January 29th, 2009

Fannie Mae IT contractor indicted for planting malware; Mortgage giant didn't revoke server privileges

Posted by Larry Dignan @ 6:46 am

Categories: General, Government, IT Management, Security

Tags: Fannie Mae, Information Technology, Malware, Mortgages, Servers, Finance, Capital Structures, Hardware, Larry Dignan

A former Fannie Mae IT contractor has been indicted for planting a virus that would have nuked the mortgage agency’s computers, caused millions of dollars in damages and even shut down operations. How’d this happen? The contractor was terminated, but his server privileges were not.

Rajendrasinh Makwana was indicted on Tuesday in the U.S. District Court for Maryland (press reports, complaint and indictment PDFs). From early 2006 to Oct. 24, Makwana was a contractor for Fannie Mae. According to the indictment, Makwana allegedly targeted Fannie Mae’s network after he was terminated. The goal was to “cause damage to Fannie Mae’s computer network by entering malicious code that was intended to execute on January 31, 2009.” And given Fannie Mae–along with Freddie Mac–was nationalized in an effort to stabilize the mortgate market Makwana could caused a good bit of havoc. 

Makwana worked at Fannie Mae’s data center in Urbana, MD as a Unix engineer as a contractor with a firm called OmniTech. He had root access to all Fannie Mae servers. 

The tale of Makwana malware bomb plot is a warning shot to all security teams and IT departments. Given the level of layoffs we’ve seen lately the ranks of disgruntled former employees is likely to grow. Is there any company NOT lopping off a big chunk of its workforce? And some of these workers may even have Makwana’s access privileges and knowledge of the corporate network. 

Sophos’ Graham Cluley says:

As belts tighten and the credit crunch continues to hit around the world, more and more companies will be making the decision to make staff redundant. As we’ve written before, a disaffected employee could create havoc inside your organisation so make sure that appropriate security is in place.

Also see: Are you wary of the insider on the outside?

Indeed, Makwana had intended to do some serious damage such as “destroying and altering all of the data on all Fannie Mae servers.” That quote puts it mildly. According to the initial complaint against Makwana, the former contractor’s virus “would have caused millions of dollars of damage.” Anyone that logged into the Fannie Mae network on Jan. 31 would have seen a message “Server Graveyard.”

Details of Makwana’s alleged plot surfaced in a complaint that was initially sealed to protect the identity of Fannie Mae. In the complaint, Fannie Mae is referred to as “ABC,” but defined as an outfit that facilitates mortgages. In a sworn statement, FBI agent Jessica Nye outlined the following:

Luckily, the Fannie Mae server scripts were returned to normal before mortgage chaos ensued. But the errors listed in the complaint are clear. The biggest problem: Makwana’s access wasn’t terminated when he was. He had access to Fannie Mae servers longer than he should have. 

Here’s a look at the notable excerpts of the complaint. As you can see there were warning signs and mistakes made along the way. Emphasis is mine. 

So far so good right? Makwana screwed up, was terminated and had to turn in his gear and access privileges. 

Well that last part didn’t go so well. 

The good news is that Makwana’s access didn’t go on indefinitely. I’ve known more than a few people that could access their former employer’s network for months after they left the company. 

However, catching Makwana’s script was really a function of luck.

There was also some good detective work too–the complaint details Makwana’s techniques and script set-up–by the Fannie Mae security team. However, a lot of work could have been avoided if only Makwana’s privileges were terminated when he was.