Hack Attack
A mysterious computer crash pushes a thriving manufacturing company to the brink of collapse, jeopardizing the jobs of dozens of employees.
There is no apparent cause, no obvious clues.
Forensic investigators had to find out whether the disaster was caused by a computer defect, human error, or sabotage.
Today there are over 700 million computers at work in the world.
Any one of those holds millions of records vital to people, governments, and industries.
But millions of pieces of information in one small box can make that information vulnerable.
Omega Engineering manufactured high-tech measurement devices for the United States Navy, NASA, and clients around the world.
A state-of-the-art computer system at their New Jersey plant enabled Omega to quickly customize their products to suit their customers' needs.
The business was growing, and revenues were up.
Then came July 31st, 1996.
It was a bad day at Omega on July 31st of '96.
One of their workers got in about 8, 8:30 in the morning, went to his or her workstation like they always did, and they flipped on the system.
They booted up the computer.
And instead of coming on, though, it said fixing.
And the worker didn't know what was going on, but fixing sounded pretty positive, so he let it run.
And within seconds, the machine was down.
But it wasn't that one machine that was in trouble.
The manufacturing equipment at Omega got its instructions from the computer server, the brains of a sophisticated system that could store over 1,000 different programs.
Those 1,000 programs built 25,000 different products, and they could customize those products into 500,000 different pieces.
So you're talking about everything that the company could make.
But now, in the span of just a few seconds, Omega's vital computer system had crashed.
The plant's manager tried to get the server up and running again with no luck.
Typically, crucial files are periodically copied from a server onto a backup tape.
Omega thought they could restore the missing programs from their backup.
And the backup tape was kept in a filing cabinet in the human resources office.
But the tape wasn't there.
With no computer programs to drive the manufacturing process, plant operators had only one option, to complete the jobs that had already been started before the crash.
Just to keep the machines running, to keep producing, to keep people working.
They just kept producing until they ran out of raw materials.
But they ultimately created such a vast inventory of those specific items that they couldn't justify continuing anymore, so they had to shut the plant down.
One big problem that Omega had was that they hadn't hired a new network administrator.
The former network administrator, a longtime employee named Tim Lloyd, was now working for another company.
He was the one who actually built the network in the OmegaS Health plant.
He was the genesis of their whole network.
He knew it inside and out.
He built it.
He was the designer for all the computer programming.
He was the overseer of their network.
The plant manager, Jim Ferguson, called Lloyd to see if he could help solve the serious problem with Omega's computer system.
Did you come across any, you mentioned that you might want to look in the basement?
You were going to look in the basement for some old tapes, some backup tape?
No looking.
Okay.
Was there one tape or two tapes of backups?
There was one tape that was in the filing cabinet.
Right.
Omega was teetering on the brink of collapse with hundreds of jobs at stake and no clues about what had caused the catastrophic shutdown of the computers.
Omega Engineering faced a crisis so immense it could force the company out of business.
Two weeks earlier, the computer system that contained the plans for all their products had inexplicably crashed.
Time was running out.
If Omega couldn't get its computer system back up, layoffs would be inevitable.
What they lost was the ability to manufacture.
And when you're a manufacturing company, you're dead in the water.
Omega hired Kroll on Track, a Minnesota-based company that resurrects data from crashed computers all over the world.
Any kind of media that actually you store data onto, anytime they lose access to this or for some reason becomes unreadable, we get involved to help restore the data.
Bob Hackett, a computer forensic expert, began by examining the hard drive on Omega's server.
The drive was physically undamaged, but retrieving the data would mean examining the electronic contents, contents that might reveal important evidence.
But Omega management now wondered if the crash might have been sabotage.
So to safeguard the hard drive, they turned it over to the Secret Service.
Experts in computer fraud, the Secret Service knew hunting for the lost programs might alter records on the drive.
Even just turning on a computer alters or overwrites some of the information.
From a forensic standpoint, you don't want to write to that hard drive.
The Secret Service made an exact digital replica of Omega's hard drive, a clone that enabled OnTrack to examine all the data stored in the original.
What OnTrack investigators discovered was startling.
All that remained was fragmented computer code, mostly unintelligible even to computer experts.
This indicated the programs had not been simply deleted.
Deleting a computer file erases only the name of the file.
The data actually remains in the computer's memory until it is replaced by something else, so it's often possible to recover the information.
