No, our banks are still vulnerable to cyber attacks

Remember when it was revealed back in August that many Lebanese banks have been targeted by a malware called “Gauss”? I bet people are starting to forget about the matter and there’s really nothing wrong with that. I mean you can’t expect people to keep talking about the issue forever, but what’s really worrying is when regulators disregard the threat this malware is still posing to the information systems at our banks.

On September 15th, an article was published in The Daily Star aiming to assure everyone that Lebanese banks are safe and no one will be able to break into their systems because of the “preventive measures” they’re taking. What measures you may ask? Updating their antivirus programs.

Lebanese banks have upgraded their software security systems to block any virus designed to spy on transactions and operations, the Central Bank and IT experts said Thursday.

Jonny Torbey, the head of the IT department at Credit Libanais, said Lebanese banks have developed a security system to prevent any outside party from penetrating their computers regardless of how strong the virus. Read more here

I don’t claim to be a security professional, but I work in the IT sector, and if you also have some basic knowledge in IT and Information Security, you’ll know that updating programs and virus definitions is not sufficient to protect yourself from cyber attacks. Even the biggest organizations in the world are not immune to attacks, but the difference is in how these organizations react when facing such an issue, and that can only be done with proper policies, standards, processes, and systems in place.

A group of independent security professionals wrote this reply to let people know why these actions are insufficient and I decided to publish it here for you guys to read.

Lebanese banks upgrading anti-virus systems: Isn’t it business as usual? Are they truly willing to fight back?

First and foremost, the authors are speaking as Lebanese banking customers who happen to be subject matter experts!

Some of us have had first-hand experience reacting to the Gauss Malware in Lebanese banks, and we have taken notice of the Central Bank memorandum released to the IT Departments of all Lebanese banks as well as last week’s related press release.

We can quite understand the need for such communication. It was surely aimed at re-increasing the level of confidence in Lebanese banks in the media and reassuring the general public, who are mostly illiterate in the works of Gauss.

However, knowing how lethal and stealthy the Gauss malware is, we are afraid that such an analysis, if considered sufficient and left unchallenged, is hurting the Lebanese banking sector’s reputation rather than increasing confidence in it.

Indeed, the quoted explanations might be misleading and give the impression that the Lebanese Central Bank might not have fully understood the dynamics of the Gauss malware, especially since the latter targets customers’ workstations rather than the banks’ Information Systems.

The reported solution consisting of upgrading the anti-virus systems alone will not prevent future sophisticated malware from targeting the Lebanese banking sector again! More dangerously it might encourage more lethal and frequent hacking and cyber-espionage…

Gauss falls into the category of highly advanced cyber-espionage attacks, more commonly known as Advanced Persistent Threats (APT), and is far from being a playground for script-kiddies.
By only conveying simplistic views about Gauss, the banking sector might not be showing enough readiness to fight back.

Moreover, when it comes to the Lebanese banking sector’s intrinsic sensitivity, it is quite shocking to read “Other bankers confidently say that they are not concerned about any virus because they insist that they have nothing to hide.”

Is the Lebanese Central Bank enforcing security standards as it should? Is it emphasizing more on implementing policies and procedures? Is there enough security awareness preached and are banks investing enough in this area?

Regulatory authorities should really focus more on pushing Lebanese Banks to become ISO 27001 certified with a clear Information Security Management System (ISMS).

Such a continuous improvement lifecycle will concretely increase Lebanese Banks’ reputation when it comes to operational risk management.

Apparently, much more work needs to be done there, and it’s not that great to hear about these attacks targeting the same assets once again. We sincerely hope this will trigger some sort of a more serious action! An information security program must exist, and must be based on a well-established strategy with measured deliverables, and clear accountability for all the involved parties.

As too much time has elapsed between the Gauss info disclosure from Kaspersky and the “public” reaction from the Lebanese Central Bank, one could legitimately look for an officially appointed crisis management spokesperson. Such a speaker would rely on a Computer Security Incident Response Team (CSIRT) and/or relevant structure in order to protect the sector and the public from unverified media delivery and from misleading information.

It’s not a shame to admit our shortcomings as long as we are determined to work on eliminating them and reassuring the customers in parallel about all sorts of required actions taken to contain and eradicate this malware from the internal workspace.

Remember, big worldwide financial and non-financial companies got compromised too. Even the most sophisticated information security organizations’ operations got hacked as well, but with proper ISMS in place, they were able to stand on their feet and react quickly and expertly.

