Logic Bombs: A closer look

Jamie Lyle (Cpsc 620) December 6, 2007
Overview
• Logic Bombs
• The story of Roger Duronio and UBS PaineWebber
• Defenses against logic bombs
Definition
• Malicious program designed to violate security policy when some outside criterion is met
Example external criteria
• Certain amount of time passes without an event happening
• Check of a database reveals a certain state
• Just a certain time
• Lack of deactivation
• Any combination you can think of
Roger Duronio - the story
• Systems administrator at UBS PaineWebber in New Jersey
• Dissatisfied with wages and bonuses
• Resigned Feb. 22, 2002
UBS PaineWebber – the story
• March 4, 2002
• Servers went down
• Backups were unavailable
• Files were lost
• Over 400 branch offices around the nation were affected
The Bomb - the story
• Logic bomb had been installed on 2/3 of the company’s 1,500 machines
• Purpose: to delete all the files in the host server in the central data centre and then every server in every branch
• Estimated $3.1 million in damage from the attack
Back to Roger – the story
• Duronio’s user account used to develop and install the crippling logic bomb
• Direct link between Duronio’s home computer and the creation of the bomb
• Follow the money
Still Roger – the story
• Went to his broker’s office, fuming to get even
• Purchased $23,000 worth of stock options in UBS PaineWebber
• Stood to gain a lot of money if the stock dropped
UBS PaineWebber – the story
• Managed to keep news of the successful attack from spreading
• Stock prices didn’t drop
Conclusion of the story
• July 2006
• Duronio denies all charges
• Accuses UBS PaineWebber and its investigators of destroying evidence
• Jury found Duronio guilty of one count of securities fraud and one count of computer fraud
Conclusion of the story
• Sentenced to 97 months in prison
• $3.1 million in restitution to UBS PaineWebber
Defenses
• Hire the right people and treat them right
• Technologies also available
    • Monitoring programs
    • Network surveillance programs
• Properly enforced policies and procedures on software development
• Proper backups for recovery
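
One way to implement the "monitoring programs" defense, as an added example that is not part of the original slides: hash the scripts in each host's scheduled-job and startup directories and compare them with a manifest approved through change control, so a script pushed outside that process shows up as a deviation. The function names, the manifest format and the sample hosts and hashes are assumptions made for illustration.

```python
import hashlib
import os

def sha256_file(path):
    """Hash a file in chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map every file under root (by relative path) to its SHA-256."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            # Record a symlink's target rather than following it off-tree.
            found[rel] = ("symlink:" + os.readlink(full)
                          if os.path.islink(full) else sha256_file(full))
    return found

def audit(approved, observed):
    """Compare one host's snapshot with the change-controlled manifest."""
    findings = []
    for path, digest in sorted(observed.items()):
        if path not in approved:
            findings.append(("unapproved", path))
        elif approved[path] != digest:
            findings.append(("modified", path))
    for path in sorted(set(approved) - set(observed)):
        findings.append(("missing", path))
    return findings

def audit_fleet(approved, snapshots):
    """Return {host: findings} for hosts that deviate from the manifest."""
    report = {host: audit(approved, seen) for host, seen in snapshots.items()}
    return {host: f for host, f in report.items() if f}

if __name__ == "__main__":
    # Constructed sample: hypothetical manifest and two host snapshots.
    approved = {"cron.d/backup": "aa11", "rc.local": "bb22"}
    fleet = {
        "branch-01": {"cron.d/backup": "aa11", "rc.local": "bb22"},
        "branch-02": {"cron.d/backup": "aa11", "rc.local": "cc33",
                      "cron.d/cleanup": "dd44"},
    }
    for host, findings in audit_fleet(approved, fleet).items():
        print(host, findings)
```

The manifest and the comparison should live on a system the administrators being monitored cannot modify; otherwise the check can be updated along with the script.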
Wrap up
• It’s hard to stop a determined individual who has access to the system.
• Any Questions?