Note to Fannie Mae: Dealing with Logic Bombs
Today it was revealed that a departing contractor left Fannie Mae with a parting gift: a Logic Bomb designed to take down 4000 of the financial giant's servers and their data. Since this news broke, a number of concerned CIOs have asked my team for guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks.
A Logic Bomb is a malicious piece of code inserted into a software system that executes when certain conditions are met, most commonly the arrival of a set date. A Logic Bomb that goes off on a particular date is called a Time Bomb.
In this case the attack was possible because the contractor's authorization to access systems was not revoked after he was let go. In identity management systems such as ILM, revoking that access is known as deprovisioning.
Logic Bombs are usually indistinguishable from normal code and are inserted into the system by a programmer who has legitimate access to it. They belong to an insidious class of attacks called insider attacks, which are the most difficult class of attacks to detect and mitigate. The CSI/FBI 2005 Computer Crime and Security Survey indicated that 56% of organizations reported some level of security breach from within their own organization. So a note to all you CIOs/CSOs: if you think that only your internet-facing assets face a high risk of attack, think again.
What can you do to avoid a fate like Fannie Mae's? Sadly, your options are limited and depend on strict adherence to process. This is what you can do (in order from immediate to long term):
- Deprovision user accounts for individuals who have been let go while they are on premises or even before you inform them
- For programmers, create a copy of their files and code before they leave. These can be compared with copies of files and code after a few days to look for changes.
- After a person with access to critical digital assets including systems and code leaves the org, invest in having a peer double check for logic bombs that may have been left behind
- Change access credentials to critical systems periodically and consider two factor authentication.
- Use an identity management system to manage provisioning & deprovisioning user accounts
- Invest in a multi-tiered logging and auditing system with separation of duties between the monitored and monitoring parties. This ensures a trail of evidence for prosecution in the event that you are indicted.
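The baseline-and-compare step above, as an added example that is not part of the original post: it hashes every file under a code tree before the person leaves, hashes it again a few days later, and reports what was added, removed or modified so a peer knows exactly which files to review. The directory layout and file contents below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(before, after):
    """Diff two manifests; each result list is sorted so reports are stable."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate changes made
    after the baseline was taken and report them."""
    with tempfile.TemporaryDirectory() as tree:
        root = Path(tree)
        (root / "lib").mkdir()
        (root / "lib" / "util.py").write_text("def f():\n    return 1\n")
        (root / "deploy.sh").write_text("#!/bin/sh\necho deploy\n")
        before = snapshot(root)  # taken while the person is still on premises

        # Simulated later state: one script gains a date-conditioned branch
        # (benign echo here) and a new unreviewed file appears; util.py is untouched.
        (root / "deploy.sh").write_text(
            "#!/bin/sh\n"
            'if [ "$(date +%F)" = "2009-01-31" ]; then echo trigger; fi\n'
            "echo deploy\n"
        )
        (root / "cron_cleanup").write_text("0 3 * * * /opt/app/cleanup.sh\n")
        after = snapshot(root)  # taken a few days after departure
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

Files listed under "modified" and "added" are the ones the reviewing peer should read line by line; unchanged files need no attention.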
Plan ahead to deny the disgruntled the ability to plant logic bombs; failing that, defuse the logic bombs; failing that, hit the deck and hope that the script has a bug.
- Akshay
January 31, 2009 at 10:31 am
Nice writing. You are on my RSS reader now so I can read more from you down the road.
Allen Taylor
February 3, 2009 at 12:44 pm
Change access credentials to critical systems if they had access to them. If you disable their account but they happen to have the local admin password on the servers, they can still do a lot of damage.
I would even go as far as to say that if you are a system administrator and leave for whatever reason, you should make your employer change the passwords on all systems you know. That removes a lot of liability off of your shoulders if they get hacked later.
February 3, 2009 at 10:00 pm
Good point Kevin. I agree that changing admin passwords is the right way to go.
On another note, I have recently come across an instance where the employee did not destroy data but rather started leaking data via a logic bomb.
February 26, 2009 at 10:57 pm
infosec…
Maybe, but I'm not sure it's for everyone...