Sponsored By

UBS Trial: Defense Attacks 'Sloppy' Investigation

A U.S. Secret Service agent came under intense cross-examination in a computer sabotage trial Tuesday. Days after testifying that agents found a printout of malicious code in the defendant's bedroom, the defense spent most of the day hammering the lead investigator.

Sharon Gaudin

June 21, 2006

7 Min Read

Newark, N.J. -- After taking it on the chin last Friday, the defense in a computer sabotage trial here pounded away at the Secret Service agent on the stand, riding him on missteps in the investigation, and once again attacking the fact that hackers worked at one of the computer forensics companies involved in the case.

Special Agent Gregory O'Neil of the U.S. Secret Service was repeated questioned by defense attorney Chris Adams about an initial forensic report with a missing page, an unidentified latent fingerprint on a key piece of evidence, and some incorrect dates on a Secret Service report.

O'Neil, who was a lead investigator in the matter, took the stand as a witness for the prosecution in the federal computer sabotage case.

Adams, a partner at Walder Hayden & Brogan in Roseland, N.J., is the lead defense lawyer for Roger Duronio, the 63-year-old former systems administrator accused of planting a logic bomb that crippled the network at UBS PaineWebber four years ago.

Duronio is facing four charges in connection with allegedly writing and planting malicious code on the Unix-based network at UBS PaineWebber, where he had been working for three years. The attack effectively took down about 2,000 of the company's servers, some of which were brought back up in a day, but others remained down for two to three weeks.

In his cross examination of O'Neil, Adams also focused his sights on one specific forensic investigator who had been a hacker before working at @Stake, Inc., the security company that UBS first called in to check out the March 4, 2002 incident.

Karl Kasper, known in the industry as John Tan, identified himself to the federal agent as John Tan, and signed documents with that name. The defense asked O'Neal why he would trust the word, or the work, of someone who gave a false name to the Secret Service. O'Neal replied that he didn't regard it as a false name, simply a name Kasper uses in the trade.

And last Friday, O'Neil said that all roads in the investigation led back to Duronio. First off, he had pointed out that a digital trail led from Duronio's home IP address through the corporate VPN and into the company's servers, on exactly the same dates and times that the malicious code was planted or modified.

O'Neil also told the jury that during the execution of a search warrant on the Duronio home, Secret Service agents found parts of the malicious code on two of his home computers, as well as printed out in a hardcopy that was found on his bedroom dresser. Following the Money

When the trial resumed Tuesday morning, Agent O'Neil took the stand for the second day, and laid out a summary of Duronio's trading activity that he had put together based on the defendant's banking, trading and mortgage information. He testified that Duronio bought a total of 330 put options in the month before the security attack at UBS. He had bought stocks before, but never puts, which basically are a way to place bets that the company's stock will go down. The investor only gets a payoff if the company stock drops.

Duronio, according to Agent O'Neil, spent $23,025,12 on puts between Feb. 5, 2002 and March 1, 2002. While he bought a handful of puts on other companies, like Merrill Lynch and Citigroup, 96% of them were against UBS.

The agent also pointed out to the jury that Duronio, who allegedly became disgruntled with the company when his annual bonus came in $15,000 under expectations, had recently made two payments of approximately $18,000 each to New York University for his oldest son's tuition.

Hackers and Pseudonyms

During the cross, Adams lost no time in taking another swing at @Stake, the first company on scene to do a forensics investigation. Last week, Adams repeatedly asked witnesses from UBS' IT department if they trusted hackers or would hire a security company that employs hackers.

The research labs in @Stake, which was bought by Symantec, Corp. in 2004, were headed up by Peiter C. Zatko (also known in the industry as Mudge), the former CEO and chief scientist of the L0pht, a high-profile hacker think tank. Zatko, however, worked his way into the legitimate business world, testifying before a Senate Committee on Government Affairs, and counseling President Clinton in the White House on security issues.

Mendez testified that other Wall Street firms had recommended several forensic companies, including @Stake, to UBS after their servers were taken down.

In Tuesday's testimony, Agent O'Neil said he had received 10 items of evidence from Kasper (John Tan), who worked at @Stake and was involved in the UBS investigation. Adams projected a Documentation of Evidence sheet onto a screen in front of the jurors that showed that Kasper had signed his name as 'John Tan' on the official list that was handed over to the government. He also had signed another Certified Inventory of Evidence document with that name.

O'Neil said he had not been aware until late in 2004 or early in 2005 that John Tan actually is the screen name for Karl Kasper.

''He lied to you about the most basic information,'' Adams said. But during repeated questioning about it, O'Neil replied, ''He used John Tan to identify himself in his work at @Stake A fictitious name doesn't affect what's in the evidence itself.'' But in a separate interview, Johannes Ullrich, chief research officer at the SANS Institute, said he was surprised that Kasper would use a nickname or pseudonym when working with federal agents.

''I've never heard of that before,'' said Ullrich. ''A lot of people go by hack names but to use it during an investigation, I wouldn't do it. If you talk to the Secret Service, or to any client, it's not professional.''

However, Alan Paller, director of research at the SANS Institute, was much less surprised by it. In an interview, he said it's very common for people to use their 'handles' whenever they're in a work-related situation. ''It's like a woman using her maiden name even after she's married, because everyone in the office knows her as Brenda Jones,'' said Paller. ''It's the mindset of the black hat community. It was common to have a second life. You build up your reputation as a security expert with that second name. It's quite natural that he used his second name because that's the name with the security credibility associated with it.''

Kasper, going by the name John Tan, has spoken at SANS and Black Hat conferences. In 2005, he took a job with JP Morgan Chase doing application security assessment/penetration testing.

On the Attack

The defense attorney didn't narrow his field of attack to Kasper.

Adams pointed out that the initial report that @Stake produced was missing Page 17, but it was included in a later release of the report. Both O'Neil and the prosecutors took exception to Adams characterizing the page as having been 'withheld.'

O'Neil said the information on that page was ''forward looking'' and not pertinent to the criminal investigation.

Page 17, in part, refers to two other UBS employees who had been investigated. O'Neil said he and other agents interviewed both men for one to two hours each but there was no evidence of criminal activity. Then Adams asked if O'Neil knew that both men had been put on administrative leave after their interviews with law enforcement and then were let go from the company. O'Neil said he had not been aware of that till much later.

Adams also asked him if he knew of any severance agreement that precluded the two men from speaking about the investigation with anyone outside of UBS or the government. O'Neil replied that he did not know of any such agreement.

Duronio's defense attorney used the agent's time on the stand, as a chance to point out that the government does not have reports from Verizon, which was Duronio's ISP at the time of the attack, for several dates when forensics showed that the malicious code was being planted or modified on the company network. Under subpoena, Verizon had produced records about the dates and times of some connections, along with the IP addresses where the connections originated.

And Adams pounced on the fact that a latent fingerprint was found on the hardcopy printout of the malicious code that was found on Duronio's dresser. The print, O'Neil testified, did not belong to the defendant or to two agents who handled the paper. He said he doesn't know whose fingerprint it is.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights