http://www.informationweek.com/news/showArticle.jhtml?articleID=201807613 By Sharon Gaudin InformationWeek September 19, 2007 A former systems administrator at Medco Health Solutions pleaded guilty in federal court Wednesday to writing and planting malicious code that could have crippled a network that maintains customer health care information. Yung-Hsun Lin, of Montville, N.J., pleaded guilty in U.S. District Court in Newark, N.J. to the charge of transmitting code that would cause damage to a protected computer. The charge carries a maximum sentence of 10 years, but the plea deal sets a guideline of 30 to 37 months. The judge, who will levy the sentence on Jan. 8, is not bound to the guidelines. "Had this gone off, the damage to Medco's reputation could have been catastrophic," Assistant U.S. Attorney Erez Liebermann told InformationWeek. "I look at this as one of the most significant [computer sabotage] cases because it could have done more than financial damage." Lin admitted to creating and planting the malicious code, or logic bomb, on Medco's computer network because he feared he would lose his job in an expected round of layoffs. Another systems administrator at the company, however, foiled his plan when he discovered the logic bomb before it went off. If it had been detonated, prosecutors say the code would have eliminated pharmacists' ability to know if a new prescription would dangerously interact with a patient's current prescriptions. They also say it would have caused widespread financial damages to the company. Even though it didn't go off, Medco reported that it cost them between $70,000 and $120,000 to clean up the problem. "What this individual did was severely threaten a critical infrastructure -- healthcare," said Liebermann. "The only way to make sure all the drugs you've received don't conflict is to have something like Medco doing an across-the-board check. ... This could have led to the damage of people trying to get their prescriptions filled. It's a new level of risk. It's not just a financial crime. It could have damaged life and limb. It shows the impact of cyber crime." Lin, who is known as Andy Lin, had access to the company's network of about 70 HP (HP) Unix servers, according to the indictment. The network handled Medco's billing, corporate financial, and employee payroll information, as well as the Drug Utilization Review, a database of patient-specific information on conflicting drug interactions. Lin, created the logic bomb early on Oct. 3, 2003, just days before a planned layoff was due to happen. Medco had just spun off from Merck & Co. and was going through a restructuring. The Medco Unix group was merging with the e-commerce group to form a corporate Unix group, the government reported. Several systems administrators were laid off on Oct. 6. Lin was not one of them. The indictment pointed out that the month before the layoffs were made, Lin sent out e-mails discussing the anticipated layoffs. In one e-mail, he indicated he was unsure whether he would survive the downsizing, according to government documents. The logic bomb was set to automatically deploy on April 23, 2004, which was Lin's birthday. The code was triggered that day, prosecutors report, but it failed to take down the servers because of a coding error. The government says Lin later modified the code in September of 2004, correcting the error and resetting it to go off on April 23, 2005. Lin told the court he retriggered the logic bomb because of continued pressure from the layoffs. Liebermann said Lin designed the logic bomb so it would shut off access to other administrators while it was running. He also changed the time date on each file so if anyone found the code, it would look like it was created and modified at different times and on different days -- maybe not correlating to times that he was on the system. "It was very clever, though he couldn't change the backup logs that showed otherwise," said Liebermann. Soraya Balzac, a spokeswoman for Medco, pointed out in an interview that the company detected and neutralized the threat. "As a company, we're vigilant in protecting our systems and data," she added. "We view the defendant's guilty plea and expected high sentence as a strong message that there is zero tolerance for this type of conduct -- any threat to our system." Liebermann praised Medco for contacting and working with law enforcement in this case. "This represents a successful partnership between private industry and law enforcement, and we need more such partnerships if we are to successfully deter and prosecute these saboteurs." __________________________________________________________________ CSI 2007 is the only conference that delivers a business-focused overview of enterprise security. It will convene 1,500+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques. Register now for savings on conference fees and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Wed Sep 19 2007 - 23:24:18 PDT