A former programmer was convicted this week of planting a malicious script on the servers of the US’ Federal National Mortgage Association, known as Fannie Mae, after he was fired.
Rajendrasinh Babubhai Makwana of Montgomery County, Maryland was found guilty by a federal jury on 4 October. A contract worker, Makwana was employed as a UNIX engineer at Fannie Mae’s Urbana, Maryland facility from 2006 until he was fired on 24 October, 2008.
Five days later, a Fannie Mae senior engineer discovered a malicious script embedded in a routine program, authorities said. A subsequent analysis of the script, computer logs, Makwana’s laptop and other evidence revealed that he had planted the malicious code the day he was fired, and that it was intended to execute on 31 January, 2009.
“When a security incident of this nature occurs, we tend to file it away as an example of an employee gone bad,” said Todd Chambers, chief marketing officer at identity management firm Courion. “In reality, it constitutes a failure of the organisation to uphold its responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems.”
Makwana is scheduled to be sentenced on 8 December, and faces a maximum of 10 years in prison.
When a security incident of this nature occurs, we tend to file it away as an example of an ‘employee gone bad’. In reality, it constitutes a failure of the organisation to uphold its responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems.
It is also important to consider that in the case of Fannie Mae, this was not a direct employee, but rather a third-party contractor. Many companies treat non-employees (subcontractors, partners, customers etc.) with different levels of trust compared to known and vetted direct employees. As such, external parties are usually afforded differing levels of control and access, as they are often more difficult to manage, sitting outside the traditional chain of company HR and administrative controls.
At a basic level, an organisation and its management have a financial responsibility as well as an administrative responsibility to ensure that access to critical information and applications is authorised and that it is continually monitored for all users, be they direct or indirect employees, to make sure the resulting activity is appropriate and permitted. The failure stems from the ‘perception of control’ an organisation has over its most sensitive networks, systems and devices.
Failure to control privileged identities and high-level access to systems has led to several instances of critical security failures in blue-chip companies in the past two years. In addition to the incident at Fannie Mae, the city of San Francisco was brought to its knees in 2008 because an employee locked down the city’s IT system through a privileged account. The former employee responsible for that, Terry Childs, was convicted and jailed for four years, but not before his actions cost San Francisco millions in lost productivity and court costs.
The conclusion of the Fannie Mae incident once again highlights the need for an integrated and managed view of what is appropriate user access and activity across the IT estate.