Friday, October 24, 2008

LPL Financial fined following account hacking

The SEC issued a cease and desist order and imposed a fine of $275,000 against LPL Financial due to the firm’s failure to implement adequate controls to protect access to customer accounts. Between mid-July 2007 and February 2008, LPL was subject to hacking incidents in which customer accounts were accessed and the perpetrator placed or attempted to place 209 unauthorized trades in 68 customer accounts, totaling over $700,000. At that time, the SEC found that LPL had failed to implement increased security measures and adopt policies and procedures reasonably designed to safeguard customer information as required by SEC regulation.


The SEC noted that, among other things,
--LPL did not develop or maintain a complete set of policies and procedures addressing administrative, technical, and physical safeguards reasonably designed to protect customer records and information at its branch offices.
--LPL failed to reasonably evaluate security controls despite its knowledge of a prior data breach incident.
--A prior audit revealed deficiencies concerning users’ password complexity and session inactivity parameters.

The SEC Order In the Matter of LPL Financial Corp. is posted at http://www.sec.gov/litigation/admin/2008/34-58515.pdf

Monday, October 20, 2008

Citic Pacific faces billions in losses on unauthorized forex bets

Citic Pacific, a Chinese government conglomerate, is facing billions of dollars in losses after traders made what the company said were unauthorised bets against US currency. At current mark-to-market prices, Citic Pacific faces a loss of US$1.88bn. The company said that “there was no reason to believe fraud or other illegal activities were involved.” Following the news, Citic Pacific shares lost 38%.

See, "Citic Pacific faces $2bn in forex losses," Financial Times, October 20, 2008, at http://www.ft.com/cms/s/0/b65d9e52-9eaa-11dd-98bd-000077b07658.html; "CITIC Pacific shares dive 38 percent on forex losses," Reuters, October 20, 2008, at http://www.reuters.com/article/ousiv/idUSTRE49K0AU20081021.

Saturday, October 18, 2008

Quantum encryption demonstrated

Researchers demonstrated a quantum encryption system at a conference in Vienna. The system uses photons to encode data and relies on the Heisenberg Uncertainty Principle, which says that quantum information cannot be measured without disturbing it. As soon as the photons are observed by an eavesdropper they are scrambled, leaving the encryption unbroken and creating a trace of the eavesdropper.

See, "Researchers show off 'unbreakable' quantum encryption," ITPro, October 9, 2008, at http://www.itpro.co.uk/606984/researchers-show-off-unbreakable-quantum-encryption; "The solace of quantum key technology," The Guardian, October 9, 2008, at http://www.guardian.co.uk/technology/2008/oct/09/news.hitechcrime.
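The property the article describes, that an eavesdropper who measures the photons disturbs them and so leaves a trace, can be seen in a small simulation of the BB84 key-exchange protocol. The following is an added example written for this post; it is not code from the article, the Vienna demonstration, or the research groups involved. It models photon measurement as "same basis returns the bit, wrong basis returns a coin flip", simulates an intercept-resend eavesdropper, and then does what a real system does: the two parties sift on matching bases, publicly compare a random sample of the sifted bits to estimate the error rate, and abort if it exceeds a threshold. The 11% abort threshold is the commonly cited BB84 bound and is an assumption here, not a figure from the article.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1
# Commonly cited BB84 abort threshold for the quantum bit error rate (assumed here).
QBER_ABORT_THRESHOLD = 0.11


def measure(bit, prep_basis, meas_basis, rng):
    """Measure a photon that encodes `bit` in `prep_basis` using `meas_basis`.

    Same basis: the encoded bit is recovered intact. Different basis: the
    outcome is a coin flip and the original state is destroyed, which is the
    disturbance that later shows up as errors.
    """
    if prep_basis == meas_basis:
        return bit
    return rng.randint(0, 1)


def bb84_exchange(n_photons, eavesdrop, seed=0):
    """Run one BB84 session; returns (alice_sifted_bits, bob_sifted_bits)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_photons)]
    bob_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve guesses a basis, measures, and re-emits a
            # photon prepared in her basis carrying the value she observed.
            e_basis = rng.choice((RECTILINEAR, DIAGONAL))
            e_bit = measure(bit, a_basis, e_basis, rng)
            bob_bits.append(measure(e_bit, e_basis, b_basis, rng))
        else:
            bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: bases are announced over the public channel and only positions
    # where Alice and Bob happened to choose the same basis are kept.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def estimate_qber(alice_sifted, bob_sifted, sample_fraction=0.5, seed=1):
    """Publicly compare a random sample of sifted bits to estimate the error
    rate, then discard the revealed positions. Returns (qber, remaining_key)."""
    rng = random.Random(seed)
    n = len(alice_sifted)
    sample = set(rng.sample(range(n), int(n * sample_fraction)))
    errors = sum(1 for i in sample if alice_sifted[i] != bob_sifted[i])
    qber = errors / len(sample) if sample else 0.0
    remaining = [alice_sifted[i] for i in range(n) if i not in sample]
    return qber, remaining


def run_session(n_photons, eavesdrop, seed=0):
    """Exchange, sift, estimate the error rate, and abort above the threshold.
    Returns (qber, key) where key is None when the session is aborted."""
    alice, bob = bb84_exchange(n_photons, eavesdrop, seed)
    qber, key = estimate_qber(alice, bob)
    if qber > QBER_ABORT_THRESHOLD:
        return qber, None
    return qber, key


if __name__ == "__main__":
    for eve in (False, True):
        qber, key = run_session(4000, eavesdrop=eve)
        status = "aborted" if key is None else f"{len(key)}-bit key"
        print(f"eavesdropper={eve}: QBER={qber:.3f}, {status}")
```

Without Eve the sampled error rate is zero, because a photon measured in the preparing basis always yields the encoded bit. With intercept-resend, Eve guesses the wrong basis half the time and each wrong guess gives Bob a random bit, so roughly a quarter of the sifted bits disagree; that 25% error rate is the "trace" the article refers to, and the session aborts before any key is used.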

SMS attack on India's ICICI Bank

India's ICICI Bank has requested a police investigation into brokers and others who allegedly used SMS, email, and the Internet to launch a run on its branches and an attack on its shares, which fell as much as 28 per cent. One of the SMS messages reportedly said, "Kindly withdraw all your deposits and cash in account with ICICI Bank as ICICI Bank has already rushed to RBI for insolvency."

See, "ICICI demands police probe into share attack," Financial Times, October 14, 2008, at http://www.ft.com/cms/s/0/d528df7a-9989-11dd-9d48-000077b07658.html; "ICICI moves cops against 'malicious' brokers," Business Standard, October 18, 2008, at http://www.business-standard.com/india/storypage.php?autono=337152.

Thursday, October 9, 2008

Palin e-mail account hack

David Kernell, the son of a prominent Democratic Tennessee state lawmaker, was indicted for hacking into the Yahoo! Web mail account of Sarah Palin, Republican Vice-Presidential candidate and Alaska Governor. Kernell broke into the account by guessing the answers to her pre-selected "Secret Questions," which must be answered before Yahoo! will allow users to reset their account passwords.

The hack was apparently facilitated by the fact that Yahoo! does not allow new registrants to make up their own question for resetting their passwords. Kernell apparently found information on Wikipedia and used Google to discover the answers to her pre-selected secret questions and change her account password.

See, "Son of Tenn. Lawmaker Indicted in Palin E-Mail Hack," Washington Post, October 8, 2008, at http://voices.washingtonpost.com/securityfix/2008/10/son_of_tenn_lawmaker_indicted.html?hpid=news-col-blogs.
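The weakness in this story is the reset mechanism itself: a single static answer to a pre-selected question, drawn from facts that can be looked up, is the only thing standing between a stranger and a password change. The following is an added example for this post, not code from Yahoo! or from any party in the case, and the account record in it is constructed. It places the knowledge-based pattern beside the usual hardened alternative: a random, single-use, expiring reset token delivered over a channel the account owner already controls (delivery is assumed and out of scope here), with only a hash of the token kept server-side and a cap on redemption attempts.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record (not a real account). The "secret question"
# pattern described in the post: one static, low-entropy answer gates a reset.
SAMPLE_ACCOUNT = {
    "id": "user-0001",
    "secret_question": "What is the name of your pet?",
    "secret_answer": "Rex",  # the kind of fact that is often public
}


def knowledge_based_reset(account, answer):
    """Weak pattern: whoever can research or guess the answer resets the
    password. The comparison is constant-time, but the secret has so little
    entropy that this does not help."""
    expected = account["secret_answer"].strip().lower().encode()
    return hmac.compare_digest(expected, answer.strip().lower().encode())


class ResetTokenService:
    """Hardened pattern: a random, single-use, expiring token sent out-of-band
    (e.g. to a verified e-mail address; the mailer is assumed, not shown).
    Only a hash of the token is stored, so a leaked pending-reset table cannot
    be replayed, and a small attempt budget blunts online guessing."""

    TTL_SECONDS = 15 * 60
    MAX_ATTEMPTS = 5

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for testing expiry deterministically
        self._pending = {}   # account id -> {"hash", "expires", "attempts"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account_id):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[account_id] = {
            "hash": self._digest(token),
            "expires": self._clock() + self.TTL_SECONDS,
            "attempts": 0,
        }
        return token  # hand to the out-of-band sender; never echo to the requester

    def redeem(self, account_id, presented):
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= self.MAX_ATTEMPTS:
            del self._pending[account_id]  # expired or exhausted: start over
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["hash"], self._digest(presented)):
            del self._pending[account_id]  # single use
            return True
        return False


if __name__ == "__main__":
    print("KBA reset with a looked-up answer:", knowledge_based_reset(SAMPLE_ACCOUNT, "rex"))
    svc = ResetTokenService()
    token = svc.issue(SAMPLE_ACCOUNT["id"])
    print("token reset, wrong token:", svc.redeem(SAMPLE_ACCOUNT["id"], "guess"))
    print("token reset, right token:", svc.redeem(SAMPLE_ACCOUNT["id"], token))
    print("token reset, replayed token:", svc.redeem(SAMPLE_ACCOUNT["id"], token))
```

The contrast is in what an attacker needs: for the first function, a fact about the victim; for the second, possession of a 256-bit value that lives only in the owner's mailbox for fifteen minutes and works once. A real deployment would add rate limiting per source address and would not reveal whether an account exists, but the core change is replacing something knowable with something random.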

Computer faults cause jet to plummet

The Australian Transport Safety Bureau said onboard computer equipment faults in a fly-by-wire Airbus jet, operated by Qantas, caused it to plummet, sending passengers, crew and objects flying through the air.

See, "Computer fault blamed in Qantas jet fall," Australian IT, October 9, 2008, at http://www.australianit.news.com.au/story/0,24897,24469386-15317,00.html.

Friday, October 3, 2008

Surveillance system found in Chinese version of Skype

Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype (an online phone and text messaging service), has routinely been storing messages with politically sensitive keywords, along with personal user records.

A research group at the University of Toronto, Citizen Lab, discovered an encrypted list of words inside the Tom-Skype software, which, in turn, monitors messages containing those words. Encrypted copies of messages containing the words are sent to servers that also store personal information about the customers who sent the messages. They also record chat conversations between Tom-Skype users and Skype users outside China.

The researchers were able to download and analyze copies of the surveillance data because the Chinese computers were misconfigured. The computer directories were readable with a simple Web browser and researchers also found a file containing the key needed to decode the encrypted files. The researchers said they did not know who was operating the surveillance system.

See, "Surveillance of Skype Messages Found in China," New York Times, October 1, 2008, at http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?em.

Text-messaging moments before train crash

A commuter train engineer apparently was exchanging text messages on his mobile phone moments before his train ran a red light and slammed into a freight train, resulting in 25 deaths. Following the crash, state railroad regulators temporarily banned the use of all cellular devices by anyone at the controls of a moving train. Federal railroad regulators also issued an emergency order banning most cellphone use by locomotive engineers.

See, "California Bans Texting by Operators of Trains," New York Times, September 18, 2008, at http://www.nytimes.com/2008/09/19/us/19crash.html?fta=y; "Railroad Agency Bans Cellphones," New York Times, October 2, 2008, at http://www.nytimes.com/2008/10/03/us/03brfs-RAILROADAGEN_BRF.html?ref=us.