Saturday, January 26, 2008

$7 billion rogue trader turns himself in

The $7 billion rogue trader has turned himself in to French authorities.

Nicola Clark of the NY Times just reported:

Jérôme Kerviel, a former trader at Société Générale, surrendered to the police on Saturday as investigators looked into what had caused the bank, one of Europe’s largest, to lose more than $7 billion.

When the story hit the wires, Kerviel's attorney stated that he would be available to speak with judicial authorities.

The $7 billion question for the authorities and the rest of us us:

The bank’s management has come under increasing pressure from French officials to provide a more detailed accounting of how Mr. Kerviel could have racked up such enormous losses by himself, over a year, without raising any red flags among either his supervisors or the bank’s internal auditors.

Many familiar with the situation are speculating that the recent problems with the stock market caused the losses to unexpectedly grow, which led to them becoming transparent.

NY Times story, here.

My original post on this (probably historical case), here.

Scientology taken on by anon hackers

There seems to be a growing controversy with Scientology recently. Not sure why, it didn't exactly appear on the scene yesterday. Besides that most of us are supposed to believe in "freedom of religion."

Well .... I guess the word "most" doesn't necessarily mean "all?"

A lot of people seem to be harmed in the name of religion! When this occurs there seems to be a lot of disagreement on what the "word" actually is.

I try to be one of those people, who believes in freedom of religion so I'm not going to come to any conclusions in this post and merely document the phenomenon.

The most recent twist to the public focus on Scientology is that "anonymous" hackers reportedly shut down their site with a DDOS attack.

CNet (Robert Vamosi) did an interesting article about the conflict this anonymous group has with the Scientologists.

In it he writes:

A group of vigilantes--calling themselves Anonymous, or Anon--are escalating their attacks against the Church of Scientology in what they consider to be Internet censorship by issuing new video challenges.

The CNet article reference a YouTube video posted by this anon group (still up and running).

The article references a website called "Project Chanology," which appears not to be accessible at the present time. I wonder if the Scientology folks counterattacked?

Interestingly enough, I checked and the Scientology.org is up and running as of this writing.

Undaunted I did a little more digging and found a decent "Wikipedia" write-up on Project Chanology, here.

Here is a snippet from Wikipedia on the latest attack by Anon:

Calling the action by the Church of Scientology a form of Internet censorship, a series of DDoS attacks against Scientology websites, prank calls, and black faxes to Scientology centers were organized. They call for this to continue until they have "total and complete destruction of the present form of the Church of Scientology". Members of "Anonymous" were directed via a web site set up for the group to download denial of service software in order to take down the website Scientology.org.

According to the Wiki, a lot of the recent focus on this started after the unauthorized biography on Tom Cruise was published and the "Church" threatened YouTube with a lawsuit over a video showing "a manic-looking Cruise who gushes about his appreciation of Scientology."

Of course, I can remember Tom gushing on Oprah's couch over Katie in what some would consider a manic manner, also. Maybe gushing in a manic manner is part of his personality?

As a disclaimer, I know a lot of guys who have done a little manic gushing over a woman they were in love with. The difference probably is that most of them never get a chance to do it on the Oprah show.

Here is the latest YouTube video from Project Chanology:

Kidnapping scams head North of the Border

Over the years, I've heard stories of illegal immigrants having family members kidnapped, or held in safe (?) houses until they pay up. Sometimes the kidnapping occurs in Mexico -- where kidnappings are common -- and the illegal aliens are compelled to wire money for the release of their loved one(s).

Dane Schiller of the Houston Chronicle recently wrote a interesting article about this with a slightly different twist. In this article, the alleged victim fakes the kidnapping and attempts to collect the money, herself.

From Dane's article:

A chilling voice mail came over Delfino Ramirez Diaz's cell phone: His pregnant and sobbing girlfriend told Ramirez she'd been snatched by kidnappers and only a ransom of $10,000 would stop them from inducing labor and selling their twins on the black market.

"Help me, my love! Help me!" Maria Isabel Puente said in Spanish. "They said they are going to give me an herb to remove my babies," she continued. "I love you so much. Whatever happens, I love you so much."

The incident, which police said played out quietly in Houston last week, turned out to be a scam.

The article quotes a retired FBI agent, who is now the mayor of a town in Texas as saying:

Retired FBI agent Raul Salinas, who taught anti-kidnapping courses to Mexican police and is now mayor of the border city of Laredo, said kidnapping scams are so common in Mexico that there is a term for them — autosecuestro — which basically translates as "self-kidnapping."

"I handled a couple in Mexico City — they would claim they were kidnapped and they were just trying to extort their families," Salinas said.
Going back to the alleged kidnapping in the article found the so-called victim in an apartment and arrested her.

Interesting article from the Houston Chronicle, here.

When I first started writing this post, I referenced I few personal instances of hearing about illegal immigrants being kidnapped, or having family members held for ransom. I decided to run a Google search, "illegal immigrants kidnapping," and a lot of references to this subject. If you would like to see for yourself, the search results are here.

Since illegal immigrants are generally fearful of reporting things to the authorities, it makes me wonder how much of this might be going on?

