http://www.informationweek.com/news/showArticle.jhtml;?articleID=190301186
By Sharon Gaudin
InformationWeek
Jul 7, 2006

Newark, N.J. - The defense rested its case this week in the trial of a former systems administrator charged with four federal criminal offenses in connection with a March 2002 attack on UBS PaineWebber's network. Closing arguments are set to begin Monday morning.

Roger Duronio, 63, is charged with launching a logic bomb that took down nearly 2,000 of the company's servers, along with its ability to do business for up to three weeks in some branch offices.

In court on Thursday, the defense continued its argument that there simply wasn't enough evidence in hand to say who caused the incident. The defense's forensics expert testified that he couldn't even say for sure that it was a logic bomb that caused the wreckage.

This was Duronio's fifth week on trial in U.S. District Court here. He faces four counts, including computer sabotage and securities fraud, in connection with a logic bomb that was detonated at UBS. Duronio worked at the financial company for three years but quit his job a few weeks before the attack because he was angry that his annual bonus came up short.

The defense and the prosecution sparred for most of the day, both firing questions at the second forensics expert to take the stand. Kevin Faulkner, a senior consultant with Protiviti, a risk management consulting company, was the first defense witness to testify. He took the stand Wednesday and wrapped up his approximately six hours of direct and cross-examination on Thursday.

Faulkner told the jury there wasn't enough evidence--between log histories, incomplete backup tapes, and few forensics images--to say who was responsible for the UBS incident. He said he could only say that a root user was responsible for the malicious code, and that he couldn't verify the prosecutors' claim that the logic bomb they found on the servers was the cause of the network crash.
"When dealing with evidence that is incomplete or you don't know who's touched it and when, then how can you know for certain what happened?" asked Faulkner. "There are always multiple explanations in every case."

A root user on a Unix system is a superuser with all-encompassing privileges. Whoever ran the code on the UBS system would have needed root rights, according to Keith Jones, the government's forensics expert, who testified for five days. Jones is director of computer forensics and incident response at Mandiant, a computer security consulting company.

When the government's expert testified, he said there was a clear digital trail leading, in every case but one, directly from Duronio's home computer into the UBS network and onto the servers where the code was planted, on exactly the dates and times when the code was planted. In the one exception, Duronio logged in to work on the malicious code from his workstation inside the UBS facility, Jones said.

Faulkner disagreed with Jones' assessment, noting that Jones' analysis relied on VPN logs, on WTMP files, which record the times of logins and logouts, and on switch user logs, which record when a user switches over to become root. Faulkner called that information unreliable because it can be edited by root, and because it was designed for accounting purposes rather than for forensic examination.

Faulkner said he couldn't say who was responsible for the logic bomb because he didn't have a complete set of backup tapes to review for the damaged servers. While about 2,000 servers were damaged, the forensics experts were given backup tapes from a smaller sample of servers, chosen to represent the various time zones where the damage occurred. Faulkner said he would want to see the complete set. He also said the backup tapes he received didn't cover all the information that could have been stored on the damaged servers.
It wasn't clear how much data was on each server immediately before the network was attacked, but the backup tapes didn't cover it all.

In contrast, Jones testified that he had been able to recover most of the data from the backup tapes and that it gave him a clear picture of what happened during the March 4, 2002, incident. He said the data he examined showed him clearly who built and distributed the code. Jones said the attacker was clearly the person using the "rduronio" username, and that the work was clearly done from inside Duronio's home. More information would not detract from the evidence he had already collected, Jones said.

According to various pieces of testimony, investigators were using backup tapes because most of the information, including all the files, had been destroyed on the damaged servers; there wouldn't have been much to glean from a bit-by-bit copy of a wiped server. Another reason backup tapes were used was that IT workers at UBS had spent the first hours and days of the incident trying to get the servers, and the business, back online. Those remediation efforts would have overwritten data left on the servers.

But with only backup tapes to work with, Faulkner said he could narrow the attacker's identity down only to a root user.

On redirect, Chris Adams, an attorney with Walder, Hayden & Brogan and Duronio's defense attorney, asked Faulkner, "Do you have a bottom line as to which username is responsible for the logic bomb?"

"Root," Faulkner replied.

"Is there evidence which username, acting as root, was responsible?" Adams asked.

"No," said Faulkner. "There are holes. There are places where logs have been modified, or where people could log in and we wouldn't even know about them."

But when Assistant U.S. Attorney Mauro Wolfe stood up and posed one question on re-cross-examination, he asked Faulkner, "Bottom line...Root did it. Roger Duronio could have acted as root?"

"Yes," said Faulkner.
One Defense Theory

While the defense has thrown out a kitchen-sink list of theories (hackers, sniffers, forensics mishandling, investigative missteps) throughout the trial, one that came up repeatedly on Thursday was the suggestion that another UBS systems administrator, Charles Richards, was responsible for the attack. Earlier testimony established that Richards worked with and was friends with Duronio.

After the March 4 attack, investigators from @Stake, the first forensics company called in on the case, analyzed Richards' UBS workstation. While reporting that they found no criminal evidence on it, the investigators did say they found a few small strings of code related to the logic bomb in the swap space of his computer. Swap space is where the system stores data for programs running in memory.

Faulkner testified about several documents he had put together in the last few weeks showing which users were logged in to the UBS system at the various times when Jones' records show that Duronio had remotely logged in to work on the code. Richards' username, along with the usernames of many other UBS employees, was logged in on several of those occasions. Once any one of them became root, Faulkner said, it was impossible to tell which root user had built or modified the code.

Faulkner also told the jury there was one incident in which a user who had logged in as "crichard" changed his username to "rduronio." Faulkner didn't say when that happened--whether it was before, during, or after the code was written. But Adams pointed out that if Richards had been able to switch usernames once, he could have done it again and masqueraded as Duronio.

On cross-examination, Wolfe asked Faulkner, "In 2001, 'crichard' switched to the user 'rduronio.' You have no idea if the person behind 'crichard' was actually Roger Duronio, do you?"

"I don't know," Faulkner replied.

Wolfe's cross-examination focused largely on Faulkner's background.
Faulkner has only two and a half years of forensics experience overall, and had only eight or nine months of it before starting work on this case. Wolfe also zeroed in on the fact that Faulkner came to no conclusions about the attack in the analysis report he submitted to the defense and to the government.
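As an added example that is not part of the article and not code from any party to the case, the following Python script shows what the log types Faulkner discussed actually record and why attribution from them stops at "root": it parses wtmp-style login/logout entries, pairs them with switch-user events, and reports every username that held a root session at a given moment; when that set contains more than one name, the logs alone cannot say which root acted. It also shows the mitigation the testimony implies: a hash chain over the entries, with the digests kept off the host, makes a later in-place edit by root detectable. Assumptions: the glibc x86-64 struct utmp layout (the article does not say which Unix UBS ran), a tuple form for switch-user events that is this example's own rather than any system's sulog format, and constructed sample entries whose hosts and timestamps are illustrative, not case evidence.

```python
import hashlib
import struct

# Record layout of glibc's struct utmp on x86-64 Linux (384 bytes per entry).
# Assumption for this example: the article never says which Unix UBS ran,
# and other systems use different wtmp layouts.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values for login / logout


def _cstr(raw):
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp entry (used only to construct sample data here)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Parse a wtmp byte string into a list of dicts, one per entry."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp size is not a multiple of %d: truncated or corrupt" % UTMP_SIZE)
    entries = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        entries.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return entries


def sessions(entries):
    """Pair each login (USER_PROCESS) with the logout (DEAD_PROCESS) on the same tty.
    Returns (user, host, line, start, end); end is None when no logout was recorded,
    which is itself a gap worth flagging in a timeline."""
    open_by_line, done = {}, []
    for e in entries:
        if e["type"] == USER_PROCESS:
            open_by_line[e["line"]] = e
        elif e["type"] == DEAD_PROCESS and e["line"] in open_by_line:
            s = open_by_line.pop(e["line"])
            done.append((s["user"], s["host"], s["line"], s["time"], e["time"]))
    done.extend((s["user"], s["host"], s["line"], s["time"], None)
                for s in open_by_line.values())
    return done


def root_candidates(sess, su_events, at):
    """Usernames that had switched to root and still had that session open at time `at`.
    su_events is a list of (time, user, line) tuples; this tuple form is the example's
    own, not a real sulog format. More than one name back means the logs alone
    cannot attribute a root action to a person."""
    names = set()
    for user, host, line, start, end in sess:
        for t_su, su_user, su_line in su_events:
            if (su_user, su_line) == (user, line) and start <= t_su <= at \
                    and (end is None or at <= end):
                names.add(user)
    return names


def chain_digests(data):
    """SHA-256 hash chain over the entries. A copy of these digests kept off the host
    (out of reach of root on that host) lets a later in-place edit be detected."""
    prev, out = b"\0" * 32, []
    for off in range(0, len(data), UTMP_SIZE):
        prev = hashlib.sha256(prev + data[off:off + UTMP_SIZE]).digest()
        out.append(prev)
    return out


def first_tampered_entry(data, trusted_digests):
    """Index of the first entry whose chained digest no longer matches, or None."""
    for i, (now, then) in enumerate(zip(chain_digests(data), trusted_digests)):
        if now != then:
            return i
    return None


# Constructed sample data: two logins, two su-to-root events, two logouts.
T0 = 1_015_200_000  # arbitrary epoch seconds; not taken from the case evidence
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 101, "pts/1", "rduronio", "dsl-host", T0),
    make_record(USER_PROCESS, 102, "pts/2", "crichard", "ubs-ws", T0 + 60),
    make_record(DEAD_PROCESS, 101, "pts/1", "", "", T0 + 3600),
    make_record(DEAD_PROCESS, 102, "pts/2", "", "", T0 + 4000),
])
SAMPLE_SU = [(T0 + 120, "rduronio", "pts/1"), (T0 + 300, "crichard", "pts/2")]


def demo():
    sess = sessions(parse_wtmp(SAMPLE_WTMP))
    both = root_candidates(sess, SAMPLE_SU, T0 + 600)   # two roots active: ambiguous
    one = root_candidates(sess, SAMPLE_SU, T0 + 3700)   # rduronio already logged out
    trusted = chain_digests(SAMPLE_WTMP)
    edited = bytearray(SAMPLE_WTMP)
    edited[2 * UTMP_SIZE + 8] ^= 0xFF                    # root rewrites one byte of entry 2
    return both, one, first_tampered_entry(bytes(edited), trusted)


if __name__ == "__main__":
    print(demo())
```

Running the script prints two candidate sets and the index of the edited entry: at the first instant both users hold root sessions and the logs cannot separate them, at the second only one does, and the chained digest pinpoints which entry was altered after the trusted copy was taken. The digests are only useful if they leave the host before root can touch them, which is the practical answer to the "designed for accounting, not forensics" objection.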
This archive was generated by hypermail 2.1.3 : Mon Jul 10 2006 - 08:44:24 PDT