[ISN] Prosecutors: UBS Sysadmin Believed "He Had Created The Perfect Crime"

From: InfoSec News (alerts@private)
Date: Tue Jul 11 2006 - 01:07:19 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=190301972

By Sharon Gaudin 
InformationWeek 
July 10, 2006 

Newark - In closing arguments, the prosecution told the jury Monday that 
the former systems administrator accused of planting a logic bomb on the 
UBS PaineWebber network four years ago thought he had committed the 
perfect crime -- mixing revenge with a scheme to cash in on the 
destruction he was causing.

Assistant U.S. Attorney Mauro Wolfe gave his closing arguments to the jury 
in U.S. District Court here for more than two hours Monday. He told jurors 
that Roger Duronio, the defendant in this computer sabotage case, was the 
man with the motive, the means and the ability to do the crime. And on top 
of that, copies of the trigger for the logic bomb were found in his home.

Duronio faces four federal criminal charges in connection with the March 
4, 2002 attack on UBS that took down nearly 2,000 servers and crippled its 
brokers' ability to do business. The trial has moved into its sixth week. 
The defense will have its turn at closing arguments Tuesday morning, and 
then the government will have an opportunity for a shorter rebuttal 
argument.

"In [Duronio's] mind, this was a gold mine," Wolfe told the jury. "The 
person who planted the logic bomb is the same person who intended to 
profit from it.... Let's make it clear. We submit to you ... the person 
who committed this crime is sitting right there. It's Roger Duronio."

Wolfe walked the jury through five weeks' worth of witnesses and the 
evidence they presented. Laying out the government's case, he said Duronio 
was a dangerous combination of disgruntled employee and a man in financial 
straits. And those two aspects intersected when Duronio learned in the 
fall of 2001 that he would not be receiving the maximum annual bonus that 
he had been expecting. Needing the money for his son's tuition at NYU, an 
angry Duronio began building the code that would punish UBS at the same 
time it created a windfall for him and his family.

"Roger Duronio believed he was entitled to a certain compensation, even 
though the company wasn't doing well after Sept. 11," said Wolfe. "He 
still felt he was entitled. He was better than everybody. He was smarter 
than everybody."

Wolfe reminded the jury about the testimony of Rajeev Khanna, manager for 
UBS's Unix Systems Group at the time of the attack. Khanna had told the 
jury that Duronio went to him in 2000, saying he had "cash flow problems" 
and asking for a pay increase. Khanna said he had liked Duronio and went 
to bat for him, even though it was mid-year and an unusual time to ask 
for, or give out, a pay raise. Khanna got Duronio a $10,000 bump in 
salary. But Wolfe was quick Monday to remind the jury that Duronio had not 
been satisfied with it.

"It wasn't good enough," Wolfe told the jury. "The seeds were planted. He 
wasn't happy with what he was taking home."

Feb. 22, 2002 was the day the bonuses were handed out and for Duronio, it 
was the last straw, according to Wolfe.

Duronio's bonus was about $15,000 shy of the maximum. While that meant he 
would take home about $160,000 that year, it was not the full $175,000 he 
had wanted. Angry, he went to Khanna and demanded a contract for the full 
$175,000, telling his supervisor that without a contract that very day, he 
would quit his job, Khanna testified earlier in the trial. The supervisor 
tried to get Duronio the contract but it didn't go through and when he 
went to tell the bad news to Duronio, Khanna saw that his systems 
administrator had already packed his things and was ready to leave.

The discrepancy in Duronio's bonus was roughly the same as Duronio's son's 
school tuition, Wolfe said. "Maybe that's why he's upset. That's the 
motive, ladies and gentlemen," he said.


Pain and Profit

But Wolfe said Duronio had been expecting this day for many months before. 
And he had been plotting out the course he would take.

The November and December before Duronio quit his job, he systematically 
went to work building the logic bomb, according to the government.

Mainly working remotely on the UBS system from his home, Duronio allegedly 
built, piece by piece, the four separate components of the malicious code. 
He built the payload -- the destructive portion of the code that would 
tell the servers to delete all files. He also allegedly built the 
distribution component, which pushed the bomb from the central server in 
the company's data center out to the 370 branch offices scattered across 
the country; and the persistence component, which kept the bomb running 
despite reboots and any loss of power. And then to make sure there was no 
mistake, Wolfe said Duronio built not one, but two triggers for the logic 
bomb. If one trigger was accidentally discovered and deleted off the 
system, another one would be silently waiting to go off, setting a 
destructive chain of events into motion.

But making the company suffer wasn't enough.

Wolfe said Duronio's was a two-pronged plan. Revenge was just the first 
part. Profit was the second.

Duronio set off on what witnesses called a pricey and risky buying spree 
in February 2002 -- a month or less from the time the bomb would go off. He 
bought "puts," a high-risk, high-payoff type of trade where the buyer 
profits if the company stock goes down. Between Feb. 5 and the end of that 
month, Duronio bought 330 puts -- almost all of them against UBS. He had 
never bought one before that month. And he never bought another one 
afterward.

Wolfe said, in total, Duronio spent nearly $25,000 on the puts. To pay for 
the puts, he even cashed out the IRA he shared with his wife. In his 
closing, Wolfe pointed out to the jury that six business days before the 
logic bomb went off, Duronio bought 20 more puts. Two days before it went 
off, he bought 120. And then one business day before the attack, he bought 
187 puts.

"His brokers basically said, 'Why don't you take out your cash and put it 
on the fire?'" said Wolfe. "Why would he do that? Roger Duronio was 60 
years old. He was a man with modest means. He had no trading history with 
puts."

Wolfe added, "In his mind, he wasn't taking a risk.... In his mind, he 
wasn't gambling. He was betting on a sure thing.... He had created the 
perfect crime."


Dismissing Conspiracies

Wolfe also used his closing arguments to attempt to rebut defense 
theories. Chris Adams, Duronio's attorney, has argued that hackers could 
have been responsible for the attack. He also argued that another systems 
administrator, Charles Richards, did the attack, or that it was a 
penetration test gone awry by Cisco Systems. The attorney at different 
times went after the first forensics company to work on the case, @Stake, 
Inc., saying that they couldn't be trusted because hackers worked for the 
company. Then he claimed the U.S. Secret Service, called in to investigate 
the case, did sloppy investigative work, as did the government's forensics 
expert, Keith Jones.

The defense's forensics expert, Kevin Faulkner, even testified that he 
couldn't be sure that the logic bomb was responsible for the damage to the 
UBS system.

On Monday, Wolfe called each one of these theories red herrings, meant to 
throw the jury off the trail.

"This case is not about Roger Duronio being the target of some conspiracy 
or multiple conspiracies, as a matter of fact," said Wolfe. "Remember 
[Adams saying] hackers are bad people? Hackers are unreliable. Hackers 
steal your lunch money." He said the defense's theories -- blaming 
hackers, Richards, Cisco and the Secret Service -- simply don't work 
together. One cancels out another. "It just can't be all of them," Wolfe 
said.

Copyright 2005 CMP Media LLC

