Wednesday, January 30, 2008
Societe Generale ... lies, lies and all lies
So Societe Generale lost 7.1 bn last week, then restated this to $ 5.x bn because 2.x bn was a loss from the sub-prime plague.
And it was a rogue trader who opened SG's purse, but was it a rogue rat who cast the sub-prime spell on them? Who has been blamed for this?
Daniel Bouton, the bank Chairman, is on a panhandling trip to get $ 5.x bn and keeps his job, while his resignation is still on the desk. A moral resignation nevertheless, which was honorably presented the moment the s%6t hit the ceiling.
Consider the lies which have been hogging the news:
First it was "Rogue trader defrauds the bank of $ 7.1 bn"
There was no defrauding the bank. This guy was doing his job, and that too far too independently. There was no one checking his work! Cool........ give me the bank treasury and I will also play the stock exchange at will.
Hey, what happened to the 7.1 bn? Now it is only 5.1 bn! The other 2 bn is actually the hit SG got from the sub-prime exposure, and sorry, the Chairman goofed up in his communication to the Prime Minister, the Central Bank, the public and shareholders at large.
It's okay, this is just a couple of billion here or there! So what if I just messed up the European market a tad while squaring all holdings.
And he was "a junior trader, recently promoted from the back office, so he has intimate knowledge of the systems and easily circumvented controls".
Another white lie - he has been trading since 2005 (?), so that is pretty recent! Three years on the trading desk and he contributed €1.5 bn to the bank kitty with his trading profits last year. Pretty cool performance for a junior trader, and I am sure there was a lot of Champagne and partying at the end of the year when the numbers came in. Will you be surprised to find that the Chairman sent a case of Dom along with a card?
The Chairman said that he did not know him...
OK, we shall take it at face value. The Chairman is not supposed to know everyone in the bank. And considering how loose the controls at SG are, I am apt to believe that there are hundreds / thousands of traders betting the bank's pants every day and making a billion plus for the bank every year.
Now.......
The French government wants to protect this institution from takeover without realizing that it will be good for their health if this is allowed. At least the new owners will bring in a training program on 'Better Communication Skills for Chairmen'.
I seem to be forgetting the information security and risk management aspect of this episode .... and will cover this in the next post.
Wednesday, January 16, 2008
A Security Incident looked at closely
Incident Response, Handling, Management and Post-Incident actions are crucial to any Security program, and this is a well recognized fact. Many companies do not test their systems, many do tests using internal 'gurus' who are generalists or hobbyists, some do it only for the sake of meeting a regulatory requirement, and so on. And unfortunately there are attacks, and then there are attacks which go undiscovered.
And there was the mother of all compromises - the TJX Maxx incident which went undetected for more than a year.
A very interesting 'anatomy' of a hack was published and provides a situational view of what is happening and what to do.
Anatomy of a hack attack
Sally Whittle ZDNet.co.uk
Published: 07 Jan 2008 16:39 GMT
With the help of security experts, we recreate a typical hack attack on two large organisations and walk through the steps that the head of IT should follow in such a case.
It will be to the advantage of the security organization to build a culture of proactive security and to continuously update and test their responsiveness to incidents. The security officers must also participate in meetings with law enforcement agencies to be informed about ground realities and any happenings which may affect their organization too.
Dinesh
Labels: hacking, incident management, security incidents
Tuesday, January 15, 2008
Education system should include IT Security
Education is key to building a culture of respect for the system in which we live, for nature, for our fellow beings and for all that which is not ours. This does not mean that I should not respect what is mine!
To get back to the subject of this post... I mentioned the need to "reorient" education at all levels, and today this is what the MP is talking about, and that's the way to go.
MP: Children must be taught IT security
Tom Espiner ZDNet.co.uk
Published: 10 Jan 2008 16:55 GMT
The UK government has said that young people need to be educated about IT security.
Minister of state for schools and learners Jim Knight told ZDNet.co.uk on Wednesday that, as there is increasing online interaction between schools and parents, young people need to know about the possible dangers of IT security being compromised.
I remember Moral Science classes in school where we were taught the virtues of honesty, loving my neighbor, respecting my elders et al. This shaped me into a responsible human being, and I believe that the same values are needed when we are talking about computing and internet usage.