But in this case, investigators discovered that Omega's programs had not only been deleted, they had also been purged.
If we take the analogy of a piece of paper on a desk, if I was to take that, crumple it up, and throw it in the wastebasket, that would be equivalent to a deletion on a computer system.
I could still go grab that piece of paper out of the garbage can, unfold it, and look at it.
A purge would take that same piece of paper, run it through a shredder, take what came out through the shredder, throw it up in the air.
Omega's data could never be recovered.
The focus now shifted to a forensic investigation into how and why the data was purged.
Greg Olson, an expert in the operating system used by Omega, examined the drive for signs of a virus.
A virus corrupts data by inserting its own code into whatever program is being run.
There are no viruses that would cause this particular damage.
User error was another possibility, an accidental deletion.
Very common we find that system administrators come in and reinstall an operating system or made a mistake by reformatting a hard drive.
And I was able to rule that out effectively by looking at the system that clearly that that did not happen.
Because the deletion was too surgical to be accidental.
Only the key manufacturing programs had been destroyed.
If it was intentional, it could mean it was an inside job.
It's not going to be some kid home alone after school who just randomly breaks into Omega's system and knows where those specific files are.
You need someone who's on the inside, someone who knows where the keys to the castle are hidden and they know how to hurt the company.
The Secret Service first looked at Tim Lloyd, the man who had designed Omega's computer system.
He had recently left Omega for a job at another company.
Supervisors had given him a positive reference.
They said he was a good worker.
They said that he was excellent technically.
They didn't want to prevent him from getting another job.
Lloyd had left Omega three weeks before the computer crash, so he didn't have access to the building to purge the manufacturing programs on the day of the crash.
They thought maybe hacked in from the outside, but they said that they had disconnected any contact from an outside modem, so they knew that couldn't have been done.
Only supervisors had access to Omega's computer system at a level necessary to cause this much damage.
But there was a problem.
Just about everybody had supervisory rights and there were even some accounts that were set up with a name like 12345 with absolutely no password.
So there was no security on this.
Which meant that the perpetrator could have been anyone.
Six months after the massive computer crash, Omega was struggling to stay afloat.
How had its proprietary software been completely deleted?
Kroll on Track's Greg Olson, an expert in the Novell operating system that controlled the server, sifted the electronic flotsam of the company's hard drive.
The problem is, is when you do a delete and a purge, the entire roadmap to know where this data is is completely gone.
So it's literally a needle in the haystack and impossible to piece this information together.
All you're seeing is a collection of letters and numbers that don't really mean anything.
Olson relied on sophisticated software to help him search for any suspicious commands.
What I'm looking for is bits of code that I know in the computer world cause deletion.
In this particular case, what I was zeroing in on was any type of a delete or even any type of a purge.
Eventually, Olson found a purge command tied to five other lines of code.
It was a dangerously efficient bit of programming.
We called it a time bomb, and the actual fuse was six lines of code.
And what it was is really a set of steps that the computer would go through, some checks.
The first line simply checked the date and compared it to July 30th, 1996, the day before the server crashed.
This fuse can be attached to anybody that's logging in.
So, when you come in, what the fuse does is it checks the date.
And if it's after the date in the fuse, it would actually light the time bomb to actually do the deletion.
The second line of code accessed the server.
The third line was a logon command for the mysterious user 12345, a kind of computer ghost.
The unsuspecting user and 12345 were logged in on the same machine.
But 12345 provided the supervisory status needed to perform deletions.
The next line accessed the manufacturing programs.
The fifth line launched a program labeled fix.exe.
When Olson looked at the code for this program, he found a troubling clue.
The code had been generated from a commonly available deletion program, but it had been reconfigured to fool anyone using the system.
It didn't modify the intention of deletion, but the message that appears on the screen that would normally say deleting this file, deleting this file, actually said fixing this file, fixing this file.
The code was also rewritten to ignore safeguards, automatically answering yes to the question, are you sure you want to delete these files?
The last line of code was the purge command, making the material unrecoverable.
It would happen relatively fast.
You could go get a cup of coffee, read the front page of the paper, and come back and it's all done.
It's all gone.
And all the user had to do was turn on the computer.
But Olson and Hackett found other purge commands as well.
Three similar sets of code dated for February, April, and May.
But they only deleted a useless test folder, which would have gone undetected by the company.
