Thread: Always a good reason to remove access when you fire someone

  1. #1
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152

    Always a good reason to remove access when you fire someone

    Nye goes on to explain that access to Fannie Mae's computers for contractors' employees was controlled by the company's procurement department, which did not terminate Makwana’s computer access until late in the evening Oct. 24.
    Five days later, another Unix engineer discovered the malicious script embedded within a pre-existing, legitimate script. According to a federal affidavit, the legitimate script runs every morning at 9 a.m. and validates that there are two storage area network paths running correctly and operationally through all Fannie Mae servers. The malicious script was at the bottom of the legitimate script and was separated by roughly one page of blank lines in an apparent attempt to hide the malicious script within a legitimate script.
    http://www.eweek.com/c/a/Security/Fi...AV01302009STR1

    sneaky sneaky

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  2. #2
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246
    Ha! I was just about to post this.

    Sounds harsh, but lockout your ex-employees the second they're given their walking papers. Kudos to the attentive admin.

  3. #3
    Junior Member
    Join Date
    Jan 2009
    Location
    Canada
    Posts
    4
    That's great. Does this script just damage the data on all 4000 computers? Or is it snooping? Anyone have any details?

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm,

    Sorry to be cynical (the hell I am!) but why?

    If you actually work in IT, and have a brain, aren't you going to see the writing on the wall, and take a few "precautions" in case the parting of the ways isn't to your satisfaction?

    That stuff was installed way before he got fired, but there are still scumbags getting big dollars because they are the big cheeses and know jack $h1t about IT?

    They are the ones who screwed the basic security? They had no model.

    Way too PR and plausible to the idiot public for me...............I am getting old

  5. #5
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Even if you have policy to disable accounts "immediate upon termination", compliance is not always 100%.

    I run a daily diff (actually sdiff... easier to read) on all production directories comparing yesterday's diff to today's. Looking for any source changes which are compared to change mgt reports. Always manage to catch a few "emergency" changes that have downstream impacts and an occasional rogue contractor/employee.

    A corollary to my "In God we trust..." theorem is..."trust, but verify"... Ronald Reagan

    csr
    In God We Trust....Everything else we backup.
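    The daily directory diff Ron describes, applied to the case from post #1 (a second script buried under a page of blank lines at the bottom of a legitimate cron job): an added example, not code from either poster. It hashes a production script tree, compares today's manifest against yesterday's and the approved change list, and flags any changed file whose code resumes after a long run of blank lines. The file name, the padding threshold and the sample script are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

PADDING_THRESHOLD = 40  # consecutive blank lines that count as "a page of padding"

def build_manifest(root):
    """Map every file under root (relative path) to the SHA-256 of its bytes."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def hidden_tail(text, threshold=PADDING_THRESHOLD):
    """Return (run_length, tail) when code follows >= threshold blank lines."""
    lines, run = text.splitlines(), 0
    for i, line in enumerate(lines):
        if not line.strip():
            run += 1
            continue
        if run >= threshold:          # a 'page' of padding, then more code
            return run, "\n".join(lines[i:])
        run = 0
    return None

def review_changes(root, baseline, approved):
    """Diff yesterday's manifest against today's tree and report anomalies."""
    current = build_manifest(root)
    findings = [(p, "removed") for p in sorted(set(baseline) - set(current))]
    for path in sorted(current):
        if baseline.get(path) == current[path]:
            continue                  # unchanged since yesterday's run
        status = "added" if path not in baseline else "modified"
        if path not in approved:      # not on the change-management report
            findings.append((path, f"{status} without change ticket"))
        tail = hidden_tail(Path(root, path).read_text(errors="replace"))
        if tail:
            findings.append((path, f"code after {tail[0]} blank lines"))
    return findings, current

def demo():
    """Constructed scenario: the 9 a.m. SAN path check gains an appended tail."""
    root = tempfile.mkdtemp()
    script = Path(root, "check_san_paths.sh")
    clean = "#!/bin/sh\n# validate both SAN paths\nmultipath -ll | grep -c active\n"
    script.write_text(clean)
    baseline = build_manifest(root)   # yesterday's manifest
    script.write_text(clean + "\n" * 60 + "echo 'appended without a ticket'\n")
    return review_changes(root, baseline, approved=set())[0]
```

    Run `demo()` to see both findings for the padded script; in production, persist the manifest returned by `review_changes` as the next day's baseline.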

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Federal officials said Makwana was terminated because on or about Oct. 10 or Oct. 11 he created a computer script that changed the setting on the Unix servers without getting the nod of his supervisor. That script was not malicious.
    So, you let junior contractor's staff modify your production environment on the fly, and think that the solution is to make sure that their access is cancelled when they leave?

    Am I the only person who sees that there is a somewhat larger governance and security issue here?

  7. #7
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Am I the only person who sees that there is a somewhat larger governance and security issue here?
    You're not alone old man.

    The business stakeholders in MANY of the smaller shops I have worked in refuse to fund the necessary infrastructure (e.g. governance, change mgt) and then when their inaction causes a problem, they just blame the IT guy.

    But I'm not complaining. If they were too efficient and effective, they wouldn't need me.
    In God We Trust....Everything else we backup.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK, I agree that it is not uncommon in smaller shops and in manufacturing, engineering, retail and the like, where IT is not considered that important.

    Fannie Mae is a major financial institution............... the rules should be different there.

    Also the rules for contractors should be different. The one thing you are sure of is that they will leave at the end of their contract, amicably or otherwise.

    They should not have direct access to the production environment and their activities should be reviewed by a permanent member of staff to ensure that they are appropriate, properly documented and fully understood.

    This isn't just a security issue, it is one of basic functionality. How can you support, maintain and enhance things if you don't know how they work? You might let your own staff get away with a few "emergency adjustments", not that I have ever done such a thing (much), but you must never let contractors do it unless, of course, you have outsourced. In the case of outsourcing you should satisfy yourself that the contractor has suitable processes and procedures to control their staff and protect your systems before taking them on?

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    However, after his termination, Makwana's access to the computer systems did not immediately end, and he retained full access rights until at least 10 p.m. that evening, according to an FBI affidavit. Makwana used his extended legitimate access to clear out all logs that revealed his access to the server, eliminating any "footprint" of his malicious activities on Oct. 24. He then gained launch code that would allow him access to Fannie Mae's servers remotely. Upon gaining root access to Fannie Mae's system, Makwana created a file in which he developed the malicious code on Oct. 25, the day after his termination.
    http://www.crn.com/security/212903585

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    "This is definitely an access governance control failure," Cleary said.
    Absolutely!

    Cleary said that contracted employees will likely become a bigger security threat
    That is a bit obvious? The more contractors you have the greater the probability that a contractor will be a security threat. Having said that, contractors expect to move on, so are much less likely to be disgruntled than a permanent employee who is laid off?

    And again, an employee looking for another job is likely to want a good reference, which a federal indictment is not?

    An examination of Makwana's e-mails in the days before he created the malicious code indicated that he instructed relatives in India not to return to the U.S., the FBI affidavit said.
    Looks like he had something in mind prior to the event?

    He then gained launch code that would allow him access to Fannie Mae's servers remotely.
    That sentence doesn't really make sense. I suppose it means that he planted a backdoor? This seems like a better description:

    Makwana was told of his termination on Oct. 24 at about 2 p.m., after which he surrendered his badge and left the Urbana facility at about 4:45 p.m. that same day, according to an FBI affidavit. However, Makwana's server access was not terminated until 10 p.m. later that evening. Makwana used his extended access to reset the company's servers that would eliminate his "footprint" and impede security alerts that would ordinarily warn Fannie Mae engineers of an intruder's continued access to the servers. Makwana then launched code that would enable him to access the servers remotely, and created the logic bomb the following day, Oct. 25.
    It sounds as if he had already created the backdoor? When you fire somebody you have a member of staff remain with them until they leave the premises, and how would he know that he would be able to access the server after he had left?

    It would probably be best practice to revoke the authorities before informing the person of their termination. Follow that with an audit of what they have been doing and had access to, which does seem to be what happened, because I don't think that you would discover something like that by accident.
