Fannie Mae hit by contractor 'logic bomb', as warnings are made on the importance of monitoring all privileged access

News by Dan Raywood

A former contractor at the US mortgage security firm Fannie Mae is facing up to ten years in jail after being convicted of attempting to destroy computer data.

A former contractor at the US mortgage security firm Fannie Mae is facing up to ten years in jail after being convicted of attempting to destroy computer data.

Rajendrasinh Babubhai Makwana worked as a UNIX engineer at the Federal National Mortgage Association from 2006 to late 2008 where he worked on around 5,000 servers.

Media reports claim that five days after he was fired, an engineer discovered a malicious software script known as a ‘logic bomb' in a routine program that was traced to Makwana's laptop. Even though he gave back all of his equipment after his employment ended, analysis of the script, computer logs and laptop showed he had transmitted the malicious script on the same day he was fired for making an unauthorised change to a different computer program, according to US Attorney's Office spokeswoman Marcia Murphy.

The indictment against him claims that the script was intended to go off on the 31st January 2009, and destroy all the financial, securities and mortgage information data throughout the Fannie Mae computer network.

Todd Chambers, chief marketing officer at Courion, said: “When a security incident of this nature occurs, we tend to file it away as an example of an ‘employee gone bad'. In reality, it constitutes a failure of the organisation to uphold its responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems.

“It is also important to consider that in the case of Fannie Mae, this was not an internal employee, but rather a third-party contractor. Many companies treat non-employees (subcontractors, partners, customers etc) with different levels of trust compared to known and vetted internal employees. As such, external parties are usually afforded differing levels of control and access as they are often more difficult to manage, sitting outside the traditional chain of company HR and administrative controls.”

He claimed that organisations and management have a financial and administrative responsibility to ensure that access to critical information and applications is authorised and continually monitored, as failure to control privileged identities and high-level access to systems has led to several instances of critical security failures in blue-chip companies in the past two years.

“The conclusion of the Fannie Mae incident once again highlights the need for an integrated and managed view of what is appropriate user access and activity across the IT estate,” said Chambers.

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events