[ISN] Medco Sys Admin Pleads Guilty To Computer Sabotage

From: InfoSec News (alerts@private)
Date: Wed Sep 19 2007 - 23:03:07 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=201807613

By Sharon Gaudin
InformationWeek
September 19, 2007

A former systems administrator at Medco Health Solutions pleaded guilty 
in federal court Wednesday to writing and planting malicious code that 
could have crippled a network that maintains customer health care 
information.

Yung-Hsun Lin, of Montville, N.J., pleaded guilty in U.S. District Court 
in Newark, N.J. to the charge of transmitting code that would cause 
damage to a protected computer. The charge carries a maximum sentence of 
10 years, but the plea deal sets a guideline of 30 to 37 months. The 
judge, who will levy the sentence on Jan. 8, is not bound by the 
guidelines.

"Had this gone off, the damage to Medco's reputation could have been 
catastrophic," Assistant U.S. Attorney Erez Liebermann told 
InformationWeek. "I look at this as one of the most significant 
[computer sabotage] cases because it could have done more than financial 
damage."

Lin admitted to creating and planting the malicious code, or logic bomb, 
on Medco's computer network because he feared he would lose his job in 
an expected round of layoffs. Another systems administrator at the 
company, however, foiled his plan when he discovered the logic bomb 
before it went off.

If it had been detonated, prosecutors say the code would have eliminated 
pharmacists' ability to know if a new prescription would dangerously 
interact with a patient's current prescriptions. They also say it would 
have caused widespread financial damages to the company. Even though it 
didn't go off, Medco reported that it cost them between $70,000 and 
$120,000 to clean up the problem.

"What this individual did was severely threaten a critical 
infrastructure -- healthcare," said Liebermann. "The only way to make 
sure all the drugs you've received don't conflict is to have something 
like Medco doing an across-the-board check. ... This could have led to 
the damage of people trying to get their prescriptions filled. It's a 
new level of risk. It's not just a financial crime. It could have 
damaged life and limb. It shows the impact of cyber crime."

Lin, who is known as Andy Lin, had access to the company's network of 
about 70 HP Unix servers, according to the indictment. The network 
handled Medco's billing, corporate financial, and employee payroll 
information, as well as the Drug Utilization Review, a database of 
patient-specific information on conflicting drug interactions.

Lin created the logic bomb early on Oct. 3, 2003, just days before a 
planned layoff was due to happen. Medco had just spun off from Merck & 
Co. and was going through a restructuring. The Medco Unix group was 
merging with the e-commerce group to form a corporate Unix group, the 
government reported.

Several systems administrators were laid off on Oct. 6. Lin was not one 
of them.

The indictment pointed out that the month before the layoffs were made, 
Lin sent out e-mails discussing the anticipated layoffs. In one e-mail, 
he indicated he was unsure whether he would survive the downsizing, 
according to government documents.

The logic bomb was set to automatically deploy on April 23, 2004, which 
was Lin's birthday. The code was triggered that day, prosecutors report, 
but it failed to take down the servers because of a coding error. The 
government says Lin later modified the code in September of 2004, 
correcting the error and resetting it to go off on April 23, 2005.

Lin told the court he retriggered the logic bomb because of continued 
pressure from the layoffs.

Liebermann said Lin designed the logic bomb so it would shut off access 
to other administrators while it was running. He also changed the time 
and date on each file so if anyone found the code, it would look like it was 
created and modified at different times and on different days -- maybe 
not correlating to times that he was on the system.

"It was very clever, though he couldn't change the backup logs that 
showed otherwise," said Liebermann.

Soraya Balzac, a spokeswoman for Medco, pointed out in an interview that 
the company detected and neutralized the threat. "As a company, we're 
vigilant in protecting our systems and data," she added. "We view the 
defendant's guilty plea and expected high sentence as a strong message 
that there is zero tolerance for this type of conduct -- any threat to 
our system."

Liebermann praised Medco for contacting and working with law enforcement 
in this case. "This represents a successful partnership between private 
industry and law enforcement, and we need more such partnerships if we 
are to successfully deter and prosecute these saboteurs."

