Fired Engineer Tried To Wipe Out All Fannie Mae Computers

from the that-would've-been...-bad dept

Fri, Jan 30th 2009 5:19pm — Mike Masnick

We've seen plenty of stories of former disgruntled workers shutting down computer systems, locking others out or even running scams, but I don't think we've seen anything that had the potential to be as big a deal as the disgruntled tech who installed a logic bomb that would have wiped out all of Fannie Mae's computers, potentially shutting the organization down for at least a week to recover.

There are a few oddities here -- beyond just the simple question of how the system was set up in a way that would ever allow the ability to wipe out all machines in that way. First, the guy was fired -- but then allowed to finish up work that day, which gave him time to set the logic bomb. Why would you let someone who was fired (for a programming error) back to his computer to "finish" his day? These days it seems rather standard practice to escort fired employees off the premises. Next, the logic bomb wasn't spotted for five days. This turned out not to be a problem, since he had set the logic bomb to go off at the end of January (he was fired in October). Perhaps he did so to avoid having blame pointed in his direction, but if he had set it to go right away, or the next morning, it might have actually worked. Given Fannie Mae's role in the current financial mess, can you just imagine what would have happened if all their computers had melted down at once?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: disgruntled it workers
Companies: fannie mae

52 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 30 Jan 2009 @ 5:39pm

What a strange story
"Makwana, an Indian national, was a consultant who worked full time on-site at Fannie Mae"

- Probably an H1B on low wages

"he was being fired because of a scripting error"

- Wow, that's a bit harsh.
- note to self, do not ever work for Fannie Mae

- Something about this story just doesn't add up.
[ link to this | view in chronology ]
- Not believing all that is written, 30 Jan 2009 @ 10:18pm
  
  Re: What a strange story
  It does sound odd.
  [ link to this | view in chronology ]
- Anonymous Coward, 31 Jan 2009 @ 9:59pm
  
  Re: What a strange story
  >Probably an H1B on low wages
  How is this relevant in the context of story? I mean, dont you think you are missing the point here..
  [ link to this | view in chronology ]
  - Anonymous Coward, 1 Feb 2009 @ 8:13am
    
    Re: Re: What a strange story
    #27 -> ">Probably an H1B on low wages
    How is this relevant in the context of story? I mean, dont you think you are missing the point here.."
    
    I do not condone what this person did or what FM did.
    
    The whole point to the H1B program is to bring in foreign nationals and pay then much less than what is readily available in the marketplace.
    
    It is relevant because he thought he was being screwed over, how would you react ?
    [ link to this | view in chronology ]
- One line of code can equal millions of dollars, 1 Feb 2009 @ 6:46pm
  
  Re: What a strange story
  Its not harsh at all. Being who Fanny Mae was, one line of coded can introduce a bug that could cost millions of dollars in damages. I would suspect that the programming error he made was a bit more than just a JavaScript field validation method not checking email format correctly. Or possibly he has a pattern of bugs that make him detrimental to the company, and this was the straw that broke the camels back.
  [ link to this | view in chronology ]
Joel Coehoorn, 30 Jan 2009 @ 6:09pm

Not hard
I wanted to call out this remark:

> the simple question of how the system was set up in a way
> that would ever allow the ability to wipe out all machines
> in that way.

Pretty much every computer network out there ultimately allows this. Securing networks from someone who already has domain admin access is not trivial.
[ link to this | view in chronology ]
- Jesse McNelis, 30 Jan 2009 @ 7:08pm
  
  Re: Not hard
  The only reason it's not trivial is because the systems have been setup to allow this attack.
  If the systems had been setup correctly it becomes trivial to prevent this attack. But seeing as though the major OS don't do this, we all have to deal with it.
  
  I still find the way OSs just run whatever random code is given to them to be fairly disturbing. One wrong move and you're screwed and you probably won't even be able to detect it. Rootkit detectors aren't really useful unless you take the system offline, which you can't do in a production environment.
  [ link to this | view in chronology ]
- Pauli, 1 Feb 2009 @ 5:08pm
  
  Re: Not hard
  "Pretty much every computer network out there ultimately allows this. Securing networks from someone who already has domain admin access is not trivial."
  
  For starters, only one or two employees in any enterprise should have domain admin access. In my company, all the helpdesk guys (even 3rd level) use a specially written console to control other users' accounts. This lets them do their job without having admin access.
  
