When I Was In Radio…

By Mitch Berg

…stories of disc jockeys who took immense creative revenge on stations that fired them were legion; some locked themselves into the studios and staged epic rants (that, often, improved their careers); others merely beat the crap out of their management (or tried).  Smart management started making sure they had security on hand after a few of these stories.

A lesson that IT management seems to be slow to learn:

Rajendrasinh Babubahai Makwana, 35, of Virginia, concealed the Unix script on Fannie Mae’s main administrative server on October 24, the same day the Unix engineer was terminated, according to court documents made public Tuesday. His script was programmed to remain dormant for three months, when it would greet administrators with a login message that read “Server Graveyard” and systematically replace all data with zeros on every production, administrative, and backup server in the company. Makwana was arrested on January 7 and released on $100,000 bond.

The plot?  Well, it might have done Chloe O’Brien proud:

The allegations also lay out a cautionary tale about the risk of lax security practices at highly sensitive enterprises. Despite his dismissal on October 24, Makwana’s highly privileged computer access wasn’t terminated until late into the evening because of bureaucratic procedures in Fannie’s procurement department, according to court documents.

Shortly after Makwana was informed he was being fired, he logged in to Fannie’s main development server and embedded a series of malicious scripts inside a legitimate program. To conceal the malicious payload, he created a page worth of blank lines between the legitimate code and the malicious code.

“When the program ascertained it was January 31, 2009, it would copy the rest of the files from the ‘.soti’ file from the dsysadm01 server and run the .y.sh script,” an FBI special agent wrote in a sworn statement that referred to Fannie as ABC to protect its identity. “The .y.sh script would place a blocker on the monitoring system disabling any ABC engineers from receiving a monitoring alert for any problems on any machines in the entire ABC environment for 61 minutes.”

Makwana’s script would then disable logins to Fannie’s administrative and backup production servers; remove the root password appliance access; rewrite all data, including backup software, with zeros; and target any “high availability” software. It would then replicate itself to each of Fannie’s 4,000 servers.
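The filing above describes two tells a defender can look for in a script repository or on a server: a page of blank lines pushed between a legitimate program and code appended after it, and a hard-coded calendar check that keeps that code dormant until a chosen day. The scanner below is an added example, not code from the original post or from the news report it quotes; the blank-line threshold, the regular expressions and the two sample scripts are constructed for illustration, and the padded sample only prints a line where a real logic bomb would run.

```python
"""Flag shell scripts that carry padded, date-triggered code.

Added example (not from the original post or the quoted report). The
heuristics are assumptions: a run of blank lines long enough to push
code off the first screen, a comparison against the calendar date, and
a reference to a dot-prefixed helper script like the .y.sh in the filing.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed threshold: roughly "a page" of blank lines; tune for your environment.
BLANK_RUN_THRESHOLD = 40

# Assumed heuristics for a calendar-date trigger in a shell script.
DATE_TRIGGER_PATTERNS = [
    re.compile(r"date\s+\+%[YmdD]"),                  # comparing against `date +%Y%m%d`
    re.compile(r"\b(?:19|20)\d{2}-?\d{2}-?\d{2}\b"),   # a literal YYYYMMDD or YYYY-MM-DD
]
# A dot-prefixed shell script reference (the filing's .y.sh is the model).
DOTFILE_PATTERN = re.compile(r"(?:^|[\s/])\.[A-Za-z0-9_]+\.sh\b")


def longest_blank_run(lines: List[str]) -> Tuple[int, int]:
    """Return (length, index_after_run) for the longest run of blank lines
    that is followed by more content; trailing padding at EOF is ignored."""
    best_len, best_end, run = 0, -1, 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            run += 1
            continue
        if run > best_len:
            best_len, best_end = run, i
        run = 0
    return best_len, best_end


def analyze_script(text: str, threshold: int = BLANK_RUN_THRESHOLD) -> Dict[str, object]:
    """Inspect one script and return the findings that make it suspicious."""
    lines = text.splitlines()
    findings: List[str] = []
    run_len, tail_start = longest_blank_run(lines)
    if run_len >= threshold:
        findings.append(f"{run_len} blank lines precede code at line {tail_start + 1}")
    for number, line in enumerate(lines, start=1):
        if any(p.search(line) for p in DATE_TRIGGER_PATTERNS):
            findings.append(f"date trigger at line {number}: {line.strip()}")
        if DOTFILE_PATTERN.search(line):
            findings.append(f"dot-prefixed script reference at line {number}: {line.strip()}")
    return {"suspicious": bool(findings), "findings": findings, "blank_run": run_len}


def scan_paths(paths: List[Path]) -> Dict[str, Dict[str, object]]:
    """Analyze every *.sh file under the given paths; keyed by file path."""
    results = {}
    for root in paths:
        files = [root] if root.is_file() else sorted(root.rglob("*.sh"))
        for f in files:
            results[str(f)] = analyze_script(f.read_text(errors="replace"))
    return results


# Constructed sample: an ordinary housekeeping script.
CLEAN_SCRIPT = """#!/bin/sh
# nightly_backup.sh: archive the application logs (constructed sample)
LOGDIR=/var/log/app
ARCHIVE=/backup/app-$(date +%F).tar.gz
tar czf "$ARCHIVE" "$LOGDIR"
find /backup -name 'app-*.tar.gz' -mtime +30 -delete
"""

# Constructed sample: the same script with a page of blank lines and a
# dormant, date-gated branch appended, in the shape the filing describes.
PADDED_SCRIPT = CLEAN_SCRIPT + "\n" * 60 + """if [ "$(date +%Y%m%d)" = "20090131" ]; then
    echo "dormant branch reached"   # the filing's .y.sh was invoked at this point
fi
"""


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    if targets:
        for path, result in scan_paths(targets).items():
            for finding in result["findings"]:
                print(f"{path}: {finding}")
    else:
        for name, text in (("clean", CLEAN_SCRIPT), ("padded", PADDED_SCRIPT)):
            print(name, analyze_script(text))
```

Run it with one or more directories to walk every `*.sh` file, or with no arguments to see the two constructed samples side by side. The blank-line check is the cheap part; the date and dotfile patterns will produce false positives on legitimate scripts, so treat a hit as a prompt for review of the file's change history rather than as proof of anything.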

Maybe he needs a government gig.

8 Responses to “When I Was In Radio…”

  1. Chuck Says:

    Huh, I had an old employer who would lock up all of your computer access at a specified time. Then the manager would call you in to tell you that you are no longer an employee there. You would then be escorted out. They took no chances. But it made for very paranoid employees. Every time someone's computer would lock up, they’d get nervous and watch for the phone call to come into the office.

  2. Colleen Says:

    At our company, they come and tell you you’re done and stand there while you clean your desk out and then walk you out of the building. Seems simple enough.

  3. juanito Says:

    Nicely played. However, that’s just not cricket, fellow. Well thought out. Perhaps too well thought out for just part of a day’s worth of time. I suspect he had that ready to roll in some form, and just needed the time to plant it. A bit more effort at disguising it, and he could have got it to work.

    Eerily similar to the plot of Clancy’s Debt of Honor, where the Sys Admin loads a new version of software in the servers of the NY Stock Exchange, that contains code that activates when certain trading conditions are met. It basically wipes out an entire day’s worth of trades, after a foreign effort to crash the US Stock market, compounding all of the day’s mayhem.

  4. justplainangry Says:

    Hey! With servers down, Fannie would not be able to operate, ergo it wouldn’t be able to underwrite bogus mortgages! Damn, I wish this guy would have been terminated a couple of years ago and that script of his DID run!

  5. nerdbert Says:

    A mensch would pull a Ken Thompson type hack. Seriously… A script “hidden” by prefixing it with a period? Where the idea of “hiding” what you’re doing is a “blank page”? This guy is little better than a script kiddie.

    The guy’s a loser. Not just as a failed employee, but as a hacker. Scripts are waaay too easy to find, and ssh-ing in to leave it there? From your work laptop? To really hide something you either go deep (i.e. put your hack into a device driver), or obfuscated so that it looks like a programming error rather than something malicious. Seriously, given the push distribution system they describe and lack of testing/oversight a small programming “error” to the update could have done exactly what he wanted.

    Of course, a good sysadmin could be framing him, too. It’s not magic to make the necessary log files to make it look like the loser was doing this, especially in a company so brain dead as to give a contractor root to all their production servers. If the guy’s got lawyers with half a brain they’ll challenge the evidence and point out chain of custody problems, etc. For criminal prosecution these kinds of things are nearly impossible to prove unless you get them caught in the act. Think about it, who controls the logs and the backup tapes? The guys that fired him or got him fired. And you’re going to trust them to provide evidence that hasn’t been independently verified? And how hard is it to fake those logs or modify them? Bwahahaha! If you think it’s hard, you’ve never had root! Or been a BOFH.

  6. Lassie Says:

    Indiana was full of David Letterman stories (he was fired a lot). He put firecrackers in a model of a TV station and blew it up while the National Anthem played before the station signed off, and at my station was fired for setting a newscaster’s copy on fire live on air. CBS will probably never fire him. 😀

  7. Amendment X Says:

    I worked at an energy management/building services company that recruited me from a Fortune 50 company here in MN. I was out making sales calls in western MN and returned after the office closed late on Friday. My key didn’t work and I thought “I’m fired two months after they recruited me!?!” Found out that early that afternoon they fired one of the IT guys and the locksmith was there while the guy was in HR. They distributed new keys to the office while collecting all the old ones. I got a new key the following Monday.
    Seems that the government and even GSEs are working as well as they ever did.

  8. zestro Says:

    It’s all about trust in the job market and this guy has demonstrated criminal breach of trust if the allegations are true.
    I see he’s now working at Bank of America: http://www.loosewireblog.com/2009/01/the-hazards-of-recommending.html
    Even the hackers of the past took care to retain the trust of corporations. Dan Farmer may have played on the suspicion he was held to by corporations like SGI by naming his security audit SATAN. But through all his media antics he had a professional transparent attitude toward his work and was oriented around his clients’ needs. The same cannot be said about Rajendrasinh Babubhai Makwana.
