[ISN] Defense: Government Was Out To Get UBS Sys Admin

From: InfoSec News (alerts@private)
Date: Thu Jul 13 2006 - 01:16:25 PDT


http://www.informationweek.com/security/showArticle.jhtml?articleID=190302340

By Sharon Gaudin
InformationWeek
July 12, 2006

NEWARK, N.J. -- After six weeks of trial, the UBS computer sabotage case 
went to the jury Tuesday, but not before the defense, in its closing 
arguments, charged that government investigators planted evidence, relied 
on "polluted" evidence, and ignored evidence contrary to its case, in an 
effort to frame the defendant, a former systems administrator for UBS 
PaineWebber.

Few of the government's witnesses escaped unscathed from defense attorney 
Chris Adams' attacks in his two-hour closing here in U.S. District Court.

But then the government's lead prosecutor, who gave his closing argument 
on Monday, came back in a rebuttal closing, and told the jury that the 
defense's arguments were a last-minute effort at a red herring.

To believe Adams' argument, said Assistant U.S. Attorney Mauro Wolfe, the 
jurors would have to believe in the existence of a massive, multilayered 
conspiracy between several private companies and law enforcement agencies, 
all focused on framing Roger Duronio.

Duronio, 63, of Bogota, N.J., is standing trial on federal charges in 
connection with the March 4, 2002, attack on UBS PaineWebber that took 
down nearly 2,000 servers and crippled some branch offices for up to 
several weeks. He is accused of computer sabotage, securities fraud and 
mail fraud.

On Tuesday morning, Adams came out swinging in his close.

"This is the quintessential example of hammering that square peg into a 
round hole, no matter how many times you tell them it's the wrong peg," 
said Adams, who is with Walder, Hayden & Brogan in Roseland, N.J. "You 
have to decide if this is out of control. I ask you to reject these 
charges as a matter of conscience."

Early on in his closing, Adams turned the full force of his attacks on 
Keith Jones, the government's star witness and forensics investigator. The 
defense attorney called Jones an unfair, biased man with an agenda that 
focused on pushing the government's case forward without regard to the 
evidence. "You remember his demeanor when I asked him questions?" Adams 
asked of the jury. "Remember when asked if there was anything in the world 
that would change his mind and he said no? ... Is that an indication of an 
expert who's open-minded? Or is that the indication of an expert with an 
agenda?"

Adams mocked Jones' assertion during part of his direct examination that 
whoever built and planted the malicious code at the heart of the attack 
had to have a password for several different operations to pull it off. 
The defense attorney pointed out that there was only one password for 
everything.

"These are all different doors, and you'd have to know where they are, and 
you'd have to have a key," Adams said. "It sounds complicated. But did 
[Jones] bother to check that there's one key to all these doors? Did he 
care? ... Not only do you get into the Unix world with the same key, but 
you get into the VPN with the same key. You get into the [main host 
server] with the same key and the dev servers with the same key. But don't 
bother him with that."

Adams added: "There's no one you met in this trial who's less open minded, 
who has more of an agenda." Adams accused Jones of having a vested 
interest in pushing this case through because he's a part owner of his 
company, Mandiant. "Everything he did said, 'Don't bother me with that. 
I've made up my mind.' "


A Setup

While Adams quickly described UBS's network security weaknesses, he spent 
a great deal of time telling the jury that the company actually was 
manufacturing a case against Duronio.

The defense attorney noted that a lot of the evidence came directly from 
UBS, that UBS had allegedly withheld information from the defense, and 
that UBS also got rid of what Adams called key pieces of 
evidence--workstations that had belonged to two other systems 
administrators, Charles Richards and William Robertson. Both men had been 
briefly interviewed about the March 4, 2002, attack. While no criminal 
evidence was found connected to either, both were put on leave and then 
let go from UBS the next year. Both men were said to be friends with 
Duronio.

"What's the common thread of what was withheld, destroyed, or avoided?" 
Adams asked. "Charles Richards and UBS. ... Why do that? Why the secrecy?"

Adams stayed with the Richards line of attack for a good part of his 
closing. It was a theme he had revisited time and again throughout the 
trial, saying that Richards had the knowledge to do the attack and he had 
access to the system. Two small strings of the malicious code were found 
in the swap space of Richards' workstation but investigators said there 
were legitimate reasons it could have gotten there since Richards had 
worked on bringing the system back up after the attack. There was no 
evidence produced that the man had done anything criminal.

