Security News

Fannie Mae Worker Indicted For Malicious Script 325

Posted by Soulskill
from the good-thing-their-engineers-bailed-them-out dept.
dfdashh writes "A former Fannie Mae contractor has been indicted by a federal grand jury in Baltimore, MD for computer intrusion. He attempted to propagate a malicious script throughout the company's 4,000 servers. The DC Examiner has details of the incident: 'Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week. ... The virus was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae's computer monitoring system and then cutting all access to the company's 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying "Server Graveyard." From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.'"
  • by tritonman (998572) on Thursday January 29, 2009 @01:25PM (#26655361)
    the only thing that matters to me... will it erase my mortgage??!??!
    • Re:erase my mortgage (Score:4, Interesting)

      by internerdj (1319281) on Thursday January 29, 2009 @01:30PM (#26655467)
      The more important question for me is if my mortgage gets erased do the records that I'm at least part owner of the property get erased or does the company just get the deed to my home? Well it was mortgaged, but we don't have the records anymore we'll just assume you owe the full purchase value of the property until you can prove otherwise.
      • Re:erase my mortgage (Score:5, Informative)

        by jeff4747 (256583) on Thursday January 29, 2009 @01:42PM (#26655639)

        There would be records proving you own the home.

        When you take out a mortgage, the deed is still in your name. That's one of the main reasons foreclosure is actually kind of a pain in the ass for banks. They have to get the house transferred to their ownership before they can sell it.

        The deed is on paper in a filing cabinet in some county office (It's also stored electronically by the county). You should also have received a copy of it when you signed the flurry of paperwork when you bought the house.

        • Re: (Score:2, Interesting)

          by Hal_Porter (817932)

          So if someone say nuked the Fannie Mae servers then millions of people would get free homes?

          • by TheCarp (96830) *

            I think they would go back to the paper copies...but first the backups. Really data corruption/erasure is best if you can do the corruption before the backup cycle and not have it noticed until afterwards... but even then it's just a matter of using older backups.

            Barring that, I imagine they would go back to the paper docs. Of course, that wouldn't have payment history, so they would probably have to just assume that all the loans were current unless they could find evidence they were otherwise, and of cours

          • by sirwired (27582) on Thursday January 29, 2009 @02:11PM (#26656071)

            When the deed was recorded at the local records office, the fact that the bank has a lien on it is recorded along with it. The only way to clear that lien is to get the lienholder to have a letter saying so attached to your deed, or you have to have a court do it.

            SirWired

          • by Sun.Jedi (1280674)

            Ever hear of 'backups'? Even if Iron Mountain lost half the tapes on the way back to Fannie Mae (again)... there are digital records of your mortgage somewhere.

            Surely you have copies of your payments, insurance, property taxes, etc to prove you don't owe the full amount listed on the closing contract, yes?

            • Of course I do but that doesn't mean that everyone is as careful as me and that the mortgage company would treat me as if I owed them less than the full amount until I proved otherwise if they lost ALL their records.
          • by elrous0 (869638) * on Thursday January 29, 2009 @03:26PM (#26657169)

            You know, we slashdotters, as natural problem-solvers, should get together and work on a program to do that. It's a pretty pie-in-the-sky idea, though. Hey, that gives me an idea. We should call it "Pie-in-the-Sky."

            No, sounds too hokey. Need something more computer-sounding. How about "Skynet"?

            • Re: (Score:3, Funny)

              by hairyfeet (841228)
              Yeah, you think that is funny, but there is no telling how many guys are out there right now trying to cook up the Warhol Worm [berkeley.edu] just so they can say they "shut down the earth". Can you imagine if they figure out a way to get it to wipe out the databases while they are at it? While it would be a good money day for us tech guys can you imagine how long it would take to restore all those backup tapes? And they would have to probably pay us time and a half too......What the hell are you guys waiting for? Write t
      • by tritonman (998572) on Thursday January 29, 2009 @01:52PM (#26655801)
        even if that were true... erase my mortgage, take my house, I go buy one the same size for half the price now!
    • Return you to Year Zero? Be careful what you wish for.
    • Hyperinflation will do that for you.
  • by rhathar (1247530) on Thursday January 29, 2009 @01:25PM (#26655367) Homepage
    We've gotta wipe the system, man. Give everyone a blank slate!
  • by jollyreaper (513215) on Thursday January 29, 2009 @01:25PM (#26655371)

    Either a laughing skull and bones or an animated version of him as a bobblehead that pisses off Samuel L. Jackson with his hacker crap?

  • Disappointing... (Score:3, Interesting)

    by erroneus (253617) on Thursday January 29, 2009 @01:26PM (#26655381) Homepage

    The "Fight Club" guy in me would like to have seen that particular bomb go off. I know the damage would not have been , permanent, perfect or complete (That's what backups are for... right?) but still. Taking those financial giants down a peg might have tickled me. (It damn sure wouldn't have taught anyone any moral lessons or anything.)

    • Re: (Score:2, Informative)

      by Slumdog (1460213)

      I know the damage would not have been , permanent, perfect or complete (That's what backups are for... right?)

      Big companies only report successes. They report failures if it's too big to hide.

    • by Chyeld (713439) <chyeldNO@SPAMgmail.com> on Thursday January 29, 2009 @01:46PM (#26655705)

      I'm guessing you don't really understand what Fannie Mae does if you think the folk taken down a peg would be the banks.

      Fannie Mae purchased mortgages from banks to ensure the banks always had money on hand to make loans. They sold these mortgages as securities, guaranteeing the purchaser the money (paying it themselves if the mortgagee defaults).

      Them losing their records would simply mean that suddenly the banks would run out of 'liquid assets' to make loans with. Who do you think that would hurt: The average joe or the banks?

      Let me give you a clue, it wouldn't be the banks. They'd just hold onto the mortgages they have and start foreclosing aggressively to come up with the assets they need.

      • Re:Disappointing... (Score:5, Interesting)

        by anagama (611277) <obamaisaneocon@nothingchanged.org> on Thursday January 29, 2009 @01:57PM (#26655901) Homepage

        Them losing their records would simply mean that suddenly the banks would run out of 'liquid assets' to make loans with. Who do you think that would hurt: The average joe or the banks?

        It seems to me that banks making loans over the last four years IS THE major problem. Had they not been able to, we wouldn't have had a baseless boom, Angelo Mozillo, a gazillion dollar bailout of the wealthiest individuals, and schemes to assist the most foolish "housing investors" -- all at my expense. I too am rather disappointed the script was found and I don't even have a mortgage. I refused to get caught up in the housing bubble choosing instead to wait for a return to normalcy, which turned out to be a mistake. What I should have done is bought a house way more expensive than I could afford on a negative amortization loan and let the government modify my interest rate and principal balance. I now realize that in America, prudence is punished and stupidity rewarded. So yeah, I'm actually very depressed the script didn't execute.

        • by Chyeld (713439) <chyeldNO@SPAMgmail.com> on Thursday January 29, 2009 @02:05PM (#26656007)

          Fannie Mae was not the problem there, they only purchased "conforming" mortgages which matched their definition of a 'non-risky' loan.

          The problem was from the fact that the banks started moving from relying on Fannie Mae and started making "non-conforming" mortgages and selling them to other privately held companies. Once these mortgages started defaulting and housing prices started falling, even the "conforming" mortgages started having problems and the house of cards fell.

          Fannie Mae is a good scapegoat for people who want to pin this whole situation on one group, but that's all they really are, a scapegoat. They had their own problems (notably shady dealing in the upper echelons) but they weren't the ones who caused or even set up this scenario.

          • Re:Disappointing... (Score:5, Interesting)

            by anagama (611277) <obamaisaneocon@nothingchanged.org> on Thursday January 29, 2009 @02:43PM (#26656569) Homepage
            So if Fannie Mae had NOT been able to buy the conforming loans, banks making stupid loans would have had less money available to them because they'd have to hold the conforming loans, and as a result, those banks would have made fewer stupid loans. Sounds to me like FM was part of the problem. Honestly, I'm pissed. I'd like to see the entire banking industry lined up against the wall, because all it has amounted to recently is a Federally sanctioned highway robbery program targeted against people who live within their means and act responsibly.
            • by Aladrin (926209)

              The banks would have just sold those loans to someone other than FM instead. Preventing FM from buying loans doesn't solve anything.

              If anything, it makes it worse... Because then the banks feel no need to 'conform' to FM's standards and many more loans would have been stupid.

          • Re:Disappointing... (Score:4, Informative)

            by UnknowingFool (672806) on Thursday January 29, 2009 @02:53PM (#26656713)
            Totally agree. Fannie was stuck with the bad loans that other institutions made. For years banks and credit unions had to be conservative when lending because they had to absorb any bad loans they made. What caused the housing mess was that mortgages and loans became speculative instruments that could be sold and bought like stocks. It suddenly didn't matter as much to a bank if the person getting a mortgage could not pay it off. The bank would have made their money by selling off the mortgage long before that happened. The institution that bought the loan would have sold it off too before that happened. Eventually someone would have to take the loss when the house was foreclosed. Unfortunately that institution was Fannie Mae as it was designed to guarantee mortgages.
          • Re:Disappointing... (Score:4, Interesting)

            by tnk1 (899206) on Thursday January 29, 2009 @04:00PM (#26657619)

            Don't go absolving Fannie Mae, their management was just as evil as anyone else's. Let's not forget their little, "oops we need to restate our income by a few billion dollars" fiasco. There were plenty of people in the FNMA Market Room who were playing fast and loose with mortgage backed securities.

        • by Archangel Michael (180766) on Thursday January 29, 2009 @03:58PM (#26657589) Journal

          Stupid SHOULD hurt. The government and the liberals don't realize this. And yes, I said Liberals ... not Democrats. There were plenty of LIBERAL (see compassionate conservatives) in the Republican Party too.

          And by "Stupid" I don't mean lack of intelligence (IQ), I mean DARWIN Award winners types. These are the people who have a brain, should know better, but don't F'in care about what they are doing and expect everyone else to clean up their mess.

          Sorry, but STUPID SHOULD HURT! Like when you stick your hand on the stove hurt. Like when you make stupid loans and bundle them into derivatives to leverage the stupidity and then re-bundle those into even more stupid derivatives. IT all works, until it doesn't, then everyone pays for the Ponzi Schemes.

          Which is why the stupid Bailouts to the same people that caused this mess is just stupidity on top of stupidity. We are now leveraging STUPID to try to stop the "HURT".

          And nobody is willing to tell it like it is. STUPID!

      • Banks need the money to make loans... which are usually for a mortgage.... so they would foreclose aggressively to then turn around and take more mortgages?
        • by Chyeld (713439)

          Banks don't make money (really, not much) on money sitting in their vaults. For them to make money, they have to invest it. Banks invest money by making loans. Some of those loans are home mortgages, some aren't.

          Loans come with the expectation that they will be repaid.

          In a 'nicer' time, banks might look at a person's situation before foreclosing after the first missed payment. But in lean times, missing a payment means disrupting the bank's own flow of money. It's better, in their head, to foreclose, sell

  • by Phoenixhawk (1188721) on Thursday January 29, 2009 @01:28PM (#26655411)
    Look like he was flying through a cyberspace version of his city while he was doing it???
  • A virus that can propagate through an entire enterprise's array of servers, and then wipe out all data?

    Most enterprises comprise a heterogeneous mix of servers of differing breeds. Getting a program to run on all of them, and then to gain access to data and transform it all in a single virus would be a great piece of programming, and any enterprise looking to hire an efficient data migration specialist or integration architect should consider hiring...

    • Re: (Score:3, Informative)

      by Opportunist (166417)

      Not in the financial business.

      Everything needs to be approved, certified and someone has to get a kickback. Only the former two are official, the third is most likely the reason for the first two because I, at least, couldn't find any other sensible explanation, but that's just how it is. To be allowed in some important network, this can be some auditing standard or information exchange, you almost certainly have to use one of the "approved" systems.

      So it's quite likely, actually, that you find a monocultur

    • Re: (Score:2, Insightful)

      by Lumpy (12016)

      Why?

      Fannie Mae more than likely uses Server 2003 with MSSQL, and I'm betting all on the same domain with a global user list.

      This would not be a hard thing to do. 1 afternoon with VB and I can write the same thing. Hacker 101 stuff.

      Most financial places have REALLY SHITTY IT security.

    • Re:Really? (Score:5, Informative)

      by Anonymous Coward on Thursday January 29, 2009 @01:45PM (#26655675)

      Former FNMA employee here- I left a couple years ago.

      1- The vast majority of their servers run Solaris- this wasn't some sort of cross-platform attack.

      2- They have an infrastructure that allows a single admin server to execute commands on the entire farm simultaneously.

      Suddenly being able to wipe out everything doesn't sound too difficult does it? From what I heard from friends- it was just a couple lines of shell, and it was discovered because there was a typo, and the script failed. Not a virus by any stretch.

      Oh- and of course they have backups, but imagine restoring 2500+ servers from tape... That's probably where the week of downtime came from, and it sounds accurate to me.

      • by powerlord (28156)

        1- The vast majority of their servers run Solaris- this wasn't some sort of cross-platform attack.

        Even if the vast majority are Solaris, a previous poster mentioned a fair amount of HP hardware may also be in the mix.

        Something we all would do well to recognize is that a shell script can easily be "cross platform", at least regarding all the flavors of *nix including Solaris, HPUX, Linux and BSD.

        (although I'd probably use perl to pull in the libraries and speed up development time)

        Heck, with only a little bi

    • Re:Really? (Score:5, Insightful)

      by nedlohs (1335013) on Thursday January 29, 2009 @01:45PM (#26655685)

      Obviously virus is what the idiot who wrote the article is calling it (and possibly a term used in whatever he has been charged with), but since he had root access to all the servers it wouldn't really be a virus. Just a script installed on them, probably run via plain old cron.

      When you terminate a contractor or employee it is wise to also terminate their access to your servers...

      #!/bin/sh
      for i in /dev/[sh]d*
      do
              cat /dev/zero >"$i" &
      done

      is not exactly a great piece of programming (and the above is obviously untested, and since he was a unix admin he would actually know what the drive device names are in the presence of weirdo RAID setups...)
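
The advice in the comment above, that a departing admin's access has to be removed on every server, expressed as a per-host check. This is an added example, not code from the thread or from Fannie Mae; the account name `jdoe`, the fixture tree and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the access a terminated account
# still holds on one host. ROOT is the filesystem root to inspect, so the same
# checks work on "/" or on a mounted image / test tree.

audit_offboarded() {
    root=$1
    user=$2

    # 1. Password login. Locked entries start with '!' or '*' ('*LK*' on
    #    Solaris); 'NP' is a no-password, non-login entry.
    hash=$(awk -F: -v u="$user" '$1 == u { print "x" $2 }' "$root/etc/shadow")
    case $hash in
        '') ;;                          # no shadow entry at all
        'x!'*|'x*'*|xNP) ;;             # locked
        *) echo "password-unlocked $user" ;;
    esac

    # 2. SSH keys keep working after the password is locked.
    home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$root/etc/passwd")
    if [ -n "$home" ] && [ -s "$root$home/.ssh/authorized_keys" ]; then
        echo "ssh-keys $root$home/.ssh/authorized_keys"
    fi

    # 3. Scheduled jobs keep firing after the person has left the building.
    for tab in "$root/var/spool/cron/crontabs/$user" "$root/var/spool/cron/$user"; do
        if [ -s "$tab" ]; then
            echo "crontab $tab"
        fi
    done

    # 4. Standing privilege: user-spec lines naming the account directly
    #    (grants made through a group are not resolved here).
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -q "^[[:space:]]*$user[[:space:]]" "$f"; then
            echo "sudoers $f"
        fi
    done
    return 0
}

# Constructed fixture: a fake host tree where jdoe's password was locked at
# termination but nothing else was cleaned up.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/sudoers.d" "$t/export/home/jdoe/.ssh" \
             "$t/var/spool/cron/crontabs"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
                  'jdoe:x:1001:10::/export/home/jdoe:/bin/sh' > "$t/etc/passwd"
    printf '%s\n' 'root:*LK*:::::::' 'jdoe:*LK*:::::::' > "$t/etc/shadow"
    echo 'ssh-ed25519 AAAA-constructed jdoe@laptop' \
        > "$t/export/home/jdoe/.ssh/authorized_keys"
    echo '0 9 31 1 * /export/home/jdoe/job.sh' \
        > "$t/var/spool/cron/crontabs/jdoe"
    echo 'ops ALL=(ALL) ALL' > "$t/etc/sudoers.d/ops"
    echo "$t"
}

fixture=$(make_fixture)
audit_offboarded "$fixture" jdoe     # reports the SSH key and the crontab
rm -rf "$fixture"
```

On a farm driven from a single admin server, the same function would be run once per host and any non-empty output treated as an open offboarding item.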

    • Getting a program to run on all of them, and then to gain access to data and transform it all in a single virus would be a great piece of programming...

      You obviously underestimate the power of VB script my friend. :-)

  • Any comment at this point would bring the Political Correctness Police down on me like a horde of avenging non-denominational metaphysical winged beings.
  • by Petersko (564140) on Thursday January 29, 2009 @01:29PM (#26655451)
    ...turned Fannie Mae into a financial failure.
    • by hey! (33014) on Thursday January 29, 2009 @02:14PM (#26656133) Homepage Journal

      ...turned Fannie Mae into a financial failure

      ... which it never was during the 30 years from 1968 to 2000, roughly when banking deregulation took effect. It may be that such an institution is a bad idea, but you have to consider that financial institutions of all kinds are in desperate condition as well, so you can't use the financial disasters of 2008 as proof that Fannie is any worse an idea than, say, a private investment bank.

      The idea that Fannie's failure shows that it ought never have been, applied consistently, would argue for nationalizing banks. I, as one who has been a staunch liberal though the long winter of liberal dispute, think nationalization is a terrible idea. This is not because the government is bad and business is good, but because government and business would be indistinguishable, leaving nobody to watch the foxes in the chicken coop.

      All in all, I think the widespread calamity in the financial sector more probably indicates that the particular kind of banking deregulation practiced in the post Gramm-Leach-Bliley era has at the very least unintended consequences.

      • Re: (Score:3, Insightful)

        I'm sympathetic to the idea that deregulation had a hand in the financial implosion but I'm not sure I understand the logic behind blaming "Gramm-Leach-Bliley" specifically. It seems that, in the early stages of the crisis before it cascaded to impact everyone it was the least diversified investment banks that were remnants of Glass-Steagall that had, and caused, the most trouble and the most diversified banks that would have been illegal before Gramm were the healthiest and in a few cases because it wasn't
      • Re: (Score:3, Insightful)

        by khallow (566160)

        ... which it never was during the 30 years from 1968 to 2000, roughly when banking deregulation took effect. It may be that such an institution is a bad idea, but you have to consider that financial institutions of all kinds are in desperate condition as well, so you can't use the financial disasters of 2008 as proof that Fannie is any worse an idea than, say, a private investment bank.

        Fannie Mae and Freddie Mac served an unusual role. They were a huge source of poorly understood risk. And their special status with government resulted in their securities instruments being considered more sound than they actually were. They helped start the financial disaster. Frankly, due to their exceptional size, I think the economic problems now would be considerably better in their absence. Other banks would have taken their place and made the same bad decisions. But those private banks wouldn't have

        • Re: (Score:3, Interesting)

          by hey! (33014)

          True, but the wise men of wall street were supposed to have their exalted status because they knew how to grade and price risk better than ordinary mortals. If I were a Citibank investor, and Charlie Prince told me to my face that the reason my stock was in the toilet was that Franklin Raines pulled a two bit Svengali act on him, I'd spit in Prince's eye.

          And with respect to Fannie and Freddie's "special status with the government", what, exactly is this special status they enjoy? That they are too big to

  • by cfulmer (3166) on Thursday January 29, 2009 @01:30PM (#26655453) Homepage Journal

    Considering that Fannie Mae has been losing billions every week, the idea of only losing a few million for a week sounds like a great idea.

    • Re: (Score:3, Funny)

      by Opportunist (166417)

      "Your honor, I didn't want to cause damage, actually, I wanted to help save a little money by only damaging them for a few millions so they cannot blow billions of taxpayer money this week"

  • I am .... (Score:5, Funny)

    by Anonymous Coward on Thursday January 29, 2009 @01:32PM (#26655487)

    I am Jack's complete lack of surprise

  • Technically (Score:5, Funny)

    by cowscows (103644) on Thursday January 29, 2009 @01:32PM (#26655493) Journal

    Technically, all of the data in a computer is really just a bunch of ones and zeros, so assuming a fairly even mix of those two possibilities, writing over everything with zeros would only change half of their data.

    • by wren337 (182018) on Thursday January 29, 2009 @02:24PM (#26656261) Homepage

      Great defense.
      "In fairness, a lot of those were zeros already."

    • any hacker worth his/her salt should have changed all the ones to zeros and all the zeros to ones! N00BS!!

  • by tristanreid (182859) on Thursday January 29, 2009 @01:36PM (#26655541)

    Of course it isn't verifiable, but I thought this was interesting:

    H1B#36a: "What wasn't reported was that the contractor was fired for writing a script poorly, that caused the failover over of a number of High-Availability production servers. His "landmine/timebomb" script was found through his same poor scripting skills. Whatever doping manager that hired that guy should be fired too, along with his director and VP!"

    -t.

  • Woah (Score:5, Funny)

    by bFusion (1433853) on Thursday January 29, 2009 @01:39PM (#26655577) Homepage
    This is like if someone mixed the movies Office Space and Fight Club together!
  • Maybe it would have gotten rid of them (should have happened when they went bankrupt, like what happens to most companies)...

    Slightly sarcastic, but with a point.

  • this is their business model over there.

  • cinema's next The Devil Wears Prada.

  • What about the billions or trillions of dollars of damage done to the taxpayers by Fannie Mae, and its incestuous twin, Freddie Mac? Anyone attempting to take out this job-killing, economically destructive abomination is a patriot.
  • Why oh why (Score:4, Funny)

    by geekoid (135745) <dadinportland @ y a hoo.com> on Thursday January 29, 2009 @02:13PM (#26656111) Homepage Journal

    couldn't somebody at the credit company do this...and not get caught?

    • by Mista2 (1093071)

      That's the problem, you have to trust your Engineers to do their job. Sometimes that trust is breached. To me a dirty engineer is almost as bad as a dirty cop.

  • by srussia (884021) on Thursday January 29, 2009 @02:14PM (#26656135)
    From there, the virus would wipe out all Fannie Mae data, replacing it with zeros

    Wouldn't zero be an improvement over negative whatever?
  • They might have gone down for a few days, but surely they have recent system back-ups to restore from, and daily backups to restore the data from. ...Right? Please?

    • by Greyfox (87712)
      I'm going to guess based on every company that I've ever worked for that execution of this script would have been followed by the sinking realization that the backups were for some reason or other not viable.

      Furthermore based on the level of ineptitude already displayed by Fannie Mae, I wouldn't hold out much hope that they even run backups.

      They can probably go back and get all the information off paper records though...

  • by rickb928 (945187)

    They fired him. And let him have some access before he left.

    Not a good idea. Sadly, you have to be aware of the threat. If you're firing someone with admin access, you should meet with them in a room without a workstation, explain the situation, and send them back to their desk to clean it out - with a monitor to ensure their workstation stays turned off.

    While you're having the meeting, someone shuts down their workstation, disables network access, and - if not concurrently - immediately revokes their pr

    • Re: (Score:3, Insightful)

      I was just coming here to post something similar to this

      Over the years, there have been numerous "ASK SLASHDOT" and otherwise categorized posts here on the subject of discharge procedures. "I got laid off, and they made me pack up my stuff in front of someone who watched me and then escorted me out of the building. It was humiliating." That kind of thing.

      Well, this event illustrates why some places decide to do it that way. FNMA didn't do it that way with this guy, and he took advantage of the time

    • by couchslug (175151) on Thursday January 29, 2009 @05:55PM (#26659215)

      Of course, the way around this would be a "deadman switch" that required input NOT to trash the system.

  • The "Fight Club" style of "getting back at the Man" isn't very practical. There would be some period of disarray, but if you really want to screw things royally, you would introduce random, but very small data errors that hopefully get overlooked. Over time, these affect the balance sheets, the "business algorithms" in place, and generally make it a nightmare to figure out how to fix things. All of this "silent data corruption" would be propagated to disaster recovery systems. Your "backup tapes" would

    • by WilyCoder (736280)

      Congratulations! You have won today's daily "evil bastard" award :) or should that be >;)

  • by Octorian (14086) on Thursday January 29, 2009 @03:21PM (#26657103) Homepage

    While reading through the article, and some of the talkback, I stumbled across this document [zdnet.com] which contains results of the actual investigation. It has lots of actual details, and is worth a read. (meanwhile, the news articles are a little too dumbed-down to be of any real value or interest).
