The recent loss from unauthorized trading at UBS was revised upward to $2.3 billion as announced Sept. 18, 2011:

The actions of a single rogue trader are blamed, and UBS has disclosed that the magnitude of the risks taken by the trader was masked by “fictitious positions”. Everyone appears to agree this situation was caused by a lack of internal controls. The real question is, what is meant by internal controls? Usually, the term refers to internal policies, procedures and protocols. Sometimes these are a reflection of governmentally imposed requirements (for example Sarbanes-Oxley), but mostly they just refer to an organization’s own interpretation of what constitutes good governance. The concept of “checks and balances”, otherwise known as Segregation of Duties (SoD), is supposed to help safeguard good governance. An organization’s corporate policies should be reflected in, and enforced by, its enterprise computer systems.

Unfortunately most internal policies depend on voluntary compliance by employees, otherwise known as an “honor system”. The deterrent against non-compliance is discipline or termination, again basing the control mechanism on human ethics and emotional drivers. Experience shows that this approach breaks down from time to time when a rogue individual chooses to circumvent approved processes. In the case of UBS, or the very similar €4.9 billion Société Générale case several years earlier, the individual may have been motivated not by personal gain but by the potential fame of achieving huge trading gains for their employer. In several recent fraud cases involving Citigroup and Bank of America, personal gain was the driver, where bank insiders embezzled large sums for their own use.

Regardless of motivation, these individuals were not prevented from acting, because computer system controls were absent.

Most users of corporate enterprise computer systems log on at the beginning of their work session with a profile consisting of username and password, and that is the extent of system control. Password use is a category of security techniques called “what you know”, in other words, a piece of information which could be acquired by anyone including an unauthorized user. The computer system has no way of knowing if the operator that has logged on is the designated user of the profile, or an impostor who has stolen or guessed the password combination. In other words, no true identity management takes place, only validation of a theoretical user profile. Given this inherent vagueness, even when insider fraud is discovered, it is often legally impossible to convict a suspect due to the circumstantial nature of password use.

From a computer system perspective, techniques are available to exert more stringent controls which are not based on voluntary compliance, and which use true identity management. This entails the use of biometric verification of the person logging on. A biometric credential such as a fingerprint is unique to an individual and cannot be guessed or stolen, because it is based on a person’s physiology. This category of security techniques is known as “who you are”. Organizations wishing to truly take charge of who has access to their enterprise system would be well advised to consider the use of biometrics instead of passwords.

Using biometric controls is not limited to the moment of logging on to a system; in fact, what happens inside the system is even more important. It should be possible to set up additional checkpoints inside the system whenever a critical activity is performed. This could mean anything involving sensitive data, or large amounts of money, or information that would be of value if stolen. For example, if a user is transferring a large sum of money, or setting up a new trading account, or opening a customer’s record with all their personally identifiable information (PII) visible, these activities are critical enough to require the operator to re-authenticate with a fingerprint. This can accomplish several goals:

a) Absolutely prevent a user from gaining access to unauthorized areas.

b) Create true accountability for a user’s actions.

c) Enforce any segregation of duties, or checks and balances, as deemed necessary by the organization’s business processes or government regulation (e.g. HIPAA, ITAR, etc.).

d) Generate a robust audit trail of user activities, even failed attempts.

e) Provide employers with legal ammunition to pursue rogue employees.
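To show how the checkpoints in a) through e) fit together, here is an added example (not code from the original post, and not bioLock or any vendor’s product) of a small in-system control point: critical activities require a fresh biometric re-authentication, a segregation-of-duties rule is enforced, and every attempt, refused or not, is written to an audit trail. The scanner hook `verify_biometric`, the 60-second freshness window and the SoD rule are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Activities the organization tags as critical; the post's examples are large
# transfers, new trading accounts and viewing a record with full PII.
CRITICAL_ACTIONS = {"wire_transfer", "create_trading_account", "view_pii"}

# How long (seconds) a biometric re-authentication stays "fresh"; constructed value.
STEP_UP_MAX_AGE = 60

# Segregation-of-duties rule, constructed for this example: the person who set
# up a trading account may not wire money out of it.
SOD_CONFLICTS: Set[Tuple[str, str]] = {("create_trading_account", "wire_transfer")}


@dataclass
class AuditEvent:
    time: int
    user: str
    action: str
    target: str
    outcome: str


@dataclass
class ControlPoint:
    # verify_biometric is a hypothetical hook: it asks the workstation scanner
    # whether the person present matches `user`. A real deployment would call
    # the scanner vendor's SDK here; the example only needs the yes/no answer.
    verify_biometric: Callable[[str], bool]
    audit: List[AuditEvent] = field(default_factory=list)
    _last_reauth: Dict[str, int] = field(default_factory=dict)
    _history: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)

    def _record(self, time: int, user: str, action: str, target: str, outcome: str) -> str:
        # Every attempt goes into the trail, including the refused ones (goal d).
        self.audit.append(AuditEvent(time, user, action, target, outcome))
        return outcome

    def perform(self, time: int, user: str, action: str, target: str) -> str:
        """Gate one activity; returns "ok" or a "denied:<reason>" string."""
        if action in CRITICAL_ACTIONS:
            last = self._last_reauth.get(user)
            if last is None or time - last > STEP_UP_MAX_AGE:
                # Checkpoint: the logged-on profile is not enough, the person at
                # the keyboard must re-authenticate with the scanner (goals a, b).
                if not self.verify_biometric(user):
                    return self._record(time, user, action, target, "denied:biometric")
                self._last_reauth[user] = time
        done_by_user = self._history.setdefault(user, set())
        for earlier, later in SOD_CONFLICTS:
            # Segregation of duties (goal c): the same person may not perform
            # both sides of a conflicting pair against the same target.
            if action == later and (earlier, target) in done_by_user:
                return self._record(time, user, action, target, "denied:sod")
        done_by_user.add((action, target))
        return self._record(time, user, action, target, "ok")
```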

UBS and Citigroup have doubtlessly pursued vigorous internal investigations, of which only a few details have been released in news reports. However, we have learned from those news reports that the rogue insiders drastically overstepped their credentials and falsified accounting records, meaning they set up fake transactions, fake customers or fake vendors. This would only be possible in a system based on passwords, and would be impossible in a system using biometric re-authentication as described above. While the financial institutions affected by these losses have publicly announced re-examinations of their policies, and have appealed to their employees for higher professional and ethical standards, unless biometric controls are implemented within their computer systems it is only a matter of time before another employee gives in to temptation.

Biometric system controls can be enabled using commercially available software such as bioLock™ for SAP®. Such software also requires the presence of biometric scanners installed at users’ workstations or mobile devices. The most widely available, reliable and cost-effective devices are fingerprint scanners or biometrically enabled smart cards from various manufacturers. These devices transmit the scanned, encrypted biometric data back to the identity management software located in the enterprise host system, which then controls what a user is allowed to do according to their security credentials. This type of biometric control, based on “who you are”, is the most advanced security technology available today for enterprise systems.

Fraud perpetrated by trusted insiders usually remains poorly documented as the corporation affected tries to contain the negative publicity. A sketchy outline of what happened is often all that reporters can learn, but missing pieces of the story can be deduced. Although the following report only gives a vague description of a large fraud perpetrated by a bank Vice-President, the trick probably consisted of first making accounting entries against the bank’s debt adjustment account (a/k/a “write-off”):

Later, journal entries were made transferring the funds to a cash account and finally out of the bank via wire transfer, using “counterfeit contracts and deal numbers to mask the transfers”. It would certainly require a supervisory level of accounting skill and understanding to know how to use write-off accounts to deflect suspicion, since that is where money can be made to disappear “down the rabbit hole”. The process would also have required administrator rights and system access. Due to the significant sums involved, numerous large transactions must have occurred in order to arrive at the total amount that was embezzled. Surely the traditional $10,000 benchmark used by IRS or FBI would have been exceeded in individual wire transfers and should have triggered attention. Also, the overall scope of the accounting entries made would have likely exceeded segregation of duties (SoD) guidelines. The question is, how could this occur?

This Wall Street Journal account portrays the accused not as a VP but as “an anonymous drone in Citi’s treasury department in Queens, N.Y”, focusing on the lavish lifestyle afforded by the bank’s embezzled cash:

Leaving aside questions of governance, would an employee at this level, supposedly earning less than $100,000, be driving up to his office in a Maserati or chauffeured BMW? The chauffeur was apparently needed because he was legally blind, although not blind enough to keep him from appreciating the view over the Hudson River from his $920,000 condo bought with Citi’s cash. These patterns alone should have aroused suspicion, especially over the course of many years that the fraud was ongoing.

In the case of the $2.3 billion UBS trading loss, fraudulent accounting also played a starring role:

In this case, speculative market positions were hedged by fake offsetting positions that appeared to mitigate the overall risk to UBS. Such trading positions would have to be created by someone with sufficient system credentials and accounting knowledge to set up fake customer accounts in the transactional computer system against which to record the phony transactions. Segregation of duties again comes into question. UBS senior management has appealed to their staff’s sense of professionalism, tradition and pride to prevent further incidents.

In both the Citigroup and UBS situations, the common thread is that phony accounting happened, involving the creation of fake customers and transactions by senior finance professionals who knew how to exploit the lack of controls in their computer systems. It sounds like the $6.7 billion Société Générale loss of 2008, following which process reviews and controls were supposed to prevent future fraud, but in reality nothing changed.

Prevention of insider fraud cannot rely on the ethics of the employees – that would be an honor system. Real prevention requires instituting robust controls within computer systems such as biometric authorization and tracking.

Last month’s notorious Defcon show in Las Vegas attracted an extremely varied audience of 10,000. It is the only show where attendees do not provide names; at Defcon the $150 entrance fee has to be paid in cash for maximum anonymity. As the showcase for hacking techniques, presumably the brightest underground talent was on display, attracting the attention of many government agencies such as DOD, DHS, NASA and NSA. The NSA is known to be looking to hire 3,000 employees in the next two years for cyber offense and defense roles. According to Richard “Dickie” George, technical director of the NSA’s Information Assurance Directorate (the agency’s cyber-defense side), “today it’s cyber warriors that we’re looking for, not rocket scientists.” The quoted article was published prior to the conference; for obvious reasons there is no report after the show mentioning how the hiring went – presumably quite well, although the required background check process may be taking more time:

The show’s founder, Jeff Moss, was appointed to the Department of Homeland Security’s Advisory Council (HSAC) several years ago by the President to help with national initiatives against cybercrime. However, he is also known as the “Godfather of Hackers”, having also founded the Black Hat IT security conference, and so understands both worlds. Many corporations are also realizing that they need to hire talent from the “other side”. After Apple was repeatedly embarrassed by 19-year-old Nicholas Allegra’s iPhone “jailbreaking” programs, they decided to hire him as an intern:

In another example, Facebook has a standing offer to compensate those who report bugs, and has paid $40,000 to various parties in a recent three-week period.

In both examples, non-conventional talent seems to provide very high returns to these companies – despite paying far less than typical salaries would have cost. The following comments from Nicholas Allegra give some insight into the hackers’ view of the world. He said that he would consider working for what he called “the dark side.” On the other hand, “to work on ways of adding security instead would be kind of refreshing. I guess it’s just about the challenge, more than anything else.” He also refers to himself as an Apple “fanboy,” and said he sees Android’s more open platform as “the enemy.”

Once upon a time, conventional opinion was that major cyber-attacks required major resources, such as those available to foreign governments seeking to damage their targets. These opinions are out of step with today’s reality. Michael Chertoff, former DHS secretary, told attendees during keynote remarks at the 2011 Gartner Security & Risk Management Summit that in recent years he has seen technology evolve to the point where government resources aren’t needed to launch large-scale information security attacks.

Recent attacks have sometimes involved small groups or even teenagers, possibly acting alone, such as this 19-year-old recently arrested in England as a suspect.

Before you think this is only about teenagers, know that corporations get involved as well. The following case (and here the corporation is not the victim but the alleged perpetrator) involves News Corporation ($32 billion in revenue) and its British tabloid News of the World.

Apparently, the newspaper had for years made a habit of hacking the mobile phones of celebrities, politicians and crime victims to spice up the contents of its reporting. News Corp has basically admitted guilt by its decision to shut down the newspaper permanently. This still leaves the News International paper, also owned by News Corp., which specifically targeted the British Prime Minister:

Hackers operate under a rather murky set of ethics and codes of conduct. Corporations practicing industrial espionage may believe that the end justifies the means. Individual hackers may see themselves in a “Robin Hood” role, but who their beneficiaries are is difficult to say. Sometimes they like to be viewed as performing a valuable service, such as this group warning of a weakness in Apple’s developer website. It is hard to say whether this will help Apple more than it helps others immediately exploit the weakness:

Obviously there is no more room for complacency in today’s security world. Information piracy has evolved to a new level and become accessible to many more participants. Experts are increasingly saying that many recent high-profile breaches have not even involved any advanced or groundbreaking techniques. And now you don’t know whether to be on the lookout for a teenage intruder, or a corporation with substantial resources, who is testing the defenses of your networks.

Security administrators have to similarly step up their game.


Last week I passed on an opportunity to attend a 2-day seminar on ethical hacking, which made me realize that this information is becoming very accessible. Small wonder therefore to see the rash of attacks against numerous corporate and government websites, such as the CIA or the International Monetary Fund:

Many of these cyber-attacks apparently used SQL injection to get past firewalls or network perimeter security. In the case of the LulzSec group, a 19-year-old member just arrested was alleged to have breached a British law enforcement system, for motives that are unclear. This approach to network intrusion is now being referred to by some experts as “low-hanging fruit”, in other words presumably quite easy if you know how! Clearly, re-evaluating network perimeter security should be a priority for all at this point. Equally important is, what happens once an intruder is inside?

With so many sites having been breached, there seems to be a common thread in the banking and e-commerce reactions. A letter is sent out to customers, stating that although there was a breach, the really important data, such as customer birthdates, Social Security Numbers and so on were not seen, while less critical data like names and addresses might have been viewed (although this means that “Personally Identifiable Information” was copied). The hope is apparently that customers will believe that data storage was compartmentalized with progressively escalated security measures. Having personally received such letters from several card issuers, I can say that none of them even claim that any data was encrypted. I would have thought that the best public relations stance would be to state that fact. However, since some data was exposed, the more likely scenario is that some companies used no encryption at all. In other words, there was no second line of defense.

Eddie Schwartz, the new – and first – chief security officer of RSA, said in his first interview that “we’re in a new era of computer security in which every type of organization – banks, corporations, governments and even security providers – are being penetrated.” “It’s just a fact of life that we all have to come to grips with,” Schwartz says. “Now the question is, how open is that window of risk during which the attacker is in our organization and can we put measures in place that increase both control and visibility during that timeframe?” It sounds like secondary lines of defense are the key to reducing the window of risk. Putting those in place is probably preoccupying many IT managers right now.

Happy 4th of July.


Jun 16

The impact of the RSA SecurID breach is still unfolding. The decision by RSA to finally appoint an experienced Chief Security Officer comes after a slow process of contacting customers to offer full replacement of millions of existing security tokens:

RSA SecurID is usually based on a two-factor authentication mechanism. The device supplies a time-sensitive six-digit one-time password. This originates from a “seed” algorithm which is unique to each serialized token. The same seed is stored on the server, to generate the identical six-digit code as the token during a given 60-second window for comparison. This information is what hackers apparently gained access to. Adding the user password (“what you know” plus “what you have”) adds some level of complexity, as the password would not be stored on the token, just on the server, and is memorized by the end user. From personal experience, these passwords are generally limited to a four-digit numerical code, i.e. less than 10,000 possible combinations, and are not regularly changed. Add the fact that many users’ passwords are really simple (did you try “1111”?) and you have a “piece of cake” for a brute force attack. If the passwords were stolen from the servers then this step would not even be necessary.

By RSA’s admission, this breach would allow hackers to generate the one-time codes without having access to the physical tokens. Users of the tokens who have accepted the offer of replacement, including Bank of America, SAP and Lockheed Martin, will have to have faith that RSA has plugged their security holes, or else worry that the first round of token replacements will not be the last.
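To make concrete why a leaked seed database is so damaging, here is an added example (not RSA’s code: the code derivation uses the public HMAC construction of RFC 4226/6238 as a stand-in for the proprietary SecurID algorithm, which is an assumption, as are the token serial, seed and PIN). It shows that the seed alone reproduces the token’s codes, why the server-side PIN is the only remaining factor, and the lockout a server needs so that a four-digit PIN cannot simply be exhausted.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60   # the post describes a 60-second code window
CODE_DIGITS = 6


def code_from_seed(seed: bytes, unix_time: int) -> str:
    """Derive the one-time code for the window containing unix_time.

    Assumption: HMAC-SHA1 over the window counter with dynamic truncation
    (RFC 4226/6238). RSA's own scheme is proprietary, but the point holds for
    any such design: the seed alone determines every code the token displays.
    """
    counter = unix_time // WINDOW_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class AuthServer:
    """Server side: holds seed + PIN per token serial and counts failures."""

    def __init__(self, tokens: dict, max_failures: int = 5):
        # tokens: serial -> (seed, pin). Constructed data is supplied by the caller.
        self._tokens = dict(tokens)
        self._failures = {serial: 0 for serial in tokens}
        self.max_failures = max_failures

    def verify(self, serial: str, pin: str, code: str, now: int) -> str:
        if serial not in self._tokens:
            return "unknown"
        if self._failures[serial] >= self.max_failures:
            # Lockout is what keeps a 10,000-value PIN space from being
            # walked once the seed (the "what you have" factor) is known.
            return "locked"
        seed, expected_pin = self._tokens[serial]
        pin_ok = hmac.compare_digest(pin, expected_pin)
        # Accept the current window plus one on either side for clock drift;
        # both checks always run so timing does not reveal which one failed.
        code_ok = any(
            hmac.compare_digest(code, code_from_seed(seed, now + d * WINDOW_SECONDS))
            for d in (-1, 0, 1)
        )
        if pin_ok and code_ok:
            self._failures[serial] = 0
            return "ok"
        self._failures[serial] += 1
        return "denied"
```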


Jun 6

After this week’s revelation of a third security breach, this time involving one million compromised accounts at Sony Pictures Entertainment, one starts to wonder whether Sony is looking in all the right places for answers. A data breach is usually presumed to occur via direct outside attack by third parties on databases or data centers. But it could also originate from insider sources who facilitate the attack by participating in some way to effectively “hold the door” for the intruders.

Despite vigorous security initiatives like rebuilding data center firewalls and such, intruders still were able to penetrate Sony’s new defenses. This increases the likelihood of the involvement of insiders who might have the knowledge to either bypass security controls without “breaking and entering”, or perhaps gain access to databases via the standard ERP interface without leaving a trail. Even just the ability to set up user profiles, in the absence of a rigorous audit trail, can result in fake user profiles which are then used for nefarious purposes.

Surprisingly, many organizations have not seen fit to improve activity logging which would allow forensic analysis of system events. Most systems rely purely on username/password combinations to identify and validate the “actors” who navigate their ERP systems. Inside fraud can be committed using such theoretical personas, because there is no identity management connecting the persona to a real person via biometric verification, or at the very least a form of two-factor authentication.

Given the ineffectiveness of previous approaches, perhaps Sony could try to eliminate the possibility of insider involvement by implementing stronger internal controls over system activity.


Recent major security issues like the RSA SecurID hack, or the Epsilon and Sony breaches, make one wonder whether lightning has not been striking a bit too often. Ironically hackers are developing a preference for using Amazon’s Elastic Compute Cloud (EC2), which can be used almost anonymously, for carrying out their activities. Amazon itself has recently suffered from significant outages in their Elastic Block Store (EBS) service, which it has recently explained in a very detailed and technical statement, although we can only guess what the real or complete details behind these problems might be.

Surprisingly, the Ponemon Institute’s recent Security of Cloud Computing Providers study reveals that cloud providers do not put security as the No. 1 concern in providing their services:

Imagine if your local bank where you keep your money did not treat locking its doors and vaults as its first priority.

It is reminiscent of parking lot tickets, where the fine print on the back disclaims any responsibility towards the customer beyond renting them a parking space.


Sony’s Virtual Battle

posted by Martin
May 3

In contrast to the Epsilon “business as usual” approach, Sony has been reeling from the security breach which has had the PlayStation Network shut down for several weeks.

Sony has now freely admitted that personal information of up to 77 million PlayStation users was compromised. Their website provides advice to users for obtaining free credit reports, in case any users believe they are victims of identity theft:

While this disclosure is to be applauded, Sony’s refusal to testify at a US House Energy and Commerce subcommittee hearing scheduled this week seems a tacit admission that they have not yet identified how the cyber attack on their data center in San Diego, CA could have happened:

The initial breach has been compounded by the discovery of additional impact on the Sony Online Entertainment games network, resulting in further losses of customer data involving another 25 million accounts and SOE taking down that network for repairs. Estimates of the cost to Sony, primarily from lost revenue, have ranged up to $50 million; however, the real damage could be in terms of their market share, which has been eroding.

While Sony is taking this very seriously, experts are divided as to the actual risk. Congress is pushing for legislation forcing companies to immediately disclose any data breaches to consumers to reduce the risk of identity theft and fraud. The real solutions as suggested by some experts might include a reevaluation of network security procedures, which often still rely on username and password combinations:


Apr 22

Everyone had hoped that the announcement of Epsilon’s massive data breach was just a bad April Fool’s joke, but no such luck. Ripples from the event continue to spread. Consumers over the last few weeks have received multiple communications from major clients of Epsilon such as banks, large credit card providers or other vendors. They all share an obvious concern for managing the potential damages in advance, while assuring everyone that no financial information was lost, only consumers’ names and email addresses.

Epsilon, which by its own description is the world’s largest permission-based email marketer, sends about 40 billion emails annually on behalf of 2500 major corporate clients. The reported breach affected about 2% of their clients. Not known is how many consumer email addresses that equates to. Putting this into context, two percent of the client list may be only 50 companies, but when those might be Fortune 100 banks and credit card providers the true significance emerges. Several points are troubling:

Epsilon and their clients insist that no “Personally Identifiable Information” (PII) was lost. The term PII is governed by the National Institute of Standards and Technology, under the auspices of the U.S. Department of Commerce, which publishes the “Guide to Protecting the Confidentiality of Personally Identifiable Information” (April 2010):

In that document’s definition, a person’s full name or email address clearly qualifies as PII. Did Epsilon not check the definition? And is a name and email address not sufficient for a “phishing” attack to be sent?

Secondly, how do they know what data was compromised? When you find the barn doors open and the horses gone, it is not difficult to assess the damages. But when an electronic copy of the horses has left the barn, how do you measure that?
