UBS Trial: Parts Of Attack Code Found At Defendant's Home
A U.S. Secret Service agent testified that a search of Roger Duronio's home turned up part of a logic bomb on two of his home computers and in a printout found lying on top of a bedroom dresser. The defense, meanwhile, pounded away at UBS PaineWebber's security lapses.
Earlier in the week, the defense took two runs at Rafael Mendez, who was UBS' division vice president for network services at the time of the attack.
Adams, who is a partner at Walder, Hayden & Brogan in Roseland, N.J., pointed out repeatedly that in 2001 and 2002, UBS' security configuration allowed more than one person to log onto the system at the exact same time using the exact same user ID and password. He also pounded on the fact that root users all had the same root password. Adams asked Mendez if a root user had the ability to edit a VPN log, and Mendez said it could be done if the user had a "specialized tool set."
Alan Paller, director of research at the SANS Institute, said in an interview that having root users share a password isn't a good security practice, but it's far from being uncommon.
"One company that's a household word in America has thousands and thousands of servers, and one root password," said Paller. "The systems administrator lives in a world where that is common. It's common because, historically, on Unix systems there was only one root account, and if three people wanted to manage a machine, they had to be root to do it."
As for multiple users being able to log onto the system with the same ID and password at the exact same time, Paller said it's a problem, but again not one that's unique to UBS.
"It's a characteristic of Unix," he said. "It's not a characteristic of UBS. You could have a policy to stop it but it's efficient for multiple people doing a lot of work."
During re-direct, Assistant U.S. Attorney Mauro Wolfe, the lead prosecutor on the case, pointed out that many of the security problems that the defense was bringing up had been noted in a Year 2000 audit report, two years before the attack on the company's network. Mendez said the document specified that the password and user account administration issues, for example, would be assessed a few months after the report was released.
However, on re-cross examination, Adams asked Mendez if another audit report had been done to show that the problems had been fixed. Mendez said he did not know of any.
Adams then noted that the Post Mortem report on the attack found that the UBS "security group lacks power and resources." He also noted that the report said, "We know that there were problems with security but the reason we did not get to them was lack of resources and lack of organization. . . . Productivity outweighed security."
Adams also pointed to UBS' web-based applications, asking Mendez whether security around accessing them was as tight as security around accessing the company's VPN and internal network. Mendez agreed that security wasn't as tight for web apps, but later, on redirect, he noted that the web-based applications don't offer users access to the company's main host server or branch servers, which are protected by UBS perimeter defenses.
The defense also turned its attention to two companies outside of UBS PaineWebber.