UBS Trial: Defense Attacks 'Sloppy' Investigation

A U.S. Secret Service agent came under intense cross-examination in a computer sabotage trial Tuesday. Days after testifying that agents found a printout of malicious code in the defendant's bedroom, the defense spent most of the day hammering the lead investigator.
But in a separate interview, Johannes Ullrich, chief research officer at the SANS Institute, said he was surprised that Kasper would use a nickname or pseudonym when working with federal agents.

"I've never heard of that before," said Ullrich. "A lot of people go by hack names but to use it during an investigation, I wouldn't do it. If you talk to the Secret Service, or to any client, it's not professional."

However, Alan Paller, director of research at the SANS Institute, was much less surprised by it. In an interview, he said it's very common for people to use their 'handles' whenever they're in a work-related situation. "It's like a woman using her maiden name even after she's married, because everyone in the office knows her as Brenda Jones," said Paller. "It's the mindset of the black hat community. It was common to have a second life. You build up your reputation as a security expert with that second name. It's quite natural that he used his second name because that's the name with the security credibility associated with it."

Kasper, going by the name John Tan, has spoken at SANS and Black Hat conferences. In 2005, he took a job with JP Morgan Chase doing application security assessment/penetration testing.

On the Attack

The defense attorney didn't narrow his field of attack to Kasper.

Adams pointed out that the initial report that @Stake produced was missing Page 17, but it was included in a later release of the report. Both O'Neil and the prosecutors took exception to Adams characterizing the page as having been 'withheld.'

O'Neil said the information on that page was "forward looking" and not pertinent to the criminal investigation.

Page 17, in part, refers to two other UBS employees who had been investigated. O'Neil said he and other agents interviewed both men for one to two hours each but there was no evidence of criminal activity. Then Adams asked if O'Neil knew that both men had been put on administrative leave after their interviews with law enforcement and then were let go from the company. O'Neil said he had not been aware of that till much later.

Adams also asked him if he knew of any severance agreement that precluded the two men from speaking about the investigation with anyone outside of UBS or the government. O'Neil replied that he did not know of any such agreement.

Duronio's defense attorney used the agent's time on the stand as a chance to point out that the government does not have reports from Verizon, which was Duronio's ISP at the time of the attack, for several dates when forensics showed that the malicious code was being planted or modified on the company network. Under subpoena, Verizon had produced records about the dates and times of some connections, along with the IP addresses where the connections originated.

And Adams pounced on the fact that a latent fingerprint was found on the hardcopy printout of the malicious code that was found on Duronio's dresser. The print, O'Neil testified, did not belong to the defendant or to two agents who handled the paper. He said he doesn't know whose fingerprint it is.