  One would assume that a giant financial institution would have processes that guaranteed this sort of security.
  [ link to this | view in chronology ]
  - Anonymous Coward, 2 Feb 2009 @ 5:26am
    
    Re: Re: Not hard
    "One would assume that a giant financial institution would have processes that guaranteed this sort of security"
    
    Maybe if it wasn't a Government run institution...oh wait, private doesn't work either...lol
    [ link to this | view in chronology ]
bish, 30 Jan 2009 @ 6:09pm

Finish up the day
It's actually NOT uncommon for terminated employees to be continue working. In the real world, that's a transitional time where the employee is expected to hand off all the current tasks in a proper and respectable manner -- I've seen some people working for 3 months after being given termination notice, and that's even before severance kicks in. Only at the pathetic sweatshops (some large, with well-known names, Hal) do they escort the poor schmo off the premises.

As someone whose employment was bought up by a sweatshop, I expect I'll be in the same boat as that H1B in but a month or 3. Pity the fool for his attempt at justice.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Jan 2009 @ 8:01pm
  
  Re: Finish up the day
  I worked one place for two years that had announced a planned termination before I was hired as a temp. Lots of seriously grumpy employees just holding out for the package. I got my first professional job that was a real resume builder.
  [ link to this | view in chronology ]
- Anonymous Coward, 30 Jan 2009 @ 8:49pm
  
  Re: Finish up the day
  There is a difference between terminated via layoff vs terminated for a screw up. Also it's very, very common for someone with admin access to just be escorted out immediately, even if they simply resign.
  [ link to this | view in chronology ]
- SweatShopBoss, 30 Jan 2009 @ 11:23pm
  
  Re: Finish up the day
  Seriously?? You've got to be kidding. When an employee at this level is termed - you call them in, explain the situation, have security or hr pack up his/her things pat them on the back and wish them well.
  [ link to this | view in chronology ]
- Sopor42, 31 Jan 2009 @ 6:46am
  
  Re: Finish up the day
  Are you in IT Bish? It is standard practice in IT, depending only slightly on the details of the termination, to get the employee off-sight as quickly as possible. Often, the employees accounts and access are locked down while he/she is talking to the boss, so they're not even able to do anything if they go back to their desk.
  [ link to this | view in chronology ]
Denny, 30 Jan 2009 @ 6:16pm

Does this mean my school loan would have been wiped from existence? *sigh* one can only dream.
[ link to this | view in chronology ]
Anonymous Coward, 30 Jan 2009 @ 6:22pm

What the 'f is a 'logic bomb'?
Sounds like a science fiction invention.

My guess is that he just put rm -rf / in the root crontab* that was copied to all Unix servers. Some 'bomb', it takes all of 30 seconds to do that.

*from the article: "malicious code hidden inside a legitimate script that ran automatically every morning at 9:00 a.m"
[ link to this | view in chronology ]
JoJo, 30 Jan 2009 @ 6:24pm

Re: Finish up the day
--It's actually NOT uncommon for terminated employees to be continue working.

There is a difference between fire and layoff. When an employee is being let go for financial reasons, yes, transitions are the norm and necessary and there are usually some niceties to try to help the person. If you fire someone, it is you f'ed up too big and you are done so letting him stick around is odd.
[ link to this | view in chronology ]
scott, 30 Jan 2009 @ 7:28pm

much more than a simple crontab
If you follow the chain of links back to the wired story and then the fbi doc it gives a fairly detailed description of how it all came about including numerous scripts this guy wrote and their details. It is quite involved. After reading about it along with some other details it doesn't see possible he did all this in a few hours form when he was first until he left the building - it seems more like he had this planned for a long time and then once fired just copied the files over.
[ link to this | view in chronology ]
Papafox, 30 Jan 2009 @ 10:15pm

"he was being fired because of a scripting error"
Actually, if you follow the links and read the FBI affidavit, you'll see that he was fired for a process violation - he made system changes without authorization.

It appears he was a bit of loose canon.
[ link to this | view in chronology ]
mark, 30 Jan 2009 @ 10:26pm

Consultant, huh....
[ link to this | view in chronology ]
TW Burger, 30 Jan 2009 @ 10:30pm

Lucky
If he was really good the code bomb would never have been found until it went off.

His career is over. No matter how badly you are treated a true IT professional would never damage a system.

