A contract worker at Fannie Mae, a government-sponsored enterprise that helps Americans buy houses, has been charged with planting malicious script that would have taken down all the organization’s 4,000 servers this Saturday morning, January 31.
Rajendrasinh Babubhai Makwana pleaded not guilty today in the U.S. District Court for the District of Maryland to one count of computer intrusion arising from the transmission of malicious script.
Makwana, 35, was a UNIX programmer working for Fannie Mae outsourcing contractor OmniTech. He had worked at Fannie Mae’s Urbana, Md. facility from 2006 to October 24, 2008, Rod Rosenstein, the U.S. Attorney for the District of Maryland, said in a statement.
He appeared in court on a grand jury indictment returned earlier this week, and has been released under certain conditions. “We don’t have bail here,” Marcia Murphy, the public affairs specialist in Rosenstein’s office, told InternetNews.com. However, she did not know the conditions of his release.
A date for the next court hearing has not yet been set.
Makwana’s public defender, Christopher Nieto, did not return calls requesting comment by press time.
According to an affidavit from Jessica Nye, a special agent in the FBI’s Baltimore field office who investigated the case, Makwana was a UNIX engineer at Fannie Mae’s Urbana, Md. facility. He had full access to its servers. The affidavit referred throughout to Fannie Mae as ABC.
Nye’s affidavit alleges that, on October 24, 2008, Makwana was terminated because he had erroneously created a computer script that changed the settings on Fannie Mae’s UNIX servers without proper authorization in October. However, this script was not maliciously created.
Makwana was later told to turn in all Fannie Mae equipment by the end of the day, but his computer access was not terminated. A little over two hours later, he turned in his security badge and corporate laptop, according to Nye’s affidavit.
Orphaned accounts a danger
That delay highlights the danger of orphaned accounts, which are computer accounts on which access rights are not revoked after the account holders leave a company or are transferred. Security experts say such a lapse can lead to security and compliance breaches.
One suggestion offered by these experts is that enterprises improve access control and provisioning processes. Several vendors have begun offering products for this and has led CA (NYSE: CA) and others to offer products that manage governance, risk and compliance (GRC).
The next morning, a senior Fannie Mae UNIX engineer, who was not named in Nye’s affidavit, accidentally discovered malicious script embedded within an existing legitimate script that runs at 9 a.m. daily.
The legitimate script was removed and archived, all access to servers was locked down, and Fannie Mae’s UNIX engineers began an investigation, Nye’s affidavit said. This showed the malicious script was created on one particular server that Makwana had accessed.
The malicious script would block the monitoring system for 61 minutes and disable two production servers so no one could log in to them. It would then wipe out data and destroy backup software and logs on Fannie Mae’s 4,000 servers, and power them off so they could not be turned on remotely, Nye’s affidavit said.
“Had this malicious script executed, [Fannie Mae’s] engineers expect it would have caused millions of dollars of damage and reduced, if not shut down, operations at [Fannie Mae] for at least one week,” Nye’s affidavit said.
Nye’s affidavit was dated January 6.
A Fannie Mae spokesperson declined to comment.
If Makwana’s logic bomb had gone off, it could have further hit the housing market, which is reeling from the mortgage crisis. Millions of home owners’ mortgage data would have been wiped out.
The extent of the possible damage could lead the judge hearing the case to impose an aggressive sentence, Scott Christie, a partner in law firm McCarter & English and a former Federal prosecutor specializing in cybercrime cases, told InternetNews.com. Christie said Makwana could face up to 10 years in prison if convicted.