http://www.informationweek.com/management/showArticle.jhtml?articleID=189600779
By Sharon Gaudin
InformationWeek
June 22, 2006
Newark, N.J. - The government's forensics expert in the ongoing UBS computer sabotage trial testified Thursday that he not only found the malicious code that took down about 2,000 of UBS PaineWebber's servers four years ago, but he also "directly linked" it back to the defendant's home computer.
Keith Jones, director of computer forensics and incident response at Mandiant, an information security company, testified that he found the trigger mechanism for the logic bomb installed on machines across the company's national network, and that he connected defendant Roger Duronio's user name and home computer directly to its creation, modification, distribution and execution.
Duronio, a former systems administrator for UBS, is facing four federal criminal charges in connection with the March 4, 2002 attack that took the company's brokers offline for anywhere from a day to three weeks. The attack cost the company $3.1 million in cleanup costs alone.
Jones explained to the jury how he began hunting for the trigger code and how it worked. Answering questions from Assistant U.S. Attorney Mauro Wolfe, Jones said the government brought him in to work on the case a little more than a year after the incident, and he immediately started searching for files and pieces of code associated with the logic bomb.
"I started with a clean slate," said Jones, who has 10 years of computer forensics experience. "A lot of times a company doesn't know what's going on. They're in a 'let's get things back up and running' mode. I came in to find out what was happening in the system."
Early on in his testimony, Jones testified about conclusions that he reached after his three-year investigation into the UBS incident. As the government flashed accompanying slides on a screen for the jury, the witness said he found the 25 lines of the bomb's timer on two of Duronio's home computers, which the U.S. Secret Service had seized from his house. He also said the hardcopy printout of the code that federal agents found on Duronio's bedroom dresser was an exact match for what was in the computers.
Next, Jones said the code caused the massive file deletion that took down the network. The forensic exam, he added, also revealed that the timer for the logic bomb, which Jones dubbed "the Duronio Trigger," was distributed and intentionally installed on the company's main host server, as well as on servers in approximately 370 branch offices.
Finally, Jones, who has written his own open-source forensics tools, said he concluded that Duronio's user name and home computers were "directly linked" to the building of the logic bomb and to its presence on UBS's nationwide Unix-based network.
Jones had to explain, to a jury of technical laymen, the basics of computer code and forensics: source code, binary code, and compilers.
Jones has 10 years' experience as a forensics examiner, and has worked on Unix since he was 16. He holds three college degrees, including a bachelor's in computer engineering and a master's in electrical engineering. A former systems administrator himself, he also has written three books, including Real Digital Forensics and The Anti-Hacker Toolkit.
The defense maintains that the government focused its investigation on the wrong man. Duronio's attorney has said UBS erred when hiring @stake, the first forensics team on the case, because the firm employed well-known hackers. Duronio's team also criticized the Secret Service and how its agents handled evidence and conducted interviews.
Recovery Costs
Earlier in the day, the prosecution put Nancy Bagli, an assistant vice president with UBS, on the stand.
Bagli, who has been with UBS since 1997, worked in the company's Contract and Sourcing department at the time of the 2002 attack. She testified that she worked with group managers to figure out what hardware and services they needed to recover from the attack. She also kept track of what UBS spent on the cleanup.
UBS spent $898,780 on hardware, including IBM and Sun Microsystems servers; $260,473 on investigative services; and $1,987,036 on technical consultants, who mainly were from IBM and went out to help bring the branch offices back up. The company bought refurbished equipment if it could get it faster than new, Bagli said.
That adds up to a total of $3,146,289 spent on recovery costs alone. UBS has never reported the cost of the lost business time.
The trial is nearing the end of its third week. Jones is the prosecution's last witness and will take the stand again Friday morning. The defense will present its own slate of witnesses starting next week.