A defense lawyer in an ongoing federal computer sabotage trial is pushing the idea that four years ago, a hacker masqueraded as his client to surreptitiously plant the logic bomb that took down thousands of servers at UBS PaineWebber, thus framing an innocent man.
Roger Duronio, a former systems administrator at UBS, is currently on trial in a District Court in Newark, N.J., for allegedly building and distributing the logic bomb that crippled the company's ability to do business for a day in some locations, and for as long as two to three weeks in others, costing UBS a reported $3.1 million in cleanup costs alone. If convicted, Duronio faces a maximum sentence of 30 years, fines of up to $1 million and restitution for the money UBS spent on recovery.
Chris Adams, Duronio's attorney and a partner at Walder Hayden & Brogan in Roseland, N.J., has been throwing a slew of whodunit theories at the jury, including an outside hacker, another systems administrator or even a slip-up by Cisco Systems, Inc., which was doing a penetration test of the UBS network during the March 4, 2002 incident.
But one major theme that Adams keeps returning to is the idea of someone -- whether inside UBS or outside -- using IP spoofing to pretend to log into the company's Unix-based network from Duronio's home, using the defendant's own corporate VPN connection. That's Adams' explanation for why forensics examiners and federal investigators traced remote connections to the network directly back to Duronio's own IP address during the times when pieces of the malicious code were being planted on the system. The problem with this theory, according to several security professionals and even one long-time hacker, is that, technically, it simply can't be done.
"Spoofing the IP address is not difficult," says Johannes Ullrich, chief research officer at the SANS Institute. "The problem is transferring data with a spoofed IP address. It's close to impossible to do." Ullrich also is the chief technology officer for the Internet Storm Center, a cooperative cyber threat monitoring and alert system.
IP spoofing (short for Internet Protocol address spoofing) is a way to fool a computer into thinking that a packet is coming from machine A when it is really coming from machine B. The header of every IP packet contains its source address - normally the address that the packet was sent from. By putting a different address into the header, a hacker can give the appearance that the packet was sent from a different machine.
IP spoofing often is used for denial-of-service attacks because the attacker simply has to overwhelm a network with a flood of pings or useless traffic, explains Ken van Wyk, a 20-year IT security veteran and principal consultant with KRvW Associates, LLC of Alexandria, Va. A session doesn't have to be established. The attacker, simply put, has to pound on the door. He doesn't actually need to be let inside.
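The distinction Ullrich and van Wyk draw is easiest to see in a small simulation. The Python below is an added illustration, not code from the article or from anyone quoted in it; the server, network and client are toy models of TCP's three-way handshake, and the three addresses are constructed documentation-range values. Routers forward on the destination address only, so a forged source address is accepted without question, but it also means the server's SYN-ACK (carrying the 32-bit initial sequence number the client must echo back) is delivered to the impersonated host, never to the attacker. A connectionless flood needs no reply at all, which is why spoofing works for denial of service but not for a remote login session.

```python
"""Why a spoofed source IP can flood a server but cannot hold a TCP session with it.

Added example, not part of the original article. Addresses are constructed
RFC 5737 documentation values, not anyone's real ones.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

SERVER_IP = "192.0.2.10"       # constructed: the host being connected to
VICTIM_IP = "203.0.113.5"      # constructed: the address an attacker tries to impersonate
ATTACKER_IP = "198.51.100.7"   # constructed: where the attacker's packets really originate


@dataclass
class Segment:
    src: str          # source address written into the header (sender-controlled, unverified)
    dst: str          # destination address; the only field routing looks at
    flags: str        # "SYN", "SYN-ACK", "ACK" or "UDP"
    seq: int = 0
    ack: int = 0


class Server:
    """Minimal TCP listener: tracks half-open handshakes and completed sessions."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.half_open: dict[str, int] = {}   # peer address -> our initial sequence number
        self.established: list[str] = []      # peers whose handshake completed
        self.udp_datagrams = 0

    def receive(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "UDP":
            self.udp_datagrams += 1           # connectionless: accepted, nothing to send back
            return None
        if seg.flags == "SYN":
            isn = secrets.randbelow(2**32)    # unpredictable ISN, as modern stacks generate
            self.half_open[seg.src] = isn
            return Segment(self.ip, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.half_open:
            # The final ACK must acknowledge our ISN + 1; only whoever saw the SYN-ACK knows it.
            if seg.ack == self.half_open.pop(seg.src) + 1:
                self.established.append(seg.src)
        return None


class Network:
    """Delivers each segment to the host owning its destination address.

    The source address is never checked: that is what makes forging it trivial
    and also what sends every reply to the impersonated host instead of the forger.
    """

    def __init__(self, server: Server, client_ips: list[str]) -> None:
        self.server = server
        self.inbox: dict[str, list[Segment]] = {ip: [] for ip in client_ips}

    def send(self, seg: Segment) -> None:
        if seg.dst == self.server.ip:
            reply = self.server.receive(seg)
            if reply is not None:
                self.send(reply)
        elif seg.dst in self.inbox:
            self.inbox[seg.dst].append(seg)
        # anything else is dropped


def tcp_connect(net: Network, real_ip: str, header_src: str) -> bool:
    """Run a three-way handshake from real_ip while stamping header_src as the source.

    Returns True only if the server completes a new session for header_src this time.
    """
    before = len(net.server.established)
    client_isn = secrets.randbelow(2**32)
    net.send(Segment(header_src, net.server.ip, "SYN", seq=client_isn))
    # The SYN-ACK went to header_src; we hold it only if that is genuinely our own address.
    synacks = [s for s in net.inbox[real_ip] if s.flags == "SYN-ACK" and s.ack == client_isn + 1]
    if synacks:
        server_isn = synacks[0].seq
    else:
        # Blind spoofing: the server's ISN was never seen, so it can only be guessed
        # (and a real impersonated host would answer the unsolicited SYN-ACK with a RST).
        server_isn = secrets.randbelow(2**32)
    net.send(Segment(header_src, net.server.ip, "ACK", seq=client_isn + 1, ack=server_isn + 1))
    return len(net.server.established) > before


def udp_flood(net: Network, header_src: str, count: int) -> int:
    """Send count spoofed datagrams; returns the server's total accepted (no reply required)."""
    for _ in range(count):
        net.send(Segment(header_src, net.server.ip, "UDP"))
    return net.server.udp_datagrams


def build_network() -> Network:
    return Network(Server(SERVER_IP), [VICTIM_IP, ATTACKER_IP])


if __name__ == "__main__":
    net = build_network()
    print("legitimate connect from victim's own address:", tcp_connect(net, VICTIM_IP, VICTIM_IP))
    print("attacker connect with victim's address forged:", tcp_connect(net, ATTACKER_IP, VICTIM_IP))
    print("SYN-ACKs the attacker ever received:", len(net.inbox[ATTACKER_IP]))
    print("spoofed datagrams the server accepted:", udp_flood(net, VICTIM_IP, 1000))
```

The forged attempt fails with probability 1 - 2^-32 per try because the attacker must guess the server's sequence number blind, while every spoofed datagram in the flood is accepted because nothing has to come back. For an investigator this is the reason that a VPN session traced to a particular address is strong evidence: the session's traffic had to be received at that address, not merely stamped with it.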
But Duronio's defense attorney has been asking various UBS witnesses who have taken the stand so far to talk about IP spoofing and sniffing, which is the act of capturing information - generally packets - as they go over the network. "You can read the packets and use them to pretend you're coming from another IP address, can't you?" Adams last week asked Rafael Mendez, who was UBS' division vice president for network services at the time of the attack. Mendez responded that spoofing becomes much more difficult to do if the packets are encrypted. He also said most ISPs set up sniffing roadblocks, blocking that kind of security problem.