By Sharon Gaudin
Jul 7, 2006
Newark, N.J. - The defense rested its case this week in the trial of a
former systems administrator charged with four federal criminal offenses
in association with a March 2002 attack on UBS PaineWebber's network.
Closing arguments are set to begin Monday morning.
Roger Duronio, 63, is charged with launching a logic bomb that took down
nearly 2,000 of the company's servers, along with its ability to do
business for up to three weeks in some branch offices.
In court on Thursday, the defense continued its argument that there simply
wasn't enough evidence in hand to say who caused the incident. And the
defense's forensics expert testified that he couldn't even say for sure
that it was a logic bomb that caused the wreckage.
This was Duronio's fifth week on trial in U.S. District Court here. He
faces four counts, including computer sabotage and securities fraud, in
connection with a logic bomb that was detonated at UBS. Duronio worked at
the financial company for three years, but quit his job a few weeks before
the attack because he was angry that his annual bonus came up short.
The defense and the prosecution sparred for most of the day, both
firing questions at the second forensics expert to take the stand.
Kevin Faulkner, a senior consultant with Protiviti, a risk management
consulting company, was the first defense witness to testify. He took the
stand Wednesday and wrapped up his approximately six hours on direct and
cross-examination Thursday. Faulkner told the jury there wasn't enough
evidence--between log histories, incomplete backup tapes, and few
forensics images--to say who was responsible for the UBS incident. He said
he could only say that a root user was responsible for the malicious code,
and then he said he couldn't verify the prosecutors' claims that the logic
bomb they found on the servers was the cause of the network crash. "When
dealing with evidence that is incomplete or you don't know who's touched
it and when, then how can you know for certain what happened?" asked
Faulkner. "There are always multiple explanations in every case."
A root user on a Unix system is a superuser with all-encompassing
privileges. Whoever ran the code on the UBS system would need root user
rights, according to Keith Jones, the government's forensics expert, who
testified for five days. Jones is director of computer forensics and
incident response at Mandiant, a computer security consulting company.
When the government's expert testified, he said there was a clear digital
trail leading, in every case but one, directly from Duronio's home
computer into the UBS network and onto the servers where the code was
planted, exactly on the date and times when the code was planted. In the
one exception, Duronio logged in to work on the malicious code from his
workstation within the UBS facility, Jones said.
Faulkner disagreed with Jones' assessment, noting that Jones' analysis
used VPN logs, as well as logs from WTMP files, which note the time of
logins and logouts, and switch user logs, which record when users switch
over to become a root user. Faulkner called that information unreliable
because it can be edited by root, and it was designed for accounting
purposes and not for forensics examinations.
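To make concrete why an examiner cross-checks these accounting logs against each other rather than trusting any one of them, here is an added example (not from the article and not from either expert's report) that parses wtmp login records and su log lines, then flags su-to-root events that no recorded login session covers. It assumes glibc's x86_64 utmp record layout (not whatever UBS's systems used), a constructed syslog-style su line format, and constructed usernames, hosts and timestamps.

```python
import re
import struct
from datetime import datetime, timezone

# Assumed glibc x86_64 utmp layout (384 bytes); other Unix flavours lay the record out differently.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"   # type,pad,pid,line,id,user,host,exit,session,tv,addr,reserved
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8
SU_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: (\w+) to root on (\S+)$")

def _ts(s, fmt="%Y-%m-%d %H:%M:%S"):  # text timestamp (treated as UTC) -> epoch seconds
    return int(datetime.strptime(s, fmt).replace(tzinfo=timezone.utc).timestamp())
def parse_wtmp(data):
    """Return (type, user, tty, host, epoch) for each fixed-size record in a wtmp blob."""
    cstr = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
    recs = [struct.unpack_from(UTMP_FMT, data, o) for o in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE)]
    return [(f[0], cstr(f[4]), cstr(f[2]), cstr(f[5]), f[9]) for f in recs]
def login_sessions(recs):
    """Pair each login (USER_PROCESS) with the next logout (DEAD_PROCESS) on the same tty."""
    open_, sessions = {}, []
    for typ, user, tty, host, ts in recs:
        if typ == USER_PROCESS:
            open_[tty] = (user, tty, host, ts)
        elif typ == DEAD_PROCESS and tty in open_:
            sessions.append(open_.pop(tty) + (ts,))
    return sessions + [s + (None,) for s in open_.values()]  # None: still logged in at end of file
def parse_su_log(lines, year):
    """Constructed syslog-style 'su: USER to root on TTY' lines -> (user, tty, epoch)."""
    return [(m.group(2), m.group(3), _ts(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
            for m in map(SU_RE.match, lines) if m]
def unexplained_su(sessions, su_events):
    """su-to-root events that no recorded login session for that user on that tty covers."""
    return [(u, t, ts) for u, t, ts in su_events
            if not any(su == u and st == t and s <= ts and (e is None or ts <= e)
                       for su, st, _h, s, e in sessions)]
def _rec(typ, user, tty, host, ts):  # build one constructed wtmp record
    return struct.pack(UTMP_FMT, typ, 0, tty.encode(), b"", user.encode(), host.encode(),
                       0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample data: userA logged in 09:00-10:00 on pts/1, userB still logged in on pts/2.
WTMP = (_rec(USER_PROCESS, "userA", "pts/1", "10.0.0.5", _ts("2002-03-04 09:00:00"))
        + _rec(USER_PROCESS, "userB", "pts/2", "10.0.0.9", _ts("2002-03-04 09:30:00"))
        + _rec(DEAD_PROCESS, "", "pts/1", "", _ts("2002-03-04 10:00:00")))
SU_LOG = ["Mar  4 09:12:01 host1 su: userA to root on pts/1",   # inside userA's session
          "Mar  4 09:45:00 host1 su: userB to root on pts/2",   # inside userB's open session
          "Mar  4 11:30:00 host1 su: userA to root on pts/1"]   # no login on record for it

def find_gaps():  # su-to-root events the wtmp history cannot account for: a missing or edited record
    return unexplained_su(login_sessions(parse_wtmp(WTMP)), parse_su_log(SU_LOG, 2002))
```

A flagged event proves only that the two logs disagree; whether a record was edited by root, lost, or never written has to come from another source (VPN records, backups, file timestamps), which is exactly the corroboration the two experts disputed.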
Faulkner said he couldn't say who was responsible for the logic bomb
because he didn't have a complete set of backup tapes to review for the
damaged servers. While about 2,000 servers were damaged, the forensics
experts were given the backup tapes from a smaller sampling of servers,
representative of various time zones where the damage was done. Faulkner
said he would want to see the complete set.
Faulkner also said the backup tapes he received didn't cover all the
information that could have been stored on the damaged servers. It wasn't
clear how much data was on each server immediately before the network was
attacked, but the backup tapes didn't cover it all.
In contrast, Jones testified that he had been able to recover most of the
data off the backup tapes and that it gave him a clear picture of what
happened during the March 4, 2002, incident. He said the data he had to
examine gave him a clear picture of who built and distributed the code.
Jones said the attacker clearly was the person with the "rduronio"
username, and it was clearly done from inside Duronio's home. More
information would not detract from the evidence that he had already
collected, Jones said.
According to various pieces of testimony, investigators were using backup
tapes because most of the information, including all the files, had been
destroyed on the damaged servers. There wouldn't have been much
information to be gleaned off a bit-by-bit copy of a wiped-out server.
Backup tapes were also used because IT workers at UBS had spent the
first hours and/or days of the incident trying to get the servers, and
the business, back online. Those remediation efforts would have written
over data left on the servers.
But with just backup tapes to work with, Faulkner said he could only nail
the attacker's identity down to a root user.
On redirect, Chris Adams, an attorney with Walder, Hayden & Brogan and
Duronio's defense attorney, asked Faulkner, "Do you have a bottom line as
to which username is responsible for the logic bomb?"
"Root," Faulkner replied.
"Is there evidence which username, acting as root, was responsible?" Adams
"No," said Faulkner. "There are holes. There are places where logs have
been modified, or where people could log in and we wouldn't even know
But when Assistant U.S. Attorney Mauro Wolfe stood up and posed one
question on re-cross-examination, he asked Faulkner, "Bottom line...Root
did it. Roger Duronio could have acted as root?"
"Yes," said Faulkner.
One Defense Theory
While the defense has thrown out a kitchen-sink list of theories (hackers,
sniffers, forensics mishandling, investigative missteps) throughout the
trial, one that came up repeatedly on Thursday was the suggestion that
another UBS systems administrator, Charles Richards, was responsible for
Earlier testimony established that Richards worked with Duronio and was
his friend. After the March 4 attack, investigators from
@Stake, the first forensics company called in to work on the case,
analyzed Richards' UBS workstation. While reporting that they found no
criminal evidence on it, investigators did say they found a few small
strings of code related to the logic bomb in the swap space of his
computer. Swap space is where data is stored for programs running in
Faulkner testified to several documents he put together in the last few
weeks that showed what users were on the UBS system at various times when
Jones' records show that Duronio had remotely logged in to work on the
code. Richards' username, along with the usernames of many other UBS
employees, was logged in on several occasions. Once any one of them became
root, Faulkner said, it was impossible to tell which root user had built
or modified the code.
Faulkner also told the jury there was one incident where a user who had
logged in as "crichard" changed his username to "rduronio." Faulkner
didn't say when that happened--if it was before, during, or after the code
was written. But Adams pointed out that if Richards had been able to
switch usernames once, he could have done it again and masqueraded as
On cross-examination, Wolfe asked Faulkner, "In 2001, 'crichard' switched
to the user 'rduronio.' You have no idea if the person behind 'crichard'
was actually Roger Duronio, do you?"
"I don't know," Faulkner replied.
Wolfe's cross-examination focused greatly on Faulkner's background.
Faulkner has only two and a half years of forensics experience overall and
only eight or nine months of experience before starting his work on this
case. Wolfe also zeroed in on the fact that Faulkner came to no
conclusions about the attack in the analysis report that he submitted to
the defense and to the government.