[ISN] Closing Arguments To Begin In Trial Of Former UBS Sys Admin

From: InfoSec News (alerts@private)
Date: Sun Jul 09 2006 - 23:03:32 PDT


By Sharon Gaudin
Jul 7, 2006

Newark, N.J. - The defense rested its case this week in the trial of a 
former systems administrator charged with four federal criminal offenses 
in association with a March 2002 attack on UBS PaineWebber's network.

Closing arguments are set to begin Monday morning.

Roger Duronio, 63, is charged with launching a logic bomb that took down 
nearly 2,000 of the company's servers, along with its ability to do 
business for up to three weeks in some branch offices.

In court on Thursday, the defense continued its argument that there simply 
wasn't enough evidence in hand to say who caused the incident. And the 
defense's forensics expert testified that he couldn't even say for sure 
that it was a logic bomb that caused the wreckage.

This was Duronio's fifth week on trial in U.S. District Court here. He 
faces four counts, including computer sabotage and securities fraud, in 
connection with a logic bomb that was detonated at UBS. Duronio worked at 
the financial company for three years, but quit his job a few weeks before 
the attack because he was angry that his annual bonus came up short.

The defense and the prosecution sparred for most of the day, with both 
firing questions at the second forensics expert to take the stand.

Kevin Faulkner, a senior consultant with Protiviti, a risk management 
consulting company, was the first defense witness to testify. He took the 
stand Wednesday and wrapped up his approximately six hours on direct and 
cross-examination Thursday. Faulkner told the jury there wasn't enough 
evidence--between log histories, incomplete backup tapes, and few 
forensics images--to say who was responsible for the UBS incident. He said 
he could only say that a root user was responsible for the malicious code, 
and then he said he couldn't verify the prosecutors' claims that the logic 
bomb they found on the servers was the cause of the network crash. "When 
dealing with evidence that is incomplete or you don't know who's touched 
it and when, then how can you know for certain what happened?" asked 
Faulkner. "There are always multiple explanations in every case."

A root user on a Unix system is a superuser with all-encompassing 
privileges. Whoever ran the code on the UBS system would need root user 
rights, according to Keith Jones, the government's forensics expert, who 
testified for five days. Jones is director of computer forensics and 
incident response at Mandiant, a computer security consulting company.

When the government's expert testified, he said there was a clear digital 
trail leading, in every case but one, directly from Duronio's home 
computer into the UBS network and onto the servers where the code was 
planted, exactly on the date and times when the code was planted. In the 
one exception, Duronio logged in to work on the malicious code from his 
workstation within the UBS facility, Jones said.

Faulkner disagreed with Jones' assessment, noting that Jones' analysis 
used VPN logs, as well as logs from WTMP files, which note the time of 
logins and logouts, and switch user logs, which record when users switch 
over to become a root user. Faulkner called that information unreliable 
because it can be edited by root, and it was designed for accounting 
purposes and not for forensics examinations.

Faulkner said he couldn't say who was responsible for the logic bomb 
because he didn't have a complete set of backup tapes to review for the 
damaged servers. While about 2,000 servers were damaged, the forensics 
experts were given the backup tapes from a smaller sampling of servers, 
representative of various time zones where the damage was done. Faulkner 
said he would want to see the complete set.

Faulkner also said the backup tapes he received didn't cover all the 
information that could have been stored on the damaged servers. It wasn't 
clear how much data was on each server immediately before the network was 
attacked, but the backup tapes didn't cover it all.

In contrast, Jones testified that he had been able to recover most of the 
data off the backup tapes and that it gave him a clear picture of what 
happened during the March 4, 2002, incident. He said the data he had to 
examine gave him a clear picture of who built and distributed the code. 
Jones said the attacker clearly was the person with the "rduronio" 
username, and it was clearly done from inside Duronio's home. More 
information would not detract from the evidence that he had already 
collected, Jones said.

According to various pieces of testimony, investigators were using backup 
tapes because most of the information, including all the files, had been 
destroyed on the damaged servers. There wouldn't have been much 
information to be gleaned off a bit-by-bit copy of a wiped-out server. 
Another reason backup tapes were used was that IT workers at UBS had 
spent the first hours and/or days of the incident trying to get the 
servers, and the business, back on-line. Those remediation efforts would 
have written over data left on the servers.

But with just backup tapes to work with, Faulkner said he could only nail 
the attacker's identity down to a root user.

On redirect, Chris Adams, an attorney with Walder, Hayden & Brogan and 
Duronio's defense attorney, asked Faulkner, "Do you have a bottom line as 
to which username is responsible for the logic bomb?"

"Root," Faulkner replied.

"Is there evidence which username, acting as root, was responsible?" Adams 

"No," said Faulkner. "There are holes. There are places where logs have 
been modified, or where people could log in and we wouldn't even know 
about them."

But when Assistant U.S. Attorney Mauro Wolfe stood up and posed one 
question on re-cross-examination, he asked Faulkner, "Bottom line...Root 
did it. Roger Duronio could have acted as root?"

"Yes," said Faulkner.

One Defense Theory

While the defense has thrown out a kitchen-sink list of theories (hackers, 
sniffers, forensics mishandling, investigative missteps) throughout the 
trial, one that came up repeatedly on Thursday was the suggestion that 
another UBS systems administrator, Charles Richards, was responsible for 
the attack.

In earlier testimony, it has been laid out that Richards worked with and 
was friends with Duronio. After the March 4 attack, investigators from 
@Stake, the first forensics company called in to work on the case, 
analyzed Richards' UBS workstation. While reporting that they found no 
criminal evidence on it, investigators did say they found a few small 
strings of code related to the logic bomb in the swap space of his 
computer. Swap space is where data is stored for programs running in 

Faulkner testified to several documents he put together in the last few 
weeks that showed what users were on the UBS system at various times when 
Jones' records show that Duronio had remotely logged in to work on the 
code. Richards' username, along with the usernames of many other UBS 
employees, was logged in on several occasions. Once any one of them became 
root, Faulkner said, it was impossible to tell which root user had built 
or modified the code.

Faulkner also told the jury there was one incident where a user who had 
logged in as "crichard" changed his username to "rduronio." Faulkner 
didn't say when that happened--if it was before, during, or after the code 
was written. But Adams pointed out that if Richards had been able to 
switch usernames once, he could have done it again and masqueraded as 

On cross-examination, Wolfe asked Faulkner, "In 2001, 'crichard' switched 
to the user 'rduronio.' You have no idea if the person behind 'crichard' 
was actually Roger Duronio, do you?"

"I don't know," Faulkner replied.

Wolfe's cross-examination focused greatly on Faulkner's background. 
Faulkner has only two and a half years of forensics experience overall and 
only eight or nine months of experience before starting his work on this 
case. Wolfe also zeroed in on the fact that Faulkner came to no 
conclusions about the attack in the analysis report that he submitted to 
the defense and to the government.
