Things to do in Jersey When You’re Disgruntled

Dave G. | December 21st, 2006 | Filed Under: Industry Punditry

New Jersey doesn’t just grow amazing tomatoes, it also grows the most logic bombingest disgruntled admins in the USA (*). Today, the DOJ announced the arrest and indictment of Yung-Hsun “Andy” Lin. He is the third NJ disgruntled system administrator in 4 years who has tried to attack his employer via a logic bomb.

(*) This is not a fact-checked statement.

The short story is that Mr. Lin wrote a logic bomb that was set to delete lots of business critical data (and more) on his birthday. Originally, the motivation was that he might get laid off. After he survived the layoffs, he didn’t remove the logic bomb, but eventually changed the date to go off one year later. Another admin found the destructive code and alerted the information security team. Let’s look at the timeline (I culled this from the indictment):

Medco Timeline

There are a couple of interesting parts about this timeline.

  1. Start of planning to indictment/arrest was 3 years.
  2. The malicious logic bomb sat in production for over a year, undetected and unreported.
  3. Detection to indictment was almost 2 years.

Point #2 is relevant for the rootkit discussion. This logic bomb sat in production for a year, hiding in a shell script, not in a hypervisor or kernel memory.

7 Comments so far

  • Chris R.

    December 21st, 2006 8:57 am

    I am originally from NJ, and I can tell you we have a lot more than tomatoes and disgruntled sys admins. Like the parkway, and uhhhh the turnpike, let's see what else, nevermind. The problem here is the human. And no security technology is going to outsmart that. This guy had legal, local authorized access to those systems, there's not much you can do about it if this guy was trusted at the time of code insertion. It's just a risk you take when you hire someone for the job.

  • wpn

    December 21st, 2006 10:39 am

    If it’s a trusted insider, the badness is ALL in the context. Are you going to try to detect and examine every instance of “rm -rf *” in every script in every directory on every one of your thousands of servers? And do it on a regular basis?

    This is a case where you have to manage the threats, not the vulnerabilities.

  • Chris

    December 21st, 2006 11:56 am

    @wpn:

    Trust isn’t binary.

    In an industry like Medco’s, I would expect something as simple as Tripwire to be used, or at least they could port BSD’s /etc/security shell script to HP-UX and email the output to a PHB. It would have caught the apparent mod to root’s crontab.

  • Dan Moniz

    December 21st, 2006 12:54 pm

    Who were the other two admins with similar indictments brought against them the last four years? Color me interested.

  • Anonymous Because I Need My Job

    December 21st, 2006 7:39 pm

    As a contract Unix Security Ops shell script/programming monkey for one of the major credit card companies, I can say hands down… this type of thing is more common than I would ever have imagined. I regularly clean up suspicious and outright malicious code found in in-house developed C, SH, and Perl. And that’s just the stuff *I* work on.

    The worst is that I used to bring it to the attention of my management. But they pretty much shrugged it off. I “just fix it” now and go on about my business.

  • Dave G.

    December 22nd, 2006 12:52 am

    @dan:

    Ooops… 3 in 5 years…

    The New Jersey district has made three such prosecutions in five years, according to a press release. Just last week, 63-year-old Roger Duronio, a former systems administrator for UBS PaineWebber, landed a 97-month prison sentence after being convicted of placing malicious code on some 1,000 corporate computers, triggering more than $3 million in damage.

    In 2002, Timothy Allen Lloyd was sentenced to 41 months in prison after a Newark, N.J., jury convicted him of devising a “time bomb” that deleted programs on servers at the high-tech measurement company Omega Engineering. Prosecutors said that activity, which occurred 20 days after Lloyd’s departure from the company, cost the company $10 million.

  • dragonfrog

    December 22nd, 2006 4:12 pm

    @ Chris

    If the guy was the sysadmin, he’d just have to wait until he had a legitimate need to edit a boot script, and then make both the legit changes and the malicious ones.

    Even if someone was diligent enough to go through logs of when the Tripwire signatures are updated, every change would correlate nicely with a documented change. You’d have to keep full diffs on every major system file, and actually audit the diffs.

    And a clever mind could probably write the changes in such a way as to hide from casual diff analysis - find an existing rm -rf and change the conditions surrounding it, for example.

    There was a really nice example, I wish I could turn up references now, of hiding evil changes in diffs. I suppose it’s best considered apocryphal until someone can document it one way or another:

    Cable or satellite companies gradually made a long series of innocuous-looking changes to their signal scrambling; the folks that were ‘stealing’ signal made the most obvious changes to adapt each time. The trick was that the cable companies maneuvered the modders into building a backdoor into their own equipment. Finally, they sent out a signal that would leave legit cable boxes intact, but turn the modded ones into bricks.
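Putting Chris's Tripwire-style suggestion and dragonfrog's point about auditing the actual diffs together, here is an added example (not part of the original post or its comments): a POSIX sh integrity check that keeps baseline copies of watched files such as root's crontab and cron-run scripts, reports a unified diff of every change, and flags a changed script that pairs a recursive delete with a date test, which is the shape the Medco script took. The watched directory, file names and the sample malicious line are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Minimal file-integrity
# check in the spirit of Tripwire / BSD's /etc/security: baseline copies of
# watched files, a diff of every change, and a reviewer heuristic for the
# changed files. Assumes POSIX sh, cmp, diff, grep -E and mktemp.
set -u

baseline_init() {     # baseline_init WATCHDIR STATEDIR
    mkdir -p "$2/copies"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$2/copies/$(basename "$f")"
    done
}

# Prints NEW/CHANGED lines plus a unified diff; returns 1 if anything differs.
integrity_check() {   # integrity_check WATCHDIR STATEDIR
    changed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        old="$2/copies/$(basename "$f")"
        if [ ! -f "$old" ]; then
            echo "NEW: $f"; changed=1
        elif ! cmp -s "$old" "$f"; then
            echo "CHANGED: $f"; diff -u "$old" "$f" || true; changed=1
        fi
    done
    return $changed
}

# Reviewer heuristic: a recursive rm in a script that also consults the
# clock deserves a human look. Returns 0 (true) when both patterns occur.
flag_time_gated_delete() {   # flag_time_gated_delete FILE
    grep -Eq 'rm[[:space:]]+-[a-zA-Z]*(r[a-zA-Z]*f|f[a-zA-Z]*r)' "$1" &&
    grep -Eq '(^|[^[:alnum:]_])date([^[:alnum:]_]|$)' "$1"
}

# Self-contained demo on constructed files: clean baseline, then an edit that
# hides a date-gated delete inside an existing cron-run script.
demo() {
    t=$(mktemp -d); mkdir -p "$t/watch"
    printf '#!/bin/sh\necho "nightly backup"\n' > "$t/watch/nightly.sh"
    printf '0 3 * * * /opt/bin/nightly.sh\n' > "$t/watch/root.crontab"
    baseline_init "$t/watch" "$t/state"
    integrity_check "$t/watch" "$t/state" >/dev/null || return 1   # clean
    printf '[ "$(date +%%m%%d)" = "0404" ] && rm -rf /data\n' >> "$t/watch/nightly.sh"
    integrity_check "$t/watch" "$t/state" && return 1   # must now report
    rc=0; flag_time_gated_delete "$t/watch/nightly.sh" || rc=$?
    rm -r "$t"; return $rc
}
```

Run it from root's crontab against the directories you care about and mail the output to someone who actually reads it; the diff, not the hash, is what lets a reviewer see that a legitimate change also altered the conditions around an existing rm -rf.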