He must have been really abused by Fannie Mae to do it, but it's still not right.
[ link to this | view in chronology ]
- Pauli, 1 Feb 2009 @ 5:14pm
  
  Re: Lucky
  "His career is over."
  
  Really? Since his name isn't in the article, it would be difficult to know that the bright IT Pro in the interview chair is actually the guy who tried to destroy data at FM.
  [ link to this | view in chronology ]
  - Laws Are our friends, 1 Feb 2009 @ 6:50pm
    
    Re: Re: Lucky
    Well this is going to be considered hacking, by law he is going to be banned from using computers for a good while. So yeah, career is over.
    [ link to this | view in chronology ]
Dick Carlson, 31 Jan 2009 @ 5:23am

Would It Have Been Worse?
Considering how effective Fannie May had been, wiping out all their data and putting them out of business for a week might have actually saved us tax payers some money.
[ link to this | view in chronology ]
- Totally Paranoid, 31 Jan 2009 @ 5:36am
  
  Re: Would It Have Been Worse?
  Perhaps he's the fall guy in a botched attempt to hide something else?
  [ link to this | view in chronology ]
NullOp, 31 Jan 2009 @ 5:44am

Let go...
Here is how it works in my play book:

1. You let me go without making arrangements for consulting then you get zip. If you want answers, you pay, period. Those that tout loyalty in business always expect you to be loyal to them, not visa-versa.

2. Errors happen. Sometimes it takes years for the right set of conditions to occur that triggers the error. You don't fire someone over it.

3. You don't 'retaliate' for managements apparent stupidity or lack of common sense. Retaliation just gives them a reason to call the lawyers.

4. Document testing done on code. Get signatures stating the testing was reviewed.

5. Attempts to defend yourself should be adequate but minimal. Use lawyers. A company will never understand your point-of-view unless its being stated by a lawyer.

6. Always keep the resume up-to-date.

I've found these rules work well. Its stupid and futile to try to hurt the company by damaging the systems and it just gives them legal ammunition. In short, be a pro!
[ link to this | view in chronology ]
Bradley Stewart, 31 Jan 2009 @ 6:34am

WE ARE GOING TO SEE A LOT MORE
of this sort of thing. People are really angry and they are getting a lot more upset. I believe society in the US which in the best of times is one of the most violent society's on Earth is going to get a lot more violent. People will start making company's pay whether its justified or not.
[ link to this | view in chronology ]
- EPitts, 2 Feb 2009 @ 5:27am
  
  Re: WE ARE GOING TO SEE A LOT MORE
  WTF are you smoking? (can i have some?)
  [ link to this | view in chronology ]
Get off the property you evil do-er!, 31 Jan 2009 @ 7:28am

Escorts
I had plenty of jobs in HS where I was escorted off the property. These were menial jobs like warehouse work, retail, etc. Each firing was because I would call out too much, show up late, etc. Like I said they were after school type jobs. I just always thought it was funny that they would have people escorted outside like I'm going to go berserk getting let go from a $5/hour job! Being walked outside like an infant is what makes me want to sneak back in and spray the entire place with cheeze wiz. ;-D
[ link to this | view in chronology ]
Blitz, 31 Jan 2009 @ 12:12pm

Planned...
most likely the guy already had the script set and ready to go before he got fired or wrote it when he found out he didnt have permissions that he thought he "deserved" lol... going to school with many programmers, i know for a fact over half of them have these scripts already wrote and ready to go if their employer does something unrespectful...
[ link to this | view in chronology ]
Anonymous Coward, 31 Jan 2009 @ 1:03pm

Foriegn National
"Makwana, an Indian national, was a consultant who worked full time on-site at Fannie Mae's massive data center in Urbana, Maryland, for three years."

I find it disturbing that a foriegn national was given that level of access to what appears to be a crucial resource.

I realize that outsourcing is the big rage, but this looks like gross mismanagement in the IT dept and possibly in the security dept also. I would expect termination of some middle management types, but that probably will not haqppen.
[ link to this | view in chronology ]
- Anon, 31 Jan 2009 @ 10:02pm
  
  Re: Foriegn National
  >I find it disturbing that a foriegn national was given that level of access to what appears to be a crucial resource.
  
