Well, it's happened again: UBS announced that a "rogue trader" is responsible for $2 billion (later revised to $2.3 billion) in losses. Apparently a Swiss currency hedge gone wrong was the culprit. Or was it? This was not a senior trader; by all accounts he was early in his career, having worked his way up from the back office.
Where have we heard this before? Societe Generale, where Jerome Kerviel worked his way "up" from IT to trading and, thanks to what appeared to be snowballing entitlements, could both execute trades and cover his tracks. This led to ~$7 billion in losses at SocGen.
When the Societe Generale story broke I immediately asked Jeremy Epstein to write a paper for IEEE Security & Privacy, which he called "Lessons Learned from Societe Generale". Here are the lessons Jeremy identified:
Lesson 0: Make sure that you’re measuring the right risks.
Lesson 1: Low tech attacks are easier.
Lesson 2: Logs are only useful if they’re examined.
Lesson 3: Don't rely on system secrecy for security.
Lesson 4: We're looking at the wrong things.
Lesson 5: Rights revocation needs to be tied to new role assignments.
Lesson 6: Social engineering is a threat to investigation.
Lesson 7: Don’t believe everything that you read, especially in email.
Lesson 8: Cutting staffing costs can backfire.
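As an added example that is not part of the original post, here is a small entitlement audit in the spirit of Lesson 5 and the "snowballing entitlements" point above: the role model, the toxic entitlement pairs and the user records are all constructed for illustration, not taken from SocGen or UBS.

```python
# Added example (not from the original post): an entitlement audit in the
# spirit of Lesson 5. Roles, entitlements and users below are constructed.
from dataclasses import dataclass

# Constructed role model: which entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "back_office": {"confirm_trade", "edit_trade_record", "view_positions"},
    "it_support": {"admin_trading_db", "view_positions"},
    "trader": {"execute_trade", "view_positions"},
}

# Segregation of duties: one person must not both place a trade and be able
# to confirm or alter its record, since that is what lets losses stay hidden.
TOXIC_PAIRS = [
    ("execute_trade", "confirm_trade"),
    ("execute_trade", "edit_trade_record"),
    ("execute_trade", "admin_trading_db"),
]

@dataclass
class User:
    name: str
    current_role: str
    entitlements: set

def assign_role(user, new_role, revoke_old=True):
    """Move a user to a new role. revoke_old=False models the additive
    provisioning that lets entitlements snowball across a career."""
    new = set(ROLE_ENTITLEMENTS[new_role])
    user.entitlements = new if revoke_old else user.entitlements | new
    user.current_role = new_role
    return user

def stale_entitlements(user):
    """Rights held that the user's current role does not justify."""
    return user.entitlements - ROLE_ENTITLEMENTS[user.current_role]

def sod_violations(user):
    """Toxic pairs the user currently holds together."""
    return [p for p in TOXIC_PAIRS if set(p) <= user.entitlements]

def audit(users):
    """Findings per user name; an empty dict means nothing to report."""
    findings = {}
    for u in users:
        stale, toxic = stale_entitlements(u), sod_violations(u)
        if stale or toxic:
            findings[u.name] = {"stale": sorted(stale), "toxic": toxic}
    return findings
```

Run `audit` over the user store after every role change: a user moved from the back office to the desk with `revoke_old=False` shows up with stale rights and toxic pairs, while the same move with revocation produces no findings.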
I guess Jeremy can write a sequel called "Lessons Not Learnt" or "Rogue Trader - the Return".
Maybe it's just me, but shouldn't there be stricter rules on trading billions of dollars? Maybe it's what Wells Fargo CEO Dick Kovacevich meant when he said: "I don't know why banks feel like they need to invent new ways to lose money when the old ways work perfectly fine."
Secure Coding Training Class: Mobile AppSec Triathlon
Do you have what it takes to complete a triathlon on three vital topics in the mobile world: Mobile application security, web services security, and mobile identity management?
Come join two leading experts, Gunnar Peterson and Ken van Wyk, for the first Mobile App Security Triathlon, in San Jose, California, on November 2-4, 2011.
I wasn't familiar with either of these (highly interesting) cases. But I wonder if the details were similar, or if they were sufficiently different that fixing the first would not have prevented the second?
Posted by: www.facebook.com/profile.php?id=608118695 | September 19, 2011 at 10:27 PM