This was originally posted at ZDNet's Between the Lines.
A former Fannie Mae IT contractor has been indicted on charges of planting a virus that would have nuked the mortgage agency's computers, caused millions of dollars in damages, and even shut down operations. How might this have occurred? The contractor was terminated, but his server privileges were not.
Rajendrasinh Makwana was indicted on Tuesday in the U.S. District Court for Maryland (press report, complaint PDF, and indictment PDF). From early 2006 to Oct. 24, Makwana was a contractor for Fannie Mae. According to the indictment, Makwana allegedly targeted Fannie Mae's network after he was terminated. The goal was to "cause damage to Fannie Mae's computer network by entering malicious code that was intended to execute on January 31, 2009." And given that Fannie Mae--along with Freddie Mac--was nationalized in an effort to stabilize the mortgage market, a malware intrusion could have caused a good bit of havoc.
Makwana worked at Fannie Mae's data center in Urbana, Md., as a Unix engineer, as a contractor with a firm called OmniTech. He had root access to all Fannie Mae servers.
The tale of the malware bomb plot is a warning shot to all security teams and IT departments. Given the level of layoffs we've seen lately, the ranks of disgruntled former employees are likely to grow. Is there any company NOT lopping off a big chunk of its workforce? And some of these workers may even have Makwana's access privileges and knowledge of the corporate network.
Sophos' Graham Cluley says:
As belts tighten and the credit crunch continues to hit around the world, more and more companies will be making the decision to make staff redundant. As we've written before, a disaffected employee could create havoc inside your organisation so make sure that appropriate security is in place.
Indeed, Makwana allegedly had intended to do some serious damage such as "destroying and altering all of the data on all Fannie Mae servers." That quote from the indictment puts it mildly. According to the initial complaint against Makwana, the former contractor's virus "would have caused millions of dollars of damage." Anyone who logged into the Fannie Mae network on Jan. 31 would have seen a message "Server Graveyard."
Details of Makwana's alleged plot surfaced in a complaint that was initially sealed to protect the identity of Fannie Mae. In the complaint, Fannie Mae is referred to as "ABC," but defined as an outfit that facilitates mortgages. In a sworn statement, FBI agent Jessica Nye outlined the following:
Luckily, the Fannie Mae server scripts were returned to normal before mortgage chaos ensued. But the errors listed in the complaint are clear. The biggest problem: Makwana's access wasn't terminated when he was. He had access to Fannie Mae servers longer than he should have.
Here's a look at the notable excerpts of the complaint. As you can see there were warning signs and mistakes made along the way. Emphasis is mine.
So far so good, right? Makwana screwed up, was terminated, and had to turn in his gear and access privileges.
Well, that last part didn't go so well.
The good news is that Makwana's access didn't go on indefinitely. I've known more than a few people who could access their former employer's network for months after they left the company.
However, catching the malware script was really a function of luck.
There was also some good detective work--the complaint details Makwana's alleged techniques and script set-up--by the Fannie Mae security team. However, much of that work could have been avoided if Makwana's privileges had been terminated when he was.
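As an added illustration of the deprovisioning check this case calls for (not code from the article or from Fannie Mae), here is a reconciliation that flags privileged accounts still enabled, and scheduled jobs still owned, by users an HR feed lists as separated; all user names, hosts, paths and dates below are constructed.

```python
"""Reconcile an HR separation feed against privileged-account and scheduler
inventories, flagging access that outlived a termination. Sample data is constructed."""
from datetime import date

# Constructed HR feed: user -> separation date (None means still employed)
HR_STATUS = {
    "jdoe": None,
    "contractor01": date(2008, 10, 24),
    "contractor02": date(2008, 9, 1),
}

# Constructed inventory of root/sudo holders: (user, host, account enabled)
PRIVILEGED_ACCOUNTS = [
    ("jdoe", "db01", True),
    ("contractor01", "db01", True),
    ("contractor01", "app07", True),
    ("contractor02", "app07", False),   # already disabled, should not be flagged
]

# Constructed scheduler entries: (owner, host, script path, scheduled run date)
SCHEDULED_JOBS = [
    ("jdoe", "db01", "/opt/backup/nightly.sh", None),
    ("contractor01", "app07", "/var/tmp/cleanup.sh", date(2009, 1, 31)),
]

def terminated_users(hr, as_of):
    """Users whose separation date is on or before as_of."""
    return {u for u, sep in hr.items() if sep is not None and sep <= as_of}

def orphaned_access(hr, accounts, jobs, as_of):
    """Return (enabled privileged accounts, scheduled jobs) owned by separated users."""
    gone = terminated_users(hr, as_of)
    accts = [(u, h) for u, h, enabled in accounts if enabled and u in gone]
    # A disabled login is not the same as a removed job: list every job a
    # separated user still owns so it can be reviewed and pulled.
    orphans = [(u, h, s, d) for u, h, s, d in jobs if u in gone]
    return accts, orphans

if __name__ == "__main__":
    accts, jobs = orphaned_access(HR_STATUS, PRIVILEGED_ACCOUNTS, SCHEDULED_JOBS, date(2008, 10, 25))
    for u, h in accts:
        print(f"ENABLED privileged account for separated user {u} on {h}")
    for u, h, s, d in jobs:
        print(f"scheduled job owned by separated user {u} on {h}: {s} (runs {d})")
```

Run it daily against the real feeds; an empty result is the only acceptable output the day after a separation.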