Prosecution Witness: UBS PaineWebber Network Still Suffering Four Years After Attack - InformationWeek

The logic bomb had a "catastrophic impact," bringing operations to a standstill and wiping out servers around the country, according to testimony from an IT manager for the company.

She and her team of 13 IT professionals worked full-time on the incident until June 2 of that year.

Part of the problem, she said, was that about 20% of the downed servers didn't have backup tapes. That multiplied the trouble they had bringing the machines back to life and at times made it impossible to restore all the information that had been wiped out when the logic bomb was triggered at 9:30 that morning--just as trading started on the stock market.

"There were a lot of problems," said Rodriguez. "Some branches didn't have backup. There were no tapes to go to. We continued to encounter problems for the next year at least."

Rajeev Khanna, manager for UBS's Unix Systems Group at the time of the attack, also didn't get any sleep that night or for the next two nights. Khanna, who oversaw the recovery process, testified Wednesday that 400 to 500 UBS workers--application developers, project managers, systems administrators, and database administrators--were pulled off their normal jobs to work on the restoration.

"The most important thing was for users to be able to log in to their desktops," he said. "They couldn't log in. They couldn't do the work they do on a daily basis, in terms of pulling data on their clients, making trades, and checking market data."

UBS hasn't reported how much money was lost in business because of the server and broker downtime.

To avoid a repeat of the incident, Rodriguez said, for the next two or three years she prepared to fend off a similar attack before every March 4. She took critical servers offline, so if there was any malicious code still lurking on the network, at least those servers wouldn't be affected. "We had to make sure there was no more business impact," she said.

Security Problems

In his cross-examination of Rodriguez, Adams read through a help desk log from the day the malicious code was triggered. While the logic bomb went off at 9:30 that morning, the log showed there were reports of much smaller incidents before that. For instance, a Sybase server was having trouble at 7:14 that morning. A user was having trouble logging in to a branch server at 7:39. And there was more trouble with the Sybase server at 8:19 a.m.

Rodriguez called the problems "routine support."

Later in his testimony, Khanna said he was generally only notified of a problem if the systems administrators were unable to handle it on their own. And he added that before 9:30 on March 4, 2002, he hadn't received calls about any trouble on the network or with the servers.

But Adams pressed Rodriguez about the company's computer security.

The defense attorney noted that a January 2002 group internal audit report on the UBS PaineWebber IT department said there were issues with the company's Unix and Sybase security, specifically involving passwords.

And during Rodriguez's testimony, she said that immediately after the attack began, she stepped out of the office and used the open "root" access on another systems administrator's computer to monitor what was happening on the network.

When asked if it was company policy for an administrator to walk away and leave root access up on a computer, she said it wasn't policy, but she wasn't surprised it happened.

"I found an open session, so obviously that time [the policy] was not followed," she said, adding that she "would not be surprised" if it happened on another occasion.

And Adams asserted that a March 2000 review of the UBS virtual private network showed that another session could be opened under a username and password that was already in use. Rodriguez said she wasn't sure if that could be done at the time, but it can't be done now.

Testimony continues Thursday morning.
