UBS Trial Puts Insider Security Threats At Center Stage
Prosecutors say the accused caused chaos by planting simple code. The defense says dozens of people had the access to cause the problem without being identified.
It's human nature to trust your fellow employees--the people at the coffee pot, on your company softball team, down the hall. That's why it's so natural for IT managers to focus their network defenses on outside rather than inside threats.
What hit UBS PaineWebber on March 4, 2002, shows just how dangerous that one-sided thinking can be. Nothing more than 50 to 70 lines of malicious code--a "logic bomb" that U.S. prosecutors claim was planted by a disgruntled employee--took down about 2,000 servers, leaving 8,000 brokers across the country unable to work. IT teams spent sleepless nights on conference calls with IBM and scrambled to reset servers, trying to undo damage that still, four years later, hasn't been completely repaired.
The details of what happened are pouring out of a trial that began last week in U.S. District Court in New Jersey, where a former systems administrator, Roger Duronio, is charged with computer sabotage and securities fraud. The case paints a nightmare scenario for any IT team: a system failure that forced at least 400 employees to drop what they were doing and troubleshoot. Assessing and repairing the damage cost $3.1 million. In some cases, brokers were down for days, even weeks, depending on how badly their machines were hit, how remote the offices were, and if the branch's backup tapes could be found. The company, now called UBS Wealth Management USA, hasn't put a price on its lost business.
"It was the magnitude of it. How on earth were we going to bring them all back up? How was this going to affect the company?" testified UBS IT manager Elvira Maria Rodriguez, the first witness for the prosecution. "If I had a scale of 1 to 10, this would be a 10-plus."
Trading resumed in the days after the attack, but some servers hit by the malicious code were never fully restored, largely because about 20% didn't have backup tapes. "We were always having issues with these large-scale servers" after the attack, Rodriguez said. It would have taken about a year, she estimated, to make all the servers right again, even if that was all she did. "We just had to learn to live with it," she said.
Money And Revenge
Prosecutors claim that Duronio, 63, of Bogota, N.J., sought revenge against his employer by building, planting, and disseminating a logic bomb (see story, Software Bombs: Simply Tricky) to delete all the files in the central data center's host server and in every server in every U.S. branch office. His motivation allegedly was money and revenge. Assistant U.S. Attorney V. Grady O'Malley said in his opening statements that Duronio wanted to take home $175,000 a year from a base salary of $125,000 and a maximum annual bonus of $50,000. In February 2002, that bonus came in about $15,000 shy of his expectations.
Did Duronio do it--or a prank-minded colleague?
Here's how the prosecution, led by Assistant U.S. Attorney Mauro Wolfe, alleges Duronio committed the crimes: Logging in to the central host server from his home VPN connection, Duronio planted the malicious code months ahead. When he found out that his bonus wasn't all he'd hoped it would be, he demanded that the company give him a contract for a full $175,000 or he'd walk out that day. UBS didn't give him a contract, and Duronio was escorted out the door. But the logic bomb was already planted and the trigger set to go off on March 4 at 9:30 a.m.--just as the stock market opened and trading began. Prosecutors said in court that investigators executing a search warrant at Duronio's home found pieces of the malicious code on his personal computers and in hard copy on his dresser.
According to prosecutors, Duronio intended to profit by buying put options on UBS stock--using $20,000 cashed out of an IRA--that would pay off only if the company's stock took a dive within 11 days. "If he wasn't going to receive that [bonus], he was going to level a catastrophe against UBS that would rock their financial stability--and that would get him the biggest payday of his life," O'Malley told jurors. Despite the attack, UBS's stock didn't drop, and Duronio's investments didn't pay off.
Duronio's defense will point to UBS's inadequate security. Duronio isn't to blame for this "unsophisticated and sophomoric" code that was most likely planted as a prank, said Chris Adams, Duronio's attorney and a partner at Walder, Hayden & Brogan. The real problem, he laid out in opening statements, was that UBS's network was riddled with security holes that left the company open to attack.
Adams hasn't conceded that the code was an inside job, but he's trying to convince the jury that other employees were responsible. Weaknesses in UBS's IT system let someone else using Duronio's ID and password move around undetected in the network, Adams said.
A January 2002 internal audit of the UBS PaineWebber IT department found there were issues with the company's Unix and Sybase security, specifically involving passwords, Adams said. Forty administrators could gain root access using the same password, affecting the system's ability to tell which root user was giving commands, he told jurors.
Rodriguez testified that immediately after the attack began, she stepped out of her office and used an open root access on another systems administrator's computer to monitor what was happening on the network. Asked if it was company policy for an administrator to walk away and leave root access up on a computer, Rodriguez said it wasn't policy, but she wasn't surprised it happened.
Adams asserted that a March 2000 review of the financial firm's VPN showed that another session could open under a user name and password that already was in use. Rodriguez said she wasn't sure if that could be done at the time of the attack, but it can't be done now.