138 What Every Engineer Should Know About Cyber Security
the logic bomb. The IP address pointed directly to Duronio’s home in all
cases but one. The exception pointed to Duronio’s workstation at UBS-PW.
The US Secret Service also found parts of the logic bomb code on two
machines within Duronio’s home in addition to a hard copy printout of
the code.
Mr. Faulkner pointed out the alleged holes in the prosecution’s testimony.
He testified that the log data in general are poor forensic evidence. The logs
that were used by the prosecution were the VPN, WTMP, and SU (switch
user) logs; the SU log shows when users switch to root user* access. It is
important to note here that root user access, which Duronio had, would be
necessary to plant a logic bomb. Mr. Faulkner also provided a few other facts
that attempted to put the attacker ID into question:
1. The log data are not reliable, as they can be edited by the root user.
2. The log file data would not be able to identify whether someone
accessed the server using a back door.†
3. There was, in fact, back door entry to the server in question.
4. Although the time of their access was not identified to match the
time of the logic bomb insert, two people (only identified via login
ID) accessed the server using the back door.
5. There were two other current systems administrators who were also
employed at UBS at the time of the attack who could have been the
attacker. However, the two other system administrators were cleared
of any suspicion of direct involvement after the first forensic
investigation team (no longer working on the case) analyzed their machines.
That company did find a few strings of the logic bomb code in the
swap space‡ on one of the systems administrator’s machines. But there
was no other criminal evidence found on that machine. They also did
not find any other information to show that the code bomb existed
on that machine. Interestingly, the data from those two machines
were destroyed when the first forensic company (recall the chain-of-custody
issue mentioned earlier) was bought out by another company.
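The attribution argument on this page rests on correlating two log sources: the VPN log places a login ID at a source IP address for a period of time, and the SU log shows that ID switching to root. Points 2 through 4 are the counter-argument: a root switch reached through a back door, or recorded in a log that root has since edited, will have no matching VPN session. The following Python script is an added example that makes that correlation and its gap concrete; it is not part of the book or of the UBS investigation. The log formats, user names other than the page's "rduronio", timestamps and addresses are all constructed for illustration (the 203.0.113.0/24 range is reserved for documentation).

```python
import re
from datetime import datetime

# Constructed sample logs (illustrative only, not from the case record).
# Timestamps, ttys and addresses are placeholders; 203.0.113.0/24 is the
# TEST-NET-3 range reserved for documentation.
VPN_LOG = """\
2002-03-04 09:12:01 vpn session-start user=rduronio src=203.0.113.10
2002-03-04 09:58:40 vpn session-end user=rduronio src=203.0.113.10
2002-03-04 13:02:15 vpn session-start user=admin2 src=203.0.113.25
2002-03-04 13:40:00 vpn session-end user=admin2 src=203.0.113.25
"""

# Constructed switch-user (SU) log: time, result (+ success, - failure),
# tty, and the from-to user pair, loosely modelled on a UNIX sulog.
SU_LOG = """\
2002-03-04 09:15:33 + pts/3 rduronio-root
2002-03-04 11:20:05 + pts/7 svcacct-root
2002-03-04 11:20:40 - pts/7 svcacct-root
2002-03-04 13:05:10 + pts/2 admin2-root
"""

VPN_RE = re.compile(r"^(\S+ \S+) vpn session-(start|end) user=(\S+) src=(\S+)$")
SU_RE = re.compile(r"^(\S+ \S+) ([+-]) (\S+) (\S+)-(\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_vpn_sessions(log_text):
    """Pair session-start and session-end lines into closed sessions.
    A session with no end line in the log is kept with end=None."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts, kind, user, src = m.groups()
        key = (user, src)
        if kind == "start":
            open_sessions[key] = parse_ts(ts)
        elif key in open_sessions:
            sessions.append({"user": user, "src": src,
                             "start": open_sessions.pop(key), "end": parse_ts(ts)})
    for (user, src), start in open_sessions.items():
        sessions.append({"user": user, "src": src, "start": start, "end": None})
    return sessions


def parse_su_events(log_text):
    """Return successful switches to root as (time, user, tty) dicts."""
    events = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue
        ts, result, tty, from_user, to_user = m.groups()
        if result == "+" and to_user == "root":
            events.append({"time": parse_ts(ts), "user": from_user, "tty": tty})
    return events


def attribute_root_access(vpn_text, su_text):
    """For each successful su-to-root, find the VPN session (same login ID,
    enclosing time window) that would place that user at a source address.
    A missing session is flagged rather than dropped: it is the gap the
    defense argued about (back door, local access, or a log that root
    could have altered)."""
    sessions = parse_vpn_sessions(vpn_text)
    findings = []
    for ev in parse_su_events(su_text):
        match = None
        for s in sessions:
            within = s["start"] <= ev["time"] and (s["end"] is None or ev["time"] <= s["end"])
            if s["user"] == ev["user"] and within:
                match = s
                break
        findings.append({
            "time": ev["time"].isoformat(sep=" "),
            "user": ev["user"],
            "src": match["src"] if match else None,
            "note": "root switch inside VPN session" if match
                    else "root switch with no VPN session: unexplained access path or incomplete log",
        })
    return findings


if __name__ == "__main__":
    for f in attribute_root_access(VPN_LOG, SU_LOG):
        print(f"{f['time']} {f['user']:<10} {f['src'] or '-':<15} {f['note']}")
```

The constructed input yields one root switch by "svcacct" that no VPN session explains. The script can only flag that gap; it cannot decide whether the cause was a back door, a local console, or an SU log that was truncated or rewritten, and since the user who switched to root could also have edited the SU log afterwards, the correlation is only as trustworthy as the integrity of the log sources themselves.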
The testimony of Mr. Jones clarified that the data analyzed pointed to the
user with the ID of “rduronio.” The log data showed that this user was
accessing the server from inside Duronio’s home. Mr. Jones also clarified
that the reason backup tapes were used instead of a bit-for-bit copy of the
data was that the server data were damaged—so an image would not have
been helpful. In addition, the IT workers at UBS were focusing on getting the
system back online at the time of the attack, so the recovery efforts would
* Root user is a special user account on a UNIX system with the highest privilege level.
† A back door refers to an unauthorized way to access a computer system.
‡ Swap space is where inactive memory pages are held to free up physical memory for more
active processes.