from: http://www.forbes.com/asap/00/0403/056.htm Click Here: <A HREF="http://www.forbes.com/asap/00/0403/056.htm">Forbes ASAP: How to Hack a Bank</A> ----- Feature How to Hack a Bank Electronically knocking over a financial institution isn't easy, but it's probably not as hard as you think.[1] let's get to work By David H. Freedman ------------------------------------------------------------------------ STEP ONE: THE SETUP First, we'll pull our core team together. We'll need at least half a dozen software whizzes to do our hacking,[2] including specialists in banking application software, wire transfer networks, IBM MVS, Unix, Sun Microsystems Solaris, or Windows NT (depending on which is controlling the bank's servers), Windows 95 and 98, and security software.[3] We'll also want at least one inside person at the bank.[4] This could be a mid- to low-level employee, a teller, assistant manager in data processing, or a wire transfer clerk. We should have someone experienced in physical security, too, as well as a talented "social engineer" capable of charm and fast talk. Next, we'll pick our target, avoiding top-tier banks because they're too well protected. We don't want small community or Internet-only banks, either, because their limited money supply makes it likely that managers would instantly notice millions of dollars flying out the electronic doors. So we target a nice midsize bank.[5] Finally, like any other business endeavor, we'll need time to get set up and some seed money-for equipment, living expenses, advances, bribes, and so on.[6] Two million dollars should do it.[7] Our goal will be to steal between $10 million and $100 million.[8] STEP TWO: THE GROUNDWORK Our physical-security pro and his or her associates will get themselves hired by the target bank as janitors, electricians, plumbers, or other contractors.[9] Once inside, they'll plant bugs throughout the bank. They'll also filch useful hard-copy information from desks, filing cabinets, and closets. At the same time, our social engineer and hired cohorts will run a number of small scams designed to yield insights into how the bank sets up, accesses, modifies, and pays out its accounts. For instance, they'll pose as retail and commercial customers, making friends with bank employees outside of work, and impersonating bank employees over the phone in an effort to get information from employees, customers, software vendors, computer professionals, and other banks. Meanwhile, of course, our main insider will be learning everything he or she can about the bank's network, software, processes, and employees. The actual hacking will be cautious and low-level for the first several weeks[10]-better to peel an onion than boldly drill for oil. We won't go near the money systems at this point. Instead, we'll focus on finding various ways to get onto the network from the outside.[11] One approach will be "war-dialing," which involves setting up a computer to automatically dial every phone line in the bank[12] in search of an answering modem.[13] Another approach is to set up an online account with the bank, then jump from the online banking server to the bank's main network.[14] Yet another avenue is provided by bank managers who take laptops home and hook up to their banks via cable Internet services (particularly easy to penetrate).[15] If the bank has overseas branches, we may decide to come in through one of them because computer security tends to be more lax offshore. Whatever route we take, we won't be able to get in without employee passwords, preferably several-to avoid raising suspicion by running up one person's computer time. But there are lots of ways of getting them. Our inside people should be able to spot some scribbled down on desktops; our social engineers will talk employees and the IT department out of others; we'll run widely available freeware automated password-guessing programs such as Crack; we'll steal them from employees' accounts at e-commerce sites like Amazon.com, because people tend to use the same passwords in different applications; and in many cases we'll be able to quickly guess them off the tops of our heads because people often use passwords such as their last names, "hello," or "password." Once on the network, we'll search for ways to jump into different computers and software programs. We may need new passwords at each step-no big deal. At this point, we'll log on only for short periods and avoid touching sensitive systems, to keep from attracting attention. We'll also have our social engineers open several dozen accounts of various types at the bank under false identities. They'll keep mostly modest but occasionally large sums of money flowing into, out of, and among them. STEP THREE: THE CODE WORK Once we get a feeling for the network, we'll start to obtain "root access" on some of the servers. That is, to get a server to give us all the rights and privileges normally afforded only to the server's systems administrator, or sysadmin. All it takes is the right password.[16] With root access, we can start rolling out the hacker heavy artillery. We'll create new computer accounts, install back doors and Trojan horses,[17] and set up "sniffers" to monitor traffic and break into email archives. In this way, we'll learn the formats and codes that the bank uses to move money around. We'll also break into files storing hundreds of passwords, which will come in handy. And we'll run remote network analyzers-freely available programs such as Satan, Saint, and Sara-that relentlessly probe a network looking for security weaknesses. At this point, we'll now be able to cover our tracks by altering the computer logs that keep track of who accesses what on the network, so we can stay on for longer periods and penetrate more deeply.[18] On another front, we'll try getting our hands on a copy of the application software that the bank uses to manage money and accounts because we'd like to figure out a way to secretly modify it to our benefit. The version the bank is running won't do us any good because working software, or "machine code," is nothing but an unintelligible string of 1s and 0s. We'll need the "source code"-the version written in a standard programming language. Software companies guard source code jealously, but we might be able to hack a copy from the vendor.