From: InfoSec News (alertsinfosecnews.org)
Date: Thu Jul 13 2006 - 03:16:25 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.informationweek.com/security/showArticle.jhtml?articleID=190302340

By Sharon Gaudin
InformationWeek
July 12, 2006

NEWARK, N.J. -- After six weeks of trial, the UBS computer sabotage case
went to the jury Tuesday, but not before the defense, in its closing
arguments, charged that government investigators planted evidence, relied
on "polluted" evidence, and ignored evidence contrary to its case, in an
effort to frame the defendent, a former systems administrator for UBS
PaineWebber.

Few of the government's witnesses escaped unscathed from defense attorney
Chris Adams' attacks in his two-hour closing here in U.S. District Court.

But then the government's lead prosecutor, who gave his closing argument
on Monday, came back in a rebuttal closing, and told the jury that the
defense's arguments were a last-minute effort at a red herring.

To believe Adams' argument, said Assistant U.S. Attorney Mauro Wolfe, the
jurors would have to believe in the existence of a massive, multilayered
conspiracy between several private companies and law enforcement agencies,
all focused on framing Roger Duronio.

Duronio, 63, of Bogota, N.J., is standing trial on federal charges in
connection with the March 4, 2002, attack on UBS PaineWebber that took
down nearly 2,000 servers and crippled some branch offices for up to
several weeks. He is accused of computer sabotage, securities fraud and
mail fraud.

On Tuesday morning, Adams came out swinging in his close.

"This is the quintessential example of hammering that square peg into a
round hole, no matter how many times you tell them it's the wrong peg,"
said Adams, who is with Walder, Hayden & Brogan in Roseland, N.J. "You
have to decide if this is out of control. I ask you to reject these
charges as a matter of conscience."

Early on in his closing, Adams turned the full force of his attacks on
Keith Jones, the government's star witness and forensics investigator. The
defense attorney called Jones an unfair, biased man with an agenda that
focused on pushing the government's case forward without regard to the
evidence. "You remember his demeanor when I asked him questions?" Adams
asked of the jury. "Remember when asked if there was anything in the world
that would change his mind and he said no? ... Is that an indication of an
expert who's open-minded? Or is that the indication of an expert with an
agenda?"

Adams mocked Jones' assertion during part of his direct examination that
whoever built and planted the malicious code at the heart of the attack
had to have a password for several different operations to pull it off.
The defense attorney pointed out that there was only one password for
everything.

"These are all different doors, and you'd have to know where they are, and
you'd have to have a key," Adams said. "It sounds complicated. But did
[Jones] bother to check that there's one key to all these doors? Did he
care? ... Not only do you get into the Unix world with the same key, but
you get into the VPN with the same key. You get into the [main host
server] with the same key and the dev servers with the same key. But don't
bother him with that."

Adams added: "There's no one you met in this trial who's less open minded,
who has more of an agenda." Adams accused Jones of having a vested
interest in pushing this case through because he's a part owner of his
company, Mandiant. "Everything he did said, 'Don't bother me with that.
I've made up my mind.' "

A Setup

While Adams quickly described UBS's network security weaknesses, he spent
a great deal of time telling the jury that the company actually was
manufacturing a case against Duronio.

The defense attorney noted that a lot of the evidence came directly from
UBS, that UBS had allegedly withheld information from the defense, and
that UBS also got rid of what Adams called key pieces of
evidence--workstations that had belonged to two other systems
administrators, Charles Richards and William Robertson. Both men had been
briefly interviewed about the March 4, 2002, attack. While no criminal
evidence was found connected to either, both were put on leave and then
let go from UBS the next year. Both men were said to be friends with
Duronio.

"What's the common thread of what was withheld, destroyed, or avoided?"
Adams asked. "Charles Richards and UBS. ... Why do that? Why the secrecy?"

Adams stayed with the Richards line of attack for a good part of his
closing. It was a theme he had revisited time and again throughout the
trial, saying that Richards had the knowledge to do the attack and he had
access to the system. Two small strings of the malicious code were found
in the swap space of Richards' workstation but investigators said there
were legitimate reasons it could have gotten there since Richards had
worked on bringing the system back up after the attack. There was no
evidence produced that the man had done anything criminal.

