Today, it was revealed that a departing contractor left Fannie Mae with a parting gift – a logic bomb designed to take down 4000 of the financial giant's servers & their data. Since this news broke, a number of concerned CIOs have asked my team for some guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks.
Akshay Aggarwal Practice Manager (North America & Latam)
The detailed FBI report about the incident is an interesting read. It would have been a real catastrophe had the script got executed. Lucky Fannie Mae :-)
One question though... Do you think such a security design, wherein one individual, if he desires, is allowed to log on to and run destructive code on all those 4000+ systems.
Also, some integrity checking of the script files (like MD5) just before initialization would be a nice idea (agreed that someone with sufficient access rights will be able to manipulate the checksum database too :-( )
Thanks for the post !
The FBI Report on the Fannie Mae incident is a good read. It is really surprising that one individual has access to 4000+ systems with administrative rights. Is such a flat security design suggested?
Also, wouldn't it be a nice practice to checksum the original critical script files and verify the scripts against those stored/protected checksums before initiating?
A flat security design such as this is a cause for concern. Many organizations use such security paradigms as they lack the discipline or maturity required to have stricter controls in place.
As Sree suggested above, maintaining a checksum of programs and scripts will raise the security bar and mitigate some of the risk. Generally I would recommend that organizations have well-thought-out deprovisioning processes and are ready with multiple layers of controls to deter/identify the cause of logic bomb attacks. This will deter a malicious employee significantly. Anything else will seem too draconian and may lead to unnecessary bureaucratic processes.