Category Archives: Security

AIG’s Hack of Regulations

Rolling Stone does not mince words in its story, The Big Takeover:

Cassano, by contrast, was just a greedy little turd with a knack for selective accounting who ran his scam right out in the open, thanks to Washington’s deregulation of the Wall Street casino. “It’s all about the regulatory environment,” says a government source involved with the AIG bailout. “These guys look for holes in the system, for ways they can do trades without government interference. Whatever is unregulated, all the action is going to pile into that.”

The author is clearly a fan of working within regulations, and not a fan of innovative rule-breakers. The review of the regulators is scathing, first for their having reduced their own authority:

Cassano’s outrageous gamble wouldn’t have been possible had he not had the good fortune to take over AIGFP just as Sen. Phil Gramm — a grinning, laissez-faire ideologue from Texas — had finished engineering the most dramatic deregulation of the financial industry since Emperor Hien Tsung invented paper money in 806 A.D.

Second, he points out that they did not regulate even when they retained the right to do so:

“There’s this notion that the regulators couldn’t do anything to stop AIG,” says a government official who was present during the bailout. “That’s bullshit. What you have to understand is that these regulators have ultimate power. They can send you a letter and say, ‘You don’t exist anymore,’ and that’s basically that. They don’t even really need due process. The OTS could have said, ‘We’re going to pull your charter; we’re going to pull your license; we’re going to sue you.’ And getting sued by your primary regulator is the kiss of death.”

When AIG finally blew up, the OTS regulator ostensibly in charge of overseeing the insurance giant — a guy named C.K. Lee — basically admitted that he had blown it.

The story provides a very informal and interesting perspective on the financial crisis and the challenges of regulation. Well worth reading.

Tiburon Surveillance

Faced with fewer than 200 burglaries a year on average, law enforcement authorities in the small town of Tiburon, California have decided to propose a high-tech surveillance system. The town is geographically isolated by mountains and water in Marin County, with only two roads in and out, so cameras can be easily situated.

Tiburon Police Chief Michael Cronin is pitching the idea of installing closed circuit TV (CCTV) security video cameras on Tiburon Boulevard and Paradise Drive. The idea is that they would be able to capture the cars and license plates of individuals suspected of committing those crimes in a much more efficient manner.

Their response to privacy concerns seems to be twofold. First, the procedure for reviewing the data would require a formal investigation to be started; otherwise the data will rest unseen. Second, only the back of the vehicles will be recorded.

This reminds me of a car I saw once in Santa Cruz, California that had placed a sheet of notebook paper over the license plate. The driver and passenger were reclined so far in their seats you could not see them from behind. Obviously, avoiding high-tech surveillance systems, let alone human ones, is both well known and fairly low-tech.

I am not opposed to using detection technology, but I think the better solution, given the low crime rate, is to educate residents on prevention, such as the need to lock doors and hide valuables. It seems the police have already explained this in the town newsletter:

Most of the crimes occurred between midnight and dawn,
and most were thefts from unlocked cars.

All of that being said, I have to wonder about the police statement that “most of those arrested in these incidents did not live on the peninsula”. Are we talking about a vast majority, or just a little over half? What is the rate of conviction for local versus outsider suspects?

Compromised Symantec Call Centers

BBC News has posted an investigation that explains credit card fraud in Indian call centres. They did a far better job than many companies I have worked with that have claimed to provide assurance and security assessment services in India:

A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man after receiving a tip-off.

The reporters went undercover and met with a man in a cafe who sold them credit card records in bulk for $10 per record.

In Delhi they say you can buy anything…about one in seven card numbers we bought were valid…

The reporters then contacted the cardholders to alert them, and interviewed one man.

We saw a pattern. Two other customers had bought the same Norton program after dialing the same number. That suggested a breach of security at the call center handling sales of that Norton product.

Symantec of course called this an isolated incident and said that “one employee had been removed”. Very convincing security.

In India, in the last fourteen years, there has only been one successful prosecution for the misuse of details stolen from call centers and even that led to a non-custodial sentence.

The BBC then asked the man who sold them the credit card data to explain why he does it.

Sounds like it is about time for some Indian data protection regulation. Will the payment card brands crack down on the call centre companies?

Coal Risks

I recently read a 58-page report by the U.S. Government Accountability Office from May 2008 on the Tennessee Valley Authority that calls the utility vulnerable to disruption by cyber attack:

Until TVA fully implements security program activities, it risks a disruption of its operations as a result of a cyber incident…possibly resulting in loss of life, physical damage, or economic losses.

Apparently only one in four of their workers was given the required security training, while almost nine million people in the Tennessee Valley depend on the TVA for energy. You will often hear me bring up these details in presentations about the NERC Critical Infrastructure Protection (CIP) standards.

Meanwhile, I just noticed that the first action by President Obama’s Environmental Protection Agency (EPA) Administrator, Lisa Jackson, targets the TVA for a coal ash spill:

The December spill spurred increased attention to coal-waste issues around the country. The 1.1 billion gallons of slurry flooded more than 300 acres of land and damaged homes in the area surrounding the Tennessee Valley Authority pond, and clean-up could cost up to $825 million.

That is ten times the Exxon Valdez spill. What is most amazing about the new direction of the EPA is that it actually seems to be talking about these environmental issues in terms of national security:

“Environmental disasters like the one last December in Kingston should never happen anywhere in this country,” said EPA Administrator Lisa Jackson in a statement. “That is why we are announcing several actions to help us properly protect the families who live near these facilities and the places where they live, work, play and learn.”

After the TVA spill, the New York Times ran a “Collapse of the Clean Coal Myth” story last January:

It was an accident waiting to happen and an alarm bell for Congress and federal regulators. Senator Barbara Boxer of California noted that coal combustion in this country produces 130 million tons of coal ash every year — enough to fill a train of boxcars stretching from Washington, D.C., to Australia. Amazingly, the task of regulating the more than 600 landfills and impoundments holding this ash is left to the states, which are more often lax than not.

Compare and contrast the GAO report with the coal ash issues and you start to see how security is really a process and a state of mind influencing behavior, more than any particular technology or control. Let’s hope the GAO warnings on cyber security, along with the NERC compliance deadlines, give TVA security management enough traction to prevent an even larger disaster.