[ISN] PaineWebber Systems Admin Faces Trial For Computer Sabotage

From: InfoSec News (isn@private)
Date: Mon Jun 05 2006 - 01:26:21 PDT


http://www.informationweek.com/security/showArticle.jhtml?articleID=188700855

By Sharon Gaudin 
InformationWeek 
Jun 1, 2006 

A former systems administrator for financial giant UBS PaineWebber
goes on trial Tuesday for allegedly sabotaging two-thirds of the
company's computer network in what prosecutors say was a vengeful
attempt to profit from a crashing stock price.

Roger Duronio, 63, of Bogota, N.J., is facing federal charges in front
of a U.S. District Court in Newark, in connection to the creation and
planting of malicious code on more than 1,000 computers in the
company's central office, as well as in approximately 370 branch
offices. When the malicious code, or "logic bomb," was triggered on
March 4, 2002, it began deleting files and data, taking down many
PaineWebber computers across the United States and hindering trading
for days in some branch offices and for several weeks in others,
according to Assistant U.S. Attorney Mauro Wolfe, lead prosecutor on
the case.

The attack, according to the indictment, cost UBS PaineWebber, which
was renamed UBS Wealth Management USA in 2003, $3 million just to
assess and repair the damage. The company didn't submit a list of
losses to the government based on business downtime or lost trading
opportunities.

Chris Adams, Duronio's defense attorney and a partner at Walder Hayden
& Brogan in Roseland, N.J., says the government has the wrong man.  
Duronio has pleaded not guilty to all charges. He has been free on
bail awaiting trial for the past four years. Adams says he's not
working in an IT position at this time.

According to Wolfe, Duronio is facing four counts--one count of
computer intrusion, one count of mail fraud, and two counts of
securities fraud. The government contends that Duronio tried to profit
from the attack by manipulating the stock price of the global
investment banking and securities firm with the attack on its network.

The government contends that in the months leading up to the planting
of the logic bomb and the subsequent attack, Duronio, using the U.S.  
postal system, bought more than $21,000 worth of 'put option'
contracts for PaineWebber's parent company, UBS, A.G.'s stock. A put
option is a type of stock that actually increases in value when the
stock price drops. According to Wolfe, Duronio was betting the attack
would cripple the company's network, and its stock would fall in the
aftermath, allowing him to cash in.

Because of this part of his alleged plan, Duronio is being charged
with mail and securities fraud.

''Computers across the country pretty much all went down at once,''
says Wolfe. ''System administrators started to receive phone calls
that morning that certain computers weren't working. Within minutes,
it escalated from one phone call to 10, 60, 70... over 100 phone
calls.  At or about 10 o'clock they realized it wasn't an isolated
issue but all the computers across the network. It was just too much
of a coincidence for that to happen... This [network] was designed so
everything would not crash at once. The same network designed to not
suffer that problem was suffering that exact problem.''

And Wolfe says the man who was responsible for keeping that exact
system up and running for three years was the one who ultimately took
it down.

''The defendant was motivated by the fact that he was a disgruntled
employee who was not happy with his salary,'' says Wolfe. ''He wanted
an annual salary of $175,000 guaranteed. And I think for the year 2001
he was paid about $13,000 less than that.''


Insider Attacks

Attacks by corporate insiders, even by IT professionals, is not an
uncommon problem, according to last year's CSI/FBI Computer Crime
Survey. With only slight variation from year to year, inside jobs
occur as frequently as the highly publicized outside hacker attacks.  
Insider abuse, according to the survey, cost U.S. companies $6,856,450
last year.

''Insider attacks are definitely more dangerous,'' says Eric Maiwald,
a senior analyst for Burton Group, a research and consulting firm
based in Midvale, Utah. ''The average outside person generally doesn't
have access to your systems. Their first job in attacking you is to
get access, whereas the insider starts out with access. They're
starting one step ahead of the game. You have some general expectation
that they're not trying to cause you harm.''

John O'Leary, director of education at the San Francisco-based
Computer Security Institute, says companies have more to fear from
insiders in general because they know where the weak points in the
network are, and where the critical information is stored. But he adds
that executives have far more to fear from IT workers, because they
not only know how to get to the information but have the tools and the
access rights to do it easily.

''It's easy [to do] because we give our techs a lot of trust, but it's
difficult because we generally put compensating controls in place,''
says O'Leary. ''Other [people] need to edit what these guys are doing.  
Someone needs to see what changes he made. If he could make changes
without somebody noticing, then something is wrong.''

Maiwald, though, says it's exceedingly difficult for companies to put
in enough processes and controls to completely shut down someone with
system administrator-level authority and access.

''It's only the trusted individuals who can betray you at that level,"  
says Maiwald. ''If someone is digging ditches for you, they don't have
a lot of power. But your system administrator has a lot of power
because it's part of the job. If you put too many controls on them,
they can't do their jobs... There are controls that can be put in
place to do such things but they require a company to be very
watchful, along with additional staff, [and] specific procedures. And
it's just not very easy to do that.''


The Duronio Case

In this case, the government alleges that Duronio was a trusted
employee - one with great access and authority -- who used that
against PaineWebber. The charge of computer intrusion is based on the
government's allegations that Duronio built the code for the logic
bomb, installed it on Unix machines in PaineWebber's central office in
Weehawkin, N.J., and then pushed it out to about 1,000 computers
across the company's national network. Wolfe says the malicious code
was planted ''from coast to coast."

The logic bomb, which was made up of only 50 to 70 lines of code, was
built to delete every file on the system, according to the
prosecution. Duronio, who quit his job at PaineWebber a few weeks
before the bomb went off, also allegedly planted the code on the
system's backup servers so that when IT workers tried to restore
operations using backup tapes, those files were deleted as well. The
bomb was designed to go off every Monday at 9:30 a.m. - just as the
stock market opened - in March, April and May of 2002.

Trading, the lifeblood of the company, was interrupted because of the
crippled network. PaineWebber reported to the government that trading
was hindered for a few days in larger locations, and for as long as a
few weeks in some branch offices. According to the prosecution, 350
IBM support personnel were brought in to aid with the nationwide
recovery effort.

''Could they trade? Yes. Could they trade the way they normally
traded? No,'' says Wolfe. ''Normally... the broker would sit at his
desk and go online and trade for you... If the client didn't know what
the balance of their account was, they couldn't trade for them.''

The government also contends that Duronio planted the code piecemeal
during the previous November and December from a remote location.  
Wolfe says records show that Duronio's password and user account
information were used to gain remote access to the areas where the
malicious code was built inside the PaineWebber network. The U.S.  
Secret Service, which is frequently called in to conduct criminal
investigations and specifically cyber crime, executed a warrant on
March 21, 2002, and allegedly found hard copy of the logic bomb's
source code on the defendant's bedroom dresser. They also allegedly
found the source code on two of his four home computers.

''The defendant used the information of the impending logic bomb
attack,'' says Wolfe. ''He purchased securities. He bet against the
company that the company stock would drop... He engaged in an artifice
or scheme to fraud investors.''

Computer sabotage is a federal offense if it affects a computer used
in interstate commerce and causes more than $5,000 worth of damage to
the company over a 12-month span. Duronio faces a maximim sentence of
30 years, fines of up to $1 million and restitution for the $3.2
million PaineWebber spent on recovery.



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon Jun 05 2006 - 01:30:53 PDT