Remember the Confidentiality, Integrity, Availability (CIA) triad? It’s a great model, but we prefer CIAA instead – the last “A” (Accountability) is what matters everywhere it is used…

To end on a lighter note, we all recall that Lebanese applause when the plane lands safely in Beirut airport but isn’t it business as usual to have a successful landing? The same applies to bankers “continuously updating their antivirus systems”: Isn’t it business as usual?

Sustainable security can only happen with a process enhancement security program!


The new 20,000L.L bill

I just came across this photo on Facebook showing what looks like a new 20,000 pound note to soon start circulating.

It looks similar to the 50,000 and 100,000 notes and apparently has the same size too, which should be reduced in my opinion.


Alfa and Touch started offering Nano sim cards in Lebanon

Alfa and Touch both started offering Nano sim cards in Lebanon for those who have already purchased an iPhone 5 or are willing to.

I actually came across Alfa’s announcement through Elie’s blog, and then just saw Touch’s announcement on their Twitter account.


Lebanon ranks 69th in the Happy Planet Index

The New Economics Foundation issued the Happy Planet Index for 2012 showing how well nations are doing to keep their inhabitants living a good life, while ensuring to maintain the conditions for future generations to do the same.

The index was calculated following this formula:
Happy Planet Index = (Experienced well-being x life expectancy) / Ecological footprint

The Ecological footprint, by the way, measures how quickly humans consume natural capital compared to how much time Earth takes to renew it.

Anyway, the report shows Lebanon in the 69th position with a life expectancy of 72.6 years, which is quite surprising knowing how much we nag here!

Globally, Costa Rica came first while Botswana was ranked last (151st). On the other hand, Algeria came first among the Arab countries in the 26th place, and Israel was ranked 15th.

You can download the full report here.


Kamashtak – More naming and shaming of Lebanese drivers

Kamashtak is a new website by a group of people aiming to document the various parking violations causing traffic jams around Beirut by taking photos of the violating vehicles, tagging them on a map, and finally posting them on the website along with the violation type and the vehicle’s plate number. It’s a bit similar to Cheyef 7alak initiative by LBC Group, except that Kamashtak is limited to parking violations and is not crowd-sourced.

I don’t know how effective this initiative will be. I mean Cheyef 7alak is already quite popular but did it change a thing? Thousands of photos have been uploaded so far and we still suck ass at driving… talk about wasted efforts. Anyway if you ever see the above sticker on your car, just know that you’ve done something wrong!


Claire Danes in Beirut

So as I mentioned in a previous post, the events in the first episodes of “Homeland” take place in Beirut, but its producers decided to shoot these scenes in Tel Aviv and make it look like Beirut as shown in the above photo. Still, the result didn’t seem pretty convincing to Karl from Karl reMarks blog, and so he offered the below alternatives!


Xriss Jor performance on The Voice

Xriss Jor is a Lebanese contestant on the Arabic version of “The Voice” currently being aired on MBC. Judging by her first performance, she looks so talented and promises to hopefully make it to the final rounds.

You can follow and support Xriss on both her Twitter account and Facebook page. I have no idea by the way why she writes her name this way…


Beirut featured in Homeland TV series

Fatima Ali, the first wife of a Hezbollah district commander, has information about an attack on the United States. Fatima refuses to speak to anyone but Carrie, who knows another secret from having recruited her eight years ago: She loves Julia Roberts movies. (What did she think of her in “Charlie Wilson’s War”?) This leads CIA counterterrorism director David Estes (David Harewood) and avuncular CIA vet Saul Berenson (Mandy Patinkin) to pull Carrie back into the business for a three-day, one-off mission to Beirut, Lebanon. (The Beirut scenes, however, were filmed in Israel.) Source

Funnily enough, the scenes in Beirut were all filmed in Tel Aviv.


Electricity all over Lebanon affected by today’s rain

We all know the electricity situation here is very miserable, but I really find it hard to believe that three power plants, Jiyyeh, Zouk, and Deir Amar, went off the grid in the afternoon because it BARELY rained around the country today! Electricity consequently went off in Beirut, Mount Lebanon, and the North.

This winter is definitely promising to be a fantastic season for all generator owners!

Update:

Even worse, check these two videos showing what the rain did to some regions. And don’t blame the rainfall amounts, it’s actually all because of the poor infrastructure we’ve got thanks to our dear government!



Gangnam Style – Arabs Style
