137 Theory to Practice
that he would make money when the stock lost value due to his logic bomb attack. UBS-PW reported a $3 million loss* in recovery from this attack.
7.4.3 The Trial
Mr. Jones, the forensics expert for the prosecution, had his work cut out for him. He had to piece together the puzzle that proved the deceptive actions of Duronio as well as present the facts of the case in a way that could be understood by the jury. The forensic expert for the defense, Kevin Faulkner, had to prove the opposite. The trial went on for five weeks.
7.4.3.1 The Defense
The goal of the defense was to show that evidence presented by the prosecution was incomplete and unreliable. Their main focus was on the fact that there was no mirror image of the data and consequently no way to prove that Duronio was the attacker. In reference to the fact that there were only backup tapes of the hard disk files to analyze because a forensic image (a bit-for-bit copy) of the drive was not taken, Mr. Faulkner said, “I couldn’t look at all of the data.” He stated, “To preserve digital evidence, a forensic image is best practice.” He only had 6.5 gigabytes of data from a 30 gigabyte capacity server to analyze. The defense attorney questioning Faulkner attempted to assert that a forensic analysis of backup tapes is not sufficient to make any hard conclusions. In addition, the attorney called into question the chain of custody of the data because the backup tapes were handled by another forensics company no longer involved in the case. This former forensics company also had a reputation for hiring hackers which, in the defense’s opinion, put the integrity of the forensics company, as well as the integrity of the data previously handled by hackers, into question.
The defense attorney also questioned Mr. Jones about the validity of the analysis using only backup tapes of hard disk files instead of a bit-for-bit copy of the servers. Mr. Jones testified that taking an image of damaged servers would not have aided in the success of the analysis. He felt the amount of data available was sufficient to draw conclusions.
7.4.3.2 The Prosecution
Over ve days, Mr. Jones testied that Duronios actions caused the
UBS-PW stock trading servers to be inoperable. He was able to extract
IP address, date, and time information that connected the attacker to the
specic servers and conrmed when and where the attacker had planted
*
The loss included $898,780 on servers, $260,473 on investigative services, and $1,987,036 on
technical consultants to help with the recovery.
138 What Every Engineer Should Know About Cyber Security
the logic bomb. The IP address pointed directly to Duronio’s home in all
cases but one. The exception pointed to Duronios workstation at UBS-PW.
The US Secret Service also found parts of the logic bomb code on two
machineswithin Duronios home in addition to a hard copy printout of
the code.
Mr. Faulkner pointed out the alleged holes in the prosecution’s testimony. He testified that log data in general are poor forensic evidence. The logs that were used by the prosecution were the VPN, WTMP, and SU (switch user logs show when users switch to root user* access). It is important to note here that root user access, which Duronio had, would be necessary to plant a logic bomb. Mr. Faulkner also provided a few other facts that attempted to put the attacker ID into question:
1. The log data are not reliable, as they can be edited by the root user.
2. The log file data would not be able to identify whether someone accessed the server using a back door.
3. There was, in fact, back door entry to the server in question.
4. Although the time of their access was not identified to match the time of the logic bomb insert, two people (only identified via login ID) accessed the server using the back door.
5. There were two other current systems administrators who were also employed at UBS at the time of the attack who could have been the attacker. However, the two other system administrators were cleared of any suspicion of direct involvement after the first forensic investigation team (no longer working on the case) analyzed their machines. That company did find a few strings of the logic bomb code in the swap space on one of the systems administrators’ machines. But there was no other criminal evidence found on that machine. They also did not find any other information to show that the code bomb existed on that machine. Interestingly, the data from those two machines were destroyed when the first forensic company (recall the chain-of-custody issue mentioned earlier) was bought out by another company.
The testimony of Mr. Jones clarified that the data analyzed pointed to the user with the ID of “rduronio.” The log data showed that this user was accessing the server from inside Duronio’s home. Mr. Jones also clarified that the reason backup tapes were used instead of a bit-for-bit copy of the data was that the server data were damaged—so an image would not have been helpful. In addition, the IT workers at UBS were focusing on getting the system back online at the time of the attack, so the recovery efforts would have written over data left on the server. Mr. Jones felt strongly that anything additional from a bit-for-bit copy would not contradict what was already discovered on the backup tapes anyway.

* Root user is a special user account on a UNIX system with the highest privilege level.
A back door refers to an unauthorized way to access a computer system.
Swap space is where inactive memory pages are held to free up physical memory for more active processes.
During the redirect* questioning, Mr. Faulkner was asked by the defense attorney, “Do you have a bottom line as to which username is responsible for the logic bomb?”
Mr. Faulkner replied, “Root.”
Since there were other system administrators with root access, the defense attorney asked a follow-up question, “Is there evidence which username, acting as root, was responsible?”
Mr. Faulkner replied, “No.”
Assistant US Attorney Mauro Wolf asked one additional question that turned it all around, “Bottom line: root did it. Roger Duronio could have acted as root?”
Mr. Faulkner replied, “Yes.”
7.4.3.3 Other Strategies to Win the Case
1. Defense: It was a conspiracy against Roger Duronio.
a. The US Secret Service must have planted the evidence in Duronio’s home. First, there was an unknown fingerprint on the hard copy of the code found in the house. Second, the Secret Service removed the computers from the house before the forensic image was taken of the machine. This may have been the reason they discovered the logic bomb code on the computers back in their office instead of in Duronio’s home: because they put it there!
b. The expert witness for the prosecution was biased and had an agenda because he was part owner of the company hired to do the forensic analysis.
c. UBS was hiding evidence. The data from the workstations of the other two systems administrators were destroyed. The first forensics company was bought out and the evidence was destroyed in the process; this was not the doing of UBS. In addition, recall that the first forensics company hired hackers; therefore, the evidence they touched must be polluted.
d. At one point, the defense also attempted to blame a scheduled penetration test of their system by Cisco.
2. Prosecution: Not much is needed here as they already had discovered enough data to convict Duronio. So, they pointed out that the background of the defense’s forensic examiner was weak.
a. He had 2.5 years of forensics experience, most of which was gained during this case.
b. The defense’s forensic examiner did not come to any conclusions following his forensic analysis.
c. The theories of the defense were all red herrings.* Why would all of those people (UBS, US Secret Service, Cisco, and the first forensics company) be after Roger Duronio?!

* Redirect questioning is the part of the trial process where the witness has an opportunity to refute information that may have damaged his or her testimony.
7.4.3.4 Verdict
Roger Duronio was found guilty. He was sentenced to 97 months without parole. He was also ordered to make $3.1 million in restitution to UBS PaineWebber.
7.4.4 After Action Report
7.4.4.1 What Worked Well for UBS-PW?
1. Resources: The UBS IT executives had a plan and were able to get the system back up and running with the help of hundreds of consultants from IBM as well as hundreds of people from their own staff.
2. Look for outside help: They used a third party to lead the recovery effort (IBM) as well as a third party to do the investigation. Outsiders take an objective view of the problem. This is critical when an insider is suspected to be the cause of the problem.
3. Find the problem and go nonstop: The dedicated staff that worked nonstop on the problem was very effective in addressing the issue. They also did not stop until the problem was eradicated and the system was recovered.
4. Backup: The backup tapes restored the servers that were damaged.
5. Learn from the experience: UBS-PW did a postmortem on the event to learn from the experience.
7.4.4.2 What to Do Differently Next Time
1. Remember that humans are the weakest link: From weak passwords to disgruntled employees with access to critical systems—do not discount the damage that can be done.
2. Enhance log reports: The logs were good but could have been better. For example, they showed who switched to the root but not which commands the root ran on the system.
3. Limit root privileges: Systems administrators should have only the root privileges necessary to do their jobs. They do not need access to the whole system.
4. Break the trust relationship: Use better authentication between branch servers. In this situation, no authentication was required, so the logic bomb was easily pushed out to each server from the central server.
5. Use encrypted protocols: Use secure sockets layer (SSL) when allowing remote access to computers.

* Red herrings are issues that are distractions to the real issue.
After three years of analyzing the UBS data, forensics expert Keith Jones came up with five points that helped UBS recover, as well as five points that will help them in the future.
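The following script is an added example, not code from the book or from the investigators in the case. It shows, on constructed data, the kind of log correlation the prosecution's testimony describes and the two gaps the defense raised: it joins simplified VPN, wtmp-style login, and su log lines into a timeline of successful switches to root, traces each switch back to the login that owned the terminal and, where that login came from a VPN address, to the VPN session's public address; it then lists what the logs still cannot answer, namely a root session whose origin has no VPN record and, for every root session, the commands run as root (the "enhance log reports" point above). A SHA-256 fingerprint taken at collection time is included so that a copy examined later can be checked against the original, which is one answer to the point that root can edit the logs. All user names, addresses, timestamps, and the log formats themselves are constructed placeholders.

```python
"""Correlate VPN, wtmp-style login and su logs into a timeline of switches to
root, and list what those logs cannot show. Added example: every log line,
name, address and timestamp is constructed, and the formats are simplified
stand-ins for the real VPN, WTMP and SU logs."""
import hashlib
import re
from datetime import datetime

# Constructed VPN log: user, assigned VPN address and the public source address.
VPN_LOG = """\
2020-01-15T14:01:10 vpn: user=alice assigned=10.8.0.5 from=198.51.100.23
2020-01-15T14:05:44 vpn: user=bob assigned=10.8.0.9 from=203.0.113.7
"""
# Constructed wtmp-style records: who logged in, on which tty, from where.
WTMP_LOG = """\
2020-01-15T14:02:03 login user=alice tty=pts/3 from=10.8.0.5
2020-01-15T14:06:10 login user=bob tty=pts/4 from=10.8.0.9
2020-01-15T14:20:00 login user=carol tty=pts/5 from=10.1.1.50
"""
# Constructed su log: '+' is a successful switch, '-' a failed one.
SU_LOG = """\
2020-01-15T14:03:12 SU + pts/3 alice-root
2020-01-15T14:07:55 SU - pts/4 bob-root
2020-01-15T14:21:30 SU + pts/5 carol-root
"""

VPN_RE = re.compile(r"^(\S+) vpn: user=(\S+) assigned=(\S+) from=(\S+)$")
LOGIN_RE = re.compile(r"^(\S+) login user=(\S+) tty=(\S+) from=(\S+)$")
SU_RE = re.compile(r"^(\S+) SU ([+-]) (\S+) (\S+)-(\S+)$")


def fingerprint(text):
    """SHA-256 of a log as collected, so a copy restored later (e.g. from a
    backup tape) can be checked against the value recorded at collection."""
    return hashlib.sha256(text.encode()).hexdigest()


def parse(text, regex, fields):
    """Turn matching lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            rec = dict(zip(fields, m.groups()))
            rec["when"] = datetime.fromisoformat(rec["when"])
            records.append(rec)
    return records


def correlate(vpn_text, login_text, su_text):
    """One row per successful switch to root, traced to the login that owned
    the tty and, when the login came from a VPN address, to the VPN session."""
    vpn = {r["assigned"]: r for r in
           parse(vpn_text, VPN_RE, ("when", "user", "assigned", "public_ip"))}
    logins = parse(login_text, LOGIN_RE, ("when", "user", "tty", "from"))
    rows = []
    for ev in parse(su_text, SU_RE, ("when", "flag", "tty", "user", "target")):
        if ev["flag"] != "+" or ev["target"] != "root":
            continue
        # Latest login by the same user on the same tty at or before the switch.
        owners = [lg for lg in logins if lg["user"] == ev["user"]
                  and lg["tty"] == ev["tty"] and lg["when"] <= ev["when"]]
        login = max(owners, key=lambda lg: lg["when"]) if owners else None
        src = login["from"] if login else None
        session = vpn.get(src) if src else None
        rows.append({
            "when": ev["when"].isoformat(),
            "user": ev["user"],
            "tty": ev["tty"],
            "login_from": src,
            "vpn_user": session["user"] if session else None,
            "public_ip": session["public_ip"] if session else None,
            # The su log records the switch itself, never what root then ran.
            "commands_logged": False,
        })
    return rows


def audit_gaps(rows):
    """What the correlated logs still cannot answer for each root session."""
    gaps = []
    for r in rows:
        if r["public_ip"] is None:
            gaps.append(f"{r['when']} {r['user']}: login source {r['login_from']} "
                        "has no VPN record, so the origin is not attributed")
        if not r["commands_logged"]:
            gaps.append(f"{r['when']} {r['user']}: commands run as root not recorded")
    return gaps


if __name__ == "__main__":
    timeline = correlate(VPN_LOG, WTMP_LOG, SU_LOG)
    for row in timeline:
        print(row)
    for gap in audit_gaps(timeline):
        print("GAP:", gap)
```

On the constructed data the failed switch by `bob` is dropped, `alice`'s root session is attributed through the VPN log to a public address, and `carol`'s root session is attributed only as far as an internal address with no VPN record; both successful sessions are flagged because nothing in these three logs records the commands that root ran, which is exactly the gap a command-level audit trail (process accounting or a kernel audit subsystem) would close.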