By Sharon Gaudin
Dec 13, 2006
The former systems administrator convicted this past summer of launching
an attack on UBS PaineWebber four years ago was sentenced to 97 months
in jail in U.S. District Court in Newark, N.J., on Wednesday.
Roger Duronio, 63, of Bogota, N.J., stood quietly and didn't react as
Judge Joseph Greenaway Jr. handed down the sentence. "This is a
sophisticated crime," said the judge. "This wasn't an instance when an
individual argues that 'I had a bad day and I made a mistake.' Its
undoubtedly that Mr. Duronio, having felt wronged, came up with an
elaborate, sophisticated scheme to take down a company." Judge Greeaway
added that he was struck by Duronio's attempt to not only disrupt the
company but to derive financial benefit from it.
Duronio was found guilty of computer sabotage and securities fraud for
writing, planting, and disseminating malicious code -- a so-called logic
bomb -- that took down up to 2,000 servers in both UBS PaineWebber's
central data center in Weehawken, N.J., and in branch offices around the
country. The attack left the financial giant's traders unable to make
trades, the lifeblood of the company, for a day in some offices and for
several weeks in others.
Executives at UBS, which was renamed UBS Wealth Management USA in 2003,
never reported the cost of lost business, but did say the attack cost
the company more than $3.1 million to get the system back up and
"If it doesn't send a message, people aren't listening," said Assistant
U.S. Attorney V. Grady O'Malley, a prosecutor on the case. "If giving
the maximum for this crime doesn't send a message to people with the
ability to commit a crime and to the people who employ them, they're not
paying attention. The potential for the impact of an insider is
In his first statement in open court, Duronio called himself a simple
man who lead a simple, productive life. "In the Judeo-Christian way of
looking at things the just thing to do would be to be merciful. I hope
to have the opportunity to keep making contributions." UBS was hit on
March 4, 2002, at 9:30 in the morning, just as the stock market opened
for the day. Elvira Maria Rodriguez, an IT manager in charge of
maintaining the stability of the servers in the branch offices,
testified during the trial that she was working when the servers began
to go down. She told the court that she heard her computer beep, saw the
words "cannot find" on the screen, and then her system froze. Then she
glanced at her phone, which generally might have two or three lights
flashing, and saw that 60 calls had come in at once.
That happened when 17,000 brokers suddenly discovered they were unable
to make trades.
Rodriguez also testified that UBS is still suffering damage four years
after the attack. Some of the information on the approximately 2,000
Unix-based servers in the home office and the 370 branch offices that
were hit by the malicious code was never fully restored.
"I don't believe we were ever back to that point," said Rodriguez during
the trial. "We were always having issues with these large-scale servers
[after the attack]. We never had the luxury to focus on completely going
over all the servers. We just didn't have the time."
Duronio worked at UBS as a systems administrator until he quit a few
weeks before the attack. Witnesses testified that he quit because he was
angry he didn't receive as large an annual bonus as he expected. The
government argued that Duronio wasn't just looking to cause trouble for
UBS, he also was looking to cash in. Duronio built and planted the time
bomb ahead of time and then bought stock options -- using money that he
got cashing out his and his wife's $20,000 IRA -- that would only pay
out if the company's stock took a dive within 11 days. By laying out a
short expiration date -- 11 days instead of maybe a year or two -- the
gain from any payout would be much greater.
Prosecutors argued that Duronio planned on making sure that that's
exactly what would happen by crippling the company's network.
During the investigation, U.S. Secret Service agents found copies of the
malicious code on two of Duronio's home computers and on a printout
sitting on his bedroom dresser.
Keith Jones, the government's expert witness and a 10-year forensics
professional, spent more than three years analyzing backup tapes, logs,
and source code from UBS's network. Jones testified during the trial
that he not only found the malicious code, but he also linked it
directly back to Duronio's home computer.
The defense argued that the UBS network was riddled with security holes
that would have allowed any number of people to masquerade as Duronio
and move around the network unnoticed. They also argued that the
evidence available -- in the form of backup tapes for the damaged
servers -- was incomplete, leaving holes in the picture of what happened
in the months before the security incident. The jury deliberated for 20
hours before delivering the verdict, which included an acquittal on two
charges of mail fraud.
Duronio was ordered to make restitution, but it is unlikely that UBS
will ever get the $3.1 million they paid out in cleanup costs. Duronio
also was banned from working as a systems administrator, network
administrator, or computer consultant. He will report to the prison
system in about 45 days.
Subscribe to InfoSec News