UBS Trial: Parts Of Attack Code Found At Defendant's Home - InformationWeek

A U.S. Secret Service agent testified that a search of Roger Duronio's home turned up part of a logic bomb on two of his home computers and in a printout found lying on top of a bedroom dresser. The defense, meanwhile, pounded away at UBS PaineWebber's security lapses.

Earlier in the week, the defense took two runs at Rafael Mendez, who was UBS' division vice president for network services at the time of the attack.

Adams, who is a partner at Walder, Hayden & Brogan in Roseland, N.J., pointed out repeatedly that in 2001 and 2002, UBS' security configuration allowed more than one person to log onto the system at the exact same time using the exact same user ID and password. He also pounded on the fact that root users all had the same root password. Adams asked Mendez if a root user had the ability to edit a VPN log, and Mendez said it could be done if the user had a "specialized tool set."

Alan Paller, director of research at the SANS Institute, said in an interview that having root users share a password isn't a good security practice, but it's far from being uncommon.

"One company that's a household word in America has thousands and thousands of servers, and one root password," said Paller. "The systems administrator lives in a world where that is common. It's common because, historically, on Unix systems there was only one root account, and if three people wanted to manage a machine, they had to be root to do it."

As for multiple users being able to log onto the system with the same ID and password at the exact same time, Paller said it's a problem, but again not one that's unique to UBS.

"It's a characteristic of Unix," he said. "It's not a characteristic of UBS. You could have a policy to stop it but it's efficient for multiple people doing a lot of work."

During re-direct, Assistant U.S. Attorney Mauro Wolfe, the lead prosecutor on the case, pointed out that many of the security problems that the defense was bringing up had been noted in a Year 2000 audit report, two years before the attack on the company's network. Mendez said the document specified that the password and user account administration issues, for example, would be assessed a few months after the report was released.

However, on re-cross examination, Adams asked Mendez if another audit report had been done to show that the problems had been fixed. Mendez said he did not know of any.

Adams then noted that the Post Mortem report on the attack found that the UBS "security group lacks power and resources." He also noted that the report said, "We know that there were problems with security but the reason we did not get to them was lack of resources and lack of organization. ... Productivity outweighed security."

Adams also pointed to UBS' web-based applications, asking Mendez if security around accessing them was as tight as it was around accessing the company's VPN and internal network. Mendez agreed that security wasn't as tight for web apps, but later, on redirect, he noted that the web-based applications don't offer users access to the company's main host server or branch servers, which are protected by UBS perimeter defenses.

The defense also turned its attention to two companies outside of UBS PaineWebber.
