[ISN] Ex-UBS Systems Admin Sentenced To 97 Months In Jail

From: InfoSec News (alerts@private)
Date: Thu Dec 14 2006 - 00:33:53 PST


http://www.informationweek.com/news/showArticle.jhtml?articleID=196603888

By Sharon Gaudin
InformationWeek
Dec 13, 2006

The former systems administrator convicted this past summer of launching 
an attack on UBS PaineWebber four years ago was sentenced to 97 months 
in jail in U.S. District Court in Newark, N.J., on Wednesday.

Roger Duronio, 63, of Bogota, N.J., stood quietly and didn't react as 
Judge Joseph Greenaway Jr. handed down the sentence. "This is a 
sophisticated crime," said the judge. "This wasn't an instance when an 
individual argues that 'I had a bad day and I made a mistake.' It's 
undoubtedly that Mr. Duronio, having felt wronged, came up with an 
elaborate, sophisticated scheme to take down a company." Judge Greenaway 
added that he was struck by Duronio's attempt to not only disrupt the 
company but to derive financial benefit from it.

Duronio was found guilty of computer sabotage and securities fraud for 
writing, planting, and disseminating malicious code -- a so-called logic 
bomb -- that took down up to 2,000 servers in both UBS PaineWebber's 
central data center in Weehawken, N.J., and in branch offices around the 
country. The attack left the financial giant's traders unable to make 
trades, the lifeblood of the company, for a day in some offices and for 
several weeks in others.

Executives at UBS, which was renamed UBS Wealth Management USA in 2003, 
never reported the cost of lost business, but did say the attack cost 
the company more than $3.1 million to get the system back up and 
running.

"If it doesn't send a message, people aren't listening," said Assistant 
U.S. Attorney V. Grady O'Malley, a prosecutor on the case. "If giving 
the maximum for this crime doesn't send a message to people with the 
ability to commit a crime and to the people who employ them, they're not 
paying attention. The potential for the impact of an insider is 
incalculable."

In his first statement in open court, Duronio called himself a simple 
man who led a simple, productive life. "In the Judeo-Christian way of 
looking at things the just thing to do would be to be merciful. I hope 
to have the opportunity to keep making contributions."

UBS was hit on March 4, 2002, at 9:30 in the morning, just as the stock 
market opened for the day. Elvira Maria Rodriguez, an IT manager in 
charge of maintaining the stability of the servers in the branch 
offices, testified during the trial that she was working when the 
servers began to go down. She told the court that she heard her computer 
beep, saw the words "cannot find" on the screen, and then her system 
froze. Then she glanced at her phone, which generally might have two or 
three lights flashing, and saw that 60 calls had come in at once.

That happened when 17,000 brokers suddenly discovered they were unable 
to make trades.

Rodriguez also testified that UBS is still suffering damage four years 
after the attack. Some of the information on the approximately 2,000 
Unix-based servers in the home office and the 370 branch offices that 
were hit by the malicious code was never fully restored.

"I don't believe we were ever back to that point," said Rodriguez during 
the trial. "We were always having issues with these large-scale servers 
[after the attack]. We never had the luxury to focus on completely going 
over all the servers. We just didn't have the time."

Duronio worked at UBS as a systems administrator until he quit a few 
weeks before the attack. Witnesses testified that he quit because he was 
angry he didn't receive as large an annual bonus as he expected. The 
government argued that Duronio wasn't just looking to cause trouble for 
UBS, he also was looking to cash in. Duronio built and planted the time 
bomb ahead of time and then bought stock options -- using money that he 
got cashing out his and his wife's $20,000 IRA -- that would only pay 
out if the company's stock took a dive within 11 days. By laying out a 
short expiration date -- 11 days instead of maybe a year or two -- the 
gain from any payout would be much greater.

Prosecutors argued that Duronio planned to make sure that is exactly 
what would happen by crippling the company's network.

During the investigation, U.S. Secret Service agents found copies of the 
malicious code on two of Duronio's home computers and on a printout 
sitting on his bedroom dresser.

Keith Jones, the government's expert witness and a 10-year forensics 
professional, spent more than three years analyzing backup tapes, logs, 
and source code from UBS's network. Jones testified during the trial 
that he not only found the malicious code, but he also linked it 
directly back to Duronio's home computer.

The defense argued that the UBS network was riddled with security holes 
that would have allowed any number of people to masquerade as Duronio 
and move around the network unnoticed. They also argued that the 
evidence available -- in the form of backup tapes for the damaged 
servers -- was incomplete, leaving holes in the picture of what happened 
in the months before the security incident. The jury deliberated for 20 
hours before delivering the verdict, which included an acquittal on two 
charges of mail fraud.

Duronio was ordered to make restitution, but it is unlikely that UBS 
will ever recover the $3.1 million it paid out in cleanup costs. Duronio 
also was banned from working as a systems administrator, network 
administrator, or computer consultant. He will report to the prison 
system in about 45 days.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Dec 14 2006 - 00:49:50 PST