Giving a “worm” welcome: The financial sector’s move to open source security products

In January 2003, "Bank of America" was the most prominent victim of the aggressive "Slammer" computer virus that Richard Clarke, the former top adviser to President George W. Bush on cybersecurity, simply called "a dumb worm".

Virtually overnight, "Slammer" shut down 13,000 ATMs in the land of opportunities. Bank of America ATMs ceased to spit out cash and customers were unable to withdraw a single buck. Canadian Imperial Bank of Commerce ATMs were also knocked offline. Within minutes, the "Slammer" virus had both infected banking networks and scared the entire financial industry. "Slammer" shut down Microsoft's SQL Server 2000 as well as applications created with the Microsoft SQL Server 2000 Desktop Engine. The virus caused damages of almost US$ 1.2 billion. By no means did Clarke want to downplay the danger of worms and viruses; rather, he wanted to point out that this was just the tip of the iceberg. In the face of painful damages caused by "Slammer", Clarke looked ahead into a grim future and saw "more sophisticated attacks against known vulnerabilities in cyberspace that could be devastating."

In the case of "Slammer", the malware exploited vulnerabilities on Microsoft SQL 2000 servers, causing increased traffic on UDP port 1434 as it spread between Microsoft SQL servers. Hundreds of servers were affected, and the enormous data volume generated severely strained Internet resources. As a consequence, many providers suffered drastic drops in performance. At the same time, the worm scanned the Internet for other SQL servers and infected them. "Slammer" spread extremely fast, which aggravated an already dramatic situation. The W32/SQL worm was followed by the "Blaster" attacks in the summer of 2003. Finally, the "Nachi" worm compromised Windows-based automated teller machines at two financial institutions.

Every month, between 150 and 250 new viruses are detected. However, turmoil created by the viruses mentioned above is just one threat to the strained financial industry. To make things worse, Trojans and hackers in particular menace money transactions over the Internet. In November 2002 for example, federal prosecutors arrested three men involved in what officials were calling the largest identity fraud case in American history. Law enforcement officials busted a massive ID theft ring which obtained more than 15,000 customer credit records. According to law enforcement reports, the group's activities lasted for more than two years and resulted in thousands of people across the country collectively losing millions of dollars as their bank accounts were drained and credit cards maxed out with bogus charges.

Tux the penguin is germfree

Nevertheless, the future of the financial business is clearly online, as more and more money transactions and statements of account are generated via the Internet. In a cost-sensitive business environment, the digital medium allows for fast and easy management of personal information and standing orders. By deploying encryption technologies, digital signature mechanisms, authentication methods, as well as firewalls, trust centers and intrusion detection systems, a majority of security concerns can be met. Additionally, an efficient security strategy needs to be put into practice in order to prevent damages for banking customers and financial institutes.

Linux technology has become a valid alternative to the traditional Microsoft monopoly. Only last year, Bloor Research North America, an independent technology research institute, announced the results of a study looking at Linux and its enterprise-readiness. After examining Linux scalability, availability, reliability, security, manageability, flexibility, as well as server consolidation characteristics, the research institute concluded that Linux was enterprise ready. Joe Clabby of Bloor Research North America, the report's author, commented: "Linux is proven to be reliable, especially for dedicated applications, and its open source nature ensures that it is at least as secure as its rivals." Bloor summarized its findings by saying that because Linux was based on open source code, a huge community of developers closely scrutinised Linux code, thus revealing any code-related security issues. Linux developers can build their own layers of security directly on the Linux kernel, which is beneficial for both enterprises and governments who want to invest in specialised security development.

Security and cost-efficiency remain the fundamental advantages of open source products. This is good news, indeed, for companies like Germany-based Astaro. "When it comes to core technology aspects Astaro relies on open source", Mr Jan Hichert, CEO at Astaro, explains. The makers of the company firewall "Astaro Security Linux" also combine Linux technology with commercial solutions, though. Hichert again: "There are applications which are less technology-prone like the manual search for virus patterns and attack scenarios for example." On account of inevitable maintenance costs, commercial solution providers would then be first choice. The company's main asset was to "verify again and again which spam, surf and virus filter solutions worked best - either commercial products or software based on open source technology". With more than 10,000 installations in over 60 countries, including organizations such as EDS, Los Alamos National Labs and Stanford University, Astaro Security Linux integrates firewall, VPN, content filtering, anti-spam, URL filtering and virus protection on a single, rapidly configured, automatically updated "software appliance."

Linux is probably the only good news that the financial industry has had over the past couple of years. The financial sector has recently discovered the world of Tux the penguin as a sensible alternative. Besides lower licensing fees meeting the need for cost savings, the urge to build higher security standards can also be met. Financial industry heavyweights such as Merrill Lynch, Morgan Stanley, Credit Suisse First Boston, Goldman Sachs Group and E-Trade have all announced major Linux deployments in recent months. In February 2003, Reuters announced that its popular Reuters Market Data System, or RMDS, has been ported to Linux. Tux the penguin has obviously opened his first bank account.

Jan Hichert is CEO of Astaro
Astaro AG are exhibiting at Infosecurity Europe 2004 which is Europe's number one IT Security Exhibition. The event brings together professionals interested in IT Security from around the globe with suppliers of security hardware, software and consultancy services. Now in its 9th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27th to the 29th April 2004.
