7/7/2006
06:33 PM

Closing Arguments To Begin In Trial Of Former UBS Sys Admin

As testimony concluded, the defense continued to try to show that the prosecution used unreliable evidence to charge the 63-year-old IT manager with introducing a logic bomb that brought down his former employer's network.

Newark, N.J. - The defense rested its case this week in the trial of a former systems administrator charged with four federal criminal offenses in association with a March 2002 attack on UBS PaineWebber's network.

Closing arguments are set to begin Monday morning.

Roger Duronio, 63, is charged with launching a logic bomb that took down nearly 2,000 of the company's servers, along with its ability to do business for up to three weeks in some branch offices.

In court on Thursday, the defense continued its argument that there simply wasn't enough evidence in hand to say who caused the incident. And the defense's forensics expert testified that he couldn't even say for sure that it was a logic bomb that caused the wreckage.

This was Duronio's fifth week on trial in U.S. District Court here. He faces four counts, including computer sabotage and securities fraud, in connection with a logic bomb that was detonated at UBS. Duronio worked at the financial company for three years, but quit his job a few weeks before the attack because he was angry that his annual bonus came up short.

The defense and the prosecution sparred for most of the day, with both firing questions at the second forensics expert to take the stand.

Kevin Faulkner, a senior consultant with Protiviti, a risk management consulting company, was the first defense witness to testify. He took the stand Wednesday and wrapped up his approximately six hours on direct and cross-examination Thursday. Faulkner told the jury there wasn't enough evidence--between log histories, incomplete backup tapes, and few forensics images--to say who was responsible for the UBS incident. He said he could only say that a root user was responsible for the malicious code, and then he said he couldn't verify the prosecutors' claims that the logic bomb they found on the servers was the cause of the network crash. "When dealing with evidence that is incomplete or you don't know who's touched it and when, then how can you know for certain what happened?" asked Faulkner. "There are always multiple explanations in every case."

A root user on a Unix system is a superuser with all-encompassing privileges. Whoever ran the code on the UBS system would need root user rights, according to Keith Jones, the government's forensics expert, who testified for five days. Jones is director of computer forensics and incident response at Mandiant, a computer security consulting company.

When the government's expert testified, he said there was a clear digital trail leading, in every case but one, directly from Duronio's home computer into the UBS network and onto the servers where the code was planted, exactly on the date and times when the code was planted. In the one exception, Duronio logged in to work on the malicious code from his workstation within the UBS facility, Jones said.

Faulkner disagreed with Jones' assessment, noting that Jones' analysis used VPN logs, as well as logs from WTMP files, which note the time of logins and logouts, and switch user logs, which record when users switch over to become a root user. Faulkner called that information unreliable because it can be edited by root, and it was designed for accounting purposes and not for forensics examinations.

Faulkner said he couldn't say who was responsible for the logic bomb because he didn't have a complete set of backup tapes to review for the damaged servers. While about 2,000 servers were damaged, the forensics experts were given the backup tapes from a smaller sampling of servers, representative of various time zones where the damage was done. Faulkner said he would want to see the complete set.

Faulkner also said the backup tapes he received didn't cover all the information that could have been stored on the damaged servers. It wasn't clear how much data was on each server immediately before the network was attacked, but the backup tapes didn't cover it all.
