Fannie Mae dealt a Logic Bomb
by phil on Jul.13, 2009, under Uncategorized
Note: I’m republishing this because my previous writeup was all messed up when I changed themes. It’s the exact same article as before.
A colleague of mine sent me an interesting article today from CIO.com, which was based off of this DC Examiner entry. While short on details, the article was about how a programmer at Fannie Mae was able to place a logic bomb in some code at Fannie Mae which:
“would have reduced if not shut down operations at Fannie Mae for at least a week. The total damage would include cleaning out and restoring of 4,000 servers, restoring and securing the automation of mortgages, and restoring all data that was erased.”
According to the actual FBI Complaint, it would appear that the engineer, Makwana, was highly proficient at programming UNIX shell scripts. The complaint claims that Makwana’s program was set to run January 31, 2009. It would lock out the root account, disable all other accounts, find other servers on the network, copy over to those servers, then zero out (write the byte 0 on the hard drive platters) the root partition. It was also set up to remove any records of Makwana’s account access.
At worst this would’ve cost Fannie Mae a week’s worth of downtime, as they would be forced to restore from backup. They might lose some customer data if databases running on their Unix servers were destroyed, but at the most it would be a day or two old.
Another interesting part of the complaint is the fact that Makwana was terminated on the 24th of October at 1pm. His computer access was still activated until the end of the day (or even longer).
At the end of the day what the FBI Complaint describes is a Logic Bomb. A logic bomb is a program, script or hidden code that is set to activate (or explode, like a bomb, get it?) after a certain event happens.
Wikipedia: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met
Logic bombs are something every company needs to be wary of. Proper segregation of duties, code review, appropriate code testing and well-trained system engineers can help catch logic bombs before they go off.
However, I wanted to comment on this last bit from the CIO article:
“The disgruntled employee is a real issue, and firms need to be thinking carefully about security issues, such as changing passwords and access control, in situations of layoffs, Cluley noted.”
While this statement is true, it has nothing to do with logic bombs and doesn’t reflect what happened at Fannie Mae. The real controls that are in place to help fight (or come back after) logic bombs are:
- Proper Segregation of Duties
- Good backup and recovery controls and testing
- Code review
- Proper change management for Unix scripts
- Disabling of accounts in a timely manner
- Script Reviews
- Monitoring Controls