So a Unix scripting consultant with root access to 4000 of Fannie Mae's servers (somewhat doubtful that was 4000 Unix servers, but maybe the script was cross-platform) inserts code into a SAN connectivity monitoring script on the day he is let go, intended to wipe their data and embarrass Fannie Mae.
Pertinent info (this all happened on October 24th): he was let go at 2:30 pm, started working on the "virus" at 2:53 pm, his last known access was at 4:30 pm, and he returned his laptop at 4:45 pm. "Late in the evening" his access was terminated.
On October 29th a senior Unix administrator finds the "virus" by accident.
The "virus" was set to go off on January 31st.
Wow, just wow... He had a little less than a 2-hour window to conceive of, write and implement his "virus". So either he had started ahead of time, he is a pretty solid scripter, or it wasn't very well written/proofed code. I tend to believe option 1 or 2, as his code did manage to run for 5 days without raising any alarms and he couldn't have had a lot of testing time.
He started working on it 23 minutes after he was let go and completed it 97 minutes later.
Lessons learned?
-For people with this level of access (or pretty much any tech worker), access should be revoked during the exit interview.
-After the exit interview they should be escorted at all times and certainly should not be allowed to finish out the day.
-For an organization this size (4000 servers) it makes sense to keep scripts like this in version control and periodically audit the production environment against what is checked in, so that an unreviewed change to a deployed script stands out.
-Any senior administrator worth their salt (which it appears they had) is going to check the logs and make sure this guy didn't do anything suspicious in those 97 minutes. Presumably he didn't spend a whole lot of time saying goodbye...
-Wouldn't have helped in this case, but people should only have the absolute minimum level of access they need to perform their jobs efficiently.
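A concrete form of the version-control audit suggested above, as an added example that is not from the original post: hash every script in a repository checkout, compare against the deployed copies, and report anything modified, missing or unexpected. The file names and contents are constructed for the demo and do not come from the Fannie Mae case.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large scripts do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path relative to root -> sha256 (the version-controlled baseline)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def audit(manifest, deployed_root):
    """Compare deployed scripts with the baseline; returns the drift in three sorted lists."""
    deployed = build_manifest(deployed_root)
    return {
        "modified": sorted(p for p in manifest if p in deployed and deployed[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in deployed),
        "unexpected": sorted(p for p in deployed if p not in manifest),
    }

def demo():
    """Constructed scenario: a repo checkout and a deployed copy in which one monitoring
    script gained lines after deployment and an extra script appeared outside version control."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, prod = os.path.join(tmp, "repo"), os.path.join(tmp, "prod")
        files = {"san_monitor.sh": "#!/bin/sh\ncheck_san_paths\n", "backup.sh": "#!/bin/sh\nrun_backup\n"}
        for root in (repo, prod):
            os.makedirs(root)
            for name, body in files.items():
                with open(os.path.join(root, name), "w") as f:
                    f.write(body)
        with open(os.path.join(prod, "san_monitor.sh"), "a") as f:   # drift only in prod
            f.write("# lines added after deployment, never reviewed\n")
        with open(os.path.join(prod, "helper.sh"), "w") as f:        # file not in the repo
            f.write("echo helper\n")
        return audit(build_manifest(repo), prod)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest would be generated from a tagged release in the repository and the audit run on a schedule from a host the script owners cannot write to.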