What I deduced from that is essentially this was somebody was doing some testing of the application, this particular time bomb, to make sure that it would work before it was truly implemented and ready to go.
It appeared the tests were done while Omega's former computer manager Tim Lloyd was still at the company.
The Secret Service ran a background check and learned that Lloyd had been disciplined for run-ins with coworkers shortly before leaving the company.
There was conflict that broke out between other employees, between management, between supervisors.
He would bottleneck projects just because he wasn't in charge of the projects, that he hadn't tested projects before they went into production, and so there were a lot of problems.
One person even testified that he had elbowed a female coworker in the workplace.
On August 21st, Secret Service agents searched Lloyd's home and garage, looking for evidence to tie him to the malicious code.
They found circuit boards, computers, more than 500 disks, several hard drives, and data tapes.
What immediately stuck out was a tape labeled Backup, with the dates May 14th, 1996 and July 1st, 1996.
Authorities suspected it was the missing backup tape from Omega, but it was blank.
We learned that the backup tape had been reformatted or essentially erased a matter of days before the search warrant was executed.
The next thing we had to do was try to establish additional evidence that would support our theory that Lloyd was the guy.
So what we did was, for example, went to his time cards.
Lloyd's time card showed that he worked late on days in February, April, and May, each time just prior to the test runs of the time bomb.
Then Hackett and Olson found a copy of the time bomb on one of Lloyd's hard drives.
So the same lines of code that OnTrack had pieced together from the downed server, they found those lines intact in Tim's home.
A relatively new statute made computer sabotage a federal offense if it affected a computer used in interstate commerce and caused more than $5,000 worth of damage.
Tim Lloyd was indicted by a grand jury.
His case would be the first test of the new law.
Prosecutors in New Jersey say the computer crash devastated Omega Engineering, leading to $10 million of lost business, $2 million of reprogramming costs, and 80 employee layoffs.
Probably would have done less damage to the company if you had done it with a real bomb.
Doesn't matter really what happens to the building if your data is gone.
It is a white-collar crime, but it's a very serious crime.
It's a non-violent crime, but you know what?
You don't know what the implications are of people losing their jobs.
Timothy Lloyd's four-week trial began in April 1998.
It would be one of the first criminal cases to explore the arcane world of computer code.
How would an attorney who hadn't before this had a lot of technical expertise go into a really high-tech field and explain it to a jury?
At trial, prosecutors argued that Lloyd had fallen out of favor with his supervisors and grown resentful when he was reassigned.
Investigators had been able to prove that Lloyd developed the time bomb code at home, then worked late so that he could install and test the code in secret.
He planned on quitting and was in the process of interviewing with another company when he was fired.
In fact, he told a recruiter at his new company that everybody's job at Omega is in jeopardy.
He made the remark on July 31st, the same day the computer crashed.
How would he know that?
On the day that that time bombed, nobody even at Omega knew that.
They thought they had a computer problem.
That's all they knew.
But everybody's job, I think that that was a remarkable find and something that the jurors were able to pick up on.
But the most compelling evidence was the bits of code the computer experts found.
We were able to find a hard drive in his house that had that command on it.
Had we not found that, then he would have gotten away with it.
The jury found Lloyd guilty.
Various appeals kept him free for almost four years.
But in 2002, he began serving a prison term of three and a half years and was ordered to pay $2 million in restitution.
Lloyd claims he is innocent and that someone at Omega accidentally deleted the programs.
He says he could have proved that at trial, but his attorney advised him not to take the stand.
He's the consummate egotist.
I think he is absolutely livid that he was discovered.
I think that there was a point in time when he was actually prepared to say, I found it and I'll ride to the rescue.
But I think when Ferguson says we're bringing in the Secret Service.
We're at a very, very serious stage.
We're actually bringing in the federal authorities at this point.
You know, I don't blame you on that.
I think that that changed his mind.
Omega Engineering never fully recovered, but is still in business.
Kroll on Track was given an award by the Secret Service for the unique role they played in a case that paved new legal ground.
It was interesting simply because it was one of the first cases of its type that we had seen.
Omega made a lot of technical mistakes, but their biggest mistakes were caused by human factors.
It was because they trusted Tim, it was because they had real affection for Tim and they thought that he was family.
And you let family get away with a lot more than you would anybody else.
You give them a lot more rope to hang themselves with.