Forensics Expert Attempts To Link UBS Attack And Defendant - InformationWeek


In the ongoing UBS computer sabotage trial, the government's forensics expert testified that he connected defendant Roger Duronio's username and home computer directly to the logic bomb that took down the company network.

Newark, N.J. - The government's forensics expert in the ongoing UBS computer sabotage trial testified Thursday that he not only found the malicious code that took down about 2,000 of UBS PaineWebber's servers four years ago, but he also "directly linked" it back to the defendant's home computer.

Keith Jones, director of computer forensics and incident response at Mandiant, an information security company, testified that he found the trigger mechanism for the logic bomb installed on machines across the company's national network, and that he connected defendant Roger Duronio's username and home computer directly to its creation, modification, distribution, and execution.

Duronio, a former systems administrator for UBS, is facing four federal criminal charges in connection with the March 4, 2002 attack that took the company's brokers offline for a day to three weeks. The attack cost the company $3.1 million in cleanup alone.

Jones explained to the jury how he began hunting for the trigger code and how it worked. Answering questions from Assistant U.S. Attorney Mauro Wolfe, Jones said the government brought him in to work on the case a little more than a year after the incident, and that he immediately started searching for files and pieces of code associated with the logic bomb.

"I started with a clean slate," said Jones, who has 10 years of computer forensics experience. "A lot of times a company doesn't know what's going on. They're in a 'let's get things back up and running' mode. I came in to find out what was happening in the system."

Early on in his testimony, Jones testified about conclusions that he reached after his three-year investigation into the UBS incident. As the government flashed accompanying slides on a screen for the jury, the witness said he found the 25 lines of the bomb's timer on two of Duronio's home computers, which the U.S. Secret Service had seized from his house. He also said the hard-copy printout of the trigger that set off the logic bomb, which federal agents found on Duronio's bedroom dresser, was an exact match for what was in the computers.

Next, Jones said the code caused the massive file deletion that took down the network. The forensic exam, he added, also revealed that the timer for the logic bomb, which Jones dubbed "the Duronio Trigger," was distributed and intentionally installed on the company's main host server, as well as on servers in approximately 370 branch offices.

Finally, Jones, who has written his own open-source forensics tools, said he concluded that Duronio's username and home computers were "directly linked" to the building of the logic bomb and to its presence on UBS's nationwide Unix-based network.

Jones had to explain to a jury of technical laymen the basics of computer code and forensics, source code, binary code, and compilers.

Jones has 10 years of experience as a forensics examiner and has worked on Unix since he was 16. He holds three college degrees, including a bachelor's in computer engineering and a master's in electrical engineering. A former systems administrator himself, he also has written three books, including Real Digital Forensics and The Anti-Hacker Toolkit.

The defense maintains that the government focused its investigation on the wrong man. Duronio's attorney has said UBS erred when hiring @Stake, the first forensics team on the case, because the firm employed well-known hackers. And Duronio's team also criticized the Secret Service and how agents handled evidence and other interviews.

Recovery Costs

Earlier in the day, the prosecution put Nancy Bagli, an assistant vice president with UBS, on the stand.

Bagli, who has been with UBS since 1997, worked in the company's Contract and Sourcing department at the time of the 2002 attack. She testified that she worked with group managers to figure out what they needed for hardware and services to recover from the attack. She also kept track of what UBS spent on the cleanup.

UBS spent $898,780 on hardware, including IBM and Sun Microsystems servers; $260,473 on investigative services; and $1,987,036 on technical consultants, who were mainly from IBM and went out to help bring the branch offices back up. The company bought refurbished equipment if it could get it faster than new, Bagli said.

That adds up to a total of $3,146,289 spent on recovery costs alone. UBS has never reported the price of down business time.

The trial is nearing the end of its third week. Jones is the prosecution's last witness and will take the stand again Friday morning. The defense will present its own slate of witnesses starting next week.
