TMCnews Featured Article


June 03, 2011

Enterprise Password Management At Heart Of Recent Foiled Fannie Mae Major Attack

By David Sims, TMCnet Contributing Editor


If you’re in the IT industry you know about the threat of insider attacks. Still, there are insider attacks and then, hoo boy, there are insider attacks to remember.

According to a recent Centrify blog posting, a former UNIX engineer at mortgage giant Fannie Mae was charged in Federal Court with planting a logic bomb that would have effectively shut down all 4,000 servers at Fannie.

An FBI affidavit says this logic bomb planted in a script would have "caused millions of dollars of damage and reduced, if not shut down, operations" for at least one week. Total damage would include cleaning out and restoring all 4,000 ABC servers, restoring and securing the automation of mortgages, and restoring all data that was erased.

Somebody wanted to go out with a bang. Evidently this was a UNIX engineer terminated because he had "erroneously created a computer script that changed the settings on the Unix servers without the proper authority of his supervisor."

But here’s where enterprise password management comes into play: He was terminated between 1 and 1:30 p.m. Between 2 and 2:30 he was told to turn in all of his FNMA equipment, including his badge and laptop, by the end of the day. He turned in his laptop at 4:45 p.m. and left the building -- but his account was still active until late that evening, which gave him more than enough time to work his mischief.

You can read the affidavit for the gruesome details, but it would have been bad. Really bad, including replacing all the data with zeroes. It was only discovered by chance by another engineer.

Part of it is just how cumbersome the system was. Centrify says it took over 10 hours to disable the UNIX engineer's access, well after he had left the building.
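The gap the article describes, between the moment HR terminates someone and the moment their accounts are actually disabled, is easy to measure if both events land in a log. The following script is an added example written for this page, not Centrify's product or anything from the affidavit: it reads constructed sample log lines (the timestamps, hostnames and usernames are made up), computes the deprovisioning lag for every terminated user, and flags any login or privileged activity by that user after the termination time. The 15-minute SLA is an assumed threshold.

```python
"""Offboarding lag check (added example, not the article's or any vendor's code).

Reads simple "timestamp source ACTION key=value ..." log lines, pairs each HR
termination with the matching IAM account-disable event, reports the lag, and
lists any activity the terminated account had after the termination time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events; not taken from the article or the FBI affidavit.
SAMPLE_LOG = """\
2008-10-24T13:15:00 hr TERMINATED user=uengineer
2008-10-24T16:45:00 badge RETURNED user=uengineer
2008-10-24T17:10:00 sshd LOGIN user=uengineer host=srv-0042
2008-10-24T17:22:00 sudo ROOT_SHELL user=uengineer host=srv-0042
2008-10-24T23:40:00 iam DISABLED user=uengineer
2008-10-24T13:00:00 hr TERMINATED user=jdoe
2008-10-24T13:05:00 iam DISABLED user=jdoe
2008-10-24T14:00:00 sshd LOGIN user=asmith host=srv-0007
"""

MAX_LAG = timedelta(minutes=15)  # assumed offboarding SLA: disable within 15 minutes

# Sources that record administrative handling rather than the user acting on a system.
ADMIN_SOURCES = {"hr", "badge", "iam"}


@dataclass
class Event:
    ts: datetime
    source: str
    action: str
    attrs: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse log lines into Event objects, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, action, *pairs = line.split()
        attrs = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(datetime.fromisoformat(ts), source, action, attrs))
    return sorted(events, key=lambda e: e.ts)


def offboarding_report(events: List[Event], max_lag: timedelta = MAX_LAG) -> Dict[str, dict]:
    """Return, per terminated user, the disable lag and any post-termination activity."""
    report: Dict[str, dict] = {}
    for ev in events:
        if ev.source == "hr" and ev.action == "TERMINATED":
            report[ev.attrs["user"]] = {
                "terminated_at": ev.ts,
                "disabled_at": None,
                "lag": None,          # Optional[timedelta]
                "activity": [],       # events by this user after termination
                "violates": False,
            }
    for ev in events:
        entry = report.get(ev.attrs.get("user", ""))
        if entry is None or ev.ts < entry["terminated_at"]:
            continue  # not a terminated user, or activity before the termination
        if ev.source == "iam" and ev.action == "DISABLED":
            if entry["disabled_at"] is None:  # first disable event wins
                entry["disabled_at"] = ev.ts
                entry["lag"] = ev.ts - entry["terminated_at"]
        elif ev.source not in ADMIN_SOURCES:
            # Any system activity after termination means the account was still usable.
            entry["activity"].append(ev)
    for entry in report.values():
        lag: Optional[timedelta] = entry["lag"]
        entry["violates"] = lag is None or lag > max_lag or bool(entry["activity"])
    return report


def summarize(report: Dict[str, dict]) -> List[str]:
    """Render one line per terminated user for a ticket or dashboard."""
    lines = []
    for user, entry in sorted(report.items()):
        lag = "never disabled" if entry["lag"] is None else str(entry["lag"])
        status = "VIOLATION" if entry["violates"] else "ok"
        lines.append(f"{user}: lag={lag} post-termination events={len(entry['activity'])} [{status}]")
    return lines


if __name__ == "__main__":
    for line in summarize(offboarding_report(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against the sample, the script reports a 10 hour 25 minute lag for the first user with two post-termination events (an SSH login and a root shell), and a clean 5 minute disable for the second. In practice the HR and IAM feeds would come from the ticketing system and the directory's audit log, but the check itself is the same: measure the gap, and treat any activity inside it as an incident.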

Prompt, efficient enterprise password management, of the kind offered by the vendor, includes tools to address such a situation, including DirectAudit, which “helps you spot suspicious activity by showing which users accessed what systems, what commands they executed, and what changes they made to key files and data.”

In the case of Fannie, Centrify officials say, “the UNIX engineer's every keystroke and the actual text of the script he was editing would have been captured and the FBI would be able to play back, like TiVo, in court the session in which the UNIX engineer created the logic bomb and implanted it in the maintenance script.”

Much of the problem is simply that the root password on a UNIX box has no real identity associated with it and is typically problematic to manage, Centrify officials say, explaining that the root account is the “God” account on UNIX systems and has unlimited power and no accountability. This is a big problem for auditing and compliance, and makes it difficult to automate password changes for root accounts.

Centrify offers ways to use custom SSH command sets to allow UNIX root passwords to be checked and changed, and schedules to be set for password changes, stating “UNIX root passwords can even be changed immediately after an admin uses them.”


David Sims is a contributing editor for TMCnet. To read more of David’s articles, please visit his columnist page. He also blogs for TMCnet here.

Edited by Jamie Epstein