http://www.informationweek.com/security/showArticle.jhtml?articleID=188700855
By Sharon Gaudin, InformationWeek, Jun 1, 2006

A former systems administrator for financial giant UBS PaineWebber goes on trial Tuesday for allegedly sabotaging two-thirds of the company's computer network in what prosecutors say was a vengeful attempt to profit from a crashing stock price.

Roger Duronio, 63, of Bogota, N.J., is facing federal charges in U.S. District Court in Newark in connection with the creation and planting of malicious code on more than 1,000 computers in the company's central office, as well as in approximately 370 branch offices.

When the malicious code, or "logic bomb," was triggered on March 4, 2002, it began deleting files and data, taking down many PaineWebber computers across the United States and hindering trading for days in some branch offices and for several weeks in others, according to Assistant U.S. Attorney Mauro Wolfe, lead prosecutor on the case.

The attack, according to the indictment, cost UBS PaineWebber, which was renamed UBS Wealth Management USA in 2003, $3 million just to assess and repair the damage. The company didn't submit a list of losses to the government based on business downtime or lost trading opportunities.

Chris Adams, Duronio's defense attorney and a partner at Walder Hayden & Brogan in Roseland, N.J., says the government has the wrong man. Duronio has pleaded not guilty to all charges. He has been free on bail awaiting trial for the past four years. Adams says he's not working in an IT position at this time.

According to Wolfe, Duronio is facing four counts: one count of computer intrusion, one count of mail fraud, and two counts of securities fraud. The government contends that Duronio tried to profit from the attack on the network by using it to manipulate the stock price of the global investment banking and securities firm.

The government contends that in the months leading up to the planting of the logic bomb and the subsequent attack, Duronio, using the U.S. postal system, bought more than $21,000 worth of "put option" contracts for the stock of PaineWebber's parent company, UBS AG. A put option is a type of stock that actually increases in value when the stock price drops. According to Wolfe, Duronio was betting the attack would cripple the company's network, and its stock would fall in the aftermath, allowing him to cash in. Because of this part of his alleged plan, Duronio is being charged with mail and securities fraud.

"Computers across the country pretty much all went down at once," says Wolfe. "System administrators started to receive phone calls that morning that certain computers weren't working. Within minutes, it escalated from one phone call to 10, 60, 70... over 100 phone calls. At or about 10 o'clock they realized it wasn't an isolated issue but all the computers across the network. It was just too much of a coincidence for that to happen... This [network] was designed so everything would not crash at once. The same network designed to not suffer that problem was suffering that exact problem."

And Wolfe says the man who was responsible for keeping that exact system up and running for three years was the one who ultimately took it down.

"The defendant was motivated by the fact that he was a disgruntled employee who was not happy with his salary," says Wolfe. "He wanted an annual salary of $175,000 guaranteed. And I think for the year 2001 he was paid about $13,000 less than that."

Insider Attacks

Attacks by corporate insiders, even by IT professionals, are not an uncommon problem, according to last year's CSI/FBI Computer Crime Survey. With only slight variation from year to year, inside jobs occur as frequently as the highly publicized outside hacker attacks. Insider abuse, according to the survey, cost U.S. companies $6,856,450 last year.

"Insider attacks are definitely more dangerous," says Eric Maiwald, a senior analyst for Burton Group, a research and consulting firm based in Midvale, Utah.
"The average outside person generally doesn't have access to your systems. Their first job in attacking you is to get access, whereas the insider starts out with access. They're starting one step ahead of the game. You have some general expectation that they're not trying to cause you harm."

John O'Leary, director of education at the San Francisco-based Computer Security Institute, says companies have more to fear from insiders in general because they know where the weak points in the network are, and where the critical information is stored. But he adds that executives have far more to fear from IT workers, because they not only know how to get to the information but have the tools and the access rights to do it easily.

"It's easy [to do] because we give our techs a lot of trust, but it's difficult because we generally put compensating controls in place," says O'Leary. "Other [people] need to edit what these guys are doing. Someone needs to see what changes he made. If he could make changes without somebody noticing, then something is wrong."

Maiwald, though, says it's exceedingly difficult for companies to put in enough processes and controls to completely shut down someone with system administrator-level authority and access.

"It's only the trusted individuals who can betray you at that level," says Maiwald. "If someone is digging ditches for you, they don't have a lot of power. But your system administrator has a lot of power because it's part of the job. If you put too many controls on them, they can't do their jobs... There are controls that can be put in place to do such things but they require a company to be very watchful, along with additional staff, [and] specific procedures. And it's just not very easy to do that."

The Duronio Case

In this case, the government alleges that Duronio was a trusted employee, one with great access and authority, who used that against PaineWebber.
The charge of computer intrusion is based on the government's allegations that Duronio built the code for the logic bomb, installed it on Unix machines in PaineWebber's central office in Weehawken, N.J., and then pushed it out to about 1,000 computers across the company's national network. Wolfe says the malicious code was planted "from coast to coast."

The logic bomb, which was made up of only 50 to 70 lines of code, was built to delete every file on the system, according to the prosecution. Duronio, who quit his job at PaineWebber a few weeks before the bomb went off, also allegedly planted the code on the system's backup servers so that when IT workers tried to restore operations using backup tapes, those files were deleted as well. The bomb was designed to go off every Monday at 9:30 a.m., just as the stock market opened, in March, April and May of 2002.

Trading, the lifeblood of the company, was interrupted because of the crippled network. PaineWebber reported to the government that trading was hindered for a few days in larger locations, and for as long as a few weeks in some branch offices. According to the prosecution, 350 IBM support personnel were brought in to aid with the nationwide recovery effort.

"Could they trade? Yes. Could they trade the way they normally traded? No," says Wolfe. "Normally... the broker would sit at his desk and go online and trade for you... If the client didn't know what the balance of their account was, they couldn't trade for them."

The government also contends that Duronio planted the code piecemeal during the previous November and December from a remote location. Wolfe says records show that Duronio's password and user account information were used to gain remote access to the areas where the malicious code was built inside the PaineWebber network.

The U.S. Secret Service, which is frequently called in to conduct criminal investigations, and specifically cyber crime investigations, executed a warrant on March 21, 2002, and allegedly found a hard copy of the logic bomb's source code on the defendant's bedroom dresser. They also allegedly found the source code on two of his four home computers.

"The defendant used the information of the impending logic bomb attack," says Wolfe. "He purchased securities. He bet against the company that the company stock would drop... He engaged in an artifice or scheme to fraud investors."

Computer sabotage is a federal offense if it affects a computer used in interstate commerce and causes more than $5,000 worth of damage to the company over a 12-month span. Duronio faces a maximum sentence of 30 years, fines of up to $1 million and restitution for the $3.2 million PaineWebber spent on recovery.
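The compensating control O'Leary describes, a second person seeing what changes a privileged administrator made, can be partly automated for one of the places a timed job like the one described above has to live: the host's scheduled-job configuration. The Python script below is an added example written for this page; it is not code from the article, from UBS or from the prosecution. It diffs a reviewed baseline of crontab-style entries against the current state, reports additions and removals, flags added jobs a reviewer would want to look at (jobs running as root, commands living in temporary directories, commands that delete data), and separately calls out removed backup jobs, since the article notes the backup servers were hit as well. The crontab entries, paths and heuristics are constructed for illustration and are assumptions, not anything taken from the case.

```python
import re
from dataclasses import dataclass

# Constructed sample: the reviewed baseline of a host's system crontab,
# in /etc/crontab format (five schedule fields, user, command).
BASELINE = """\
# approved jobs, signed off by a second administrator (constructed)
0 2 * * *   root   /usr/sbin/logrotate /etc/logrotate.conf
0 1 * * *   backup /usr/local/bin/nightly-backup.sh --target /var/backups
"""

# Constructed sample: the same file as found on the host today.
CURRENT = """\
0 2 * * *   root   /usr/sbin/logrotate /etc/logrotate.conf
30 9 * * 1  root   /tmp/.cache/run.sh
15 3 * * *  ops    /usr/local/bin/rotate-reports.sh
"""


@dataclass(frozen=True, order=True)
class Job:
    schedule: str  # the five cron fields joined by single spaces
    user: str
    command: str


def parse_crontab(text):
    """Parse /etc/crontab-style lines into a set of Job records."""
    jobs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # environment lines such as PATH=... or malformed input
        jobs.add(Job(" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


# Review heuristics (constructed): data-destroying commands and
# directories any local user can write to.
DESTRUCTIVE = re.compile(r"\b(rm\s+-\w*r|mkfs|shred|find\b.*-delete)", re.I)
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def risk_flags(job):
    """Return the reasons a reviewer should look at a newly added job."""
    flags = []
    if job.user == "root":
        flags.append("runs-as-root")
    if job.command.startswith(TEMP_DIRS):
        flags.append("command-in-temp-dir")
    if DESTRUCTIVE.search(job.command):
        flags.append("destructive-command")
    return flags


def audit(baseline_text, current_text):
    """Diff the current scheduled jobs against the reviewed baseline."""
    base = parse_crontab(baseline_text)
    cur = parse_crontab(current_text)
    added = sorted(cur - base)
    removed = sorted(base - cur)
    flagged = [(job, risk_flags(job)) for job in added if risk_flags(job)]
    # A vanished backup job deserves its own line in the report: losing
    # backups silently is what turns an outage into a disaster.
    lost_backups = [job for job in removed if "backup" in job.command.lower()]
    return {"added": added, "removed": removed,
            "flagged": flagged, "lost_backups": lost_backups}


if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    for job in report["added"]:
        print("ADDED   ", job.schedule, job.user, job.command)
    for job in report["removed"]:
        print("REMOVED ", job.schedule, job.user, job.command)
    for job, flags in report["flagged"]:
        print("REVIEW  ", job.command, "->", ", ".join(flags))
    for job in report["lost_backups"]:
        print("BACKUP JOB MISSING:", job.command)
```

In practice the baseline would be the copy a second administrator signed off on, stored where the administrators being audited cannot edit it, and the script would run from a separate monitoring host; the point of the exercise is that a change made with legitimate credentials still leaves a difference that someone other than the person who made it gets to see.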