Fannie Mae IT contractor indicted for planting malware; Mortgage giant didn't revoke server privileges

Summary: A former Fannie Mae IT contractor has been indicted for planting a virus that would have nuked the mortgage agency's computers, caused millions of dollars in damages and even shut down operations. How'd this happen?

A former Fannie Mae IT contractor has been indicted for planting a virus that would have nuked the mortgage agency's computers, caused millions of dollars in damages and even shut down operations. How'd this happen? The contractor was terminated, but his server privileges were not.

Rajendrasinh Makwana was indicted on Tuesday in the U.S. District Court for Maryland (press reports; complaint and indictment PDFs). From early 2006 to Oct. 24, Makwana was a contractor for Fannie Mae. According to the indictment, Makwana allegedly targeted Fannie Mae's network after he was terminated. The goal was to "cause damage to Fannie Mae's computer network by entering malicious code that was intended to execute on January 31, 2009." And given that Fannie Mae--along with Freddie Mac--was nationalized in an effort to stabilize the mortgage market, Makwana could have caused a good bit of havoc.

Makwana worked at Fannie Mae's data center in Urbana, MD as a Unix engineer, contracting through a firm called OmniTech. He had root access to all Fannie Mae servers.

The tale of Makwana's malware bomb plot is a warning shot to all security teams and IT departments. Given the level of layoffs we've seen lately, the ranks of disgruntled former employees are likely to grow. Is there any company NOT lopping off a big chunk of its workforce? And some of these workers may even have Makwana's access privileges and knowledge of the corporate network.

Sophos' Graham Cluley says:

As belts tighten and the credit crunch continues to hit around the world, more and more companies will be making the decision to make staff redundant. As we’ve written before, a disaffected employee could create havoc inside your organisation so make sure that appropriate security is in place.

Also see: Are you wary of the insider on the outside?

Indeed, Makwana had intended to do some serious damage such as "destroying and altering all of the data on all Fannie Mae servers." That quote puts it mildly. According to the initial complaint against Makwana, the former contractor's virus "would have caused millions of dollars of damage." Anyone who logged into the Fannie Mae network on Jan. 31 would have seen the message "Server Graveyard."

Details of Makwana’s alleged plot surfaced in a complaint that was initially sealed to protect the identity of Fannie Mae. In the complaint, Fannie Mae is referred to as "ABC," but defined as an outfit that facilitates mortgages. In a sworn statement, FBI agent Jessica Nye outlined the following:

Luckily, the Fannie Mae server scripts were returned to normal before mortgage chaos ensued. But the errors listed in the complaint are clear. The biggest problem: Makwana's access wasn't terminated when he was. He had access to Fannie Mae servers longer than he should have. 

Here's a look at the notable excerpts of the complaint. As you can see there were warning signs and mistakes made along the way. Emphasis is mine. 

So far so good, right? Makwana screwed up, was terminated and had to turn in his gear and access privileges.

Well that last part didn't go so well. 

The good news is that Makwana's access didn't go on indefinitely. I've known more than a few people who could access their former employer's network for months after they left the company.

However, catching Makwana's script was really a function of luck.

There was also some good detective work--the complaint details Makwana's techniques and script set-up--by the Fannie Mae security team. However, a lot of that work could have been avoided if only Makwana's privileges had been terminated when he was.

Topics: Banking, Hardware, Malware, Servers

Talkback

52 comments
  • Must Have Been A Windows Network

    Typical boot camp MCSE mentality.
    itanalyst2@...
    • LOL.. you apparently can't read. Read the article again.

      Then post something useful.
      Been_Done_Before
      • Why should he let facts get in the way of his trolling?

        Stupid is as stupid does.
        Hallowed are the Ori
    • Windows server.

      NO!!! The story plainly says UNIX.
      RobertMoore12@...
    • In this case...

      Typical Linux boot camp mentality.

      As the Linux geeks always like to say -- RTFM -- or, in this case -- READ THE F'ing Article...
      Marty R. Milette
    • Remind me not to hire itanalyst2

      Reading comprehension level appears too low.
      Dr_Zinj
  • RE: Fannie Mae IT contractor indicted for planting malware; Mortgage giant didn

    They must implement an HR policy that requires that every employee or contractor must not have root access to their servers. Implement rigorous procedures that require every change from a development environment to production to be approved, like when IT deploys new software releases. And remove/block or change the password of those user accounts belonging to employees or contractors who don't work there any more.

    Also, define IT policies in their contract.
    disgen@...
    • They do

      A lot of what you mention is in place, contractually at least, and there are rigorous background checks. I represent a firm that is under contract with Fannie Mae.

      I must say though, that working for various clients where my employees have high level server access, the inconvenience of password resets seems small in comparison to the potential damage a rogue consultant could cause.
      letranger66
    • Gee -- that'd work REAL GOOD...

      Yep, don't give ANYONE root access.

      Of course that would make it somewhat more difficult to maintain the servers -- wouldn't it?

      As for changing accounts -- don't get your hopes up there either. There are PLENTY of 'service' accounts that most administrators know the credentials to -- in addition to 'extra' back-door accounts that would be created between the time the pink slip hits the desk and the a$$ is out the door. (If not before.)

      The ONLY way to be sure is to force an immediate account audit and change the passwords for EVERY account on the system.

      Relatively easy for the user accounts, but not so much fun for the service accounts and applications/roles.
      Marty R. Milette
  • RE: Fannie Mae IT contractor indicted for planting malware; Mortgage giant didn

    I guess that one UNIX engineer didn't revoke the contractor's privileges. Don't put him on a holier-than-Microsoft pedestal just yet...
    aspit
    • LDAP is a pain to setup and maintain...

      so it can be time consuming to revoke privileges in an organization that doesn't have centralized access control or a poorly maintained one.
      rdiekema@...
      • Even so...

        this incident proves that every responsible IT organization will bite that bullet and live with the 'pain' of setting up LDAP rather than risk a repeat of this Fannie-Mae near disaster.
        mejohnsn
      • That's what it sounds like.

        You would think that SOP for termination of an employee/contractor of this type would be:
        Determine termination.
        Setup access termination.
        Coordinate schedule.
        Execute termination of employee and access at the same time.

        Codify this. It would save a lot of people from poor choices and legal fees.
        zclayton2
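The account audit Marty R. Milette calls for above and the access-termination step in zclayton2's SOP can be scripted. The following is an added example, not Fannie Mae's procedure or anything from the complaint: it takes a snapshot of a Unix host's /etc/passwd, /etc/sudoers, crontabs and authorized_keys files and lists every foothold a departed account could still use. The `HostSnapshot` type, the `jdoe` account and all file contents are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class HostSnapshot:
    passwd: str            # text of /etc/passwd
    sudoers: str           # text of /etc/sudoers
    crontabs: dict         # owner -> crontab text
    authorized_keys: dict  # account -> authorized_keys text

def audit_departed_user(user: str, snap: HostSnapshot) -> list:
    """Return one finding per foothold a departed `user` could still use."""
    findings = []
    for line in snap.passwd.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        if f[0] == user:
            findings.append(f"passwd: account '{user}' still exists, shell {f[6]}")
        elif f[2] == "0" and f[0] != "root":
            findings.append(f"passwd: extra UID-0 account '{f[0]}' (possible backdoor)")
    for line in snap.sudoers.splitlines():
        rule = line.split("#", 1)[0].strip()
        if re.match(rf"^{re.escape(user)}\s", rule):
            findings.append(f"sudoers: rule still grants '{user}': {rule}")
    for owner, text in snap.crontabs.items():
        for job in text.splitlines():
            if not job.strip() or job.lstrip().startswith("#"):
                continue
            if owner == user:
                findings.append(f"cron: job still scheduled as '{user}': {job}")
            elif f"/home/{user}/" in job:  # e.g. root's cron running the departed user's code
                findings.append(f"cron: '{owner}' job runs code from /home/{user}: {job}")
    for owner, text in snap.authorized_keys.items():
        for key in text.splitlines():
            parts = key.split()  # key type, base64 blob, optional comment
            if len(parts) >= 3 and owner != user and user in " ".join(parts[2:]):
                findings.append(f"ssh: key tagged '{user}' still authorizes login as '{owner}'")
    return findings

# Constructed snapshot of a server the departed account 'jdoe' used to administer.
SAMPLE = HostSnapshot(
    passwd="root:x:0:0:root:/root:/bin/bash\njdoe:x:1001:1001::/home/jdoe:/bin/bash\n"
           "sysbak:x:0:0::/root:/bin/sh\n",
    sudoers="root ALL=(ALL) ALL\njdoe ALL=(ALL) NOPASSWD: ALL\n",
    crontabs={"jdoe": "0 2 * * * /home/jdoe/cleanup.sh\n",
              "root": "# nightly\n30 1 * * * /home/jdoe/bin/rotate.sh\n"},
    authorized_keys={"root": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal jdoe@laptop\n"},
)
```

Running `audit_departed_user("jdoe", SAMPLE)` on the constructed snapshot reports six footholds; the SSH check only matches on the key comment, so an uncommented key planted in another account would need a comparison against an approved-key inventory instead.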
    • Fannie Mae is not in the stone age

      give me a break, do you really think Fannie has no LDAP? Centralized access? Long before the govt took over, Fannie came under the watchful eye of SOX and Security audit; and LDAP was in place even long before that.
      nadofurtado
  • RE: Fannie Mae IT contractor indicted for planting malware; Mortgage giant didn

    Quite honestly, the focus and spin of this article seems a bit out-of-focus and sensational. I would love to read less preaching about the "devils inside your company, waiting to destroy your business", and have a larger conversation about outsourcing, IT management practice, and business strategies that rely heavily on technology.

    But then again, this is ZDNet; let the terror reign on.
    jhampton@...
    • Change Management

      LoL, Jhampton. You'll need to go over to an ISACA or ISC2 forum for that kind of discussion. Obviously Fannie Mae's IT department has some lax change management policies if a contract Unix Engineer can make modifications straight to a prod box. I guess ZDNet has to consider their audience, though, and dumb it down a bit. :)
      IanF
      • Government run (imagine that)...

        The Government is great at wasting tax dollars, allowing ANYONE access to critical systems.....

        And imagine it being Fannie Mae cooked up from the Democrats who led this disaster into meltdown...

        Now with our new socialist dictator he will lead us into tax heaven.
        Christian_<><
    • Internal Threats

      Despite being a business/technology lawyer, I've remained an optimist, but I try to work with clients to plan for the worst. In this regard, I usually believe people, i.e., employees, will do the right thing (it's bad Karma not to, right?). But I know that they won't always do the right thing, as illustrated by this post, which, coincidentally, fit in as a perfect example for my post: http://jshinn.wordpress.com/2009/01/31/preventing-data-breaches-on-the-cheap/. Thanks.
      jshinn
    • This kind of stuff is VERY real...

      I've been in the position of having to axe four sys admins in the last 10 years -- and out of the four, THREE of them tried to sabotage the network -- either before they left or after.

      The odds are NOT in your favor.
      Marty R. Milette