No matter what side of the immigration debate you are on (one thing is for certain) a lot of criminal activity is hidden within this growing issue.

Friday, January 25, 2008

The $7 Billion Fraudster


(Photo courtesy of Zorg at Flickr)

Jerome Kerviel -- who may have cost his employer somewhere around $7 billion -- might prove that no security system is flawless, especially when the person compromising it has been given access to it.

Molly Moore of the Washington Post reports:

For five years, Jérôme Kerviel toiled in the back offices of Societe Generale, learning the intricacies of the six-layer security system that France's second-largest bank used to protect its money, investors and customers from fraud, according to bank officials here.

Kerviel then made an unusual career move. He was promoted to trader -- becoming one of the very employees the security systems are designed to oversee and keep honest.
Of course, no exact details (they seldom are for obvious reasons) are being given as to how Jerome pulled this off, but he is being described as a "computer genius."

I did notice in the Washington Post article that Jerome was keeping two sets of books, which is an age-old method of committing white collar crime. Jerome was also voiding transactions to cover up questionable transactions, which is hardly a new method of fraud, either.

The trader maintained two sets of books, one in which he kept accounts of his successful investments, and a secret parallel book where he was "voiding his losing positions," Bouton said.

"He knew when controls were going to take place," Bouton said, because "over the years he had become an expert in controls." Bouton said Kerviel managed to outmaneuver six levels of controls and firewalls intended to detect and prevent fraud.
Most high tech fraud is based on tried and true (even historical) methods of deception. Too often, organizations rely on computerized detection systems that might be a little too predictable. This is especially true when dealing with someone, who has been given access to them and understands how they work.

All too often, organizations are sold one form of technical protection only to find out that in a given period of time, someone has figured out how to circumvent them. Once this occurs, they need to buy another system, which might be circumvented over time, also.

Human beings are very adept at figuring out how to circumvent (hack) systems. In fact, there seems to be communities of people dedicated to hacking whatever new technology comes out.

If Jerome was able to cost his employer $7 billion dollars, he has set a new record. The person, who set the previous record is mentioned in the Post artice, and even made a quote from prison:

If confirmed, the losses at the bank would be the largest ever caused by an individual trader. They are far higher than the $1.4 billion run up by trader Nick Leeson in the mid-1990s in Singapore. His fraud caused the collapse of the institution where he worked, Britain's 233-year-old Barings Bank.

Leeson, now living in Ireland after serving a prison sentence in Singapore, told the BBC that he was not shocked such a fraud had happened again, but that "the thing that really shocked me was the size of it."

Maybe we shouldn't be so shocked? Perhaps the problem is an over reliance on systems to prevent fraud without enough human interface? Computers only do what they are told to do and it takes a human being to circumvent them.

Technology is a wonderful thing and a great tool, but when it comes to protecting anything, common sense and the human factor need to be considered carefully, also!

The Washington Post article also has some interesting speculation on how this might have had an effect on global markets. The article can be seen, here.

Tuesday, January 22, 2008

Symantec reports sighting drive-by pharming in the wild



We hear a lot about phishing, but we don't see a whole lot written about pharming. According to a blog post on Symantec's blog by Zulfikar Ramzan, we might start seeing pharming mentioned a lot more than it has been in the past.

According to Zuftikar, the first instances of drive by pharming are being seen in the wild (on the Internet). This means a computer can be infected by merely viewing a e-mail, or website without clicking on a attachment, or link.

"Pharming (pronounced farming) is a Hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software," according to Wikipedia.

In Zuftikar's own words:

In a previous blog entry posted almost a year ago, I talked about the concept of a drive-by pharming attack. With this sort of attack, all a victim would have to do to be susceptible is simply view the attacker’s malicious HTML or JavaScript code, which could be placed on a Web page or embedded in an email. The attacker’s malicious code could change the DNS server settings on the victim’s home broadband router (whether or not it’s a wireless router). From then on, all future DNS requests would be resolved by the attacker’s DNS server, which meant that the attacker effectively could control the victim’s Internet connection.

Here is a further description of the activity seen in the wild, which reveals how deceptive (not to mention deadly) this type of pharming attack could be:

In one real-life variant that we observed, the attackers embedded the malicious code inside an email that claimed it had an e-card waiting for you at the Web site gusanito.com. Unfortunately the email also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site.

Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead. Anyone who transacted with this rogue site would have their credentials stolen.
Please note that many users fail to change preset (factory) passwords, which leaves hardware vulnerable to being compromised. These preset passwords aren't very difficult for those with malicious intent to get their greedy paws on. I've even run into preset passwords on technical manuals posted on the Internet.

What is SCARY in this instance is that the specific router targeted in this attack didn't need a password to compromise the system.

Quite simply, the router didn't authenticate the request.

The malicious code which makes this attack possible can be inserted on the inside of a e-mail message, or directly off a web page. It isn't necessary to click on something to start the execution (pardon the pun) process.

Once this occurs, the hacker controls your router and can send you anywhere they want to.

Zuftikar offers a lot of sound recommendations on how to protect yourself from pharming attacks.