  With all due respect Sir, but these are guys who run the IT part of things, not only in US but elsewhere too. And I am sure this is not exactly the time to event to for a heightened sense of patriotism.
  [ link to this | view in chronology ]
  - Anonymous Coward, 1 Feb 2009 @ 8:23am
    
    Re: Re: Foriegn National
    #28 -> "With all due respect Sir, but these are guys who run the IT part of things, not only in US but elsewhere too. And I am sure this is not exactly the time to event to for a heightened sense of patriotism."
    
    The comment was not intended to inspire any sort of patriotism. It was more in line with pragmatism.
    
    I'm not sure what you mean by
    "these are guys who run the IT part of things"
    like no one else is capable of such tasks - get real.
    The only reason this guy was there is because FM was cutting corners and didn't want to pay anyone what the job is worth.
    [ link to this | view in chronology ]
- Shohat, 1 Feb 2009 @ 4:43am
  
  Re: Foriegn National
  I find it disturbing that a foriegn national was given that level of access to what appears to be a crucial resource.
  
  I know what you mean :). While managing the deployment of a major IT project in Russia, someone decided to parachute in an American consultant (QA/Standardization).
  Everyone just smiled and nodded for a few weeks while denying him access to anything meaningful.
  [ link to this | view in chronology ]
Patric, 31 Jan 2009 @ 6:22pm

Disturbing
I do find it a bit disturbing that they are outsourcing this type of high level work. Either way I do not agree with trying to get back at an employer, it seems pretty childish and very unprofessional.

These days companies are looking for anything they can hold over our heads in court, so don't give them something they can use to tie you to the stake.
-----------
Patric H.
Real Estate License Direct
[ link to this | view in chronology ]
Zeather, 31 Jan 2009 @ 6:38pm

Fate of data?
I read that his password was not canceled for over two weeks.

Question: If this had been successful, what would have been the result for Fannie Mae--and its customers--besides the week-long fix? Would a lot of data have been lost?
[ link to this | view in chronology ]
- Snipergod87, 31 Jan 2009 @ 7:56pm
  
  Re: Fate of data?
  Probably not much, as there is software that allows you to recover all deleted data from a hard disk, which I myself have used in the past very successfully. However it does take a awhile to recover the data. They may have also had previous backup's off site as this is a standard pratice for IT. The main concern for the company would be wha the customers thought of it if this attack went through, I think the "Millions of dollar's in damage" would have been customers leaving and income lost due to downtime.
  [ link to this | view in chronology ]
E JAy, 1 Feb 2009 @ 12:25am

Re: Foriegn National
>>I find it disturbing that a foriegn national was given that level of access to what appears to be a crucial resource.

Hmmm, no "American" would do such a thing would they.

Typical comment from the typical US citizen.

BTW, thanks for the global recession.
[ link to this | view in chronology ]
- Anonymous Coward, 1 Feb 2009 @ 8:31am
  
  Re: Re: Foriegn National
  E JAy -> "Hmmm, no "American" would do such a thing would they.
  
  - Interesting that you would think that, but no, I neither said that nor intended same. Certainly this has happened in many places perpetrateed by many differnet people.
  
  Typical comment from the typical US citizen.
  BTW, thanks for the global recession."
  
  - Wow, got issues? And who is assuming that I am from any particular country? Oh, and btw ... I had nothing to do with the major screw up by ultra rich assholes across the globe to which you refer.
  [ link to this | view in chronology ]
- Anonymous Coward, 1 Feb 2009 @ 8:39am
  
  Re: Re: Foriegn National
  Worse things have happened dear...Have you hear about Bernie Madoff?
  [ link to this | view in chronology ]
- A. Coward, 1 Feb 2009 @ 8:17pm
  
  Re: Re: Foriegn National
  >>I find it disturbing that a foriegn national was given that level of access to what appears to be a crucial resource.
  
  >Hmmm, no "American" would do such a thing would they.
  
  No... we've *never* heard of 'mericuns doing horrific things in these situations... no-one *has* ever gone postal...
  [ link to this | view in chronology ]
- chris (profile), 3 Feb 2009 @ 6:22am
  
  Re: Re: Foriegn National
  >>I find it disturbing that a foriegn national was given that level of access to what appears to be a crucial resource.
  
  Hmmm, no "American" would do such a thing would they.
  
  Typical comment from the typical US citizen.
  
