Note to Fannie Mae: Dealing with Logic Bombs

Today, it was revealed that a departing contractor left Fannie Mae with a parting gift – a Logic Bomb designed to take 4000 of the financial giants servers & their data. Since this news broke, a number of concerned CIOs have requested my team for some guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks. Read more…

Akshay Aggarwal
Practice Manager (North America & Latam)

Comments (4)
  1. Sree says:

    The detailed FBI report about the incident is an interesting read. It would have been a real catastrophe had the script got executed. Lucky Fannie Mae πŸ™‚

    One question though.. Do you think such a security design, where in one individual, if he desires, is allowed log on to and run a destructive code on all those 4000+ systems.

    Also, some intergrity checking of the script files ( like MD5) just before initialization would be a nice idea( Agree to the fact that some one with sufficient access rights will be able to manipulate the checksum database too πŸ™ )

  2. sreekarun says:

    Thanks for the post !

    The FBI Report on the Fannie Mae incident is a good read. It really surprises that one individual has  access to 4000+ systems with administrative rights. Is such a flat security design suggested ?

    Also, wouldn’t it be a nice practice to checksum the original critcal script files and verifying the scripts against the stored/protected checksums those checksum before initiating.

  3. A flat security design such as this is a cause for concern. Many organizations use such security paradigms as they lack the discipline or maturity required to have stricter controls in place.

    As Sree suggested above, maintaining a checksum of programs and scripts will raise the security bar and mitigate some of the risk. Generally I would recommend that organizations have well thought out deprovisioning processes and are ready with multiple layers of controls to deter/identify the cause of logic bomb attacks. This will deter a malicious employee significantly. Anything else will seem to draconian and may lead to unnecessary bureaucratic processes.

Comments are closed.

Skip to main content