Ex-UBS Systems Admin Sentenced To 97 Months InJail

Roger Duronio was found guilty of computer sabotage andsecurities fraud for writing, planting, and disseminating maliciouscode that took down up to 2,000 servers. The former systemsadministrator convicted this past summer of launching an attack onUBS PaineWebber four years ago was sentenced to 97 months in jailin U.S. District Court in Newark, N.J., on Wednesday. RogerDuronio, 63, of Bogota, N.J., stood quietly and didn't react asJudge Joseph Greenaway Jr. handed down the sentence. "This is asophisticated crime," said the judge. "This wasn't an instance whenan individual argues that 'I had a bad day and I made a mistake.'Its undoubtedly that Mr. Duronio, having felt wronged, came up withan elaborate, sophisticated scheme to take down a company." JudgeGreeaway added that he was struck by Duronio's attempt to not onlydisrupt the company but to derive financial benefit from it.

Duronio was found guilty of computer sabotage and securitiesfraud for writing, planting, and disseminating malicious code -- aso-called logic bomb -- that took down up to 2,000 servers in bothUBS PaineWebber's central data center in Weehawken, N.J., and inbranch offices around the country. The attack left the financialgiant's traders unable to make trades, the lifeblood of thecompany, for a day in some offices and for several weeks inothers.

Executives at UBS, which was renamed UBS Wealth Management USAin 2003, never reported the cost of lost business, but did say theattack cost the company more than $3.1 million to get the systemback up and running. "If it doesn't send a message, people aren'tlistening," said Assistant U.S. Attorney V. Grady O'Malley, aprosecutor on the case. "If giving the maximum for this crimedoesn't send a message to people with the ability to commit a crimeand to the people who employ them, they're not paying attention.The potential for the impact of an insider is uncalculable."

In his first statement in open court, Duronio called himself asimple man who led a simple, productive life. "In theJudeo-Christian way of looking at things the just thing to do wouldbe to be merciful. I hope to have the opportunity to keep makingcontributions." UBS was hit on March 4, 2002, at 9:30 in themorning, just as the stock market opened for the day. Elvira MariaRodriguez, an IT manager in charge of maintaining the stability ofthe servers in the branch offices, testified during the trial thatshe was working when the servers began to go down. She told thecourt that she heard her computer beep, saw the words "cannot find"on the screen, and then her system froze. Then she glanced at herphone, which generally might have two or three lights flashing, andsaw that 60 calls had come in at once. That happened when 17,000brokers suddenly discovered they were unable to make trades.

Rodriguez also testified that UBS is still suffering damage fouryears after the attack. Some of the information on theapproximately 2,000 Unix-based servers in the home office and the370 branch offices that were hit by the malicious code was neverfully restored. "I don't believe we were ever back to that point,"said Rodriguez during the trial. "We were always having issues withthese large-scale servers [after the attack]. We never had theluxury to focus on completely going over all the servers. We justdidn't have the time."

Duronio worked at UBS as a systems administrator until he quit afew weeks before the attack. Witnesses testified that he quitbecause he was angry he didn't receive as large an annual bonus ashe expected. The government argued that Duronio wasn't just lookingto cause trouble for UBS, he also was looking to cash in. Duroniobuilt and planted the time bomb ahead of time and then bought stockoptions -- using money that he got cashing out his and his wife's$20,000 IRA -- that would only pay out if the company's stock tooka dive within 11 days. By laying out a short expiration date -- 11days instead of maybe a year or two -- the gain from any payoutwould be much greater.

Prosecutors argued that Duronio planned on making sure thatthat's exactly what would happen by crippling the company'snetwork. During the investigation, U.S. Secret Service agents foundcopies of the malicious code on two of Duronio's home computers andon a printout sitting on his bedroom dresser. Keith Jones, thegovernment's expert witness and a 10-year forensics professional,spent more than three years analyzing backup tapes, logs, andsource code from UBS's network. Jones testified during the trialthat he not only found the malicious code, but he also linked itdirectly back to Duronio's home computer.

The defense argued that the UBS network was riddled withsecurity holes that would have allowed any number of people tomasquerade as Duronio and move around the network unnoticed. Theyalso argued that the evidence available -- in the form of backuptapes for the damaged servers -- was incomplete, leaving holes inthe picture of what happened in the months before the securityincident. The jury deliberated for 20 hours before delivering theverdict, which included an acquittal on two charges of mailfraud.

Duronio was ordered to make restitution, but it is unlikely thatUBS will ever get the $3.1 million they paid out in cleanup costs.Duronio also was banned from working as a systems administrator,network administrator, or computer consultant. He will report tothe prison system in about 45 days.

UBS Trial Puts Insider Security Threats At CenterStage

Chaos After the Attack

What's beyond dispute are the problems caused by the attack, andthe trial offers a rare glimpse into an IT team in full crisismode. Rodriguez, who was in charge of maintaining the stability ofthe branch servers, got on a conference call that night with someof the 200 IBM tech workers who immediately were sent to thecompany's branch offices. Rodriguez didn't go to bed that night;she stayed on the conference call the rest of the night. She hadplenty of company. Rajeev Khanna, manager for UBS's Unix systemsgroup at the time of the attack, also didn't go home the night ofMarch 4, 2002. Khanna, who oversaw the recovery process, didn't gohome for three days, as his team redirected 400 to 500 UBSworkers--application developers, project managers, systemsadministrators, and database administrators--from their normal jobsto work on the restoration.

"The most important thing was for users to be able to log in totheir desktops," he testified. "They couldn't log in. They couldn'tdo the work they do on a daily basis, in terms of pulling data ontheir clients, making trades, and checking market data." Theproblem wasn't just downed servers. There was mounting chaos in thedata center and the Escalation Center, as system administrators andother IT workers flooded in, yelling out questions and suggestions.A room where six or seven people usually work teemed with 20 or 30by midmorning. By noon, 50 people were working on the downednetwork, and just an hour later, hundreds were involved across thecountry.

The problem led to a grim annual ritual for the IT team. Toavoid a repeat of the incident, for the next two- or three-yearsRodriguez prepared to fend off a similar attack before every March4--taking critical servers offline so that if any malicious codestill lurked on the network, at least those servers wouldn't beaffected. "We had to make sure there was no more business impact,"she said.

Beware the Inside Job

Computer attacks by insiders, even by IT professionals, aren'tuncommon. With only slight variation from year to year, inside jobsoccur as frequently as highly publicized external attacks. Insiderscan be more dangerous because of their access privileges andbecause they're not suspected. "Your system administrators have alot of power because it's part of the job," says Burton Groupanalyst Eric Maiwald. "You have some general expectation thatthey're not trying to cause you harm. If you put too many controlson them, they can't do their jobs.'' Put too few, however, and manysleepless nights may lie ahead.

Question: What were the issues with the UBSresponse?