[ISN] UBS Trial: Parts of Attack Code Found At Defendant's Home

From: InfoSec News (isn@private)
Date: Mon Jun 19 2006 - 00:44:09 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=189500138

By Sharon Gaudin
InformationWeek
June 16, 2006

Newark, N.J. --- Efforts by the defense in the UBS PaineWebber
computer sabotage trial to foist blame elsewhere, took a hit Friday,
after testimony from a U.S. Secret Service agent revealed that parts
of the code used to bring down the UBS network four years ago, was
found on two of the defendant's home computers, as well as in a
hardcopy printout lying on top of his bedroom dresser.

The Secret Service testimony ended what had been a week of contentious
arguments on a strong note for the prosecution

Secret Service agents executed a warrant and searched the Bogota, N.J.  
home of Roger Duronio, on March 21, 2002 -- 17 days after the
financial giant was hit by what prosecutors are calling a logic bomb.  
The segment of coding found in his home was part of the 50 to 70 lines
of malicious code that was used to take down about 2,000 servers,
including UBS' main host server in its Weehawkin, N.J. data center,
along with branch servers in about 370 offices around the country in
the March 4, 2002 incident.

Duronio, 63, is facing four federal criminal charges, including
computer sabotage, securities fraud and mail fraud. The government
contends he crippled the company's network in a vengeful plot aimed at
making money by buying stock options that would pay off if the
company's stock dropped " something he allegedly tried to make happen
by shutting down UBS' ability to do business for anywhere between a
day and several weeks, depending on the location.

While cross-examining other witnesses in court this past week, Chris
Adams, Duronio's defense attorney hammered away at what he's calling
significant weaknesses in UBS' security. He says the network was
riddled with holes that could have allowed a hacker or another system
administrator to plant the malicious code.

Adams has thrown a slew of possible who-done-it theories at the jury,
including repeated suggestions that the damage was caused by Cisco
Systems, Inc. during a planned penetration test of the UBS network
that month, or that there was some impropriety by @Stake, Inc., the
first forensic team called in on the case.

However, in his testimony Thursday, Secret Service Special Agent
Gregory O'Neil said all trails led to Duronio.

He told the jury that a team of 14 agents conducted the four-hour
search that led them to a folded up piece of paper with scribbles on
the back of it. The paper, which sat on the dresser in Duronio's
master bedroom, had the code for the logic bomb's trigger mechanism
printed out on it.

O'Neil said several pieces of the coding on the paper quickly jumped
out at him: mon; hour >= 9; min >= 30; mrm.

''I knew UBS' computer system had gone down on a Monday at 9:30 [a.m.]
and I knew 'mrm' was identified as part of the malicious code,'' he
told the jury. ''It was the source code for the trigger of the logic
bomb.'' There was a line at the very top of the printout:  
wait_tst.c.txt. Agent O'Neil also said the Secret Service seized four
computers from Duronio's home that day. They subsequently found the
wait_tst.c.txt file on two of the seven hard drives that were
contained in the four machines. The code on the computer files was the
''identical'' chain of code that had been found printed out in the
bedroom, he testified. Earlier in the week, the defense took two runs
at Rafael Mendez, who was UBS' division vice president for network
services at the time of the attack.

Adams, who is a partner at Walder, Hayden & Brogan in Roseland, N.J.,
pointed out repeatedly that in 2001 and 2002, UBS' security
configuration allowed more than one person to log onto the system at
the exact same time using the exact same user ID and password. He also
pounded on the fact that root users all had the same root password.  
Adams asked Mendez if a root user had the ability to edit a VPN log,
and Mendez said it could be done if the user had a ''specialized tool
set.''

Alan Paller, director of research at the SANS Institute, said in an
interview that having root users share a password isn't a good
security practice, but it's far from being uncommon.

''One company that's a household word in America has thousands and
thousands of servers, and one root password,'' said Paller. ''The
systems administrator lives in a world where that is common. It's
common because, historically, on Unix systems there was only one root
account, and if three people wanted to manage a machine, they had to
be root to do it.''

As for multiple users being able to log onto the system with the same
ID and password at the exact same time, Paller said it's a problem,
but again not one that's unique to UBS.

''It's a characteristic of Unix,'' he said. ''It's not a
characteristic of UBS. You could have a policy to stop it but it's
efficient for multiple people doing a lot of work.''

During re-direct, Assistant U.S. Attorney Mauro Wolfe, the lead
prosecutor on the case, pointed out that many of the security problems
that the defense was bringing up had been noted in a Year 2000 audit
report, two years before the attack on the company's network. Mendez
said the document specified that the password and user account
administration issues, for example, would be assessed a few months
after the report was released.

However, on re-cross examination, Adams asked Mendez if another audit
report had been done to show that the problems had been fixed. Mendez
said he did not know of any.

Adams then noted that the Post Mortem report on the attack, found that
the UBS ''security group lacks power and resources''. He also noted
that the report said, ''We know that there were problems with security
but the reason we did not get to them was lack of resources and lack
of organization...Productivity outweighed security.''

Adams also pointed to UBS' web-based applications, asking Mendez if
security was as tight around accessing them, compared to accessing the
company's VPN and internal network. Mendez agreed that security wasn't
as tight for web apps, but later, on redirect, he noted that the
web-based applications don't offer users access to the company's main
host server or branch servers, which are protected by UBS perimeter
defenses.

The defense also turned its attention on two companies outside of UBS
PaineWebber.

Over the course of cross-examining several witnesses, Adams repeatedly
brought up the point that former hackers work at @Stake, Inc., the
company that UBS initially brought in to do forensic work immediately
after the incident. ''Are hackers good people?'' he asked. ''Are
hackers reliable?''

The research labs in @Stake, which was bought by Symantec, Corp. in
2004, were headed up by Peiter C. Zatko (also known in the industry as
Mudge), the former CEO and chief scientist of the L0pht, a
high-profile hacker think tank. Mudge, however, worked his way into
the legitimate business world, testifying before a Senate Committee on
Government Affairs, and counseling President Clinton in the White
House on security issues.

Mendez testified that other Wall Street firms had recommended several
forensic companies, including @Stake, to UBS after their servers were
taken down. In 2004, Mudge reportedly became a division scientist
working at government contractor, BBN Technologies.

''In my opinion, it's generally a bad idea to bring in old hackers
because they have habits that are hard to break,'' said Paller in a
separate interview. ''From that perspective, they would be a bad bet
for analysis of a company's security. But for forensics, they are
often the best idea. There's the old statement about 'it takes one to
know one'. Somebody who has broken into computers is more likely to
see the evidence of a break-in. For forensics, when they are tightly
managed, it's a great idea.''

The defense also took several stabs at suggesting that Cisco Systems,
a networking industry giant, might have been responsible for taking
down the UBS network during a penetration test that was ongoing during
the March 4, 2002 incident.

Never actually coming out and accusing Cisco directly of the
take-down, Adams repeatedly asked witnesses if they knew that Cisco
had been hired to do the penetration test between February and March
of 2002.

''Would it have been helpful to know Cisco was trying to test and
bring down the network and operations?'' Adams asked Rajeev Khanna,
manager for UBS's Unix Systems Group at the time of the attack. Khanna
replied that he did not know about the test at the time.

In a written statement to InformationWeek.com, a spokesman for Cisco
said, ''While Cisco does not disclose details of the work we perform
for our customers, we are unaware of any issues related to any service
Cisco has performed for UBS.''

Copyright © 2005 CMP Media LLC



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon Jun 19 2006 - 01:06:28 PDT