Insider Threat Example: Medco Employee Indicted for Planting Computer Logic Bomb

On December 19, 2006, a computer systems administrator, Andy Lin, for Medco Health Solutions, Inc. was indicted by a federal grand jury in the U.S. District Court for the District of New Jersey for attempting to disable his employer’s corporate computer servers through the use of a concealed malicious software program.
Today (January 3) Lin is being arraigned. If convicted, he faces up to 20 years in prison and a fine of $500,000 ($250,000 for each of the two charges).


The US DOJ indictment provides a fascinating chronology of the events:
Count 1:

“The Destructive Computer Code Embedded in the Medco Servers
2. Beginning at least as early as in or about September 2003, e-mails were circulated among Defendant Lin and others discussing the anticipated layoffs of Medco computer system administrators.
3. On or about October 2, 2003, Defendant Lin sent an e-mail to an individual identified as T.W. indicating that he was unsure whether he would survive the anticipated layoffs at Medco.
4. On or about October 3, 2003, Defendant Lin modified existing computer code and inserted new computer code into pre-existing scripts on the Medco Servers, which collectively were designed to delete virtually all of the information on those servers once triggered (the “Destructive Code”). Among other information, the Destructive Code was designed to delete the DUR, as well as databases identifying subscribers, plan coverage, prescription administration, and billing data. Part of the new computer code Defendant Lin programmed and inserted included a script designed to deploy the Destructive Code automatically on April 23, 2004, Defendant Lin’s birthday.
5. On or about October 6, 2003, Medco laid off four system administrators in the Unix group. Defendant Lin was not laid off.
6. On or about November 5, 2003, Defendant Lin edited the script triggering the Destructive Code, which was still set to deploy on April 23, 2004.
7. On or about April 23, 2004, the Destructive Code was triggered, but because of an error in the code, it failed to deploy and delete the information stored on the Medco Servers.
8. Between on or about September 20, 2004 and on or about September 22, 2004, Defendant Lin modified the Destructive Code to correct the error which prevented the code from executing as planned. After the correction, the Destructive Code was set to deploy on April 23, 2005.
9. On or about January 1, 2005, a Medco computer systems administrator investigating a system error discovered the Destructive Code embedded within other scripts on the Medco Servers. Medco Information Technology security personnel subsequently neutralized the Destructive Code.
10. From on or about October 3, 2003 to on or about September 22, 2004, in Bergen County, in the District of New Jersey and elsewhere, defendant YUNG-HSUN LIN, a/k/a “Andy Lin” knowingly and willfully attempted to cause the transmission of a program, information, code, and command, and as a result of such conduct, intended to cause damage without authorization to a protected computer, that is, one which was used in interstate commerce and communication, and by such conduct, if completed, would have caused loss to one or more persons during a 1-year period aggregating at least $5,000 in value, contrary to Title 18, United States Code, Sections 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), and 1030(c)(4)(A). In violation of Title 18, United States Code, Sections 1030(b) and 2.”

Count 2:

“1. The allegations contained in Paragraphs 1 through 9 of Count 1 are realleged and incorporated herein.
2. From on or about October 3, 2003 to on or about September 22, 2004, in Bergen County, in the District of New Jersey and elsewhere, defendant YUNG-HSUN LIN, a/k/a “Andy Lin” knowingly and willfully attempted to cause the transmission of a program, information, code, and command, and as a result of such conduct, intended to cause damage without authorization to a protected computer, that is, one which was used in interstate commerce and communication, and by such conduct, if completed, would have caused the modification and impairment, or potential modification and impairment, of the medical examination, diagnosis, treatment, and care of one or more individuals, contrary to Title 18, United States Code, Sections 1030(a)(5)(A)(i), 1030(a)(5)(B)(ii), and 1030(c)(4)(A). In violation of Title 18, United States Code, Sections 1030(b) and 2.”

This is a good illustration of what trusted insiders with significant systems and applications authorizations can do, or in this case attempt to do, under circumstances where they are motivated to do bad things.
In this case it appears that a potential layoff motivated Lin to plant the destructive code. What is interesting is that Lin did not remove the destructive code after surviving the layoffs and, even more striking, after his first attempt failed because of his own programming error, he corrected the code and rescheduled it to fire the following year on the same date.
Imagine the impact it could have had on the company if the logic bomb had been successful. It could have brought the company’s operations to a grinding halt and caused potentially millions of dollars in damage from lost data, system downtime, recovery and repair.
Imagine the impact it could have had on patients if it had been successful. As reported in Information Week:

“‘The potential impact, had it gone off, would have been devastating. And more so, it would have been devastating to patients,’ says Assistant U.S. Attorney Erez Lieberman, who is prosecuting the case, along with Assistant U.S. Attorney Marc Ferzan. ‘Taking a logic bomb and putting it in a system where it could not just cause financial harm but could also harm databases, which he knows and administers, that affect patient drug information, adds to the enormity of the situation. The impact obviously could affect real lives, real time.’”

A few lessons learned:
* Implement additional controls for personnel with excessive access authority to systems, databases and applications. Log their network activity and audit it regularly.
* Make sure you have a strong change management system and procedure in place. Lin should not have been able to modify code and put it into production without having it reviewed and the changes authorized by someone else.
* Provide periodic training and ongoing awareness information and activities to all personnel, particularly those with access to sensitive information and with significant systems, database and applications access authorities. Besides covering how to secure information, teach them how to spot suspicious behavior: the red flags in human behavior, and in systems and applications activity, that could indicate an insider is doing harm.
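As an added illustration of the first two lessons (this is example code written for this post, not Medco's tooling or anything from the indictment): a small Python audit that hashes the production scripts against a stored baseline, flags any change that is not tied to an approved change record, and surfaces scripts containing hard-coded calendar comparisons for a reviewer to look at. The script names, the approved-change set and the sample script contents are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hard-coded calendar comparisons (date +%m%d, literal 2005-04-23, 04/23/2005)
# in a production script are a red flag that a human reviewer should look at.
DATE_TRIGGER = re.compile(
    r"""date\s+\+['"]?%[mdY]|\b20\d\d[-/]\d\d[-/]\d\d\b|\b\d{2}/\d{2}/20\d\d\b""")

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Hash every script under root; keep the result somewhere the admins cannot edit."""
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*.sh"))}

def audit(root: Path, baseline: dict, approved: set) -> list:
    """Findings: scripts changed/added/removed without an approved change ticket,
    plus any current script that contains a calendar-based trigger."""
    findings, current = [], build_baseline(root)
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            status = "removed"
        elif rel not in baseline:
            status = "new"
        elif baseline[rel] != current[rel]:
            status = "modified"
        else:
            continue
        if rel not in approved:
            findings.append((rel, f"{status} without approved change"))
    for rel in current:  # removed scripts cannot be scanned, so only current ones
        if DATE_TRIGGER.search((root / rel).read_text(errors="replace")):
            findings.append((rel, "hard-coded date trigger; needs review"))
    return findings

def demo() -> list:
    """Constructed scenario: baseline two scripts, then apply one approved change
    (backup.sh) and one unreviewed edit that adds a date trigger (cleanup.sh)."""
    root = Path(tempfile.mkdtemp())
    (root / "backup.sh").write_text("#!/bin/sh\ntar czf /backup/db.tgz /var/lib/db\n")
    (root / "cleanup.sh").write_text("#!/bin/sh\nfind /tmp -mtime +7 -delete\n")
    baseline = build_baseline(root)
    (root / "backup.sh").write_text(
        "#!/bin/sh\ntar czf /backup/db-$(date +%F).tgz /var/lib/db\n")
    (root / "cleanup.sh").write_text(
        '#!/bin/sh\nif [ "$(date +%m%d)" = "0423" ]; then echo TRIGGER; fi\n')
    return audit(root, baseline, approved={"backup.sh"})
```

Running `demo()` reports cleanup.sh twice (modified without an approved change, and carrying a date trigger) while the approved backup.sh edit passes silently; in practice the baseline and the approved-change list must live where the administrators being audited cannot rewrite them.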
