Friday, November 28, 2008

Aligarh police crack cyber crime

This is good news and shows the increasing awareness among the law enforcement fraternity in the country. Mind you, Aligarh is not a Bombay or Delhi. It is pretty far away from the hustle and bustle of a big town and is a growing city.

Wed, Nov 26 02:05 AM

THE ALIGARH police have cracked the case of a cyber crime clipping on the Google and YouTube websites under the title 'Save Aligarh Save Aligarh', propagating employment of child labourers for the manufacturing of hardware and locks in the five biggest export players' homes, including prominent exporter Prashant Enterprises, in Aligarh.

On the basis of an FIR lodged by the Managing Director of Prashant Enterprises, Aligarh, Ramesh Chand Singhal, charging the Google clip - which propagated the name of his export home - with mischief by showing Prashant Enterprises using child labourers in its video clip, the Aligarh police raided the office of one news channel based in Sector 6, Noida, and arrested Ram Nagina Yadav, the information technology head of the news channel, and detained its other two employees Rudra Pratap and Gaurav Garg for interrogation in the matter.

Superintendent of Police (City) Man Singh Chauhan told HT that Singhal had lodged the FIR on October 20 under the IT Act, stating that some unidentified person had uploaded a video clipping showing child labourers working in his unit and that the video clip was being posted on and brought to the notice of major importers of the Western countries with whom Prashant Enterprises has export ties. Singhal stated in his FIR that the said clip was fabricated to defame his concern at the national and international levels, due to which Prashant Enterprises had not only suffered a substantial loss in its export business but had also received threats, Chauhan added. He further said that during the investigation the police also cracked the e-mail identity which had uploaded the said video clip on the Google website. This exposed that the clip was uploaded by the office of a news channel situated in Sector 6 in Noida, he said. Thereafter, the Aligarh police raided the office of the news channel on Sunday, he said.

Chauhan further added that during the interrogation the three employees of the channel disclosed that their employer Surendra Gupta and his sons Abhishek and Sunil Gupta had directed them to upload the clip on the Google website through Rudra Pratap's e-mail address. Efforts are on to nab Surendra Gupta and his sons, who also run an export business, he added. Meanwhile, the news channel's owner Surendra Gupta told journalists here over the phone that he had received this video clip from one television reporter of Aligarh but had refused to telecast it, as his channel was not functioning in Aligarh. "I have no knowledge as to who had uploaded this video clip on the internet," he said.

Tuesday, November 11, 2008

Compliance is the fuel for InfoSec initiatives?

The law is a strong whip to crack when you need to get people in line, and the need to comply with the law of the land where you are from and the law of the land where you work increases the stress levels of individuals and organizations.

It is a known fact that IT, IS, Governance and IT Risk Management are always short-changed in terms of funding. However, it is also known that compliance requirements are disposed of with no thought of expense. Consider the billions spent on SOX compliance, which could have been saved substantially if these very corporations had had a semblance of security / governance / risk management best practices in place!

But no! They all had to build it from scratch, and in doing so they spent millions, nay, billions.

Having spent this money, they sat back and waited for the next compliance need, since the 'SOX project' was over. Well, we now see that they did not learn anything from SOXing their corporations, since everything was done for the sake of doing it and not for the spirit. Else they would have discovered that the banking system was rotten within and would not survive another few years.

Dear reader, you know all about Enron and WorldCom. Well, they just screwed a few pension funds and a few thousand employees. They did not bring the financial system to collapse point. They did not bring G-8 and G-x government heads together to pump billions into the system. Their collapse did not bring about a global meltdown. Their collapse did not screw investors worldwide; it did not butcher governments, trade, manufacturing, support, etc.

I think a few thousand billions have already been poured into this black hole and they are still crying for more.

Well, coming back to compliance: it is time to take advantage of this whip and turn the whiplash into a pat on the back. Time to move ahead of the pack, turn this "requirement" into a strength and extract a pound for every penny spent.

Welcome to the thought of Unified Compliance or Integrated Compliance or whatever you may call it.

I made a presentation at ICAI in India, and at iSAFE in Dubai last month in October. Follow the link to download these, if you are interested.

Thursday, April 10, 2008

Catching them early ... build security in to the psyche

I have been thinking about this for quite a while, and had written to a management institute in Mumbai (India) to propose an addition to the curriculum, and establish thought leadership in IT education in the country.

Since I had been a guest lecturer for two semesters for the IT Audit elective in the IT Management curriculum, I wrote to them, as they were the only institution where I knew someone in the management. I have not got a response from them yet, and I shall look at some means to connect with other institutions in India and elsewhere.

And today I read Mary Ann Davidson's blog ... she has obviously spent a lot of time on this, as compared to my stumbling on a thought while rambling away. And she would, since it is straight off something which has clearly been an issue at her organization and more.

There are a lot of things which are right in what she says, but then the American psyche is to think University and a formal, regulated education system. My thinking about the subject was more grassroots level, where the problem begins ... and being from India, I tend to think neighborhood before going mainstream.

My thoughts go to the zillions of tiny, mid-sized and large institutes that dot the Indian countryside and cities, teaching Oracle, Java, .NET, C and what have you. Costs may start as low as $100 and students are usually new graduates from school or university. They are looking at learning 'computers' to get a break in IT and make a good salary. Many are guided by word of mouth or by a counselor that a certain course is 'hot' in the market, and that is the motivation to join the course: he / she will finish the course in 4 - 8 weeks and try to join the developer mainstream. These students may or may not be engineering or science graduates. The instructor may usually be an ex-student paying off his / her discount on the course fee for a stipend, teaching by rote from the book which he / she learned from a few weeks earlier.

These students are hired by companies large and small, put through in-house training if in a large organization (else they learn on the job), and deployed on development projects for overseas customers.

This is the bulk of the workforce, which grows in its roles; the smart ones pick up certifications and skills and grow. Others take time, but they grow too, since they keep learning better practices.

So how does one control the millions of students who are half-baked in terms of their understanding of the processes underlying the systems they are going to program for, and who are unaware of the expectations these systems and the industry have of them?

This is where the solution has to be found ... yes, the large, organized and funded universities and institutions will teach security as part of their programs, and the Ivy League member will come out of the education system properly ordained into the culture of security and best practices, but the bulk of the workforce still remains to be addressed.

I don't believe DHS or the universities can do anything here, as the solution has to come from industry leaders in software, hardware and databases like Microsoft, Oracle, Sun, Apple, Intel, AMD and others. The underlying systems have to be tuned NOT to accept calls under normal computing commands.

If I am designated as a common database user, why do I need to look at the structure, permissions or settings? My application interface is built to carry out my read/write and report functions. In such a scenario, a default database installation may be configured to accept calls ONLY from applications X, Y and Z, and to force a change of the administration login / password on installation. The argument will be that this can be taken care of by an Identity Management system, but how many IdM installations do we find in mid and small-sized companies? Or large companies, for that matter.
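To make the "accept calls only from applications X, Y and Z" default concrete, here is an added example (not from this post, and not tied to any product the post names) that audits a PostgreSQL-style pg_hba.conf. The layout (TYPE DATABASE USER ADDRESS METHOD) is PostgreSQL's; the two configuration texts, the subnet values and the threshold for "too wide" are constructed for the example. The permissive text is the kind of default the post complains about; the hardened one pins each named application account to its own address range and a challenge-response method.

```python
"""Audit a pg_hba.conf-style client access list for an 'only known applications' posture.

Added example for the post above; the config texts and thresholds are constructed.
Assumes PostgreSQL's pg_hba.conf layout: TYPE DATABASE USER [ADDRESS] METHOD.
"""
import ipaddress

# Methods that either skip authentication or send the password in cleartext.
WEAK_METHODS = {"trust", "password"}

# Constructed: a permissive "anyone on the network" default.
DEFAULT_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      trust
host    all       all       0.0.0.0/0      trust
host    all       postgres  0.0.0.0/0      password
"""

# Constructed: only the named application accounts, each from its own range,
# with challenge-response auth; the superuser is local-only.
HARDENED_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    orders    app_x     10.0.1.0/24     scram-sha-256
host    orders    app_y     10.0.2.10/32    scram-sha-256
hostssl reports   app_z     10.0.3.0/24     scram-sha-256
"""


def parse_hba(text):
    """Parse rules into dicts; 'local' lines carry no ADDRESS column."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            conn_type, database, user, method = fields[:4]
            address = None
        else:
            conn_type, database, user, address, method = fields[:5]
        rules.append({"type": conn_type, "database": database, "user": user,
                      "address": address, "method": method})
    return rules


def audit_hba(text, max_hosts=256):
    """Return (rule, reason) findings; an empty list means the file passed every check."""
    findings = []
    for r in parse_hba(text):
        where = f"{r['type']} {r['database']} {r['user']} {r['address'] or ''}".strip()
        if r["method"] in WEAK_METHODS:
            findings.append((where, f"weak auth method '{r['method']}'"))
        if r["address"] is None:
            continue                          # remaining checks apply to network rules only
        try:
            net = ipaddress.ip_network(r["address"], strict=False)
        except ValueError:
            net = None                        # keywords such as samenet: skip the width check
        if net is not None and net.num_addresses > max_hosts:
            findings.append((where, f"address range {r['address']} too wide"))
        if r["user"] == "all" or r["database"] == "all":
            findings.append((where, "remote rule not pinned to a named application account and database"))
        if r["user"] == "postgres":
            findings.append((where, "superuser allowed over the network"))
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_HBA), ("hardened", HARDENED_HBA)):
        print(label, audit_hba(text) or "clean")
```

Running it prints eight findings for the permissive text and "clean" for the hardened one. The width threshold is deliberately a parameter: what counts as "too wide" is a local decision, but `0.0.0.0/0` with `trust` fails under any value of it.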

Underlying systems have to demand secure access and practices from the application layer and the GUI. This will force the industry to ensure that secure practices start getting the same level of importance as syntax. Sit in a class, and you will know that the only things taught are syntax and compilation, debugging and rollout. Testing is a different profession!

Another example can be to have a feature for secure documentation. Or term it secure editing. If I coin an industry word, it will be secure word processing. As MS-Word is the most commonly installed word processor, why does Microsoft not have an add-on which will provide a secure documentation feature? This can be a common feature in the application which will encrypt the document as it is saved. The application will use the owner's private key and challenge questions which will have been stored in the user profile. This can be an enterprise feature too, and will help save countless idiotic incidents where data is lost by banks, corporations and government agencies.

Security and privacy need to be safeguarded, and the psyche has to be tuned to accept this as a way of life. Education has an important role to play and must start as early as possible. Going back to school and the early years when the child is exposed to computers and computer games, it will be nice to give him / her the knowledge that the machine is highly versatile, will help do all sorts of work and will entertain too. However, while enjoying the fruits of computing power, there is a certain way of life which has to be followed (online and offline), and that is the path of secure and safe computing.

Wednesday, January 30, 2008

Societe Generale .. messed up information security controls

They say that they have SIX levels of controls ... so were the controls working? Or were they drunk (or disabled to allow easy access) for over a year?

And what were the auditors doing!
And the managers to whom M Kerviel reported?

Obviously the Societe Generale team has no clue about the concept of Segregation of Duties, or Identity Management at the first level. One would expect that SoD would be in place and responsibility levels would be established. There seems to be no limit on the transaction value which an individual can transact, and to top this sad state of affairs, there is no oversight on the actions of the trader.

The spirit of Governance is sorely lacking: in terms of communication, in terms of transparency since this is a public institution, in terms of (seemingly) witch hunting, in terms of absolving the Chairman of any responsibility in the affair. The basic tenet of good governance is that the bosses are responsible for EVERY MESS as much as they are responsible for every win, and that they have to know what is going on in the organization, especially when the risk is so high.

Incident Management sucks: their communication plan is all messed up. Every statement has been made when their knee jerked. Statements do not seem to be backed by any investigation and just make allegations. Then there are mis-statements, like the correction of the original amount of $ 7.1 bn being split into 5.1 from the trade and 2 from the sub-prime exposure.

Their reputation is already in the pits, and with these gaffes they are just making themselves look sillier and sillier. If bank chairmen are such, I think I can do a better job.

Risk Management ... does it exist outside their policy book? They claim to have the most sophisticated risk management system, but does it exist in practice? That is the catch, and this is how it is everywhere. Policies are made along with loud noises, but then what? Does the policy move into practice, and is the practice sustained? That is the billion dollar question. Everyone wants to know how this works at SG, and it is anyone's guess if these guys are going to share their sob story.

The jury is out on this ... a trader is exposed for about $ 50+ bn, which is enough to wipe out the bank. And NO ONE IN THE BANK KNOWS! So does he not report to anyone? Are there no pay-outs or pay-ins which have to be entered into the books of account, no checks to issue, no payments to acknowledge? Do we assume that he made the trade, then HE wrote up the books of account and then HE signed any check / voucher? In other words, he (a junior trader) ran the bank department, or HE was the department.

We do know that red flags were raised about his positions, so was his work put under review, and was a limit set on his activities?
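The three controls this post keeps returning to, a trader who cannot also book his own trades, a cap on the exposure one individual may carry, and supervisor review of large tickets, are mechanical enough to write down as a check over a trade ledger. The block below is an added example for this post, not anything from the bank or the investigation: the ledger, the trader and back-office names, the thresholds and the currency unit are all constructed, and the three rules are the generic controls the post describes rather than any institution's actual limits.

```python
"""Ledger controls: segregation of duties, supervisor review and per-trader exposure limits.

Added example for the post above; the ledger, names and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Trade:
    trade_id: str
    trader: str          # front office: who executed the trade
    confirmed_by: str    # back office: who booked / confirmed it
    reviewed_by: str     # supervisor sign-off, "" if none was recorded
    notional: float      # exposure, in millions of a constructed currency unit
    hedged: bool         # True if an offsetting position exists


# Constructed sample ledger; nothing here is real data.
LEDGER = [
    Trade("T001", "trader_a", "ops_1", "desk_head", 400.0, True),
    Trade("T002", "trader_a", "trader_a", "", 900.0, False),   # self-confirmed, no review
    Trade("T003", "trader_a", "ops_2", "", 1500.0, False),     # large ticket, unreviewed
    Trade("T004", "trader_b", "ops_1", "desk_head", 250.0, False),
    Trade("T005", "trader_a", "ops_1", "desk_head", 700.0, False),
]

# Assumed control thresholds, chosen for the example only.
REVIEW_THRESHOLD = 1000.0    # single trades at or above this need a supervisor sign-off
EXPOSURE_LIMIT = 2000.0      # total unhedged notional one trader may carry


def check_controls(ledger, review_threshold=REVIEW_THRESHOLD, exposure_limit=EXPOSURE_LIMIT):
    """Return (subject, control, detail) findings; an empty list means all three controls held."""
    findings = []
    unhedged = defaultdict(float)
    for t in ledger:
        # Segregation of duties: the executor must not be the confirmer.
        if t.trader == t.confirmed_by:
            findings.append((t.trade_id, "SOD", f"{t.trader} executed and confirmed own trade"))
        # Oversight: big tickets need a second pair of eyes before they are booked.
        if t.notional >= review_threshold and not t.reviewed_by:
            findings.append((t.trade_id, "REVIEW", f"{t.notional:.0f} booked without supervisor sign-off"))
        if not t.hedged:
            unhedged[t.trader] += t.notional
    # Exposure limit: aggregate open risk per individual, not just per ticket.
    for trader, total in sorted(unhedged.items()):
        if total > exposure_limit:
            findings.append((trader, "LIMIT", f"unhedged exposure {total:.0f} exceeds {exposure_limit:.0f}"))
    return findings


def summarize(findings):
    """Count findings per control, the one-line figure a risk dashboard would show."""
    counts = defaultdict(int)
    for _, control, _ in findings:
        counts[control] += 1
    return dict(counts)


if __name__ == "__main__":
    result = check_controls(LEDGER)
    for item in result:
        print(item)
    print(summarize(result))
```

On the constructed ledger this flags T002 (self-confirmed), T003 (large and unreviewed) and trader_a (3100 unhedged against a 2000 limit). The point of the aggregate check is the one the post makes: a series of individually modest, unreviewed tickets can still add up to a position nobody authorized.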

... there is much, much more here, and it will be a great drama which will unfold over the next few days / weeks. We have the first statements from the 'rogue trader', and as he talks and as the police investigate at SG, we shall see and hear a lot more.

The article on the BBC website, SocGen Unhedged by Robert Peston, is an interesting read.

Societe Generale ... lies, lies and all lies

So Societe Generale lost $ 7.1 bn last week, then restated this to $ 5.x bn because 2.x bn was a loss from the sub-prime plague.

And it was a rogue trader who opened SG's purse, but was it a rogue rat who cast the sub-prime spell on them? Who has been blamed for this?

Daniel Bouton, the bank Chairman, is on a panhandling trip to get $ 5.x bn and keeps his job, while his resignation is still on the desk: a moral resignation nevertheless, which was honorably presented the moment the s%6t hit the ceiling.

Consider the lies which have been hogging the news:

First it was "Rogue trader defrauds the bank of $ 7.1 bn"

There was no defrauding the bank. This guy was doing his job, and that too, independently. There was no one checking his work! Cool ... give me the bank treasury and I will also play the stock exchange at will.

Hey, what happened to the 7.1 bn? Now it is only 5.1 bn! The other 2 bn is actually the hit SG got from the sub-prime exposure, and sorry, the Chairman goofed up in his communication to the Prime Minister and the Central Bank and the public and shareholders at large.

It's okay, this is just a couple of billion here or there! So what if I just messed up the European market a tad while squaring all holdings.

And he was "a junior trader, recently promoted from the back office, so he has intimate knowledge of the systems and easily circumvented controls".

Another white lie: he has been trading since 2005 (?), so that is pretty recent! Three years on the trading desk and he contributed €1.5 bn to the bank kitty with his trading profits last year. Pretty cool performance for a junior trader, and I am sure there was a lot of Champagne and partying at the end of the year when the numbers came in. Will you be surprised to find that the Chairman sent a case of Dom along with a card?

The Chairman said that he did not know him...

OK, we shall take it at face value. The Chairman is not supposed to know everyone in the bank. And considering how loose the controls at SG are, I am apt to believe that there are hundreds / thousands of traders betting the bank's pants every day and making a billion plus for the bank every year.

The French government wants to protect this institution from takeover without realizing that it will be good for their health if this is allowed. At least the new owners will bring in a training program on 'Better Communication Skills for Chairmen'.

I seem to be forgetting the information security and risk management aspect of this episode .... and will cover this in the next post.

Wednesday, January 16, 2008

A Security Incident looked at closely

Incident Response, Handling, Management and Post-Incident actions are crucial to any security program, and this is a well recognized fact. Many companies do not test their systems; many do tests using internal 'gurus' who are generalists or hobbyists; some do it for the sake of meeting a regulatory requirement; and so on. And unfortunately there are attacks, and then there are attacks which go undiscovered.

And there was the mother of all compromises - the TJX Maxx incident which went undetected for more than a year.

A very interesting 'anatomy' of a hack was published; it provides a situational view of what is happening and what to do.

Anatomy of a hack attack
Sally Whittle
Published: 07 Jan 2008 16:39 GMT

With the help of security experts, we recreate a typical hack attack on two large organisations and walk through the steps that the head of IT should follow in such a case.


It will be to the advantage of the security organization to build a culture of proactive security and to continuously update and test its responsiveness to incidents. The security officers must also participate in meetings with law enforcement agencies, to be informed about ground realities and any happenings which may affect their organization too.


Tuesday, January 15, 2008

Education system should include IT Security

Education is key to building a culture of respect for the system in which we live, for nature, for our fellow beings and for all that which is not ours. This does not mean that I should not respect what is mine!

To get back to the subject of this post ... I mentioned the need to "reorient" education at all levels, and today this is what the MP is talking about, and that's the way to go.

MP: Children must be taught IT security
Tom Espiner
Published: 10 Jan 2008 16:55 GMT

The UK government has said that young people need to be educated about IT security.

Minister of state for schools and learners Jim Knight told on Wednesday that, as there is increasing online interaction between schools and parents, young people need to know about the possible dangers of IT security being compromised.

I remember Moral Science classes in school where we were taught the virtues of honesty and loving my neighbor, respecting my elders et al. This shaped me into a responsible human being and I believe that the same values are needed when we are talking about computing and internet usage.

12-year-olds are trading viruses!

14-year-olds are arrested for screwing up a public transport system! The kid(s) think this is fun when grown-ups run around crazy just because he / she pressed the enter key without anyone being the wiser.

Yes, there is the need to include ethical computer usage, and it has to start young. It is a recognized fact that training and awareness are the most effective tools in any information security implementation, and the same solution has to be brought into the system.

Maybe I shall check how many management or technology courses include ethical computing as part of their curriculum ... fodder for my next post.

Dinesh Bareja
"ramble securely"