakis. You're not an evil hacker that can take down a server farm. You're the all-singing, all-dancing crap of the world.
"a senior computer engineer discovered the virus Oct. 29. The malicious code was hidden after a blank page, and "it was only by chance" that the senior engineer scrolled down and found the virus .. An Internet Protocol address was eventually linked to Makwana's company-issued laptop"
Why didn't the 'computer monitoring system' detect him inserting the 'malicious script' and what kind of script hides after a 'blank page'?
davecb5620@gmail.com
Which is obviously part of their overall security policy, to only hire incompetent programmers.
This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.
...how about actually knowing what you're talking about? The grandparent was 100% correct in his original wording. 'Data' is one of those plural nouns which is treated as singular in a grammatical context. Therefore, "is" would be the correct verb in this instance. Secondly, using the word "or" in this context would imply a different--and bizarre--meaning from what the GP intended, because it would imply exclusivity; i.e. the "bunch" is either ones, or zeroes, as opposed to "and" which says that the "bunch" contains both ones and zeroes. Try making the changes you suggested and read it aloud to yourself. It sounds stupid and unnatural, doesn't it?
"They fired him. And let him have some access before he left"
.. :)
Interesting, if a little overkill, but why is your interesting post modded flamebait, go figure
davecb5620@gmail.com
While reading through the article, and some of the talkback, I stumbled across this document which contains results of the actual investigation. It has lots of actual details, and is worth a read. (meanwhile, the news articles are a little too dumbed-down to be of any real value or interest).
Very true. It amazes me that middle class anarchists believe that if the current society is obliterated it will be a net gain for them because a more equitable society will replace it. Historically you're much more likely to end up with some sort of Pol Pot style nightmare.
Even as a hardcore liberal, that's my main argument in favor of gun ownership, a well-armed populace, with personal liberty and responsibility as our most essential civic virtues. Where guns are prohibited, the only people with guns are criminals... and the government. In Cambodia, the Khmer took the guns first, and then massacred 40% of their population.
I just wish other people looked at history and saw the same cautionary tales. The concept that democratic societies are somehow automagically inoculated against totalitarianism strikes me as hopelessly naive. For example, I'm really creeped out at the growing state-sponsored helplessness of our brothers and sisters in the UK.
Just more proof that the motheaten left/right paradigm that talking heads are always blathering about hasn't been relevant since the French Revolution. We're all in this together as a society, and if you can't trust your law-abiding neighbors with guns, you need to get to know them better.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
it's not a worm or a virus
it's something more than a trojan
logic bomb?
Malicious Program?
"Obscenity is the crutch of the inarticulate motherfucker." - cloak42
Way back in the day, I confused a teacher. I was playing with Quickbasic on I think a Win3.1 box. I made a silly random graphic thing, at 640x480 resolution. It would draw lines on the screen, and throw random blocks of color around. I was bored.
Random characters went well, until it hit the bell character. :) The beep gave me away at first, so I changed it to just do the blocks at random coordinates.
The teacher came by, saw what I was doing, and asked.
"Oh, I was just writing a little program to make something pretty on the screen. I was bored."
This was a beginning computer class. The teacher was sure that it was impossible, so I broke it and showed him the code. I was told not to do it any more.
Ya, I remember why I didn't like school much. It was boring.
Serious? Seriousness is well above my pay grade.
Actually, the article in the DC Examiner follows generally accepted style guidelines for using initialisms and acronyms. You spell it out the first time the term is used, and follow the full term with the acronym or initialism in parentheses, e.g. "Internet Protocol (IP) address." If the initialism is used only once in a story (as it is here), it's also generally acceptable to omit the parenthetical after the full spelling.
Given that your 10-word criticism of the reporter's story contained no less than 3 grammar & spelling mistakes, perhaps you should fix up your own glass house before you throw stones at someone else's?
At the end companies have to trust somebody to run the show.
That somebody can do pretty much as he pleases.
I think the only way this will be addressed is by creating supervisory accounts which require the mutual acknowledgement of several people to run a script or command.
IANAL but write like a drunk one.
If you really think about it, their idiotic top level management were still able to do more damage to the company than this virus would have. Now that's amazing!
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
"A virus that can propagate through an entire enterprise's array of servers, and then wipe out all data?...Getting a program to run on all of them..."
Here's the code to wipe out a database.
Generic SQL version:
drop database fanny_mae;
MSSQL2005 version:
alter database fanny_mae set single_user with rollback immediate;
go
drop database fanny_mae;
go
Any server level triggers to block or log this would also have to be disabled prior to issuing these commands, which is pretty trivial if you've got admin access which the guy did.
:-) Unfortunately, if hyperinflation hits, the banks will just raise your flexible interest rate loan to 10,000% or whatever.
Unity in Diversity
From reading the actual court complaint, it seems the hacker put his malicious script at the bottom of a valid script which ran at well determined times. If that work place is anything like the work places I've haunted, then that script was probably kept in CVS. No doubt the boss in question was looking at the script because he wondered what the just fired employee would have put in the script.
Then again, we're talking Fannie Mae here. They couldn't even run their normal business operations competently, blew away BILLIONS of dollars and staffed most of these critical IT positions with H1-B employees who had no loyalty to the organization. And in a previous post, a former Fannie Mae employee said they gave just about everyone root access to all servers in the farm. With a track record like this, what gives you any confidence that they maintained a reliable backup strategy as well?
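Added example, not part of the thread and not code from the case: two comments above describe the malicious code as hidden after a blank page at the bottom of a valid scheduled script. A review check for that pattern, assuming a known-good copy of the script is available from version control; the function names, the blank-line threshold and the sample scripts are constructed for illustration.

```python
import difflib
import hashlib

# Assumption: a run this long pushes later lines off a reviewer's screen.
BLANK_RUN_THRESHOLD = 20


def sha256(text):
    """Hex digest used to decide cheaply whether the script changed at all."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def blank_gaps(text, min_gap=BLANK_RUN_THRESHOLD):
    """Find long blank runs that are followed by more content.

    Returns (first_blank_line, gap_length, resume_line) tuples, 1-based.
    Trailing blank lines with nothing after them are not reported.
    """
    findings = []
    run_start = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            if run_start is None:
                run_start = lineno
        else:
            if run_start is not None and lineno - run_start >= min_gap:
                findings.append((run_start, lineno - run_start, lineno))
            run_start = None
    return findings


def added_lines(baseline, current):
    """Non-blank lines present in current but absent from the baseline."""
    cur = current.splitlines()
    matcher = difflib.SequenceMatcher(
        a=baseline.splitlines(), b=cur, autojunk=False
    )
    out = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend((j + 1, cur[j]) for j in range(j1, j2) if cur[j].strip())
    return out


def review(baseline, current):
    """Combine the checks into one report for a change reviewer."""
    return {
        "changed": sha256(baseline) != sha256(current),
        "gaps": blank_gaps(current),
        "added": added_lines(baseline, current),
    }


# Constructed sample: the checked-in script, and a deployed copy with one
# harmless placeholder line appended after 40 blank lines.
BASELINE = "#!/bin/sh\n# nightly job (constructed sample)\necho start\necho done\n"
APPENDED_LINE = "echo 'constructed placeholder for appended code'"
TAMPERED = BASELINE + "\n" * 40 + APPENDED_LINE + "\n"

if __name__ == "__main__":
    report = review(BASELINE, TAMPERED)
    print("changed since baseline:", report["changed"])
    for start, length, resume in report["gaps"]:
        print(f"{length} blank lines from line {start}; content resumes at line {resume}")
    for lineno, text in report["added"]:
        print(f"not in baseline, line {lineno}: {text}")
```

Run against every scheduled script on a host, this flags content a reviewer would only find by scrolling, and the baseline diff catches appended lines even when no blank padding is used.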
Bruce Schneier is right; security is a process, not a product. The internal threats are just as great, if not greater, than the external ones.
Internal threats are easily greater than external threats.
The only saving grace is that internal threats are generally less likely to be malicious.
Its current most common usage is as an uncountable quantity just like "water".
I wondered for a long time if there was a term for this sort of noun. I don't remember how I discovered it, but the type of noun you're describing is called a mass noun. Its opposite is called a count noun. I'm not correcting you or anything, just passing along some info.
The court document is authored by Jessica A. Nye Science Gal.
:-)
Perhaps that was your joke?
Not being able to buy conforming loans is not an option for Fannie Mae or Freddie Mac. The bank goes, "Here is a consolidated loan that meets the specs. Give me money." They have a little control over what types of loans and the ratio mix they currently accept, but much of the control over what is rejected is based on the conformity.
I remember that FM in the beginning stated that due to the newly realized risk (which the banks actually restated), they would have to cut down on the number of subprime and similar loans accepted by them to reduce the overall reassessed risk of its assets. But then the government stepped in and said no, as that would adversely affect the current messed up market. A kind of "Keep doing the wrong thing, maybe it will blow over."
There are many parties involved here well beyond FM. The largest blame goes to banks and the real estate industry which in some cases, fudged the loan parameters to pass the conformity as they knew NO one else would buy that crappy $500k loan to the guy who made $30k a year. The bank always took the brunt of the liability (due to the loan structure w/ FM), but they got greedy thinking the house comes with the liability, and if the house appreciates, they come out way on top. The house estimates weren't realistic as they were based on the past few years of performance and not actual market conditions (key factor: rate of increase in people's salaries). The agents enticed the home owners and sellers to buy or sell on this false home evaluation.
China and US are also to blame as the former kept buying the securities backed by the US. China owns the majority of US debt through the securities. Normally what would have happened is that a buyer of a loan will eventually go "You got enough debt, I don't think you can afford anymore." or "I hold enough of your debt, and cash, you got to give me a far better return." Instead, China just kept regulating their currency, keeping the dollar well overvalued and kept buying securities. On the flip side, the seller of the loan, not being able to make payments would have either stopped asking for crack money (reduce risky loans) or default on many of the loans. But instead we stole money from those who still had it, to keep the lender happy and STILL asked for a shit load of loans (FM tax bailout by government via infusion of cash).
Home owners and home builders are to blame. People don't like this idea but the majority of the owners who can't pay fall into two groups: those who were stupid, and those who saw it as a great short term investment. Both of these should have done more homework. The latter deserve losing their assets and the bankruptcy. And stupidity doesn't mean you get a bailout. Instead of letting these folks fall into bankruptcy (remember, this is a viable option in the US), we want to protect them and keep them in their homes. What people don't realize is that bankruptcy gives you a clean slate, quickly resets assets to their correct values, and teaches a valuable lesson. But instead we would rather protect them from a lesson learned, keep the home price overinflated (the perpetuating cause of this mess) and require overinflated loans to continue the mess. So basically we let the idiots keep the homes, new owners (includes honest, responsible ppl) out in the cold (plus we take their money through taxes), and reward poor decisions (some of them being mistakes is irrelevant). Our HOPE is that dollar inflation (bailouts, government overspending not compensated via taxes, overvalued assets, and China floating their currency) will devalue the homes and increase salaries (not actual value) enough to make us whole again. The retarded home builders didn't think, "There are 10 skyscrapers being built in Atlanta, will there be a market for an 11th?" or "I am building 500 overpriced $500k homes here, are there that many buyers in this area?" Their business cycles are in terms of 3-5 years, yet they based their estimates AT most on the last 6?!!! If they looked further back, ins
I'm sure an alleged cyberterrorist named Rajendrasinh Babubaha Makwana will get a swift trial in a U.S. court.
Sorry, I meant to put this disclaimer in, but forgot.
I used to work at Fannie Mae through a contracted company. We did Regulations work. On that, I would say FM has its problems, just like all companies do, but as per their management, they were probably somewhere between a government entity and private sector.
Also on the article, I think we are missing quite a bit of information. Knowing their systems and the external cash flow relationships, I think what is simply stated is actually quite impossible. I doubt it would have been as simple to make a virus, and get away with it.
Remind me--shutting down Fannie Mae is bad in what sense?
Yes, if you forge a Notary stamp, it is fairly trivial to get the Deeds office to record whatever you want them to record.
However, eventually the bank will notice when you stop paying them and they attempt to foreclose. Also, this is the sort of crime the local DA usually does find time to prosecute.
As with society, this mechanism relies on the vast majority of the populace being honest. Just like the locks on my house are no real deterrent to a determined thief, the requirement to have a Notary stamp is no real barrier to somebody who would like to commit title fraud.
This sort of crime is also why virtually all mortgage banks require the purchase of title insurance when buying a house.
SirWired
Sabotage maybe? Doesn't that imply coming from within?
Billy Brown rides on. Yolanda Green bypasses Gary White.
I wonder how much Rep. Barney Frank (D-MA) paid him?
"Finally, the virus would shut down the servers."
Jeeez.. even viruses go green these days..
Sabotage maybe? Doesn't that imply coming from within?
<kirk>I'm sure you mean sabataje!</kirk>
"Obscenity is the crutch of the inarticulate motherfucker." - cloak42