160 likes | 413 Views
Jamie Lyle (Cpsc 620) December 6, 2007. Logic Bombs: A closer look. Overview. Logic Bombs The story of Roger Duronio and UBS PaineWebber Defenses against logic bombs. Definition. Malicious program designed to violate security policy when some outside criteria is met.
E N D
Jamie Lyle (Cpsc 620) December 6, 2007 Logic Bombs: A closer look
Overview • Logic Bombs • The story of Roger Duronio and UBS PaineWebber • Defenses against logic bombs
Definition • Malicious program designed to violate security policy when some outside criteria is met
Example external critera • Certain amount of time passes without an event happening • Check of a database reveals a certain state • Just a certain time • Lack of deactivation • Any combination you can think of
Roger Duronio - the story • Systems administrator at UBS PaineWebber in New Jersey • Dissatisfied with wages and bonuses • Resigned Feb. 22, 2002
UBS PaineWebber – the story • March 4, 2002 • Servers went down • Backups were unavailable • Files were lost • Over 400 branch offices around the nation were affected
The Bomb - the story • Logic bomb had been installed on 2/3 of the company’s 1,500 machines • Purpose: to delete all the files in the host server in the central data centre and then every server in every branch • Estimated $3.1 million in damage from the attack
Back to Roger – the story • Duronio’s user account used to develop and install the crippling logic bomb • Direct link between Duronio’s home computer and the creation of the bomb • Follow the money
Still Roger – the story • Went to his broker’s office, fuming to get even • Purchased $23,000 worth of stock options in UBS PaineWebber • Stood to gain a lot of money if the stock dropped
UBS PaineWebber – the story • Managed to keep news of the successful attack from spreading • Stock prices didn’t drop
Conclusion of the story • July 2006 • Duronio denies all charges • Accuses UBS PaineWebber and its investigators of destroying evidence • Jury found Duronio guilty of one count of securities fraud and one count of computer fraud
Conclusion of the story • Sentenced to 97 months in prison • $3.1 million in restitution to UBS PaineWebber
Defenses • Hire the right people and treat them right • Technologies also available • Monitoring programs • Network surveillance programs • Properly enforced policies and procedures on software development • Proper backups for recovery
Wrap up • It’s hard to stop a determined individual who has access to the system. • Any Questions?