Wednesday 30 January 2008

Kerviel/Societe Generale & Information Security & Insider Threat

The story of Jerome Kerviel and the Société Générale bank has made a lot of news in the past couple of weeks. Beyond the €4.9 billion in losses, I was wondering whether you were aware that the story has an information security twist.
Kerviel was officially charged this weekend and, as you may or may not be aware, one of the charges is interesting: «introduction dans un système de traitement automatisé de données», which very basically translates to «hacking into a computer system».
In the story there are different things going on, including whether or not his bosses were aware of the situation and whether or not he did this himself. What has been quickly passed over in this story, because of the large sums, are the following facts, which as an IT/IS security professional make me shiver:
  • Kerviel was originally hired in the back office of the bank to do data processing, and in all probability was able to gain complete knowledge of how and what information is stored and processed concerning the validation of transactions;
  • He progressed in his job profile to a trader, but the question is: were his privileges on the systems revoked or changed to reflect his new profile?
  • How did he hide all these transactions? The current assumption is that he used his knowledge of the systems to do this, and this seems to be corroborated by his statements to the police!

What I find interesting is that this hacking charge reveals something that we as security professionals all talk about, but that many businesses just do not know how to properly address, from policies to procedures: information security and the insider threat.

There is a good article in the French newspaper "Le Monde" about the current situation, dated 29 January 2008, after his interview with the police - only in French (sorry). The article in fact quotes bits and pieces of the statement he made to the French police. One paragraph in particular relates to one of the methods he used to hide his fraudulent activities:

« J'ai alors fourni de faux justificatifs de saisie sur ces opérations, à savoir de faux mails. J'ai réalisé un faux mail en utilisant les possibilités qui me sont offertes par notre messagerie interne, à savoir une fonction qui me permet de réutiliser l'en-tête d'un mail qui m'est expédié en changeant le contenu du texte qui m'est envoyé. Il me suffisait alors de taper le texte que je souhaitais et le mail avait toute l'apparence d'un document original. »

Roughly translated, “At that point, I provided false reports and justifications on those financial operations, i.e. forged emails. I constructed a forged email by using features of our internal email system. It is indeed possible to re-use the header of an email I have received while changing the body. Then, I just had to type the body of the email I actually wanted and the email looked like a perfectly genuine one.”

Now as long as most e-mail correspondence between parties remains without a digital signature, it is indeed trivial to alter its content before forwarding it - or even to come up with a fake one from scratch.
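To show why a signature closes the door on the trick quoted above (reuse a genuine header, replace the body), here is an added example that is not code from the original post or from any bank's mail system. It binds the headers and the body together under one tag and then verifies a message whose body was rewritten under the original header. The standard library has no public-key signing primitive, so a shared-key HMAC stands in for the S/MIME or PGP signature a real deployment would use; the key, addresses and message text are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed example: the sender's secret stands in for a signing key. With S/MIME or
# PGP this would be a private key and the receiver would check with the public key;
# the verification logic below is the same.
SENDER_KEY = b"constructed-demo-key"

# Headers that are bound into the signature together with the body. Leaving the body
# out of the signed data would make "reuse a genuine header, replace the body" possible.
SIGNED_HEADERS = ("from", "to", "date", "subject")


def canonicalize(headers: dict, body: str) -> bytes:
    """Produce the exact byte string that is signed: the selected headers in a fixed
    order with whitespace trimmed, a blank line, then the body."""
    header_lines = [f"{name}:{headers[name].strip()}" for name in SIGNED_HEADERS]
    return ("\n".join(header_lines) + "\n\n" + body).encode("utf-8")


def sign(key: bytes, headers: dict, body: str) -> str:
    """Return the signature tag the sender attaches to the message."""
    return hmac.new(key, canonicalize(headers, body), hashlib.sha256).hexdigest()


def verify(key: bytes, headers: dict, body: str, tag: str) -> bool:
    """Recompute the tag over the received headers and body; compare in constant time."""
    return hmac.compare_digest(sign(key, headers, body), tag)


# A constructed internal confirmation mail, as the receiver would have stored it.
GENUINE_HEADERS = {
    "from": "middle-office@bank.example",
    "to": "trader@bank.example",
    "date": "Mon, 21 Jan 2008 09:00:00 +0100",
    "subject": "Confirmation of operation 4711",
}
GENUINE_BODY = "The operation is confirmed at EUR 10,000,000."
GENUINE_TAG = sign(SENDER_KEY, GENUINE_HEADERS, GENUINE_BODY)


def check_messages() -> dict:
    """Verify the genuine mail, then the same headers and tag over a rewritten body."""
    rewritten_body = "The operation is confirmed at EUR 100,000,000."
    return {
        "genuine": verify(SENDER_KEY, GENUINE_HEADERS, GENUINE_BODY, GENUINE_TAG),
        "header_reused_body_replaced": verify(
            SENDER_KEY, GENUINE_HEADERS, rewritten_body, GENUINE_TAG
        ),
    }


if __name__ == "__main__":
    for name, ok in check_messages().items():
        print(f"{name}: {'verifies' if ok else 'REJECTED'}")
```

The detail that matters is `canonicalize`: the tag covers the body as well as the headers, so a genuine header can no longer vouch for text typed in afterwards. Whoever has to rely on such a confirmation (the back office, an auditor) needs to run `verify` on the stored copy rather than trust the look of the mail.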

This shows some of the flaws that remain present and visible: many authentication and authorization processes are obviously flawed in their implementation and are not necessarily used to protect information.

Businesses are still very much in the dark on what type of information security they need to implement. This situation proves that companies are still in the dark on how to ensure the basic Ws over their information: Who, What, Why and When! Essentially, being able to understand the actions, manipulation and access of critical or important information! It kind of shows that the weakest link for in-depth security continues to be the protection of the information itself!

Update 31-Jan: Another article on the hacking: French trader accused of hacking.

Friday 25 January 2008

2Buy | !(2Buy)

So, I am off to Houston (TX) next week and am building a small shopping list. With the current Euro/USD exchange rate it might be worthwhile, but I will of course still compare before purchasing. The list of stuff right now stands at:

  • MacBook or MacBook Air or MacBook Pro - not sure which to get, still under serious consideration...
  • DVR (digital video recorder) Camera, current suggestions are: ????
  • A new Canon Powershot SD950IS, SD870IS or SD1100IS - probably depending on price vs. features
  • There was something else but I forget...

So I am open to suggestions, hints and whatever your thoughts might be on this list... BTW, I already ordered a nice QNAP TS-209 NAS server!

Translation: To Buy or Not To Buy... ;-P

Thursday 24 January 2008

Now on IPv6...

One of my two ISPs (Free, to be precise) recently started deploying IPv6 on its ADSL network. They recently enabled it in my area and I quickly jumped on the bandwagon.
I am now on an IPv6-enabled network, LOL! My addresses, if you're interested:
IP Address. . . . . . . . . . . . : 2a01:5d8:52e3:2b9d:e4ec:5a32:1c02:f9f2
IP Address. . . . . . . . . . . . : 2a01:5d8:52e3:2b9d:214:2aff:fe68:9181

And just to assure you that these are real IPv6 addresses, this is the RIPE entry for the 2a01:5d8 subnet:
% Information related to '2a01:5d8::/32'   
inet6num:        2a01:5d8::/32
netname: FR-PROXAD-20071108
descr: Proxad, Internet Service Provider in France
country: FR
org: ORG-PISP1-RIPE
admin-c: ACP23-RIPE
tech-c: TCP8-RIPE
status: ALLOCATED-BY-RIR
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: PROXAD-MNT
mnt-routes: PROXAD-MNT
source: RIPE # Filtered
organisation:    ORG-PISP1-RIPE
org-name: Proxad, Internet Service Provider in France
org-type: LIR

address: Free SAS
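Two checks worth running on any address you are about to publish, as an added example that is not code from the original post: confirm it falls in the quoted RIPE allocation, and see whether its interface identifier is a modified EUI-64 built from the network card's MAC address (SLAAC without the RFC 4941 privacy extensions does this, which means the address reveals the hardware address of the machine). The two addresses and the /32 are taken from the post above; the rest is assumption-free standard-library code.

```python
import ipaddress

# The two addresses and the RIPE allocation quoted in the post above.
ADDRESSES = [
    "2a01:5d8:52e3:2b9d:e4ec:5a32:1c02:f9f2",
    "2a01:5d8:52e3:2b9d:214:2aff:fe68:9181",
]
ALLOCATION = ipaddress.IPv6Network("2a01:5d8::/32")


def in_allocation(addr: str) -> bool:
    """True if the address lies inside the /32 the RIPE entry describes."""
    return ipaddress.IPv6Address(addr) in ALLOCATION


def eui64_to_mac(addr: str):
    """Return the MAC embedded in a modified-EUI-64 interface identifier, or None.

    The identifier is the low 64 bits of the address. EUI-64 construction inserts
    ff:fe between the third and fourth byte of the 48-bit MAC and flips bit 1 of the
    first byte (the universal/local bit); this undoes both steps."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # not EUI-64 derived (random or temporary identifier)
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def classify(addr: str) -> str:
    """One-line verdict: allocation membership plus whether the MAC is exposed."""
    where = "in allocation" if in_allocation(addr) else "outside allocation"
    mac = eui64_to_mac(addr)
    leak = f"EUI-64, exposes MAC {mac}" if mac else "not EUI-64, MAC not exposed"
    return f"{addr}: {where}; {leak}"


if __name__ == "__main__":
    for address in ADDRESSES:
        print(classify(address))
```

The second address has the ff:fe marker, so the network card's MAC can be read straight out of it; the first does not, which is consistent with a randomized or temporary identifier. A host that will be named in public is better off with privacy extensions enabled so that only the second kind of identifier is advertised.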

Monday 21 January 2008

EeePC HSDPA Bundle for €199

Well it seems that the mobile operator I use here in France (SFR) is having a special deal to purchase the EeePC with an inclusive unlimited 3G+ account, see this Register HW post.

As tempting as it might seem, I have a number of qualms:
  • It doesn't have integrated HSDPA (3G+); in fact HSDPA support is provided by an external USB key;
  • It's actually a rebate if you agree to sign up for a one or two year contract (see next);
  • (see previous) I already have 3 SFR accounts in various forms... I would prefer to just upgrade one to the new contract;
  • Finally, it's still not clear what they mean by unlimited 3G+ access (the terms and conditions on data download are sketchy - at least IMHO).
Anyway, it's not really an issue; apparently they are already sold out!

Sunday 13 January 2008

IR DoS: Wake Up!

A lot of virtual ink has flowed on the confession from Gizmodo regarding the stunt they pulled with the TV-B-Gone device, with most of the recent articles describing it as anything from unprofessional to a crime. Now before I continue, I would like to make a small disclaimer: «I don't condone what happened, don't approve of it and certainly would not recommend this be done».

What Gizmodo pulled demonstrates a very basic DoS (denial of service) attack. The DoS is achievable because of the ease with which it is possible to obtain the right control codes. The prime issues are that most of these systems work with «open» and well documented standards (e.g. many manufacturers always use the same code for turning off their devices, thus a controller from one manufacturer is able to turn off different devices from that same manufacturer), as well as a fundamental flaw in the security of wireless communication protocols. TV-B-Gone, like a universal remote, works on the premise that it is easy to learn, store and replay a remote control's IR sequences. These sequences are exactly the codes that control the target device.

So where is the problem: the receiving device does not validate the issuer... The receiver is in fact in open listen mode, thus any IR sequence that is correctly formatted and contains the right code will activate the associated command. There is no handshaking or confirmation between the receiver and the emitter.

In their DoS attack, Gizmodo demonstrated that this one-way command issuance process is in fact a big security flaw and could be avoided by not using such an open unidirectional protocol. Manufacturers could in fact avoid this openness through simple methods such as encrypting the protocol, using a handshake, using a knocking protocol or some other form of authentication between the transmitter and the receiver.
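To make the contrast between the two paragraphs above concrete, here is an added example that is not code from the original post or from any remote control vendor. It models the receiver as described (open listen mode, any well-formed frame with a known code is executed) next to a receiver that requires the "authentication between the transmitter and the receiver" the post calls for: a pairing secret shared with one remote, a per-frame counter, and a MAC over both. The command code, secrets and frame layout are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed command code; real remotes use manufacturer-specific code tables.
POWER_OFF = 0x10


class OpenReceiver:
    """The receiver described in the post: open listen mode, no identification of the
    emitter. Any well-formed frame carrying a known code is executed, every time."""

    def __init__(self):
        self.executed = []

    def receive(self, frame: dict) -> bool:
        if frame.get("code") != POWER_OFF:
            return False
        self.executed.append(frame["code"])
        return True


def frame_tag(secret: bytes, counter: int, code: int) -> bytes:
    """MAC over (counter, code) under the pairing secret, truncated to 8 bytes to keep
    the frame short enough for an IR link (an assumption for the demonstration)."""
    return hmac.new(secret, f"{counter}:{code}".encode(), hashlib.sha256).digest()[:8]


class PairedRemote:
    """A remote that shares a pairing secret with one receiver and counts each frame."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def frame(self, code: int) -> dict:
        self.counter += 1
        return {"counter": self.counter, "code": code,
                "tag": frame_tag(self.secret, self.counter, code)}


class AuthenticatedReceiver:
    """Accepts a frame only if the tag verifies under its pairing secret and the counter
    is higher than the last one seen, so a stored frame is not executed a second time."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0
        self.executed = []

    def receive(self, frame: dict) -> bool:
        expected = frame_tag(self.secret, frame["counter"], frame["code"])
        if not hmac.compare_digest(expected, frame["tag"]):
            return False  # not from the paired remote, or altered in transit
        if frame["counter"] <= self.last_counter:
            return False  # already seen: a stored-and-replayed frame
        self.last_counter = frame["counter"]
        self.executed.append(frame["code"])
        return True


def compare_receivers() -> dict:
    """Deliver the same captured frame twice to each receiver, then a frame from a
    remote that was never paired with the authenticated receiver."""
    open_rx = OpenReceiver()
    captured_open = {"code": POWER_OFF}
    secret = b"constructed-pairing-secret"
    auth_rx = AuthenticatedReceiver(secret)
    captured_auth = PairedRemote(secret).frame(POWER_OFF)
    unpaired = PairedRemote(b"constructed-other-secret")
    return {
        "open_first": open_rx.receive(captured_open),
        "open_replay": open_rx.receive(dict(captured_open)),
        "auth_first": auth_rx.receive(captured_auth),
        "auth_replay": auth_rx.receive(dict(captured_auth)),
        "auth_unpaired": auth_rx.receive(unpaired.frame(POWER_OFF)),
    }


if __name__ == "__main__":
    for name, accepted in compare_receivers().items():
        print(f"{name}: {'executed' if accepted else 'rejected'}")
```

Two points the toy makes visible. Encrypting the frame alone would not help, because a stored ciphertext replays just as well as a stored plaintext; it is the counter bound into the tag that defeats replay. And the cost the post mentions is real: a receiver that insists on a strictly increasing counter must also tolerate a window of skipped values (presses made out of range) and keep separate state per paired remote, which is exactly the complexity manufacturers have avoided.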

Unfortunately this then becomes a debate between security, complexity, cost to produce and return on investment. This attack may actually wake manufacturers up and get them to address this flaw! To demonstrate how serious this can eventually get, it appears a kid in Poland managed to crash the trams with an IR hack.

Thursday 10 January 2008

Europe-Wide Online Content

Apple recently announced that it had settled with the EU commission regarding the pricing difference between its iTunes UK store and the rest of Europe (Yahoo News Article). The EU is now looking at trying to enforce a Europe-wide online-content model. This is a good thing for the users/customers, despite what some people seem to think and are writing about (see this TechDirt post). A lot of this discussion revolves around what business is allowed to do or wants to do! I say horse-manure... Business is trying to protect its single local market business model, trying to avoid having to negotiate regional/global business models to make this possible. There is no financial reason/restriction stopping a business in one EU country from selling to a customer in another (or the world for that matter). This is the premise of the common market model! [Note: ok I over simplify but you know what I mean...]

Despite what some have been saying, it is my opinion that Europeans are in fact enlightened and want to be able to purchase and access content from their neighbors (i.e. other countries in the EU). People are interested in seeing/listening to content from their neighbors... I know a lot of people from France, Spain, Germany and Sweden, for example, who want access to British music and TV shows and, because it is not available through official means, obtain them through less than correct ways.

Or take someone like me or some of my colleagues who are international and have worked/lived in and out of these different EU countries... We would like to be able to have access to the content we grew up with and love!

I really don't see why these businesses don't want to do this... it would provide them with a much larger market for the content!