 |
|
|
|
|
|
|
The Malicious
“Almost all of these people are loyal at the time of hiring, so this isn't a matter of screening them out."
- Jerrold M. Post, former CIA Psychologist
The case of Timothy Allen Lloyd offers a good example of how psychological stressors and triggers can play a role in malicious insider attacks. It is also the very first insider sabotage case investigated by the U.S. Secret Service.
For 11 years, Lloyd worked his way up the corporate ladder at Omega Engineering Corp., a Bridgeport, New Jersey-based manufacturer of high-tech industrial process measurement and control devices for the U.S. Navy and NASA. He started with the company as a machinist, but by 1994 he had earned the title of chief system administrator for the company's Novell network.
But Lloyd's career was about to take a drastic turn for the worst. Employees reported that he repeatedly elbowed, shoved, and bumped colleagues in the hallways, and that he became verbally abusive. He would be counseled on several occasions about these problems, but managers reported that he never improved his behavior. In May 1995, because of his continuing interpersonal problems, Lloyd's supervisor, James Ferguson, informed him that he was being transferred from supervisor of Omega's CNC Department (the manufacturing side of Omega's plant, where machines created the thousands of products that comprised Omega's inventory) to a position as a manufacturing engineering support specialist. Ferguson assured Lloyd that this was a lateral move. In reality, the change was a demotion. And Lloyd knew it. The loss of supervisory responsibilities and the knowledge that Courtney Walsh, a former subordinate of Lloyd's, had taken over his position did not sit well with Lloyd.
Lloyd's supervisors had hoped that the change of position would send Lloyd the message that his behavior and social skills had to improve. They also hoped that the job change would help spur that improvement. But it had the opposite effect on Lloyd, and his interpersonal problems with fellow workers increased in number and severity.
Lloyd underwent a performance appraisal in Feb. 1996. He received a ranking of 7 out of a possible score of 10. He received a 4% cost of living raise in salary, which was significantly lower than the annual raises he received in previous years. The intent of Lloyd's managers was to send the signal to the troubled employee that his time left at Omega was short.
Four months after his performance appraisal, Lloyd instituted a policy to “clean up” all of the computers in Omega's CNC Division. The “policy” forced all employees to save their work on a centralized file server and prohibited them from making their own backups. Lloyd also removed portions of computer programs that deal with safety precautions from user workstations and saved them on a central file server. Walsh protested, fearing that removing the files from user systems could cause a major system failure. Lloyd, however, continued making the changes.
By July 1996, Lloyd's behavior had become too much of a liability for Omega's management. As a result, Ferguson and another Omega manager met with Lloyd on July 10 and informed him that his history of interpersonal problems with managers and fellow employees, including incidents of intimidation, could no longer be tolerated. He was fired on the spot and escorted out of the building.
Shortly after 8 o'clock in the morning on July 31, technicians at Omega informed Ferguson that the division's file server would not boot up. They tried everything they could think of. Nothing worked. Finally, Ferguson made the decision to reload the system from the emergency backup tapes that were maintained under lock and key in the human resources department. So to the human resources department he went. But when he got there he couldn't believe his eyes. The secure file cabinet was empty. The emergency backup tapes, which stored the company's 1,000 manufacturing and tooling programs, were gone.
Ferguson called Lloyd on the telephone. He was frantic.
“Tim, Tim, do you have the backup tapes?” Ferguson asked frantically.
Lloyd said he didn't have the tapes and that he had left them in his desk drawer at Omega.
“Tim, we need those tapes. Are you sure you don't have them?”
“No,” said Lloyd.
Ferguson then hired local data recovery experts to help retrieve the critical files that had been deleted. To their dismay, the files had been purged and rendered unusable. The purge had been accomplished by somebody with supervisory level access to the system and was clearly intentional as far as the experts who were assisting Omega were concerned. And at Omega, there was only one Novell system administrator with supervisory level access. And that one person was Timothy Lloyd.
On August 23, the U.S. Secret Service executed a search warrant of Lloyd's home and recovered two Omega emergency backup tapes that had been reformatted, a master hard drive from another Omega system and various other pieces of hardware and software belonging to the company - nearly 700 pieces of evidence in all.
Eventually, data recovery experts from Ontrack Data International began the painstaking process of digging through the electronic ground zero that was now Omega's file server. They were searching for evidence to support the Secret Service's strong suspicion that Lloyd had deliberately obliterated the company's files. The clue that told them this was a deliberate act came from six strings of data that, when taken together, pointed to Lloyd and to a deliberate act of sabotage.
First, the technicians uncovered a date - the day before the catastrophe struck. The next item was a supervisory logon account (12345 with no password). They then discovered a line of code that referred to all of the data stored on the server and a “/Y” command that instructs a program to default to “yes” when confronted with a logic expression. Finally, the last thing that the Ontrack experts discovered was the “purge” command followed by “F:\,” which pointed to the Omega server and everything on it.
Then things got really interesting for the Ontrack investigators. They uncovered a mysterious command named FIX.exe, which was not a known Novell executable file. Upon testing the DOS-based command DELTREE.exe, which allows an administrator to delete files from a Microsoft Windows operating system, they discovered that DELTREE.exe returned the expression “Fixing…” rather than “Deleting…” Somebody had modified the DELTREE.exe file to disguise its true function. The user, therefore, would have no clue as to what was actually happening to the system.
This was literally the 'ticking time bomb' that the Secret Service was looking for. It was a logic bomb designed to go off upon boot up regardless of which user logged onto the system. And to the delight of the Secret Service, the same time bomb code that had obliterated Omega's file server was found on one of Lloyd's personal hard drives that had been confiscated during the search of his home. The Secret Service had their man.
The government prosecutor told the jury that it could not have been anyone other than Lloyd who could have conducted such an organized, well-planned and rehearsed attack on the Omega file server. "Was the real guy sitting next to Tim Lloyd and fiddling with the system and changing dates?" the prosecutor asked the jury. "I suggest not. Who could do all this and not be questioned by the administrator? No one. It was the administrator. He was setting this up months in advance. This was his parting shot to a company he was leaving, a going-away gift. . . . And it was almost a perfect crime."
Lloyd's lawyer challenged the prosecution's witnesses on almost all accounts and even produced ten former Omega employees who testified that they had never witnessed or were made aware of behavior problems relating to Lloyd. In addition, Lloyd gave Network World magazine an exclusive interview in which he denied having anything to do with the incident and also denied having ever been a system administrator.
The jury deliberated for 12 hours over the course of three days. They convicted Lloyd on one count of computer sabotage and acquitted him on the other count related to transportation of stolen goods.
On Feb. 26, 2002, a judge sentenced Lloyd to 41 months in prison, three years of probation and ordered him to pay more than $2 million in damages to Omega. But that was a paltry sum compared to the actual damages incurred by the company. Executives testified that Lloyd's actions cost the firm $10 million in damages and another $2 million in re-programming costs. In addition, 80 Omega employees lost their jobs as a result of the financial damages caused by the attack.
|
|
|
|
|
