UBS Trial: Parts Of Attack Code Found At Defendant's Home - InformationWeek


A U.S. Secret Service agent testified that a search of Roger Duronio's home turned up part of a logic bomb on two of his home computers and in a printout found lying on top of a bedroom dresser. The defense, meanwhile, pounded away at UBS PaineWebber's security lapses.

Earlier in the week, the defense took two runs at Rafael Mendez, who was UBS' division vice president for network services at the time of the attack.

Adams, who is a partner at Walder, Hayden & Brogan in Roseland, N.J., pointed out repeatedly that in 2001 and 2002, UBS' security configuration allowed more than one person to log onto the system at the exact same time using the exact same user ID and password. He also pounded on the fact that root users all had the same root password. Adams asked Mendez if a root user had the ability to edit a VPN log, and Mendez said it could be done if the user had a ''specialized tool set.''

Alan Paller, director of research at the SANS Institute, said in an interview that having root users share a password isn't a good security practice, but it's far from being uncommon.

''One company that's a household word in America has thousands and thousands of servers, and one root password,'' said Paller. ''The systems administrator lives in a world where that is common. It's common because, historically, on Unix systems there was only one root account, and if three people wanted to manage a machine, they had to be root to do it.''

As for multiple users being able to log onto the system with the same ID and password at the exact same time, Paller said it's a problem, but again not one that's unique to UBS.

''It's a characteristic of Unix,'' he said. ''It's not a characteristic of UBS. You could have a policy to stop it but it's efficient for multiple people doing a lot of work.''

During re-direct, Assistant U.S. Attorney Mauro Wolfe, the lead prosecutor on the case, pointed out that many of the security problems that the defense was bringing up had been noted in a Year 2000 audit report, two years before the attack on the company's network. Mendez said the document specified that the password and user account administration issues, for example, would be assessed a few months after the report was released.

However, on re-cross examination, Adams asked Mendez if another audit report had been done to show that the problems had been fixed. Mendez said he did not know of any.

Adams then noted that the Post Mortem report on the attack found that the UBS ''security group lacks power and resources.'' He also noted that the report said, ''We know that there were problems with security but the reason we did not get to them was lack of resources and lack of organization. . . Productivity outweighed security.''

Adams also pointed to UBS' web-based applications, asking Mendez if security was as tight around accessing them, compared to accessing the company's VPN and internal network. Mendez agreed that security wasn't as tight for web apps, but later, on redirect, he noted that the web-based applications don't offer users access to the company's main host server or branch servers, which are protected by UBS perimeter defenses.

The defense also turned its attention to two companies outside of UBS PaineWebber.
