http://www.informationweek.com/security/showArticle.jhtml?articleID=190302340 By Sharon Gaudin InformationWeek July 12, 2006 NEWARK, N.J. -- After six weeks of trial, the UBS computer sabotage case went to the jury Tuesday, but not before the defense, in its closing arguments, charged that government investigators planted evidence, relied on "polluted" evidence, and ignored evidence contrary to its case, in an effort to frame the defendent, a former systems administrator for UBS PaineWebber. Few of the government's witnesses escaped unscathed from defense attorney Chris Adams' attacks in his two-hour closing here in U.S. District Court. But then the government's lead prosecutor, who gave his closing argument on Monday, came back in a rebuttal closing, and told the jury that the defense's arguments were a last-minute effort at a red herring. To believe Adams' argument, said Assistant U.S. Attorney Mauro Wolfe, the jurors would have to believe in the existence of a massive, multilayered conspiracy between several private companies and law enforcement agencies, all focused on framing Roger Duronio. Duronio, 63, of Bogota, N.J., is standing trial on federal charges in connection with the March 4, 2002, attack on UBS PaineWebber that took down nearly 2,000 servers and crippled some branch offices for up to several weeks. He is accused of computer sabotage, securities fraud and mail fraud. On Tuesday morning, Adams came out swinging in his close. "This is the quintessential example of hammering that square peg into a round hole, no matter how many times you tell them it's the wrong peg," said Adams, who is with Walder, Hayden & Brogan in Roseland, N.J. "You have to decide if this is out of control. I ask you to reject these charges as a matter of conscience." Early on in his closing, Adams turned the full force of his attacks on Keith Jones, the government's star witness and forensics investigator. The defense attorney called Jones an unfair, biased man with an agenda that focused on pushing the government's case forward without regard to the evidence. "You remember his demeanor when I asked him questions?" Adams asked of the jury. "Remember when asked if there was anything in the world that would change his mind and he said no? ... Is that an indication of an expert who's open-minded? Or is that the indication of an expert with an agenda?" Adams mocked Jones' assertion during part of his direct examination that whoever built and planted the malicious code at the heart of the attack had to have a password for several different operations to pull it off. The defense attorney pointed out that there was only one password for everything. "These are all different doors, and you'd have to know where they are, and you'd have to have a key," Adams said. "It sounds complicated. But did [Jones] bother to check that there's one key to all these doors? Did he care? ... Not only do you get into the Unix world with the same key, but you get into the VPN with the same key. You get into the [main host server] with the same key and the dev servers with the same key. But don't bother him with that." Adams added: "There's no one you met in this trial who's less open minded, who has more of an agenda." Adams accused Jones of having a vested interest in pushing this case through because he's a part owner of his company, Mandiant. "Everything he did said, 'Don't bother me with that. I've made up my mind.' " A Setup While Adams quickly described UBS's network security weaknesses, he spent a great deal of time telling the jury that the company actually was manufacturing a case against Duronio. The defense attorney noted that a lot of the evidence came directly from UBS, that UBS had allegedly withheld information from the defense, and that UBS also got rid of what Adams called key pieces of evidence--workstations that had belonged to two other systems administrators, Charles Richards and William Robertson. Both men had been briefly interviewed about the March 4, 2002, attack. While no criminal evidence was found connected to either, both were put on leave and then let go from UBS the next year. Both men were said to be friends with Duronio. "What's the common thread of what was withheld, destroyed, or avoided?" Adams asked. "Charles Richards and UBS. ... Why do that? Why the secrecy?" Adams stayed with the Richards line of attack for a good part of his closing. It was a theme he had revisited time and again throughout the trial, saying that Richards had the knowledge to do the attack and he had access to the system. Two small strings of the malicious code were found in the swap space of Richards' workstation but investigators said there were legitimate reasons it could have gotten there since Richards had worked on bringing the system back up after the attack. There was no evidence produced that the man had done anything criminal. But Adams has said there's more to the Richards story than UBS or the government is telling. And he suggested that they covered up that information to keep the case pointing at his client, Duronio. "What do they not want you to know about Charles Richards?" he asked the jury Tuesday. The defense attorney also attacked Gerard Speziale, who worked as a financial adviser for UBS at the time of the attack. Speziale had testified about Duronio buying puts against UBS on a few different days, but particularly on the day that Duronio quit his job. Speziale had told the jury that Duronio told him that he was so angry at the company that "God only knew what he would do." But, later, during cross-examination, Speziale said he wasn't quoting Duronio verbatim. Adams also criticized @Stake, a forensics company called in after the March 2002 incident. to investigate the downed servers. Karl Kasper, a former member of a well-known hacker think tank, headed up the investigation that had @Stake reviewing the digital wreckage and collecting backup tapes and other evidence for UBS and the government. All through the trial, Adams has questioned Kasper's involvement, saying that he tainted every piece of evidence he touched because he was a hacker. "@Stake kept evidence, and @Stake chose what evidence to give to the government," said Adams. "The evidence was polluted." And then Adams charged that Gregory O'Neil, the U.S. Secret Service agent in charge of the criminal investigation, knew that he was dealing with a hacker--someone Adams called unreliable and untrustworthy--but that O'Neil simply didn't care. But he didn't stop there with O'Neil, who also was in charge of the search of Duronio's home where investigators found a printout of the malicious code in Duronio's bedroom, as well as the code in files in two of his home computers. Adams told the jury they should consider that the Secret Service only found the code on Duronio's computers once they had removed the computers from the house and searched them back in their office. "Only after that point in time, do we know that code was found on Mr. Duronio's home computers. Only then," he said. As for the hard copy of the code found on Duronio's dresser, Adams suggested the Secret Service agents also had something to do with getting it there. "Where did the document come from, and how did it get there?" Adams asked the jury. "Was the document tested to see if it came from a home computer? They didn't. Did they test who doodled on the paper?" And Adams also questioned how agents were able to take special note of this document with code on it when there were many papers with code taken from the house. O'Neil had testified that while he and the other agents had not seen a copy of the malicious code, this paper stood out because it was on the bedroom dresser and not in an office area. The paper also drew their attention because it contained the letters "mrm," which had been identified as part of the logic bomb. "Not one other document was singled out like that. Not one," said Adams. "How on earth would anyone know what they're looking for without a copy. How? Those people had to have had a copy of it. They had to have had." A Line In The Sand When Assistant U.S. Attorney Wolfe stood up to deliver the government's rebuttal closing, he dragged his foot across the floor and told the jury that the defense had drawn a line in the sand. "He said this is planted evidence," said Wolfe, holding up the printout of the code. "You'd have to believe the government planted the logic bomb code that Greg O'Neil testified to finding in Roger Duronio's home, on the dresser, in the bedroom. It isn't enough for the defense to argue the government's got it wrong. No, they said the government planted evidence." That means, said Wolfe, that every witness the government put on the stand lied, and they fabricated evidence. And they did it all for one purpose--to get Duronio. "That's the line in the sand. And the question is, do you believe it?" he asked the jury. Wolfe pointed out that for the defense's theory to work, UBS, Jones, the Secret Service and the government's prosecutors, all would have to be involved in covering up information to protect Richards and to sink Duronio. "All of these players, entities and corporations all have to be dedicated to one operation--a massive case to fabricate evidence against Roger Duronio," he said. "Look at defense council's opening statement. Where did he say that the government planted evidence? Why did the defense wait until the last day, the last minute to throw this out there? It makes a good story but it's not the evidence in this case. "This, ladies and gentlemen," said Wolfe, holding up the hard copy of the code, "this is the evidence." _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu Jul 13 2006 - 01:31:49 PDT