Fannie Mae Hit with More Troubles, from Inside

Ralph DeFrangesco

Mortgage giant Fannie Mae recently uncovered a logic bomb that could have destroyed or altered data on its servers. Rajendrasinh Makwana, a former computer contractor, was indicted earlier this week on computer intrusion charges. At the very least, Fannie Mae would have been down for days or even a week cleaning its servers, rebuilding, and reloading data.


Makwana was a UNIX engineer with Fannie Mae. He had root access and the keys to the systems, and was able to install a logic bomb that was due to go off on January 31, 2009. Had the logic bomb gone off, anyone logged into the system on that day would have seen the message, "Server Graveyard."


Makwana was terminated in late October of 2008 for creating a script that changed the settings on a UNIX server at Fannie Mae without the proper authority. According to the court complaint, he was terminated and told to turn in his badge, laptop, etc., by the end of the day. Unfortunately, his privileged access was not terminated immediately. The procurement department, which controls computer access for contractors at Fannie Mae, did not put through the request to terminate his access until late that evening. The following day, a senior UNIX engineer discovered that Makwana had installed malicious code at the bottom of a valid script that would have caused damage.


I wrote in a previous post that companies that are going through tough times are the most at risk. This recent incident at Fannie Mae is a good example of a company moving fast to terminate an employee and not having proper controls in place. This could have turned out negatively for Fannie Mae if it weren't for some good work by another engineer. As the saying goes, "it takes an engineer to catch an engineer."

Feb 5, 2009 3:04 AM Mark McGilvray says:

OK, but why would a contractor have root access (the permissions) to make a change that he did "without the proper authority"? He did have the "authority" or he would not have been able to make the change. 

The proper controls should be much further upstream. Change and Release Management and a separation of duties with the proper checks and balances are one sure way to mitigate the risks to systems from disgruntled employees.

Feb 6, 2009 10:14 AM Ralph DeFrangesco says: in response to Mark McGilvray


I don't know all of the specifics of the Fannie case, but I have worked in many places where contractors had root authority. It's not that unusual. When we say he did not have the authority, I am assuming that he did not go through proper change control, something that everyone, FTE or contractor, should go through when making changes to the environment. So I agree with you that the problem was upstream, in not making sure that all changes were properly looked at and communicated.