12-year-olds are trading viruses!
14-year-olds are arrested for screwing up a public transport system!! The kid(s) think this is fun when grown-ups run around crazy just because he / she pressed the enter key without anyone being the wiser.
Yes, there is a need to include ethical computer usage, and it has to start young. It is a recognized fact that training and awareness are the most effective tools in any Information Security implementation, and the same solution has to be brought into the education system.
Maybe I shall check how many management or technology courses include ethical computing as part of their curriculum......... fodder for my next post.
Adios
Dinesh Bareja
"ramble securely"
Labels: children, education, IT Security, policy, practices, security, security education, UK MP statement
Thursday, December 13, 2007
This lover will take you for a ride !
A new threat on the Net....... you may be cozying up with the wrong type of lover. A lover who does not exist and is only a computer program!! This robot will turn you on and get under your skin :)
Cyber lovers warned beware of flirtatious robots
Predatory program can attract 10 partners in 30 minutes
http://www.computerworld.com.au/index.php/id;1672098041;fp;;fpid;;pf;1
Internet users are being warned about a new malware trend involving the use of natural language dialogue systems that are already deployed within gaming technologies.
The software conducts fully automated flirtatious conversations in a bid to collect personal data from those seeking relationships online.
Labels: cyber crime, online lover, online scam, robot, threats
Tuesday, December 11, 2007
Its the war syndrome....
The generals have new weapons. The generals need not be uniformed with rows of medals on their chests. Their armies need not be working out every day to be in good health etc.... They may never step out into the open to wage war because they attack through computers and networks, using invisible bits and bytes to inflict more damage than "Little Boy" and its descendants.
Well, MI-5 has warned UK based corporations to be aware of Chinese espionage. The statement makes a vague reference to 'other states' but that is unqualified.
(Check the story at http://news.bbc.co.uk/1/hi/business/7123970.stm)
Then we have the White House, yesterday, asking for a few million to fortify cybersecurity, and $ 115 m is not small change.
To add to the terror scenario we have a teenager who was controlling the largest botnet from idyllic New Zealand. And then the personal data of a person no less than the Information Commissioner is farmed off the net at a cost of 35 p in less than an hour!
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/12/04/ndata204.xml
So is the Internet going to become the nemesis of mankind? Is this where they will launch wars of a personal nature or against a state? And the intensity of the weapons will overshadow the infamous invisible WMDs.
The enemy may well be sitting at a console next to you in the neighborhood cybercafe.
Every day we have a new doomsday scenario tale, and a small world becomes smaller.
Dinesh O Bareja
Tuesday, December 4, 2007
120 countries building cyber-war capacity
McAfee report: Cyberespionage to be a top 2008 national security threat
By Jim Carr
03 December 2007
http://www.securecomputing.net.au/news/98544,mcafee-report-cyberespionage-to-be-a-top-2008-national-security-threat.aspx
A rise in international cyberspying will pose the most significant threat to the national security of the United States in 2008, according to a report from anti-virus vendor McAfee.
The company said that governments and "allied groups" will turn to cyberspying and cyberattacks against targets such as electricity grids, air-traffic control systems, financial markets and government networks - all critical infrastructure that, if compromised, could affect the country's national security, according to the report.
McAfee's annual "Virtual Criminology Report," which looks at global cybersecurity trends, was conducted in conjunction with NATO, the FBI, the Serious Organised Crime Agency (SOCA), an independent organisation formed by the United Kingdom's Home Office, and security experts from non-profit organizations and universities.
"Cybercrime is now a global issue," Jeff Green, senior vice president of McAfee Avert Labs and product development, said in a prepared statement. "It has evolved significantly and is no longer just a threat to industry and individuals but increasingly to national security. We're seeing emerging threats from increasingly sophisticated groups attacking organizations around the world. Technology is only part of the solution, and over the next five years, we will start to see international governments take action."
Tim Jemal, senior vice president of government relations for the Cyber Security Industry Alliance (CSIA), cited this year's attack on Estonian interests as an example of governments being targeted by malicious hacker groups.
"Cyberthreats to the United States pose a growing risk to national security, that's true," he said. "When a technology-savvy country like Estonia was recently crippled by botnet attack from Russian sources, it's a clear indication that cyberspace is being used by some criminal sources to destabilize countries, and the United States is definitely a target."
