[ISN] Ex-UBS Sys Admin Found Guilty, Prosecutors To Seek Maximum Sentence

From: InfoSec News (alerts@private)
Date: Fri Jul 21 2006 - 02:43:58 PDT


By Sharon Gaudin
July 19, 2006

The systems administrator found guilty Wednesday of launching an attack on 
UBS PaineWebber four years ago now faces a maximum of 6-1/2 to eight years 
in federal prison. And federal prosecutors say they will be asking for the 
maximum sentence.

After about 20 hours of deliberation, the jury returned a guilty verdict 
on two out of four charges for Roger Duronio, 63, of Bogota, N.J. Duronio 
was found guilty of computer sabotage and securities fraud. He was 
acquitted on two counts of mail fraud. He will be sentenced at a later 

Karina Byrne, a spokeswoman for UBS, said executives at the company 
appreciate the hard work the entire prosecution team put into the case and 
are just happy to get the incident behind them.

"UBS is committed to ensuring the safety and security of our computer 
system," she read from a prepared statement. "We're grateful for the hard 
work of the jury."

The six-week trial saw dueling forensics experts from the government and 
the defense take the stand. The government also put Duronio's former 
supervisor at UBS on the stand, along with UBS employees who worked on 
fixing the problem back in March of 2002, his two stock brokers, and the 
U.S. Secret Service agent who led the investigation. In sharp contrast, 
the defense only put on two witnesses--the forensics expert and a 
corporate lawyer from UBS who was questioned about documents the company 
was not able to supply and what happened to different computers after the 

UBS was hit on March 4, 2002, at 9:30 in the morning, just as the stock 
market opened for the day. Files were deleted from up to 2,000 servers in 
both the central data center in Weehawken, N.J., and in branch offices 
around the country. Company representatives never reported the cost of 
lost business but did say it cost the company more than $3.1 million to 
get the system back up and running.

Duronio worked at UBS as a systems administrator until he quit a few weeks 
before the attack. Witnesses testified that he quit because he was angry 
that he didn't receive as large an annual bonus as he expected. 
Investigators found copies of the malicious code on two of his home 
computers and on a printout sitting on his bedroom dresser.

The defense argued that the UBS network was riddled with security holes 
that would have allowed any number of people to masquerade as Duronio and 
move around the network unnoticed. They also argued that the evidence 
available--in the form of backup tapes for the damaged servers--was 
incomplete, leaving holes in the picture of what happened in the months 
before the security incident.

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Fri Jul 21 2006 - 03:10:11 PDT