But Adams has said there's more to the Richards story than UBS or the
government is telling. And he suggested that they covered up that
information to keep the case pointing at his client, Duronio. "What do
they not want you to know about Charles Richards?" he asked the jury
Tuesday.

The defense attorney also attacked Gerard Speziale, who worked as a
financial adviser for UBS at the time of the attack. Speziale had
testified about Duronio buying puts against UBS on a few different days,
but particularly on the day that Duronio quit his job. Speziale had told
the jury that Duronio told him that he was so angry at the company that
"God only knew what he would do." But, later, during cross-examination,
Speziale said he wasn't quoting Duronio verbatim.

Adams also criticized Stake, a forensics company called in after the
March 2002 incident. to investigate the downed servers. Karl Kasper, a
former member of a well-known hacker think tank, headed up the
investigation that had Stake reviewing the digital wreckage and
collecting backup tapes and other evidence for UBS and the government. All
through the trial, Adams has questioned Kasper's involvement, saying that
he tainted every piece of evidence he touched because he was a hacker.

"Stake kept evidence, and Stake chose what evidence to give to the
government," said Adams. "The evidence was polluted."

And then Adams charged that Gregory O'Neil, the U.S. Secret Service agent
in charge of the criminal investigation, knew that he was dealing with a
hacker--someone Adams called unreliable and untrustworthy--but that O'Neil
simply didn't care.

But he didn't stop there with O'Neil, who also was in charge of the search
of Duronio's home where investigators found a printout of the malicious
code in Duronio's bedroom, as well as the code in files in two of his home
computers.

Adams told the jury they should consider that the Secret Service only
found the code on Duronio's computers once they had removed the computers
from the house and searched them back in their office. "Only after that
point in time, do we know that code was found on Mr. Duronio's home
computers. Only then," he said.

As for the hard copy of the code found on Duronio's dresser, Adams
suggested the Secret Service agents also had something to do with getting
it there.

"Where did the document come from, and how did it get there?" Adams asked
the jury. "Was the document tested to see if it came from a home computer?
They didn't. Did they test who doodled on the paper?"

And Adams also questioned how agents were able to take special note of
this document with code on it when there were many papers with code taken
from the house. O'Neil had testified that while he and the other agents
had not seen a copy of the malicious code, this paper stood out because it
was on the bedroom dresser and not in an office area. The paper also drew
their attention because it contained the letters "mrm," which had been
identified as part of the logic bomb.

"Not one other document was singled out like that. Not one," said Adams.
"How on earth would anyone know what they're looking for without a copy.
How? Those people had to have had a copy of it. They had to have had."

A Line In The Sand

When Assistant U.S. Attorney Wolfe stood up to deliver the government's
rebuttal closing, he dragged his foot across the floor and told the jury
that the defense had drawn a line in the sand.

"He said this is planted evidence," said Wolfe, holding up the printout of
the code. "You'd have to believe the government planted the logic bomb
code that Greg O'Neil testified to finding in Roger Duronio's home, on the
dresser, in the bedroom. It isn't enough for the defense to argue the
government's got it wrong. No, they said the government planted evidence."

That means, said Wolfe, that every witness the government put on the stand
lied, and they fabricated evidence. And they did it all for one
purpose--to get Duronio. "That's the line in the sand. And the question
is, do you believe it?" he asked the jury.

Wolfe pointed out that for the defense's theory to work, UBS, Jones, the
Secret Service and the government's prosecutors, all would have to be
involved in covering up information to protect Richards and to sink
Duronio.

"All of these players, entities and corporations all have to be dedicated
to one operation--a massive case to fabricate evidence against Roger
Duronio," he said. "Look at defense council's opening statement. Where did
he say that the government planted evidence? Why did the defense wait
until the last day, the last minute to throw this out there? It makes a
good story but it's not the evidence in this case.

"This, ladies and gentlemen," said Wolfe, holding up the hard copy of the
code, "this is the evidence."

_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]