But Adams has said there's more to the Richards story than UBS or the 
government is telling. And he suggested that they covered up that 
information to keep the case pointing at his client, Duronio. "What do 
they not want you to know about Charles Richards?" he asked the jury 
Tuesday.

The defense attorney also attacked Gerard Speziale, who worked as a 
financial adviser for UBS at the time of the attack. Speziale had 
testified about Duronio buying puts against UBS on a few different days, 
but particularly on the day that Duronio quit his job. Speziale had told 
the jury that Duronio told him that he was so angry at the company that 
"God only knew what he would do." But, later, during cross-examination, 
Speziale said he wasn't quoting Duronio verbatim.

Adams also criticized @Stake, a forensics company called in after the 
March 2002 incident to investigate the downed servers. Karl Kasper, a 
former member of a well-known hacker think tank, headed up the 
investigation that had @Stake reviewing the digital wreckage and 
collecting backup tapes and other evidence for UBS and the government. All 
through the trial, Adams has questioned Kasper's involvement, saying that 
he tainted every piece of evidence he touched because he was a hacker.

"@Stake kept evidence, and @Stake chose what evidence to give to the 
government," said Adams. "The evidence was polluted."

And then Adams charged that Gregory O'Neil, the U.S. Secret Service agent 
in charge of the criminal investigation, knew that he was dealing with a 
hacker--someone Adams called unreliable and untrustworthy--but that O'Neil 
simply didn't care.

But he didn't stop there with O'Neil, who also was in charge of the search 
of Duronio's home where investigators found a printout of the malicious 
code in Duronio's bedroom, as well as the code in files in two of his home 
computers.

Adams told the jury they should consider that the Secret Service only 
found the code on Duronio's computers once they had removed the computers 
from the house and searched them back in their office. "Only after that 
point in time, do we know that code was found on Mr. Duronio's home 
computers. Only then," he said.

As for the hard copy of the code found on Duronio's dresser, Adams 
suggested the Secret Service agents also had something to do with getting 
it there.

"Where did the document come from, and how did it get there?" Adams asked 
the jury. "Was the document tested to see if it came from a home computer? 
They didn't. Did they test who doodled on the paper?"

And Adams also questioned how agents were able to take special note of 
this document with code on it when there were many papers with code taken 
from the house. O'Neil had testified that while he and the other agents 
had not seen a copy of the malicious code, this paper stood out because it 
was on the bedroom dresser and not in an office area. The paper also drew 
their attention because it contained the letters "mrm," which had been 
identified as part of the logic bomb.

"Not one other document was singled out like that. Not one," said Adams. 
"How on earth would anyone know what they're looking for without a copy. 
How? Those people had to have had a copy of it. They had to have had."


A Line In The Sand

When Assistant U.S. Attorney Wolfe stood up to deliver the government's 
rebuttal closing, he dragged his foot across the floor and told the jury 
that the defense had drawn a line in the sand.

"He said this is planted evidence," said Wolfe, holding up the printout of 
the code. "You'd have to believe the government planted the logic bomb 
code that Greg O'Neil testified to finding in Roger Duronio's home, on the 
dresser, in the bedroom. It isn't enough for the defense to argue the 
government's got it wrong. No, they said the government planted evidence."

That means, said Wolfe, that every witness the government put on the stand 
lied, and they fabricated evidence. And they did it all for one 
purpose--to get Duronio. "That's the line in the sand. And the question 
is, do you believe it?" he asked the jury.

Wolfe pointed out that for the defense's theory to work, UBS, Jones, the 
Secret Service and the government's prosecutors, all would have to be 
involved in covering up information to protect Richards and to sink 
Duronio.

"All of these players, entities and corporations all have to be dedicated 
to one operation--a massive case to fabricate evidence against Roger 
Duronio," he said. "Look at defense counsel's opening statement. Where did 
he say that the government planted evidence? Why did the defense wait 
until the last day, the last minute to throw this out there? It makes a 
good story but it's not the evidence in this case.

"This, ladies and gentlemen," said Wolfe, holding up the hard copy of the 
code, "this is the evidence."




