[ISN] UBS Trial: Defense Attacks 'Sloppy' Investigation

From: InfoSec News (isn@private)
Date: Thu Jun 22 2006 - 00:30:48 PDT


http://www.informationweek.com/management/showArticle.jhtml?articleID=189600069

By Sharon Gaudin
InformationWeek
Jun 21, 2006

Newark, N.J. -- After taking it on the chin last Friday, the defense
in a computer sabotage trial here pounded away at the Secret Service
agent on the stand, riding him on missteps in the investigation, and
once again attacking the fact that hackers worked at one of the
computer forensics companies involved in the case.

Special Agent Gregory O'Neil of the U.S. Secret Service was repeated
questioned by defense attorney Chris Adams about an initial forensic
report with a missing page, an unidentified latent fingerprint on a
key piece of evidence, and some incorrect dates on a Secret Service
report.

O'Neil, who was a lead investigator in the matter, took the stand as a
witness for the prosecution in the federal computer sabotage case.

Adams, a partner at Walder Hayden & Brogan in Roseland, N.J., is the
lead defense lawyer for Roger Duronio, the 63-year-old former systems
administrator accused of planting a logic bomb that crippled the
network at UBS PaineWebber four years ago.

Duronio is facing four charges in connection with allegedly writing
and planting malicious code on the Unix-based network at UBS
PaineWebber, where he had been working for three years. The attack
effectively took down about 2,000 of the company's servers, some of
which were brought back up in a day, but others remained down for two
to three weeks.

In his cross examination of O'Neil, Adams also focused his sights on
one specific forensic investigator who had been a hacker before
working at @Stake, Inc., the security company that UBS first called in
to check out the March 4, 2002 incident.

Karl Kasper, known in the industry as John Tan, identified himself to
the federal agent as John Tan, and signed documents with that name.  
The defense asked O'Neal why he would trust the word, or the work, of
someone who gave a false name to the Secret Service. O'Neal replied
that he didn't regard it as a false name, simply a name Kasper uses in
the trade.

And last Friday, O'Neil said that all roads in the investigation led
back to Duronio. First off, he had pointed out that a digital trail
led from Duronio's home IP address through the corporate VPN and into
the company's servers, on exactly the same dates and times that the
malicious code was planted or modified.

O'Neil also told the jury that during the execution of a search
warrant on the Duronio home, Secret Service agents found parts of the
malicious code on two of his home computers, as well as printed out in
a hardcopy that was found on his bedroom dresser.


Following the Money

When the trial resumed Tuesday morning, Agent O'Neil took the stand
for the second day, and laid out a summary of Duronio's trading
activity that he had put together based on the defendant's banking,
trading and mortgage information. He testified that Duronio bought a
total of 330 put options in the month before the security attack at
UBS. He had bought stocks before, but never puts, which basically are
a way to place bets that the company's stock will go down. The
investor only gets a payoff if the company stock drops.

Duronio, according to Agent O'Neil, spent $23,025,12 on puts between
Feb. 5, 2002 and March 1, 2002. While he bought a handful of puts on
other companies, like Merrill Lynch and Citigroup, 96% of them were
against UBS.

The agent also pointed out to the jury that Duronio, who allegedly
became disgruntled with the company when his annual bonus came in
$15,000 under expectations, had recently made two payments of
approximately $18,000 each to New York University for his oldest son's
tuition.


Hackers and Pseudonyms

During the cross, Adams lost no time in taking another swing at
@Stake, the first company on scene to do a forensics investigation.  
Last week, Adams repeatedly asked witnesses from UBS' IT department if
they trusted hackers or would hire a security company that employs
hackers.

The research labs in @Stake, which was bought by Symantec, Corp. in
2004, were headed up by Peiter C. Zatko (also known in the industry as
Mudge), the former CEO and chief scientist of the L0pht, a
high-profile hacker think tank. Zatko, however, worked his way into
the legitimate business world, testifying before a Senate Committee on
Government Affairs, and counseling President Clinton in the White
House on security issues.

Mendez testified that other Wall Street firms had recommended several
forensic companies, including @Stake, to UBS after their servers were
taken down.

In Tuesday's testimony, Agent O'Neil said he had received 10 items of
evidence from Kasper (John Tan), who worked at @Stake and was involved
in the UBS investigation. Adams projected a Documentation of Evidence
sheet onto a screen in front of the jurors that showed that Kasper had
signed his name as 'John Tan' on the official list that was handed
over to the government. He also had signed another Certified Inventory
of Evidence document with that name.

O'Neil said he had not been aware until late in 2004 or early in 2005
that John Tan actually is the screen name for Karl Kasper.

''He lied to you about the most basic information,'' Adams said. But
during repeated questioning about it, O'Neil replied, ''He used John
Tan to identify himself in his work at @Stake A fictitious name
doesn't affect what's in the evidence itself.'' But in a separate
interview, Johannes Ullrich, chief research officer at the SANS
Institute, said he was surprised that Kasper would use a nickname or
pseudonym when working with federal agents.

''I've never heard of that before,'' said Ullrich. ''A lot of people
go by hack names but to use it during an investigation, I wouldn't do
it. If you talk to the Secret Service, or to any client, it's not
professional.''

However, Alan Paller, director of research at the SANS Institute, was
much less surprised by it. In an interview, he said it's very common
for people to use their 'handles' whenever they're in a work-related
situation. ''It's like a woman using her maiden name even after she's
married, because everyone in the office knows her as Brenda Jones,''
said Paller. ''It's the mindset of the black hat community. It was
common to have a second life. You build up your reputation as a
security expert with that second name. It's quite natural that he used
his second name because that's the name with the security credibility
associated with it.''

Kasper, going by the name John Tan, has spoken at SANS and Black Hat
conferences. In 2005, he took a job with JP Morgan Chase doing
application security assessment/penetration testing.


On the Attack

The defense attorney didn't narrow his field of attack to Kasper.

Adams pointed out that the initial report that @Stake produced was
missing Page 17, but it was included in a later release of the report.  
Both O'Neil and the prosecutors took exception to Adams characterizing
the page as having been 'withheld.'

O'Neil said the information on that page was ''forward looking'' and
not pertinent to the criminal investigation.

Page 17, in part, refers to two other UBS employees who had been
investigated. O'Neil said he and other agents interviewed both men for
one to two hours each but there was no evidence of criminal activity.  
Then Adams asked if O'Neil knew that both men had been put on
administrative leave after their interviews with law enforcement and
then were let go from the company. O'Neil said he had not been aware
of that till much later.

Adams also asked him if he knew of any severance agreement that
precluded the two men from speaking about the investigation with
anyone outside of UBS or the government. O'Neil replied that he did
not know of any such agreement.

Duronio's defense attorney used the agent's time on the stand, as a
chance to point out that the government does not have reports from
Verizon, which was Duronio's ISP at the time of the attack, for
several dates when forensics showed that the malicious code was being
planted or modified on the company network. Under subpoena, Verizon
had produced records about the dates and times of some connections,
along with the IP addresses where the connections originated.

And Adams pounced on the fact that a latent fingerprint was found on
the hardcopy printout of the malicious code that was found on
Duronio's dresser. The print, O'Neil testified, did not belong to the
defendant or to two agents who handled the paper. He said he doesn't
know whose fingerprint it is.

Copyright © 2005 CMP Media LLC



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Thu Jun 22 2006 - 01:00:27 PDT