Given the ongoing investigation at Fannie Mae, it seems appropriate to start waxing philosophical a bit on some recent evolutionary changes in the digital forensics world. While it is true a majority of forensics cases revolve around suspected wrongdoing involving a computer (e.g. fraud), using computers and code as weapons themselves crosses into the realm of information warfare. Yet forensic analysts and incident response experts will have to continue to straddle both of these realms in the new millennium, as both fields continue to evolve and, in many respects, converge. I have seen the devastating results of logic bomb "detonation" up close, and I can assure everyone that carefully prepared information weapons are far more damaging than almost any single Trojan, spyware infection, phishing attack, or virus outbreak one might encounter. This makes it all the more important for our community to be able to understand, identify, isolate, and yes, in some cases maybe even disarm such automatons. In most cases, however, our role will probably be to respond, assess, and report on the damage and determine its cause.

Before anyone dismisses this as a fancy "blue sky" exercise or pontification of FUD, simply consider the case of Roger Duronio of New Jersey. As those were my days in private investigation, I had the humbling opportunity to be intimately involved in this case. In a stunning act of malicious insider sabotage and with both vengeful and financial motives, Roger brought a financial behemoth to its knees on March 4th, 2002.

The situation was eerily similar to the Fannie Mae near-disaster, the only difference being that Roger's device detonated on time and caused unbelievable financial losses in the blink of an eye (around 3 million dollars to regain functionality), followed by incidental losses over the course of years which were never reported by UBS/PW (I'm sure some folks here could guesstimate the final bill). Forensic analysts from multiple agencies and institutions became involved, and my task was to review the weight of the state's pending case as well as Roger's potential defense. I had a chance to review the source code of Roger's logic bomb and the hard drives affected by it.

The weapon was simple and elegant (a KISS practitioner would have been proud), contained around 50 lines of C code, and had the benefit of a flawless delivery system (rsync or something similar) to distribute it. The code's simplicity allowed one to clearly see why it was dangerous: a single, lethal system command (rm) wrapped tightly, like a digital pipe bomb, in a short series of nested loops. With the standard recursive option set (-r) and the failsafe disabled (-f), it was pointed at the UNIX root ("/"), the heart of the file system. With significantly privileged access to a vast majority of the UBS Paine Webber financial network, Roger used a series of work and personal systems to distribute and then hide several thousand copies of his sabotage device on a cold winter's night in 2001, just before the New Year, while most of the UBS/PW IT staff was out enjoying the company holidays. For months the nested loops on these devices cycled, first through a month counter, a day counter, an hour counter, and finally a minute counter, ever closer to the 3/4/02 9:30am ET trigger date when those thousands of payloads executed simultaneously. The effect on UBS/PW was, borrowing the words of General Curtis LeMay, to "bomb them into the Stone Age".
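The structure described above (a recursive, forced rm aimed at "/" behind a clock-watching loop) is the kind of thing a code-review or forensic triage pass can look for mechanically. The following is an added example, not code from the original post and not the code from the Duronio case: a small heuristic scanner that flags rm invocations targeting the filesystem root and raises the severity when a time or date check appears within a few lines before the call. The function and class names (`scan`, `Finding`, `_parse_rm`), the regular expressions, and the three sample snippets are all constructed for this illustration.

```python
"""Heuristic triage scanner for time-triggered, root-targeted rm calls.

Added example (hypothetical helper names); the sample inputs below are
constructed and are not the code recovered in any real investigation.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Clock-polling constructs that commonly gate a time trigger (C and shell).
TIME_TRIGGER = re.compile(
    r"tm_mon|tm_mday|tm_hour|tm_min|localtime|strftime|date\s*\+%|\btime\s*\("
)
# 'rm' followed by its argument list, stopping at a statement/quote boundary.
RM_CALL = re.compile(r"\brm\b((?:\s+[^\s;|&)\"']+|\s+\"[^\"]*\"|\s+'[^']*')*)")
ROOT_TARGETS = {"/", "/*"}


@dataclass
class Finding:
    line_no: int
    severity: str   # "high" when a clock check precedes the call, else "medium"
    text: str


def _parse_rm(arg_text: str) -> Tuple[Set[str], List[str]]:
    """Split the text after 'rm' into single-letter flags and path targets."""
    flags: Set[str] = set()
    targets: List[str] = []
    for tok in arg_text.split():
        tok = tok.strip("\"'")
        if tok == "--recursive":
            flags.add("r")
        elif tok == "--force":
            flags.add("f")
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            flags.update(tok[1:].lower())      # -rf, -Rf, -fr all normalise to {r, f}
        elif tok:
            targets.append(tok)
    return flags, targets


def scan(source: str, window: int = 8) -> List[Finding]:
    """Return findings for recursive rm calls aimed at '/' in the given text.

    A finding is 'high' when a time/date check occurs within `window` lines
    before the call (the logic-bomb shape), otherwise 'medium'.
    """
    lines = source.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines, start=1):
        for match in RM_CALL.finditer(line):
            flags, targets = _parse_rm(match.group(1))
            if "r" not in flags or not (set(targets) & ROOT_TARGETS):
                continue    # ordinary rm: not recursive, or not aimed at the root
            context = "\n".join(lines[max(0, idx - 1 - window):idx])
            severity = "high" if TIME_TRIGGER.search(context) else "medium"
            findings.append(Finding(idx, severity, line.strip()))
    return findings


# --- Constructed samples (illustrative fragments, not real case material) ---
SUSPICIOUS_C = """\
struct tm *t = localtime(&now);          /* poll the clock */
if (t->tm_mon == 2 && t->tm_mday == 4 && t->tm_hour == 9 && t->tm_min == 30)
    system("rm -rf /");                  /* recursive, forced, rooted at "/" */
"""

BENIGN_SH = """\
# nightly cleanup of a date-stamped build cache: recursive, but not root-targeted
stamp=$(date +%Y%m%d)
rm -rf /var/tmp/build-cache-"$stamp"
"""

UNTRIGGERED = """\
echo "decommissioning host"
rm -rf /
"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_C), ("benign", BENIGN_SH),
                       ("untriggered", UNTRIGGERED)):
        print(name, [(f.line_no, f.severity) for f in scan(text)])
```

The check is deliberately narrow: it models the shape this post describes (a clock test gating a recursive, forced removal of "/") rather than trying to recognise every destructive payload, so a review still needs to cover scheduled jobs and any distribution mechanism such as rsync separately. The benign sample shows why the root-target condition matters: a date-stamped cleanup of a cache directory is recursive and clock-dependent, yet produces no finding.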