Given the breadth of known vulnerabilities what sort of


Closing Case

UBS PAINEWEBBER’S BUSINESS OPERATIONS DEBILITATED BY MALICIOUS CODE

Employee (Allegedly) Planned to Crash All Computer Networks

In June 2006, a former systems administrator at UBS PaineWebber, Roger Duronio, 63, was charged with building, planting, and setting off a software logic bomb designed to crash the network. His alleged motive was to get revenge for not being paid what he thought he was worth. He designed the logic bomb to delete all the files in the host server in the central data center and in every server in every U.S. branch office. Duronio was looking to make up for some of the cash he felt he had been denied. He wanted to take home $175,000 a year. He had a base salary of $125,000 and a potential annual bonus of $50,000, but the actual bonus was $35,000.

Duronio quit his job, went to a broker within hours, and bought stock options that would only pay out if the company’s stock plunged within 11 days. By setting a short expiration date of 11 days instead of a year, the gain from any payout would be much greater. He tried to ensure a stock price crash by crippling the company’s network to rock their financial stability. His “put” options expired worthless because the bank’s national network did go down, but not UBS stock.

Discovering the Attack

In a federal court, UBS PaineWebber’s IT manager Elvira Maria Rodriguez testified that on March 4, 2002, at 9:30 A.M. when the stock market opened for the day, she saw the words cannot find on her screen at the company’s Escalation Center in Weehawken, New Jersey. She hit the enter key to see the message again, but her screen was frozen. Rodriguez was in charge of maintaining the stability of the servers in the company’s branch offices.

When the company’s servers went down that day in March 2002, about 17,000 brokers across the country were unable to make trades; the incident affected nearly 400 branch offices. Files were deleted. Backups went down within minutes of being run.
Rodriguez, who had to clean up after the logic bomb, said, “How on earth were we going to bring them all back up? How was this going to affect the company? If I had a scale of 1 to 10, this would be a 10-plus.” The prosecutor, Assistant U.S. Attorney V. Grady O’Malley, told the jury: “It took hundreds of people, thousands of man hours and millions of dollars to correct.” The system was offline for more than a day, and UBS PaineWebber (renamed UBS Wealth Management USA in 2003) spent about $3.1 million in assessing and restoring the network. The company did not report how much was lost in business downtime and disruption.

Tracking Down the Hacker

A computer forensics expert testified that Duronio’s password and user account information were used to gain remote access to the areas where the malicious code was built inside the UBS network. The U.S. Secret Service agent who had investigated the case found a hard copy of the logic bomb’s source code on the defendant’s bedroom dresser. A computer forensics investigator found electronic copies of the code on two of his four home computers.

Defense Blames UBS Security Holes

Chris Adams, Duronio’s defense attorney, offered another scenario. Adams claimed that the code was planted by someone else to be a nuisance or prank. Adams also said the UBS system had many security holes and backdoors that gave easy access to attackers. Adams told the jury:

“UBS computer security had considerable holes. There are flaws in the system that compromise the ability to determine what is and isn’t true. Does the ability to walk around in the system undetected and masquerade as someone else affect your ability to say what has happened?”

He also claimed that UBS and @Stake, the first computer forensics company to work on the incident, withheld some information from the government and even destroyed some of the evidence.
As for the stock options, Adams explained that they were neither risky bets nor part of a scheme, but rather a common investment practice.

Disaster Recovery Efforts

While trying to run a backup to get a main server up and functional, Rodriguez discovered that a line of code (MRM-r) was hanging up the system every time it ran. She renamed the command to hide it from the system and rebooted the server. This action stopped the server from deleting anything else. After testing to confirm the fix, backup tapes brought up the remaining 2,000 servers, and the line of code was deleted from each one. Restoring each server took from 30 minutes to 2 hours unless there was a complication. In those cases, restoration took up to 6 hours. UBS called in 200 IBM technicians to all the branch offices to expedite the recovery.

Many of the servers were down a day and a half, but some servers in remote locations were down for weeks. The incident impacted all the brokers who were denied access to critical applications because the servers were down.

Minimizing Residual Damages

UBS asked the judge to bar the public from Duronio’s trial to avoid “serious embarrassment” and “serious injury” to the bank and its clients and possibly reveal sensitive information about the UBS network and operations. UBS argued that documents it had provided to the court could help a criminal hack into the bank’s computer systems to destroy critical business information or to uncover confidential client information.

Duronio faced federal charges, including mail fraud, securities fraud, and computer sabotage, which carry sentences of up to 30 years in jail, $1 million in fines, and restitution for recovery costs.

Sources: Compiled from Gaudin (2006) and Whitman (2006).

Class, the UBS PaineWebber Case is an example of what can happen when an employee (or someone who has inside access) decides to harm a business. Too many news stories contain similar situations; as such, we should be aware of the potential and prepare to prevent or mitigate adverse effects.

Questions

1. Do you agree with the defense lawyer's argument that anyone could have planted the logic bomb because UBS's computer security had considerable holes?

2. Given the breadth of known vulnerabilities, what sort of impact will any set of security standards have on the rise of cyber attacks?
