UBS Trial: Parts Of Attack Code Found At Defendant's Home

A U.S. Secret Service agent testified that a search of Roger Duronio's home turned up part of a logic bomb on two of his home computers and in a printout found lying on top of a bedroom dresser. The defense, meanwhile, pounded away at UBS PaineWebber's security lapses.



Newark, N.J. -- Efforts by the defense in the UBS PaineWebber computer sabotage trial to foist blame elsewhere took a hit Friday, after testimony from a U.S. Secret Service agent revealed that parts of the code used to bring down the UBS network four years ago were found on two of the defendant's home computers, as well as in a hardcopy printout lying on top of his bedroom dresser.

The Secret Service testimony ended what had been a week of contentious arguments on a strong note for the prosecution.

Secret Service agents executed a warrant and searched the Bogota, N.J. home of Roger Duronio on March 21, 2002 -- 17 days after the financial giant was hit by what prosecutors are calling a logic bomb. The segment of coding found in his home was part of the 50 to 70 lines of malicious code that was used to take down about 2,000 servers, including UBS' main host server in its Weehawken, N.J. data center, along with branch servers in about 370 offices around the country in the March 4, 2002 incident.

Duronio, 63, is facing four federal criminal charges, including computer sabotage, securities fraud and mail fraud. The government contends he crippled the company's network in a vengeful plot aimed at making money by buying stock options that would pay off if the company's stock dropped -- something he allegedly tried to make happen by shutting down UBS' ability to do business for anywhere between a day and several weeks, depending on the location.

While cross-examining other witnesses in court this past week, Chris Adams, Duronio's defense attorney, hammered away at what he's calling significant weaknesses in UBS' security. He says the network was riddled with holes that could have allowed a hacker or another system administrator to plant the malicious code.

Adams has thrown a slew of possible who-done-it theories at the jury, including repeated suggestions that the damage was caused by Cisco Systems, Inc. during a planned penetration test of the UBS network that month, or that there was some impropriety by @Stake, Inc., the first forensic team called in on the case.

However, in his testimony Thursday, Secret Service Special Agent Gregory O'Neil said all trails led to Duronio.

He told the jury that a team of 14 agents conducted the four-hour search that led them to a folded up piece of paper with scribbles on the back of it. The paper, which sat on the dresser in Duronio's master bedroom, had the code for the logic bomb's trigger mechanism printed out on it.

O'Neil said several pieces of the coding on the paper quickly jumped out at him: mon; hour >= 9; min >= 30; mrm.

''I knew UBS' computer system had gone down on a Monday at 9:30 [a.m.] and I knew 'mrm' was identified as part of the malicious code,'' he told the jury. ''It was the source code for the trigger of the logic bomb.'' There was a line at the very top of the printout: wait_tst.c.txt. Agent O'Neil also said the Secret Service seized four computers from Duronio's home that day. They subsequently found the wait_tst.c.txt file on two of the seven hard drives that were contained in the four machines. The code on the computer files was the ''identical'' chain of code that had been found printed out in the bedroom, he testified.

Earlier in the week, the defense took two runs at Rafael Mendez, who was UBS' division vice president for network services at the time of the attack.

Adams, who is a partner at Walder, Hayden & Brogan in Roseland, N.J., pointed out repeatedly that in 2001 and 2002, UBS' security configuration allowed more than one person to log onto the system at the exact same time using the exact same user ID and password. He also pounded on the fact that root users all had the same root password. Adams asked Mendez if a root user had the ability to edit a VPN log, and Mendez said it could be done if the user had a ''specialized tool set.''

Alan Paller, director of research at the SANS Institute, said in an interview that having root users share a password isn't a good security practice, but it's far from being uncommon.

''One company that's a household word in America has thousands and thousands of servers, and one root password,'' said Paller. ''The systems administrator lives in a world where that is common. It's common because, historically, on Unix systems there was only one root account, and if three people wanted to manage a machine, they had to be root to do it.''

As for multiple users being able to log onto the system with the same ID and password at the exact same time, Paller said it's a problem, but again not one that's unique to UBS.

''It's a characteristic of Unix,'' he said. ''It's not a characteristic of UBS. You could have a policy to stop it but it's efficient for multiple people doing a lot of work.''

During re-direct, Assistant U.S. Attorney Mauro Wolfe, the lead prosecutor on the case, pointed out that many of the security problems that the defense was bringing up had been noted in a Year 2000 audit report, two years before the attack on the company's network. Mendez said the document specified that the password and user account administration issues, for example, would be assessed a few months after the report was released.

However, on re-cross examination, Adams asked Mendez if another audit report had been done to show that the problems had been fixed. Mendez said he did not know of any.

Adams then noted that the Post Mortem report on the attack found that the UBS ''security group lacks power and resources.'' He also noted that the report said, ''We know that there were problems with security but the reason we did not get to them was lack of resources and lack of organization. . . . Productivity outweighed security.''

Adams also pointed to UBS' web-based applications, asking Mendez if security was as tight around accessing them, compared to accessing the company's VPN and internal network. Mendez agreed that security wasn't as tight for web apps, but later, on redirect, he noted that the web-based applications don't offer users access to the company's main host server or branch servers, which are protected by UBS perimeter defenses.

The defense also turned its attention on two companies outside of UBS PaineWebber.



Over the course of cross-examining several witnesses, Adams repeatedly brought up the point that former hackers work at @Stake, Inc., the company that UBS initially brought in to do forensic work immediately after the incident. ''Are hackers good people?'' he asked. ''Are hackers reliable?''

The research labs in @Stake, which was bought by Symantec, Corp. in 2004, were headed up by Peiter C. Zatko (also known in the industry as Mudge), the former CEO and chief scientist of the L0pht, a high-profile hacker think tank. Mudge, however, worked his way into the legitimate business world, testifying before a Senate Committee on Government Affairs, and counseling President Clinton in the White House on security issues.

Mendez testified that other Wall Street firms had recommended several forensic companies, including @Stake, to UBS after their servers were taken down. In 2004, Mudge reportedly became a division scientist working at government contractor BBN Technologies.

''In my opinion, it's generally a bad idea to bring in old hackers because they have habits that are hard to break,'' said Paller in a separate interview. ''From that perspective, they would be a bad bet for analysis of a company's security. But for forensics, they are often the best idea. There's the old statement about 'it takes one to know one'. Somebody who has broken into computers is more likely to see the evidence of a break-in. For forensics, when they are tightly managed, it's a great idea.''

The defense also took several stabs at suggesting that Cisco Systems, a networking industry giant, might have been responsible for taking down the UBS network during a penetration test that was ongoing during the March 4, 2002 incident.

Never actually coming out and accusing Cisco directly of the take-down, Adams repeatedly asked witnesses if they knew that Cisco had been hired to do the penetration test between February and March of 2002.

''Would it have been helpful to know Cisco was trying to test and bring down the network and operations?'' Adams asked Rajeev Khanna, manager for UBS's Unix Systems Group at the time of the attack. Khanna replied that he did not know about the test at the time.

In a written statement to InformationWeek.com, a spokesman for Cisco said, ''While Cisco does not disclose details of the work we perform for our customers, we are unaware of any issues related to any service Cisco has performed for UBS.''
