Wednesday, 30 January 2008

Kerviel/Societe Generale & Information Security & Insider Threat

The story of Jerome Kerviel and the Société Générale bank has made a lot of news in the past couple of weeks. Outside of the €4.9 billion in losses, I was wondering if you were aware that the story has an information security twist.
So Kerviel was officially charged this weekend and, whether or not you are aware of it, one of the charges is interesting: «introduction dans un système de traitement automatisé de données», which very basically translates to «hacking into a computer system».
Several things are going on in this story, including whether or not his bosses were aware of the situation and whether or not he did this on his own. What has been quickly passed over, because of the large sums involved, are the following facts which, as an IT/IS security professional, make me shiver:
  • Kerviel was originally hired in the back office of the bank to do data processing and in all probability was able to gain complete knowledge of how and what information is stored and processed for the validation of transactions
  • He progressed in his job profile to trader, but the question is: were his privileges on the systems revoked or changed to reflect his new profile?
  • How did he hide all these transactions? The current assumption is that he used his knowledge of the systems to do this, and this seems to be corroborated by his statements to the police!

What I find interesting is that this hacking charge reveals something that, as security professionals, we all talk about but many businesses just do not know how to properly address, from policies to procedures: how to protect information, and how to deal with the insider threat.

There is a good article in the French newspaper "Le Monde" on the current situation, dated 29 January 2008, after his hearing with the police - only in French (sorry). The article in fact quotes bits and pieces of the statement he made to the French police. One paragraph in particular relates to one of the methods he used to obscure his fraudulent activities:

« I then provided false supporting documents for the entry of these operations, namely forged emails. I produced a forged email by using the capabilities offered by our internal messaging system, namely a function that lets me reuse the header of an email sent to me while changing the text content that was sent to me. I then only had to type the text I wanted and the email had every appearance of an original document. »

Now, as long as most e-mail correspondence between parties remains without a digital signature, it is indeed trivial to alter its content before forwarding it, or even to come up with a fake one from scratch.
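Signing the message is what closes the gap described above. As an added example, not code from this post or from the bank's mail system, the following Python script binds a signature to the From/To/Date/Subject fields and the body together, then replays the "reuse the header, change the text" feature and shows the altered mail failing verification. It uses a constructed shared HMAC key from the standard library as a stand-in for a signing key; a real deployment would use S/MIME or OpenPGP public-key signatures, which matters because with a shared HMAC key anyone who holds the key could still produce a valid signature. All addresses, header values and the header name X-Demo-Signature are constructed for the demo.

```python
"""Constructed demo: a signature that binds header fields and body together,
so a message whose header is reused with a different body fails verification."""
import hashlib
import hmac
from email import policy
from email.message import EmailMessage

# Constructed demo key. HMAC (shared key) is used only because it is in the
# standard library; real mail signing (S/MIME, OpenPGP) uses the signer's private
# key so that a recipient cannot produce a valid signature on a forged message.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
SIGNED_HEADERS = ("from", "to", "date", "subject")
SIG_HEADER = "X-Demo-Signature"  # constructed header name for the demo


def canonical_form(msg: EmailMessage) -> bytes:
    """Fixed byte representation of everything the signature covers."""
    parts = []
    for name in SIGNED_HEADERS:
        value = msg.get(name, "")
        # Collapse whitespace so harmless re-folding does not break the signature.
        parts.append(f"{name}:{' '.join(str(value).split())}")
    body = msg.get_content().replace("\r\n", "\n").rstrip("\n")
    parts.append(body)
    return "\n".join(parts).encode("utf-8")


def sign_message(msg: EmailMessage) -> EmailMessage:
    """Attach a signature header computed over the canonical form."""
    if SIG_HEADER in msg:
        del msg[SIG_HEADER]
    digest = hmac.new(SIGNING_KEY, canonical_form(msg), hashlib.sha256).hexdigest()
    msg[SIG_HEADER] = digest
    return msg


def verify_message(msg: EmailMessage) -> bool:
    """True only if the signature matches the headers and body as received."""
    presented = msg.get(SIG_HEADER)
    if presented is None:
        return False
    expected = hmac.new(SIGNING_KEY, canonical_form(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(str(presented), expected)


def build_message(body: str) -> EmailMessage:
    """Constructed confirmation mail from a fictional middle-office mailbox."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "middle-office@example.test"
    msg["To"] = "trading-desk@example.test"
    msg["Date"] = "Tue, 29 Jan 2008 09:15:00 +0100"
    msg["Subject"] = "Confirmation of hedge position"
    msg.set_content(body)
    return msg


def reuse_header_with_new_body(original: EmailMessage, new_body: str) -> EmailMessage:
    """Model the mail-client feature quoted in the post: keep every header
    (the signature header included) but replace the text."""
    clone = EmailMessage(policy=policy.default)
    for name, value in original.items():
        if not name.lower().startswith("content-"):
            clone[name] = value
    clone.set_content(new_body)
    return clone


def run_demo() -> dict:
    """Genuine signed mail verifies; header reuse with a new body does not."""
    genuine = sign_message(build_message("Hedge confirmed: position fully covered."))
    altered = reuse_header_with_new_body(
        genuine, "Hedge confirmed: position fully covered and validated by risk control."
    )
    unsigned = build_message("No signature at all.")
    return {
        "genuine_verifies": verify_message(genuine),
        "altered_body_verifies": verify_message(altered),
        "unsigned_verifies": verify_message(unsigned),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The forged copy carries the genuine signature header verbatim, which is exactly why verification fails: the signature covers the body, and the body changed. Two caveats a practitioner will want: the signature is worthless unless the recipient (or the validation process) actually verifies it rather than trusting the look of the mail, and a valid signature proves who wrote the message and that it was not altered, not that the facts stated in it are true.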

This shows some of the flaws that continue to be present and visible: many authentication and authorization processes are obviously flawed in their implementation, and they are not necessarily used to protect the information itself.

Businesses are still very much in the dark about what type of information security they need to implement. This situation proves that companies are still in the dark about how to ensure the basic Ws over their information: Who, What, Why and When! Essentially, being able to understand the actions, manipulations and access involving critical or important information! It kind of shows that the weakest link for in-depth security continues to be the protection of the information itself!
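The privilege question in the list above (were the back-office rights revoked when he became a trader?) and the Who/What/When question here are both things a review script can answer, provided an entitlement snapshot, a role history and an access log exist and can be joined. As an added example, not code from this post or from any bank, here is a Python script over constructed data: a role-to-entitlement model, a role history, a provisioning snapshot and four constructed log lines whose "<ISO time> user=<id> resource=<name> action=<verb>" format is an assumption. It reports accounts whose provisioned access exceeds what their current role allows, and log entries where a user touched a resource that their role at that moment did not grant.

```python
"""Constructed demo: find entitlements left over from a previous role, and
access-log events that the user's role at the time did not justify."""
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed role model (not any bank's): which resources each role may touch.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "back-office": {"trade-validation-read", "trade-validation-write", "settlement-ledger"},
    "trader": {"order-entry", "position-view"},
}

# Constructed role history: user -> list of (effective date, role), oldest first.
ROLE_HISTORY: Dict[str, List[tuple]] = {
    "u1001": [("2005-03-01", "back-office"), ("2007-06-01", "trader")],
    "u2002": [("2006-01-15", "back-office")],
}

# Constructed provisioning snapshot: what each account can actually reach today.
PROVISIONED: Dict[str, Set[str]] = {
    "u1001": {"order-entry", "position-view", "trade-validation-write"},
    "u2002": {"trade-validation-read", "trade-validation-write", "settlement-ledger"},
}

# Constructed access log; the line format is an assumption made for this demo.
ACCESS_LOG = """\
2007-05-20T10:02:11 user=u1001 resource=trade-validation-write action=update
2007-09-14T17:45:03 user=u1001 resource=trade-validation-write action=update
2007-09-14T17:46:10 user=u1001 resource=order-entry action=create
2007-09-15T09:00:00 user=u2002 resource=trade-validation-write action=update
"""


def role_at(user: str, when: datetime) -> Optional[str]:
    """Role in force for the user at `when`: the latest entry effective on or before it."""
    current = None
    for effective, role in ROLE_HISTORY.get(user, []):
        if datetime.fromisoformat(effective) <= when:
            current = role
    return current


def parse_log(text: str) -> List[dict]:
    """Turn the constructed log lines into records with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["when"] = datetime.fromisoformat(stamp)
        records.append(record)
    return records


def stale_entitlements(now: datetime = datetime(2008, 1, 30)) -> Dict[str, Set[str]]:
    """Who: accounts whose provisioned access exceeds what their current role allows."""
    findings: Dict[str, Set[str]] = {}
    for user, granted in PROVISIONED.items():
        allowed = ROLE_ENTITLEMENTS.get(role_at(user, now), set())
        excess = granted - allowed
        if excess:
            findings[user] = excess
    return findings


def out_of_role_access(log_text: str = ACCESS_LOG) -> List[dict]:
    """Who/What/When: events where the resource was outside the role held at that time."""
    findings = []
    for record in parse_log(log_text):
        role = role_at(record["user"], record["when"])
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        if record["resource"] not in allowed:
            findings.append({
                "user": record["user"],
                "resource": record["resource"],
                "action": record["action"],
                "when": record["when"].isoformat(),
                "role": role,
            })
    return findings


if __name__ == "__main__":
    print("stale entitlements:", stale_entitlements())
    for finding in out_of_role_access():
        print("out-of-role access:", finding)
```

The second check keys the decision on the role in force at the time of the event rather than today's role, so a legitimate back-office update from before the move is not flagged while the same update after the move is. In practice the role history comes from HR or the IAM system and the log from the validation application itself; the point of the exercise is that both must be kept and be joinable by user and time, which is what answering Who, What and When actually requires.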

Update 31-Jan: Another article on the hacking: French trader accused of hacking.