Read the “Case Study of Insider Sabotage: The Tim Lloyd / Omega Case”
Write a brief summary of this case study. In your summary, be sure to answer the following questions:
1. What happened at Omega?
2. What was lost/damaged/compromised?
3. Why was it so easy for Tim Lloyd to do what he did?
4. How could the company have prevented such actions?
5. Why did the Secret Service get involved?
Your response should be at least 500 words, but no more than 1000.
I will attach the file for Case Study of Insider Sabotage: The Tim Lloyd / Omega Case.
Case Study of Insider Sabotage: The Tim Lloyd/Omega Case
By Sharon Gaudin
The government has just sent a message to every
would-be hacker or corporate computer saboteur: you
can be caught and put away.
That’s the word coming down after the May, 2000
conviction of a former corporate network administrator
in the first federal prosecution of computer sabotage.
“This tells everyone that we’re capable,” says Assistant U.S. Attorney V. Grady O’Malley, who prosecuted the case for four weeks in Newark District
Court. “There are people out there who believe they
can’t be caught. They think [the general public] isn’t
as smart as they are, and if they are, they’re not in the
government… This shows them that we can track
down the evidence, understand it and logically present it to a jury.”
O’Malley, working in conjunction with Special
Agents of the United States Secret Service, won the
conviction against Tim Lloyd, 37, of Wilmington,
Delaware. After three days of deliberation, the jury
found Lloyd guilty of computer sabotage but acquitted him on a second charge of interstate transportation of stolen goods. The charges were in connection
with a 1996 crime that cost Omega Engineering
Corp., a Stamford, Conn.-based high-tech measurement and instrumentation manufacturer, more than
$10 million, derailed its corporate growth strategy
and eventually led to the layoff of 80 workers.
The government laid out a story that spanned 11
years. It was the story of a trusted employee who rose
through the ranks of a relatively small company to
the point where he ultimately planned out and built
Omega’s first computer network for its Bridgeport,
N.J.-based manufacturing plant—the heart of this
manufacturing company. But as the company expanded into a global enterprise, Lloyd’s prominent
position slipped into that of a team player. Feeling
‘disrespected’, Lloyd turned on the company, planting a software time bomb that destroyed the hub of
the network that he himself created.
Computer Security Journal • Volume XVI, Number 3, 2000
And that one move destroyed more than a thousand
programs that ran the company’s manufacturing machines. It also brought a global enterprise, one that
supplies instrumentation to NASA and the U.S. Navy,
to its knees. All in the matter of a few seconds.
Today, Omega still is struggling to right itself and reclaim its position in the market. And Lloyd, who maintains his innocence, awaits sentencing, which is slated for
July 31, four years to the day after Omega’s file server
crashed. He faces up to five years in federal prison.
Omega faces an untold number of years trying to rebuild.
“We will never recover,” Jim Ferguson, plant manager at Omega South, Omega’s Bridgeport manufacturing plant, told the jury.
Industry analysts note that the high-tech community has long scoffed at government efforts to keep
track of them or even to keep up with them.
That gap in knowledge and skill seems to be growing shorter.
Ken VanWyk, corporate vice president and chief
technology officer of Alexandria, Virginia-based ParaProtect, a computer security portal, said this case will
have historical and legal significance, setting a precedent for how computer security crimes are handled.
“You’re looking at a lot of damage here,” said VanWyk. “The company has been greatly damaged. How
easy is it to track down digital evidence? How easy is it
to find the culprit following a digital trail? How easy is
it to make a jury understand the technology? These are
all questions that are being answered.”
And O’Malley said the answer has come in loud
and clear.
“These people should realize they are no longer invulnerable,” he added. “This type of crime is no
longer a mystery and there is some bite to computer
crime statutes.”
Bomb cripples manufacturing
It was the morning of July 31, 1996. The first worker in the door of the CNC (Computer Numeric Control) department at Omega South fired up the Novell NetWare 3.12 file server just as he always did. But this time, the server didn’t boot up. Instead, a message popped up on the screen saying that a section of the file server was being fixed. Then it crashed.
But it didn’t just crash. When the server went down, it took nearly every program down along with it, destroying any means of finding them and scattering the millions of lines of coding like a handful of sand thrown onto a beach.
Omega executives didn’t know this yet, though. All they knew was that the server was down and the manufacturing machines were sitting idle, waiting for the tooling programs that had been stored on the file server.
Ferguson, who had immediately been called when the server crashed and failed to reboot, said he went looking for the backup tape while other workers tried to bring the server back up. Even if the server was down, the programs could be taken off the backup tape and the machines could run. The backup tape was nowhere to be found, however.
Ferguson, as he testified in court, then went to the individual workstations to retrieve any programs that workers had saved to their desktops. There was nothing for him to find there either.
“It was an awful feeling,” Ferguson says.
With no programs and no backup tapes, Ferguson says he had few options but to order the machines to run with the programs that already had been loaded on them the day before. He had to keep his people working, his machines pumping out products. And the machines did run like that—some for days, some for weeks. They ran like that until they choked inventory or exhausted their raw materials.
“We were doing everything we could. The other step would have been to shut down and lay off everybody,” Ferguson told the jury. “We were just starting to get an idea of all the impact and what this was going to mean and how it was going to affect us.”
It was only a matter of days before three different people called in to do data recovery all reported that the programs were nowhere to be found.
And that was the beginning of an IT nightmare that still haunts Omega to this day, according to several executives who testified in the trial.
Ralph Michel, Omega’s chief financial officer, testified that the software bomb destroyed all the programs and code generators that allowed the company to manufacture 25,000 different products and to customize those basic products into as many as 500,000 different designs.
“That department gave us flexibility to modify our products and gave us the ability to lower our costs,” said Michel, who noted that Omega had shown 34 years of growth but started slipping after the computers crashed. “We lost both of those advantages in July 1996. . . I believe the server crash was one of the principal reasons for the drop in sales, if not the reason.”
Michel noted that Omega’s sales efforts took such a hit because of the company’s inability to manufacture products without a long lead time that within two years after the crash, Omega was showing a 9% drop, which equals about a $10 million loss. And Michel added that Omega had shown only increases in annual sales since 1962.
Tracking down the cause of the crash
And while the company suffered financial and market hits, Ferguson and other plant managers looked to retrieve the programs and get manufacturing on its feet again.
And immediately, their attention turned to their former network administrator—Tim Lloyd, who had been fired three weeks before the crash.
What happened to Omega Engineering, Inc. could happen anywhere
Here is a list of ways to protect your system:
❏ Make sure no one person is controlling the system front to back;
❏ Every logon should have a password;
❏ As few people as possible should have supervisory rights;
❏ Mission critical systems should be backed up every day, and every system should be backed up weekly;
❏ Have a strict sign-in/sign-out system for backup tapes;
❏ Always have a current copy of the backup tape stored remotely;
❏ Do backups of desktops and laptops, as well as servers;
❏ Rotate backup tapes – don’t keep using the same one over and over again;
❏ Change passwords every three months;
❏ Keep servers in a secured area;
❏ Stay up-to-date on software patches;
❏ Use intrusion detection software that alerts you when you are being hit and make sure your response time is faster than a fast penetration;
❏ Code should not be put up unless at least two pairs of eyes have checked it over;
❏ Have an information security department (at least one person and then one other for every 1,000 users) that is separate from the IT department and reports directly to the CIO;
❏ At least 3% to 5% of the IS budget should be spent on information security;
❏ Information security personnel should be aware of any employee who is showing signs of being troubled or disgruntled, particularly if that employee holds an information-critical position;
❏ Beef up security during certain events, such as mergers or downsizings, that could upset workers and cause them to lash out at the company;
❏ If an employee, particularly an IS employee, is becoming a problem, start locking down—monitor the network, set up software that will alert you if she is in a different part of the network than usual or if she’s working at a different time than usual. Also, scan email to see what’s going out of the company, double check backup tapes and have someone else do the backups if that person is the one in question.
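The account and backup-tape items in the checklist above can be checked mechanically. The following Python audit is an added example, not part of the original article. Its records are constructed to mirror facts reported in the case (account 12345 with supervisory rights and no password, a backup tape signed out on July 1 and never returned); the other account names, the owner labels and all thresholds are assumptions.

```python
"""Audit an account list and a backup-tape log against the sidebar's checklist.
All records are constructed for illustration; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    name: str
    owner: str            # person responsible for the logon (hypothetical label)
    supervisor: bool
    has_password: bool


@dataclass
class TapeCheckout:
    label: str
    taken_by: str
    taken_on: date
    returned_on: Optional[date] = None   # None means the tape is still out


def audit(accounts: List[Account], backup_operators: Set[str],
          checkouts: List[TapeCheckout], offsite_copy: Optional[date],
          today: date, max_supervisors: int = 2, max_days_out: int = 1,
          max_offsite_age: int = 7) -> List[Tuple[str, str]]:
    findings = []
    # "Every logon should have a password"
    for a in accounts:
        if not a.has_password:
            code = "SUPERVISOR_NO_PASSWORD" if a.supervisor else "NO_PASSWORD"
            findings.append((code, a.name))
    # "As few people as possible should have supervisory rights"
    supervisors = sorted(a.name for a in accounts if a.supervisor)
    if len(supervisors) > max_supervisors:
        findings.append(("TOO_MANY_SUPERVISORS", ",".join(supervisors)))
    # "Make sure no one person is controlling the system front to back"
    sup_owners = {a.owner for a in accounts if a.supervisor}
    if len(backup_operators) == 1 and backup_operators <= sup_owners:
        findings.append(("SOLE_BACKUP_OPERATOR_IS_SUPERVISOR",
                         next(iter(backup_operators))))
    # "Have a strict sign-in/sign-out system for backup tapes"
    for c in checkouts:
        if c.returned_on is None and (today - c.taken_on).days > max_days_out:
            findings.append(("TAPE_NOT_RETURNED",
                             f"{c.label} out since {c.taken_on} ({c.taken_by})"))
    # "Always have a current copy of the backup tape stored remotely"
    if offsite_copy is None:
        findings.append(("NO_OFFSITE_COPY", "none recorded"))
    elif (today - offsite_copy).days > max_offsite_age:
        findings.append(("STALE_OFFSITE_COPY", str(offsite_copy)))
    return findings


# Constructed inventory: only account 12345 and the July 1 date come from the article.
SAMPLE_ACCOUNTS = [
    Account("12345", "unassigned", True, False),
    Account("NETADMIN", "network admin", True, True),
    Account("CNC1", "operator A", True, True),
    Account("CNC2", "operator B", True, True),
    Account("SHOP1", "operator C", False, True),
]
SAMPLE_CHECKOUTS = [TapeCheckout("Backup", "network admin", date(1996, 7, 1))]


def sample_findings() -> List[Tuple[str, str]]:
    return audit(SAMPLE_ACCOUNTS, {"network admin"}, SAMPLE_CHECKOUTS,
                 offsite_copy=None, today=date(1996, 7, 10))


if __name__ == "__main__":
    for code, detail in sample_findings():
        print(f"{code:36} {detail}")
```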
Lloyd, who had started out at Omega in 1985 as a
machinist, had worked his way up the line until he was
the sole person in charge of the network—the network
he created. Lloyd handed out passwords, maintained
the server, loaded new programs and worked on any expansions. He also was in charge of doing backups and,
as Ferguson later discovered, had recently taken programs off the workstations and centralized them on the
one file server, telling workers not to store them locally
any longer.
“I had trusted Tim Lloyd completely,” Ferguson told
the jury. “We relied on Tim Lloyd… I trusted Tim to
maintain the backup tape. He was responsible for the
security of the system.”
And Lloyd had taken out the backup tape on July 1.
Now, weeks later, with the system down, the tape was
nowhere to be found.
The Code and How it Works
1. 7/30/96
   • The date is the triggering point in the code string, executing the rest of the commands as long as it is after July 30, 1996.
2. F:
   • This line of the code gives access to the server.
3. F:\LOGIN\LOGIN 12345
   • This automatically piggybacks User 12345, which has supervisory rights and no password security, with whichever user first logs in on the file server.
4. CD \PUBLIC
   • This line gives access to the public directory, a common storage area on the file server.
5. FIX.EXE /Y F:\*.*
   • FIX.EXE is a DOS-based executable that served as the deletion command but showed the word ‘fixing’ on the screen instead of ‘deleting.’ This is a slightly modified version of Microsoft DOS’ Deltree.exe.
   • /Y answers ‘yes’ to the implied question of ‘Do you want to delete these files?’
   • F:\*.* refers to all files and folders on the entire server volume.
6. PURGE F:\ /ALL
   • This line calls for all of the deleted information to be immediately purged.
“Tim, Tim do you have the backup tapes?” says O’Malley describing Ferguson’s desperate call to Lloyd after the crash. “Tim, we need those tapes. Are you sure you don’t have the tapes?”
Ferguson says Lloyd told him he didn’t have the
backup tape. Lloyd, according to testimony, says he left
them in the upper left-hand corner drawer of his desk at
Omega. But Ferguson himself had helped clean out
Lloyd’s desk. There was no backup tape there.
Ferguson called Lloyd again and again. Once, Lloyd
said he would check around his house but never called
back. Ferguson called again and Lloyd said he hadn’t
had a chance to check. Ferguson called again and Lloyd
told him he had some tapes but not Omega’s tapes. Ferguson then recorded one of his calls and went to Lloyd’s
house to plead in person. While he was there, Lloyd
handed over a pneumatic pump, a computer case and a
power cord. No backup tape.
The plant manager says even while he was pleading
with Lloyd for information about the tape, he still was
having a hard time imagining that Lloyd would have damaged the system. Ferguson had held on to that kind of
trust even when Lloyd had become a problem employee.
About a year earlier, Lloyd went from being a star
employee to an angry man who lashed out, verbally
and physically, at his co-workers, bottlenecked projects simply because he wasn’t in charge of them, and
even knowingly loaded faulty programs to make co-workers look bad, according to Omega executives. In
that year, he had received verbal warnings, was written up twice and demoted.
Lloyd was lashing out at his co-workers, as O’Malley told the jury, because his ego was bruised. He was the genesis of the network and suddenly his status and clout were slipping away from him. And a team player he did not want to be.
The prosecution contends that Lloyd, who had started interviewing for a new job early in June of 1996, had started planning to leave Omega months before he was fired. Either way he was going out the door, he was planning on leaving a parting gift for the company that had “disrespected” him, according to O’Malley.
On July 10, 1996, Lloyd was fired. “The day I fired Tim Lloyd wasn’t a happy day,” says Ferguson. “Here was an individual I worked with for 11 years. I was very frustrated with how things worked out toward the end.”
And during all of this, no one at Omega assigned someone other than Lloyd to do the backups. No one checked the file server before or after he left. No one even hired a new network administrator after Lloyd was terminated, assuming that all it needed was simple maintenance and an outside contractor could take care of that. The company was running on trust.
The Secret Service takes over the investigation
On Aug. 12, 1996, Omega executives called in the U.S. Secret Service, which splits its time between protective service and conducting financial and high-tech fraud-related criminal investigations. The Secret Service is one of the government’s biggest weapons against computer crime. A relatively new statute makes computer sabotage a federal offense if it affects a computer used in interstate commerce and causes more than $5,000 worth of damage to the company in a 12-month span of time.
On Aug. 14, Special Agent William D. Hoffman arrived at Omega and began an investigation that would span the next four years. Hoffman, who has been with the agency for four years, began by interviewing about 50 Omega employees, everyone from company owners to people working the lathe machines on the shop floor.
“It was apparent to me very early on that this was not an accident,” says Hoffman. “The files that had been deleted were surgically removed from the database. They specifically were the files the company needed to survive.”
And early on, the evidence pointed directly at Lloyd. Hoffman pointed out that Lloyd had Novell certification training; he had complete access to the system, and he was the last one with the backup tape.
Hoffman also notes that they checked out Ray Nab, another former Omega employee. Nab, who was a friend of Lloyd’s, had been a CNC programmer and had quit the day the file server crashed. Nab, however, took and passed a lie detector test. And Hoffman says Secret Service agents searched Nab’s house and didn’t find anything connected to the crash or to Omega.
Hoffman, along with several other Secret Service agents, conducted a search warrant on Lloyd’s home Aug. 21, 1996. The agents seized about 700 pieces of potential evidence. That haul included computers, motherboards, keyboards, more than 500 disks, CD-ROMs, 12 hard drives and tapes.
“It was enormous,” says Hoffman.
What immediately stuck out from that haul were two backup tapes, which had both been erased. One was labeled Backup with the dates 5/14/96 and 7/1/96 and the words Tim Lloyd. July 1, 1996 was the date that Lloyd had asked for and been given Omega’s backup tape. Both had been reformatted, which erases the tapes, the day before Ferguson visited Lloyd’s house asking about the tapes.
“The moment I found out the backup tapes had been reformatted, my level of suspicion was elevated dramatically,” says Hoffman.
Tracking down the destructive code
While Hoffman was tracking down physical evidence, technicians at Ontrack Data International Inc., a data recovery firm out of Eden Prairie, Minnesota, were searching what basically was a digital debris field on a mirror image of the damaged file server. Omega had
called in Ontrack about a week after the server crashed to try to recover the missing programs.
Months into the effort, Ontrack conceded that the programs simply were not recoverable. Then they turned the copy of the server over to Greg Olson, director of Ontrack’s Worldwide Data Recovery Services. Olson was focused on finding out what caused the crash.
“We do data recoveries when companies are losing millions of dollars a day,” says Olson, who has written data recovery tools for the NetWare operating system and even was brought in by the U.S. government to recover files off of some of Kuwait’s computers damaged during the Gulf War. “It’s not uncommon for me to be working with people in panic mode but… I’ve never seen this massive of a deletion in my 10 years of experience.”
Olson says there were several things that raised red flags for him right from the start.
“It was odd that the user accounts, most of them, had supervisory rights,” he explains. “It’s odd that Account 12345 had supervisory rights and no password… Our system administrators would freak out if they knew there were half a dozen accounts with supervisory access… It violated the principles of security.”
With these red flags in the back of his mind, Olson started out doing searches for common commands or phrases used in deletions, such as DEL /S; \*.*, DEL F:, DELTREE F: and PURGE F:\.
“I was just thinking of common things to search for and these were taking hits,” says Olson. “Immediately, I knew this was hot when I saw PURGE take a hit.”
Olson continued to systematically pull programming strings, sitting in their raw form, out of the code wreckage until he had pieced together six lines—six lines that looked like they could do some real damage.
“What’s unusual are these six strings together,” he says. “First of all, the date was meaningful because the data loss was the next day. The second thing was this login account 12345, which had supervisory rights and no password. We’ll say that’s not recommended. The next thing unusual is the fifth line that refers to all the data on the server and /Y is a common command line switch to make the program default to yes.
“This is the type of stuff you’d find in a utility to do mass something,” Olson adds. “The last thing is the PURGE. Having the PURGE there with the F:\ refers to the server and everything on it. And combined with that date, it was very unusual. You’re not going to go into another company’s file server and find that combination of strings. That was definitely a red flag situation.”
And from there, Olson set out to determine what part FIX.EXE, which is not a NetWare executable so would not normally be found on a NetWare system, played in the string. The way the strings were set up, he says he knew FIX.EXE must have deletion powers but now it was a matter of proving it.
So Olson went out on the drive and pulled off 670 raw executables. He tested each and found one that appeared to be DELTREE.EXE, a DOS-based command that enables administrators to delete files off Windows operating systems.
“I pulled DELTREE and executed it with these command lines to see what would happen,” says Olson. “I was shocked when the normal DELTREE function, saying ‘deleting this, deleting this’, was replaced with ‘fixing this, fixing this’… I knew I was on to something there.”
What he knew was that the DELTREE executable had been modified to disguise its deleting message by dropping in a ‘fixing’ message in its place. That was FIX.EXE. That one step camouflaged the deletion process so the user logging onto the system would never know what was actually happening.
Testing the six-line program
To test the code, Olson took an exact copy of the Omega file server and set up a test environment with an attached workstation. He then set out configuring the system for various dates prior to the July 30, 1996 date at the beginning of the code string.
Olson configured the system for Jan. 1, 1996 and logged in. Nothing unusual happened.
Then he configured the system for April 30, 1996 and logged in. Nothing unusual happened.
He then tried July 29, 1996. Nothing unusual happened.
Olson then tested July 30, 1996, matching the configuration date up with the date in the code. Nothing.
Then he configured the system for July 31, 1996, one day after the date in the code and the exact date of the crash at Omega. “I logged on and everything on the system was deleted,” he told the jury. “On the screen, it was saying it was fixing an area of the system, but actually it was deleting everything… Everything was gone.”
“The puzzle had been put together,” he adds. “There’s absolutely no doubt in my mind that this is what caused the data loss.”
And Olson says some planning went into this. Along with the six lines of code that did the damage, Olson also found three similar test programs. Those three programs, each similar to the six lines of code in the damaging program, were dated Feb. 21, 1996, April 21, 1996 and May 30, 1996. The first two programs had only one line that was dissimilar from the damaging code. That one line substituted a simple test folder, which could have held as little as one word, for the line in the damaging code that called for everything on the server to be deleted. The third test program dated for May 30 was set up exactly as the code that brought down the system.
caused this massive deletion. When he called us, we had intent.”
With the code in hand, Olson went looking through the rest of the hard drives that Hoffman had given him to examine. And in that pile, he found those exact same six lines of code on one of Lloyd’s personal hard drives that also stored his PR photos, his checkbook software and personal letters.
“That’s when I knew we had our guy,” Hoffman says.
Lloyd was indicted on Jan. 28, 1998. After several postponements, the trial started on April 17 of this year.
During the trial, Lloyd’s attorneys told the jury that this is the case of a computer that simply crashed. They also said this is the case of Omega executives, who had been lax in their own jobs, casting aspersions on someone else to cover up their own failings. Defense contends that the crash could have been caused by an outside hacker, by another employee or by a virus.
Lloyd, who did not testify, said in an interview after the verdict came in that he is innocent of the crime.
“There’s no way in the world I did this,” says Lloyd. “I had complete access to the mainframe system from home… If I was a vindictive person, do you think I’d go after a teeny, tiny little network?”
But O’Malley told the jury it could not have been anyone other than Lloyd who could have taken that file server down in such a strategic and calculated fashion.
“Was the real guy sitting next to Tim Lloyd and fiddling with the system and changing dates?” O’Malley asked the jury. “I suggest not. Who could do all this...
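The string search Olson describes under "Tracking down the destructive code" and the six lines listed in "The Code and How it Works" can be sketched as a forensic triage script. This Python example is added here and is not Ontrack's tooling or code from the article. It carves printable strings from a raw image and flags places where a date literal, a whole-volume delete and a purge sit close together. The sample image is constructed, and the patterns and 512-byte window are assumptions.

```python
"""Carve printable strings from a raw disk image and flag places where a date
literal, a whole-volume delete and a purge sit close together.
SAMPLE_IMAGE is constructed; the patterns and window size are assumptions."""
import re
from typing import Dict, List, Set, Tuple

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")      # runs of 4+ printable ASCII bytes

INDICATORS = {
    "date":        re.compile(r"\b\d{1,2}/\d{1,2}/\d{2}(?:\d{2})?\b"),
    "delete_cmd":  re.compile(r"\b(?:DEL|DELTREE|ERASE)\b", re.I),
    "auto_yes":    re.compile(r"(?:^|\s)/Y\b", re.I),
    "mass_target": re.compile(r"[A-Z]:\\\*\.\*", re.I),   # e.g. F:\*.*
    "purge":       re.compile(r"\bPURGE\b", re.I),
}


def carve(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every printable run in the image."""
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE.finditer(image)]


def classify(text: str) -> Set[str]:
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def is_suspicious(cats: Set[str]) -> bool:
    # The combination matters: a trigger date, a purge, and either a named
    # delete command or a whole-volume wildcard (which catches renamed tools).
    return {"date", "purge"} <= cats and bool(cats & {"delete_cmd", "mass_target"})


def suspicious_clusters(image: bytes, window: int = 512) -> List[Dict]:
    strings = carve(image)
    hits = [(off, classify(s)) for off, s in strings]
    hits = [(off, cats) for off, cats in hits if cats]
    clusters, i = [], 0
    while i < len(hits):
        start, cats, j = hits[i][0], set(), i
        while j < len(hits) and hits[j][0] - start <= window:
            cats |= hits[j][1]
            j += 1
        if is_suspicious(cats):
            end = hits[j - 1][0]
            clusters.append({
                "offset": start,
                "categories": sorted(cats),
                # every carved string in the span, for analyst context
                "strings": [s for off, s in strings if start <= off <= end],
            })
            i = j
        else:
            i += 1
    return clusters


# Constructed image: two harmless single hits far apart, then the six strings
# from the article separated by non-printable bytes.
SAMPLE_IMAGE = (
    b"\x00" * 700 + b"REPORT 1/15/96 MONTHLY TOTALS" + b"\x00" * 2000
    + b"DEL C:\\TEMP\\*.TMP" + b"\x00" * 2000
    + b"\x01\x02".join([b"7/30/96", b"F:", b"F:\\LOGIN\\LOGIN 12345",
                        b"CD \\PUBLIC", b"FIX.EXE /Y F:\\*.*", b"PURGE F:\\ /ALL"])
    + b"\xff" * 300
)

if __name__ == "__main__":
    for c in suspicious_clusters(SAMPLE_IMAGE):
        print(hex(c["offset"]), c["categories"])
        for s in c["strings"]:
            print("   ", s)
```

A keyword search for DELTREE alone would miss the renamed FIX.EXE; the whole-volume wildcard and the PURGE are what place the cluster, which matches the hits Olson describes.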