  IF the perpetrator is a foreign national on a work visa, and IF he lost his job, chances are he's in danger of getting shipped back to wherever he's from.
  
  that means he has [potentially] more to lose than a local national, and has the potential to be miles away when the logic bomb goes off.
  
  i didn't see much (if any) nationalism in the original statement. i think a lot of americans would be tempted to seek revenge on a employer if they had the option of leaving the country.
  [ link to this | view in chronology ]
meddows, 1 Feb 2009 @ 4:51am

I was there....
I worked the Fannie Mae contract while this guy was there, but left long before he did. I was in a different location (Reston VA), but remember seeing this guy's name on our call-out list. All of the data/network guys were on speed-dial for us. When I left FM, I came back a day or so later, and spent a few hours, without supervision, at my desk getting "personal items". I made back ups of emails, saved other data I thought I might need for a rainy day, and otherwise had infinite time to do whatever I wanted. I didn't do anything malicious (in fact, the called 9 mos later and offered me a better position at a different location), but could have done some nasty things in my time there. I imagine their termination policy it much tighter, now, but considering how it was during my time, I am not surprised this happened-- but am surprised that it didn't happen sooner. They let people go constantly, and it was only a matter of time.
[ link to this | view in chronology ]
Mr.Database, 1 Feb 2009 @ 7:07am

Hire Better IT Staff
This is why you pay your IT staff more. I believe they under payed there IT staff because the executives didn't believe this could happen. They need to fire there IT staff and hire someone like myself to come in and set standards.

All passwords should have been reset immediately and he should have been walked out of the office.

I wonder how they stumbled upon the script...This doesn't make sense. If all passwords were reset then when the script started it would have displayed in the event logs as "ACCESS DENIED." Therefore, his replacement would see the alert and figure out where it came from. Fannie Mae might have covered the story up and said that the script was found ahead of time....When in fact the script probably executed and displayed in the logs access "ACCESS DENIED."
[ link to this | view in chronology ]
Lick my balls, 1 Feb 2009 @ 8:17am

Dam IT I wish it had worked.
[ link to this | view in chronology ]
Overcast, 1 Feb 2009 @ 9:47am

The joys of outsourcing!
[ link to this | view in chronology ]
shaman, 1 Feb 2009 @ 10:20am

Is my memory foggy?
Is this the same fannie mae that almost went bankrupt a few months ago, avoiding it by getting bailed out by the american taxpayers - or is my memory foggy? These things speak to deep seated upper management problems, not out sourced employees, who do not set policy and protocol, or create and implement appropiate safe guards to prevent either technological or financial disasters. He may well have been a loose cannon, but he was also not managed in an effective manner.
[ link to this | view in chronology ]
ed, 1 Feb 2009 @ 1:24pm

This man is guilty of attempted murder. Had his plot worked, he would have been responsible for billions of dollars in lost productivity, which is money, which takes time from life to earn. Taking life, even a portion, is murder. Therefore, attempting to do so is attempted murder. Time for a lynching.
[ link to this | view in chronology ]
Twinrova, 2 Feb 2009 @ 4:39am

If only to dream.
"can you just imagine what would have happened if all their computers had melted down at once?"
Actually, I do. And not just from Fannie Mae.

I was watching a show recently talking about the computer attacks of the future and how easy it is to do today. While companies struggle with protecting their sites, it's a constant, never-ending battle.

I expect this day to come in the future. I expect people pissed off at "online disputes" to begin "fighting back" with attacks against corporate computers.

Personally, I can not begin to fathom why anyone would want to do this, despite how angry they are. The consequences of such actions would be far worse than being fired/disgruntled at the company.

On a personal note, I sometimes feel computers place a great distance between consumers and customer service. It seems "contacts" are now nothing more than emails, and trying to talk with anyone live seems to disappear every day.
[ link to this | view in chronology ]
anita, 2 Feb 2009 @ 8:47am

He is from Omnitech
Just another of million consulting gigs started by ex-employees/contractors of fannie..
[ link to this | view in chronology ]
- anita, 2 Feb 2009 @ 8:48am
  
  Re: He is from Omnitech
  http://www.eweek.com/c/a/Security/Fired-Engineer-at-Fannie-Mae-Accused-of-Planting-Malware-Time-Bomb /
  
  the eweek story
  [ link to this | view in chronology ]
chad, 10 Feb 2009 @ 12:43am

Software QA
You mean he actually coded on a live system and no subversioning was involved along with quality testing of his code before going to the live servers with it? One would think that FM being a bank would have a database management system with built in audit trails and roll back capability. I smell a patsy!
[ link to this | view in chronology ]