Note that he still recommends changing the factory preset passwords on any router you might own. The problem in the instance observed occurred with a particular type (brand) of router.

To view these recommendations, I recommend you read his interesting post, which can be seen, here.

Truston Identity Theft Services recognized in Javelin Report as standing apart from the competition

Tom Fragala, CEO of Truston just dropped me a line about his "privacy friendly" identity theft protection and recovery service being mentioned in the most recent Javelin report.

In Tom's own words:

Truston was featured in a Javelin Strategy & Research research report entitled "Identity Fraud Protection Services: Double Digit Growth to Continue."

The report, released December 2007, provides a comprehensive analysis of the key identity theft protection services and is based in Javelin's leading consumer survey data. According to the report, "MyTruston stands apart from other identity protection vendors in this space."

Other companies featured include Equifax, Experian, TransUnion, Fair Isaac, LifeLock, Debix, FraudStop (Identity Safeguards), Identity Guard (Intersections,Inc.) and TrustedID. Read the report brochure here (PDF) and our press release.

Truston stands apart from the other services because it is privacy friendly. Other services require that you give them all your personal information to be maintained in (my guess) another data base. The other feature Truston offers is free prevention tools. A customer only pays for recovering IF and when they become a victim.

The report mentions that there is double digit growth in this industry despite reports showing that identity theft has been on the decline for the past three years.

Please note that a lot of people, watching the identity theft problem, don't necessarily agree with this statement. Maybe this is one of the underlying reasons for the double-digit growth?

One of the biggest problems in compiling accurate statistics is that not all identity theft is reported. A large portion of it is simply written off as a loss by financial institutions, and never reported outside these institutions to the organizations putting together the statistics.

Tom is also a blogger and writes about identity theft. His blog can be seen, here.

Sunday, January 20, 2008

Do secure storage/destruction facilities really protect information from theft?

Information by it's very nature is hard to inventory. Let's face it, it isn't cash or precious gems and it can be copied in a LOT of different ways.

This fact also gives the entity losing it a lot of deniability. Most of the time, it's impossible to be 100 percent sure what happened to any information discovered missing.

Could a tape gone missing at a secure storage facility owned by Iron Mountain containing 650,000 customer files reveal that these facilities provide us with a false sense of security?

Robert McMillian at Computer World is reporting the latest information on this story:

A backup tape containing credit-card information from hundreds of U.S. retailers is missing, forcing the company responsible for the data to warn customers that they may become the targets of data fraud.

GE Money, which manages in-store credit-card programs for the majority of U.S. retailers, first realized that the tape was missing from an Iron Mountain secure storage facility in October, said Richard Jones, a company spokesman. "We were informed that one of the tapes could not be located. But at the same time there was no record of it ever having been checked out," he said.

The tape contained in-store credit-card information on 650,000 retail customers, including those of J.C. Penney, he said. GE Money employees are also affected by the breach.
Please note, there are reports that 230 retailers lost information and JC Penny is just one of them.

Secure storage/information destruction businesses have seen explosive growth due to all the compliance regulations we've seen enacted in recent years.

Many of them, including Iron Mountain advertise state of the art physical security standards. I did take the time to watch the videos on this at the Iron Mountain site, and although they are impressive, the measures they take are pretty common at most secure buildings.

Secure buildings have been burglarized before.

I would also guess that even if external compromise was ruled out, it can be stolen by anyone who has been given access to it. Again, we are dealing with a commodity that is hard to inventory and can be reproduced (copied) in a lot of different ways.

Another point to reflect on is that a lot of this information is brought to these facilities to be destroyed. Since the information being destroyed isn't inventoried, it's probably impossible to go back and verify whether the information was actually destroyed.

My guess is that the biggest threat to information stored at these facilities are human beings, who make mistakes or can intentionally commit wrongdoing.

How valuable would a plant, or a recruit be to a identity theft gang in one of these facilities? My guess also is that as long as they were not very greedy, they could probably operate for a long time and never get caught.

Again, it is very hard to inventory information, which make theft detection difficult, also.

When watching Iron Mountain's security videos, they mention that they put their employees through extensive background tests. In today's world, with all the stolen identities and counterfeit documents available, the effectiveness of background checks is questionable, also.

To support this, I would point to the fact that millions of illegal immigrants seem to have no problem passing them.

Please note, I'm not worried about the illegal immigrants trying to make a better life for themselves. The problem is all the criminals, who hide in the camouflage the illegal immigration phenomenon provides.

So far as the people coming here to earn a decent living, they wouldn't be here if there weren't a lot of jobs available to them.

I don't want to pick on Iron Mountain too much. They aren't the only players in this growth industry. In fact, the security they provide is probably as good, or better than most of their competition.

The problem is that in actuality, they are just one more place information can be compromised. By their very nature these facilities are a point of consolidation for sensitive information. This makes them a lucrative target for those in the information theft business.

A wise man once said, the best way to protect information is to not store it in too many places in the first place. Unfortunately, as long as information is worth a lot of money, we will probably continue to ignore this sage advice.

The good news is that in this case, we know what information was stolen. This means that measures can be taken to prevent it from being used to commit crimes.

Computer World article by Robert McMillan, here.