X

Ex-IT worker charged with sabotage

A former UBS PaineWebber system administrator appears in federal court on charges he sabotaged the firm's computer systems in an attempt to crash the company's stock price.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
A former system administrator for UBS PaineWebber appeared in a New Jersey federal court Tuesday on charges of sabotaging two-thirds of the company's computer systems in an attempt to crash its stock price.

A two-count indictment charged 60-year-old Roger Duronio with being behind the more than $3 million in damage caused when malicious programs placed on some 1,000 of UBS PaineWebber's nearly 1,500 computers became active on March 4 and deleted files. The indictment alleges that the Bogota, N.J., resident, who had left UBS PaineWebber 10 days before the deletion of the files, would have profited if the company's stock had fallen as a result of the attack.

"Cybercrime against financial institutions is a significant issue," District Attorney Christopher J. Christie said in a statement. "Although the damage was contained in this case, the potential for catastrophic damage in other cases is always there."

Duronio posted a $1 million bond on Tuesday for his release, according to a representative of the U.S Attorney's Office for the District of New Jersey, the office prosecuting the case. Duronio's defense attorney, Justin Walder, could not be immediately reached for comment.

In a seven-page indictment, a federal grand jury charged Duronio with one count of securities fraud and one count of violating the Computer Fraud and Abuse Act.

The indictment alleges that in his role as a system administrator for UBS PaineWebber, Duronio used the company's secure network to plant "logic bombs"--destructive computer programs that are set to trigger at a specific time or as the result of a specific action--in nearly 1,000 of the company's approximately 1,500 networked computers located in 370 branch offices. The malicious program had instructions to delete all the files stored on the systems at 9:30 a.m. on every Monday in March, April and May of 2002.

Duronio had left the company on Feb. 22, 10 days before the first trigger date. He had allegedly complained repeatedly about his salary and bonuses from the company. Around the same time, Duronio purchased options to sell 31,800 shares of UBS stock at an average strike price of $42.91. Such options make money only if the stock price falls below the purchase price before the options expire. The indictment alleges that the former system administrator believed that crashing the company's systems would cause its stock price to plummet before his options expired on March 15.


News.com Special Report
Vision Series 3
20 minds on tech's future

The alleged plan in some ways resembles the Emulex fraud incident that caused that company's stock to fall by more than 50 percent.

Logic bombs have in the past been used by irate employees against their employers. In February, Timothy Allen Lloyd was sentence to 41 months in prison for leaving behind malicious programs that deleted critical data from the servers of high-tech measurement company Omega Engineering. Prosecutors in the case said the attack cost the company $10 million. Insider attacks are generally considered the most costly for companies.

The attack allegedly carried out by Duronio failed to have the desired effect, however. The attack was not made public at the time, and UBS's stock didn't fall below $45 in March 2002. On Wednesday, the stock stood at $49.34.

If found guilty, Duronio could serve as much as 20 years in prison and be subject to fines of more than $1.25 million.

Representatives of UBS PaineWebber could not be reached for comment.