A Few More Thoughts on Data Security and Data Privacy in the ‘Golden Age of Surveillance’

Posted on : 30-03-2016 | By : Maria Motyka | In : Cyber Security, Data, General News, Innovation

In the era of unparalleled tech innovation and global terrorism threats, 1) more and more of our sensitive data is being collected and 2) sophisticated surveillance measures are put into practice. We are being gradually deprived of (or perhaps willingly giving away) our privacy. Security guru Bruce Schneier goes as far as referring to current times as the ‘Golden Age of Surveillance’.

We previously discussed the issue of data security and privacy in the context of top 2015 hacks as well as innovations such as A.I. toys and healthcare wearables in our December blog post: Data Privacy/Security You Can Run But You Can’t Hide.

Here’s some more food for thought on the topic.

Governments and corporations not only collect much larger and more wide-ranging datasets on us as individuals, but are also, now more than ever, able to compile them, make sense of them and act on in-depth big data insight. As noted by the Chief Data Scientist of an admired Silicon Valley company during an interview with Jemand mit Eiern, the goal is to “change people’s actual behaviour at scale” by capturing people’s behaviours, classifying them as ‘good’ or ‘bad’, and then finding ways to reward the ‘good’ and punish the ‘bad’. The ultimate goal? Profit and control.

The application of big data to alter behaviours is clear on both the corporate and the government side: from Google, which announced that its maps will no longer merely provide users with the route they search for but will also suggest a destination, to China, which is building a ‘pre-crime’ big data platform. China’s new tool is intended to allow predictive policing: identifying individuals who ‘have the potential’ to engage in suspicious activities, based on data derived from citizens’ online and offline activity (transactions, locations, who they associate with, etc.), and so to prevent crime by altering the way individuals behave.

Schneier finds what happens ‘at the back end’ of big data rather disturbing. During Forbes’s first tech podcast, ‘The Premise’, he spoke about ‘dossiers’ that are built up from multiple inputs, such as “face recognition plus miniature cameras, plus Facebook’s database of tagged photos, plus the credit card database of your purchasing habits data… all of that put together…” The data privacy thought leader stresses that while on the corporate side big data and surveillance are used to get people to consume things, on the government side they are a tool for a variety of things: law enforcement, social control, terrorism, and political manipulation, making sure that ‘certain’ ideas don’t spread and silencing ‘certain’ people.

Knowledge is power, and it is important to consider whom these surveillance and intelligence powers can be used against. Snowden recently reminded us of the case of the UK’s Government Communications Headquarters (GCHQ), which has previously used its ‘powers’ to spy on journalists and human rights groups such as Amnesty International.

How much of our data do we agree to ‘give away’? Is it at all possible to ensure that only the ‘good guys’ can access all this big, big data which, as we discussed, can be used to alter our behaviours?

During one of his recent Ask Me Anything sessions on Reddit, Bill Gates himself drew attention to the issue of data security. Microsoft’s founder called for more public debate around bulk data collection and stressed that there are currently insufficient safeguards in place to make sure that information on us is only used for what he called the ‘proper’ reasons.

How do you even define ‘proper’ reasons?

The issue is highly relevant to the UK. In an interview with the Guardian, UN privacy chief Joseph Cannataci stated that “UK surveillance is worse than 1984” and “a rather bad joke at its citizens’ expense”, and criticised the government for its approach to the Investigatory Powers Bill. If the bill proceeds into statute, the ‘Snooper’s Charter’ will have significant ramifications for Brits’ collective privacy.

Edward Snowden, during a talk he gave in Poland in mid-March, summarised the surveillance vs. security ‘dilemma’ (one which British MPs are currently facing) as follows:

“Do we want liberty or do we want sort of a sense of total order where you may feel that life is a little bit more predictable but you are reliant upon some great authority that really has the extraordinary power to interfere in your life and tell you where to go what to do and how (…) and watch you at all times in exchange for a feeling of safety that in practical way is not delivered in any more reliable way today than it was before?”

Schneier agrees with this view and stresses that surveillance with no probable cause is not compatible with liberty:

“the whole point of democracy is that we are willing to live with some amount of crime because we realise that a totalitarian police state is much worse”.

At the same time, the security champion dismisses the ‘myth’ that surveillance is good for security: “There is no evidence for that. It has been stated as a truism and we’re expected to believe”. Whenever we see a counter-terrorism success, it is based on targeted, not mass, surveillance.

Big data will get bigger; there is no question about it. However, “we need comprehensive laws that regulate all forms of data: collection, storage, use, sale, destruction. The whole process”, Schneier argues. Let’s hope that sooner or later we will learn to appreciate our privacy and put in place systems to protect it.

The CEO Phishing Scam – It’s All About People, Policy and Procedure

Posted on : 30-03-2016 | By : kerry.housley | In : Cyber Security, Data, Uncategorized

The CEO phishing scam, where fraudsters impersonate the email accounts of chief executives, has increasingly grabbed the headlines over the last few months and is proving to be a huge potential threat to any company, large or small.

The FBI’s Internet Crime Complaint Center (IC3) has been tracking Business Email Compromise (BEC) scams and found that over $2BN has been lost globally over the past two years. There is no doubt that the real figure is considerably higher, as companies hide losses from their shareholders and the media.

So why is this low-tech scam so effective in an ever more technical age? Companies are very aware of cyber attackers trying to penetrate their networks and therefore implement sophisticated preventative measures to stop them from doing so. Unfortunately, it is difficult to block human nature, which is the key element of a successful phishing operation.

Most of the scams follow a similar pattern, with losses averaging around $120,000 and ranging up to tens of millions. So how do the fraudsters strike it lucky?

When the corporate controller of a US grain trading company was sent an email from his CEO asking him to transfer $17.2M to a Chinese bank account, he didn’t think twice about doing so. The controller was told in the email that the company had been in confidential negotiations to purchase a Chinese company and that the purchase was almost complete. In order to finalise the deal, he was to liaise with a lawyer at the accounting firm KPMG, who would then send him the payment details. Over three separate transactions the controller wired a total of $17.2M to a bank in Shanghai. It was that easy: the sting had stung!

How do the fraudsters convince intelligent professionals to send such large sums of money with very few questions, if any, asked? Settling invoices and making purchases are an integral part of the day-to-day running of any business, and the scammers use this to their advantage. They work hard to set the scene, follow the tone of existing email conversations and tag on to existing scenarios. In the case of the grain company outlined above, there had been talk of acquiring a Chinese company, so the request was not totally out of the blue. The fraudsters had used the name of a real person at KPMG, setting up fake email accounts and phone numbers for this person.

Social media sites make it easy to build a picture of the company hierarchy and to see when key individuals might be out of the office, making it easier to pull off the heist. A common way in is to use a traditional phishing email to gain access to the company’s email system. This enables the fraudsters to read existing conversations and adopt their tone and language to convincingly script their fake emails.

What can companies do to protect themselves against this growing phenomenon? In most of the cases, if the person responsible for making the transfer had actually picked up the phone and called the CEO on a known number, the scammers would have been found out! The following steps could help your company beat the fraudsters:

  • Review your accounts policy and ensure that all payments (and any change to a supplier’s bank details) require the approval of two people. Build in internal checks that verify the request out of band and deliberately slow the process down.
  • Increase awareness and train all staff in the ways in which they might be targeted, including the tell-tale signs: urgency, secrecy, and a request to bypass the normal process.
  • Encourage staff to be more guarded on social media sites, particularly high-profile board members.
  • Maintain system security; for example, have your mail gateway check that inbound mail authenticates (SPF, DKIM and DMARC), and flag external messages whose sender domain or display name closely resembles your own or your executives’.
  • Register domain names that look or sound similar to your company’s so that copycat domains cannot be set up. Since you cannot register every possible variant, also watch for and block the ones you don’t own.
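The last two points above are the ones a mail gateway or SIEM can actually enforce. The following Python script is an added illustration and not code from the original post; it takes raw inbound messages and flags the three BEC patterns described here: a lookalike or homoglyph sender domain (examp1e-grain.com, exarnple-grain.com, example-grain.co), an external address using an executive’s display name, and mail that claims the company’s own domain without a DMARC pass from the gateway. The company domain, the executive list and the sample messages are all constructed for the demo.

```python
"""Flag inbound mail that shows the signs of CEO/BEC impersonation.

Added illustration, not code from the original post. The company domain,
executive list and every sample message below are constructed for the demo.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

OUR_DOMAIN = "example-grain.com"                         # hypothetical company domain
EXECUTIVES = {"jane doe": "jane.doe@example-grain.com"}  # hypothetical CEO: display name -> real address

# Digit-for-letter substitutions commonly seen in copycat domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise(domain: str) -> str:
    """Fold case, strip accents and undo common homoglyph tricks (examp1e -> example, rn -> m)."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means a typo-squat such as examplegrain.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """True if `domain` is not ours but is visually or typographically close to it."""
    if domain == ours:
        return False
    if normalise(domain) == normalise(ours):
        return True
    label, our_label = domain.split(".")[0], ours.split(".")[0]
    # Same label under another TLD (example-grain.co) scores 0; tune the threshold for short names
    return levenshtein(normalise(label), normalise(our_label)) <= 2


def check_message(raw: str) -> List[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    findings: List[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()

    if domain != OUR_DOMAIN:
        if is_lookalike(domain):
            findings.append(f"lookalike sender domain: {domain}")
        key = name.strip().lower()
        if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
            findings.append(f"external mail using executive display name: {name!r} <{addr}>")
    elif "dmarc=pass" not in auth:
        # Claims our own domain but the gateway did not verify it: a direct spoof
        findings.append("sender claims our domain but DMARC did not pass")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To points elsewhere: {reply_addr}")
    return findings


# Constructed sample messages (not real mail)
SAMPLES: Dict[str, str] = {
    "legit": (
        "From: Jane Doe <jane.doe@example-grain.com>\n"
        "To: controller@example-grain.com\n"
        "Authentication-Results: mx.example-grain.com; spf=pass; dkim=pass; dmarc=pass header.from=example-grain.com\n"
        "Subject: Q2 summary\n\nPlease send me the Q2 numbers.\n"
    ),
    "homoglyph_domain": (
        "From: Jane Doe <jane.doe@examp1e-grain.com>\n"
        "Reply-To: jane.doe@webmail.example\n"
        "To: controller@example-grain.com\n"
        "Subject: Confidential acquisition - urgent wire\n\nWire the first tranche today.\n"
    ),
    "freemail_display_name": (
        "From: Jane Doe <ceo.janedoe@webmail.example>\n"
        "To: controller@example-grain.com\n"
        "Subject: Are you at your desk?\n\nNeed a quick favour.\n"
    ),
    "direct_spoof": (
        "From: Jane Doe <jane.doe@example-grain.com>\n"
        "To: controller@example-grain.com\n"
        "Subject: Payment details\n\nThe lawyer will send the account details.\n"
    ),
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the checker over every constructed sample."""
    return {label: check_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label}: {findings or 'clean'}")
```

The edit-distance threshold of 2 is generous for a long label like example-grain and too loose for a three-letter company name, so tune it to your own domain; and the DMARC check only means something if the gateway that writes the Authentication-Results header is the only path into the mailbox, which is why this belongs on the mail gateway rather than on the desktop.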

The CEO phishing scam is not a security scenario easily fixed by a shiny new piece of technology. It is essentially a conversation, a story between individuals, so the key to combating it has to be people, policy and procedure.

Get that right and the scammers are less likely to sting!

The Ultimate Way to Move Beyond Trading Latency?

Posted on : 30-03-2016 | By : richard.gale | In : Finance, Innovation

A number of power surges and outages have been experienced in the East Grinstead area of the UK in recent months. The utility companies involved have traced the cause to one of three high-capacity feeds to a global investment bank’s data centre facility.

The profits created by the same bank’s London-based Proprietary Trading group have increased tenfold in the same period.

This bank employs 1% of the world’s best post-doctoral theoretical physics graduates to help build its black box trading systems.

Could there be a connection? Wild and unconfirmed rumours have been circulating within the firm of a major breakthrough in removing the problem of latency, the physical limit on the time it takes a signal to travel down a wire, which is ultimately governed by the speed of light.

For years traders have been trying to reduce execution latency to provide competitive advantage in a highly competitive fast moving environment. The focus has moved from seconds to milli and now microsecond savings.

Many financial services and technology organisations have attempted to solve this problem by reducing data hops and routing, and by going as far as placing their hardware physically close to the source of data (such as in an exchange’s data centre) to minimise latency, but no one has solved the issue yet.

It sounds like this bank may have gone one step further. It is known that at the boundary of the speed of light, physics as we know it changes (quantum mechanics is an example, where the time/space continuum becomes ‘fuzzy’). Conventional physics states that travelling faster than the speed of light, and so seeing into the future, would require infinite energy and is therefore not possible.

Investigation with a number of insiders at the firm has resulted in an amazing and almost unbelievable insight. They have managed to build a device which ‘hovers’ over the present and immediate future – little detail is known about it but it is understood to be based on the previously unproven ‘Alcubierre drive’ principle. This allows the trading system to predict (in reality observe) the next direction in the market providing invaluable trading advantage.

The product is still in test mode, as the effect of trading ahead of data they have already traded against is producing outages in the system: it then tries to correct the error in the future data, which again changes the data, ad infinitum. The prediction model only allows a small glimpse into the immediate future, which also limits the window of opportunity for trading.

The power requirements of the equipment are so large that it has had to be moved to the data centre environment, where consumption can be more easily hidden (or not, as the power outages showed).

If the bank really does crack this problem then it will have the ultimate trading advantage: the ability to see into the future and trade on ‘inside’ knowledge legally. Unless another bank is doing something similar in the ‘trading arms race’, this bank will quickly become dominant and the other banks may go out of business.

The US Congress has apparently discovered some details of this mechanism and is requesting that the bank disclose details of the project. The bank is understandably reluctant to do so, as it has spent over $80m developing the system and wants to make some return on its investment.

If this system goes into true production mode surely it cannot be long before Financial Regulators outlaw the tool as it will both distort and ultimately destroy the markets.

The project even has a code-name…. Project “Prima Aprilis”

No one from the company was available to comment on the accuracy of the claims.

5 Minutes With Nigel D. Solkhon, CEO of ISITC Europe

Posted on : 14-03-2016 | By : Maria Motyka | In : 5 Minutes With

As one of the founding members of the organisation, you were invited to become CEO of ISITC Europe in Q4 2015. What is your vision for the organisation?

ISITC Europe was formed in 1992, 6 months after the forum was established in North America. It is a voluntary organisation that has led operational and technical change over the past 25 years, contributing to the rise of efficiency in the securities markets to the mutual benefit of all participants. The initiative has lost members and focus over the past 5 years, which I believe left a gap in the industry for a vendor/participant-neutral forum to educate, debate and advise on the industry’s needs.

The new agenda I established with the IELG (ISITC Europe Leadership Group) in December 2015, was targeted at 3 levels:

  1. Deliver value to ISITC Europe Members
  2. Re-establish ISITC Europe as a contributing forum for industry change
  3. Establish work groups around contemporary and innovative topics (Blockchain, Standards, Regulation, Industry Engagement and Cybersecurity)

The value will be derived from the right context of debate and education as well as the fee reduction we applied in 2016. The work groups have attracted more people/firms than the total membership in the past 2015, proving the demand is strong. Lastly, we are holding our first General Meeting on 25th April which will allow members and non-members access to the work group updates as well as discussions around the individual topics.

According to your view, “technology has a huge role in translating the data into information and creating efficiency”. During a recent interview you also expressed your belief that the current interest and investment in blockchain technology among financial firms will reveal its impact within as little as 1 to 1.5 years. In your opinion, how will the financial industry change as a result of the adoption of new tech, including blockchain?

The most difficult challenge is to predict the future. Adoption of new technology happens every day, whether it be a database, network or application; it is the natural evolution of the industry. Blockchain is seen as a disruptive technology, meaning that the adoption may change not only the process but the actors. This has resulted in the fear and greed emotional response. Whenever new technology hits the industry there is a period of chaos, as use cases are researched and new companies and consortia are formed. ISITC Europe is not about choosing a technology or consortia but about looking at the impact of the technology on the operational and technical use across the firms and providers. There already exist products and services based on this technology in operation today. However, most of the players in the industry are at the stage of defining which processes (internally or externally) will benefit from moving to the new platform. Moving will incur costs, as migration from old to new is never an exact science, and is always dependent upon the last adopter to close off old processes. Suffice to say, Blockchain has made the industry think about current processes and models, and ISITC Europe will be in the middle of validating any changes.

You said “Blockchain is seen as a catalyst for change and ISITC Europe members need to be involved in setting the agenda for change”. Can you explain the ways ISITC can contribute to setting this ‘change agenda’?

As I mentioned previously, ISITC Europe is a neutral platform for participants to have open dialogue about common challenges to drive a common equitable solution. I could be sitting in my office with an issue that I believe is unique to me/my organisation and without a forum like ISITC Europe I would not know that everyone has the same issue. A problem shared is a problem halved could be a relevant adage, however sharing the problem allows for a wider community looking for a resolution. ISITC Europe educates its members by bringing people together from a range of firms and discussing common topics. Once the knowledge is shared, the debate begins, and once this is formed into an opinion, this can be shared with the entities canvassing the industry for input to regulation, technology and industry future models. By making the ISITC Europe agenda interesting and relevant, a common voice can be heard.

What are the potential security challenges of blockchain tech?

I am no expert on security, but I certainly see the concern from Governments, Banks, Asset Managers, Brokers et al. ISITC Europe will look at these concerns, work on a scope of activity to deliver in a set time and pass any relevant outputs to the other working groups to review (for example standards of regulation). This is an area where I personally will be interested in being educated by the experts.

What do you consider as the most common mistake financial organisations make in terms of cyber security?

This is a tough question. Any technology has an evolution path, and this appears to be accelerating in certain areas. The positive side of this is that we can see benefits to our everyday life such as contactless payments, social media etc. Unfortunately this is not the case for those looking to fraudulently use technology for gain or disruption. Mistakes will happen, and thankfully most are used to prevent recurrence in the future. As more and more of the services delivered by financial services organisations are delivered through self-service electronic means, the attacks on these assets will inevitably increase. ISITC Europe can be a place to share these issues, raise awareness and share solutions.

As Citi’s Regional Head of E2C EMEA, can you briefly describe its Execution 2 Custody solution?

My day job is actually similar to ISITC Europe in that it supports efficient trading and settlement of assets across the Citi trading and custody landscape in a very efficient model. The trades are executed and sent by Citi in a journey that can be as short as 1 second for the entire process. We use open architecture standards such as FIX and ISO 15022, enabling clients to integrate much quicker and gain benefits from the automated flows. We count private banks, retail brokers, bank retail flow, institutions, market infrastructures and stockbrokers as clients.