Category Archives: Security

SocGen hack update

I just noted that the sad story about the investment trader gone bad has been distilled down to a case of weak password/user controls:

Societe Generale might have been able to prevent a year-long binge of fraudulent transactions by one of its mid-level traders – which the French banking giant confirmed this week has cost it more than $7 billion in losses – simply by instituting stricter password controls and applying available software that tracks transactions to individual workstations, analysts told SCMagazineUS.com today.

They do not mention clear-text passwords as one of the gaps, but I bet stronger passwords would have only helped a little. The article suggests that administrators should not have access to users' passwords, yet few systems actually give administrators that access by design. Two-factor would definitely have been better, but it still raises a few simple control questions.

Dutch Transport Cards Exposed

Ed Felten has described some interesting and somewhat simplistic flaws in a Dutch smartcard-based transportation payment system.

Among other foolishness, the designers used a custom cryptosystem and 48-bit keys.

The fundamental security problem with the disposable Ultralight card is that it doesn’t use cryptography, so the card cannot keep any secrets from an attacker. An attacker who can read a card (e.g., by using standard equipment to emulate a card reader) can know exactly what information is stored on the card, and therefore can make another device that will behave identically to the card. Except, of course, that the attacker’s device can always return itself to the “fully funded” state. Roel Verdult of Radboud University implemented this “cloning” attack and demonstrated it on Dutch television, leading to the recent uproar.

The Dutch have only invested $2 billion so far for this amazing system that accidentally gives away rides for free.

More detail on the hacks can be found in a presentation by Karsten Nohl and Henryk Plötz called “Mifare: Little Security, Despite Obscurity”, hosted by the 24th Chaos Communication Congress.
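To make the Ultralight point concrete from the operator's side: a card that stores its balance in the clear cannot prove anything to a stand-alone reader, so the only place a rolled-back balance can be caught is a back-end ledger that remembers the last state each card was seen in. This is an added toy model written for this post, not code from Felten, Verdult, or the Dutch system; the field names, fares and card uid are constructed and do not reflect the real card format.

```python
"""Toy stored-value card with no cryptography, plus a back-end ledger
that detects a card whose clear-text state has been rolled back.
Constructed illustration; not the real Mifare Ultralight layout."""
from dataclasses import dataclass, field


@dataclass
class Card:
    uid: str
    balance: int      # stored in the clear; nothing binds it to a secret
    counter: int = 0  # rides debited so far, also in the clear


def gate_debit(card: Card, fare: int) -> bool:
    """All a stand-alone reader can check: the values the card reports."""
    if card.balance < fare:
        return False
    card.balance -= fare
    card.counter += 1
    return True


@dataclass
class Ledger:
    """Back-end record of the last (balance, counter) seen per uid.
    Assumes the gate reports every debit online; an offline gate
    cannot run this check at the time of the ride."""
    seen: dict = field(default_factory=dict)

    def check(self, card: Card) -> str:
        last = self.seen.get(card.uid)
        if last is not None:
            bal, cnt = last
            # Counter must advance and balance must not grow on its own;
            # either condition means the card's state was restored.
            if card.counter <= cnt or card.balance > bal:
                return "rollback"
        self.seen[card.uid] = (card.balance, card.counter)
        return "ok"


def simulate() -> list:
    ledger, fare = Ledger(), 5
    card = Card(uid="04AABBCC", balance=20)  # constructed uid and balance
    events = []
    for _ in range(2):                        # two honest rides, reported
        gate_debit(card, fare)
        events.append(ledger.check(card))
    # A copy of the card returned to its "fully funded" state: the gate
    # alone accepts it, the ledger does not.
    restored = Card(uid=card.uid, balance=20, counter=0)
    gate_debit(restored, fare)
    events.append(ledger.check(restored))
    return events                             # ["ok", "ok", "rollback"]
```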

Medical Marijuana Vending Machines

I have been reading about the new medical marijuana vending machines in Los Angeles that are meant to go live today.

The security discussion has been amazingly sparse. So here is a quick review of what I have noted:

  1. Anytime Vending Machines (AVM) have been deployed to meet a requirement for 24/7 secure and automated dispensaries of medical marijuana
  2. AVM locations will approve a prescription, take your fingerprint, and provide a prepaid credit card loaded with dosage (3.5 or 7 grams, with a max of 1oz a week) and one of five strain options

Watching the video by a CBS station revealed many of the physical security measures, but it also shows a cord running across the floor from the vending machine (look at the bottom left of the machine). That made me wonder about data transmission from this thing. Where is it going to/from and how often? Does it fail to vend if it cannot connect to a database, and then what integrity controls are in place…?

That would be a more interesting attack vector than the usual tubular lock weakness. The fact that a human guard is said to be deployed at all times with the vending machine makes me think there is implicit recognition of weakness. I also wonder about the paper trail and whether video is integrated into the box.

The PIN pad sure looks exposed, doesn’t it? Must be hard to hide your key-code when it’s set up in such a big spread open to plain view. Maybe only one person can be in the room at a time with the machine.

And finally, I have to say this is definitely “high” security. Sorry, couldn’t resist.

Massive Insider Investment Fraud

The article by the Associated Press is written so well, it is hard to add much comment. I will do my best to keep the quotes brief, but I recommend reading the full article.

This highlights the ever-present insider issue. My first concern is that there is a lot of emphasis on motive, and most conclusions suggest there was no “rational” one:

“This is a bad time for banks and the industry in general. But detecting the fraud over the weekend was problematic because world stock markets on Monday and Tuesday fell hugely around the world. When the positions had to be unwound, the bank did that in a terrible market of falling equities,” said Janine Dow, senior director at Fitch Ratings financial institution group in Paris.

“In hindsight, it was this guy’s superior knowledge of the control system of every aspect of trading at the bank that allowed him to build up fraudulent positions and hide them,” she said.

The bank said the trader had misled investors in 2007 and 2008 through a “scheme of elaborate fictitious transactions.” The trader, who was not named, used his knowledge of the group’s security systems to conceal his fraudulent positions, the statement said.

The man admitted to the fraud, the bank said, and was being dismissed. Four or five of his supervisors were to leave the group. Bouton offered to resign but the board rejected that.

So motive is unclear, but method and consequences are easy to document.

Axel Pierron, senior analyst at Celent, an international financial research and consulting firm, was stunned that 13 years after the Barings collapse, something similar has happened.

“The situation reveals that banks, despite the implementation of sophisticated risk management solutions, are still under the threat that an employee with a good understanding of the risk management processes can get round them to hide his losses,” he said.

If the controls are easy to circumvent without detection, why should we assume that they will not be circumvented without detection? Implicit in the article is that the trader was given a lot of leeway and trust, which seems the opposite of what an effective control system is meant to do. Bottom line: basing controls on the motives of users introduces extreme social, cultural, and psychological (to name a few) risks and unpredictable results.