Other trends include increasing threats to online financial services and the emergence of a complex and sophisticated market for malware, according to the report, which noted that 120 countries "now use the internet for web-espionage operations," with many of the cyberattacks originating from China.
While Jemal wouldn't comment on McAfee's estimate of 120 countries involved in web-based espionage, he said many were using the internet in other malicious activities.
"Twenty-five nations, including China, are engaged in cyberwarfare programs," he said. "They use cyberspace as a weapon against another country."
The report also indicates that cyberattacks have become "more sophisticated, progressing from initial curiosity probes to well-funded, well-organised operations designed." These operations, designed to slip under the radar of government defenses, increasingly encompass political, military, economic and technical espionage, according to the report.
Cybercriminals are also developing new attack methods. These include "vishing," or phishing via Voice over IP phone networks, and "phreaking," hacking into telephone networks to make long-distance phone calls.
Labels: cold war scenario, cyber terror, cyberwar, espionage
Sunday, December 2, 2007
Bhelpuri - the ultimate privacy mish mash
Inspired by
http://timesofindia.indiatimes.com/articleshow/msid-2586516,prtpage-1.cms
Isn't it apt that identity and card information was available in a bhelpuri, and that too at the hands of a techie, with the source being the world's largest chip maker and the world's largest car rental company.
The bhelpuri is the ultimate Indian smorgasbord - a mish mash of a snack which can be spiced up on a scale of 0 to infinity, and can symbolize all the regulations and controls thrown into a wrapper and mixed into oblivion so no one knows what came from where - just pass the audit, make sure there is evidence of controls.
Oh, I am digressing, this can be a plot for a new Bollywood blockbuster "Secure Bhel" and the catch line will be CIA on the street.... Compromised and Internationally Available.
Is this another lapse which is being swept under the carpet? Now we wonder, as security professionals, if a company on the bleeding edge of technology can send private data in this manner, what is the state of its internal systems? Not that they will reveal this.
Well, that is the international giant, the bleeding edge technology company, and they do not have a clue about security of private information because they are busy securing technology IP. So how about the leading car rental company which handles tons of personal data, from credit cards to driver licences, addresses, birthdates, travel plans etc - how does current and valid personal data land up in a snack! Is this how they treat personal data of clients - boy, I would love to audit them and take them to the cleaners.
This rambling was prompted by this article......
Credit card info found on bhelpuri wrapper
1 Dec 2007, 0238 hrs IST,Kavita Kukday,TNN
MUMBAI: On Tuesday evening, Aneesh, a media professional in his thirties, bought a packet of bhelpuri from the roadside vendor in MIDC, Andheri. While munching on the snack, he happened to glance at the paper cone in which the vendor had mixed the bhel. His curiosity was piqued. It was a computer printout of an invoice for a car rental. Once he had eaten up his bhel, he studied it carefully: it had the name of a credit card holder, the 16-digit credit card number, the three-digit batch number (from the back of the card) and the expiry date. In short, all the ammo needed for online transactions.
It was an American Express card. The request had gone on email from tech firm Intel to Avis, an international car rental firm with offices in India. It was sent in March last year for an Intel guest who was staying at the Grand Hyatt and needed to hire a car for a day. Despite the invoice being more than a year old, the expiry date (Feb 2008) showed that the card was still valid. To heighten the risk, it was a company credit card, which automatically scales up the chances of misuse --- not only is the credit limit higher, even the authenticity of the spends is tougher to track.
So how did such sensitive information find its way to the bhelwalla? While the paper trail is hard to trace to source, an important stop must certainly have been the raddiwalla.
An Intel spokesperson said, "It is an unfortunate incident and Intel is deeply concerned. We hold our employee confidentiality in the highest respect. We are currently investigating the matter."
Those in the credit card business warn that this is not an isolated case. Security norms for digital transactions are still very lax in India, and the use of shredders for documents is almost non-existent.
The bhel-puri credit card story, however, had a safe ending. The person eating bhel didn't head for the nearest cyber cafe. He carefully ironed out the paper cone and passed it on to a writer friend, who called TOI.
http://timesofindia.indiatimes.com/articleshow/msid-2586516,prtpage-1.cms