[19] Alternatively, if we're lucky, the bank may have modified the software on its own, in which case it will have a copy somewhere. If we can't find it on the network, we may be able to get it by bribing or extorting one of the bank's IT consultants.[20] Or we might have better luck lifting a copy from an overseas bank or vendor that modified the software to suit local requirements.[21] If we can get the program, we'll look for ways to usefully alter one of its components, then we'll "compile it"-convert it to machine code ready for running. Later, we'll hack into the system and swap our modified component for the real thing.[22] Either way, eventually we will learn how to move money internally among accounts-essentially the level of control of a teller-and how to control wire transfers, in which money is transferred to another bank.[23] We'll know what sorts of checks and verifications are run on every transaction of a given type and size, when audits take place, and what sorts of actions cause the computer systems to alert sysadmins or other managers.[24] But we still won't take any money. While we're getting to know how the bank's systems operate, we'll also be gathering the latest in nuisance hackerware-viruses, autospammers, and other goodies designed for "denial of service" attacks-that is, attacks intended to bring a system to its knees without necessarily taking anything (the kind of attacks leveled recently at e-commerce sites like Amazon).[25] We'll put these tools into position, but we won't activate anything yet. Finally, we'll set up numbered bank accounts in Jamaica, Cyprus, and several other countries that provide maximum banking privacy and minimal cooperation with international law enforcement agencies. We'll also set up accounts at several other U.S. banks, with detailed instructions for quickly moving money in and out of each of these banks.[26] STEP FOUR: THE HEIST We'll wait for one of the eight or so annual periods of unusually high banking activity to strike.[27] Initially, we activate the computer viruses and the other denial-of-service attacks. This is the civilian equivalent of throwing smoke grenades. We may add some physical shenanigans as well, including bomb threats, plumbing mishaps, electrical failures, and the like. As a result, the bank's IT staff will be bouncing off the walls trying to keep the systems up and running. Of course, the bank could bite the bullet and avoid really serious damage by simply closing down until things are back under control. But it won't; banks are terrified of being seen as anything less than completely reliable.[28] All this mischief, of course, will simply be a diversion. The main assault will be on two fronts. First, we'll transfer money from thousands of accounts into the ones we opened for ourselves. We'll do this either by becoming a sort of secret superteller on the system or by triggering embedded commands in the hacked version of the account management software, or both. We'll take only a modest amount from any one account-just under the amount that the bank has set as a threshold for triggering extra scrutiny, which might be $1,000 or 3% of the total in the account, whichever is greater. As far as the bank's systems are concerned, this activity will appear as the processing of checks written on one of the bank's accounts, payable to another of its accounts. At this time of year, the extra volume in the check-processing avalanche won't be much more than a small lump. To be sure, even a small lump would normally attract attention, but at this particular moment, bank managers and technicians have too many other things on their minds. As the money accumulates in our accounts, we will start wiring it out, a few thousand dollars at a time (again to avoid tripping alarms or requiring bank manager approval), to our various outside accounts. The second front of the attack will involve wire transfer intercepts-that is, hijacking large sums of money that are being wired by legitimate customers to accounts at other banks. It would be extremely difficult to create a fake wire transfer of any significant size because large transfers (more than, say, $10,000) require physical approval from at least two managers. We also couldn't pirate transfers en route between banks because they're encrypted. So we'll grab the transfer after it has been approved but before it's encrypted, using what is known as a "man-in-the-middle" attack.[29] When the approved wire transfer information is supposed to be on its way via the bank's internal network to the computer that will encrypt it, it will in fact be on its way to a server we control, where the information will be modified to make one of our own accounts the recipient. That done, the data will be sent on to the encrypting machine, looking for all the world as if it had come straight from the first machine. The money that we're wiring to ourselves through both attacks over a period of perhaps a few hours will be scattered among several U.S. banks, but we'll immediately issue prepared instructions that will consolidate the deposits in the first of our offshore banks, where directions will be instantly provided for rewiring to a second, a third, and so forth, until we finally withdraw the money as cash from the last bank.[30] Then we get lost-very comfortably lost [31]-until we're ready to do it all over again.[32] ===== THE FINER POINTS [1] Of eight respected computer security experts consulted for this article, all agreed that hacking into a bank was doable, and most insisted it wouldn't be all that hard. "If I were going into e-crime, I'd hit a bank," says Jon David, a security guru who has worked in the field for 30 years. Why haven't banks been hacked, then? Oh, but they have--big time. In 1994, a 24-year-old programmer in St. Petersburg, Russia, named Vladimir Levin hacked Citibank for $10 million. He was later caught, extradited to the United States and is serving a three-year sentence. (All but $400,000 of the money was recovered.) This sort of thing happens often but is hushed up, according to Michael Higgins, a former analyst with the Defense Intelligence Agency and now a financial computer security consultant who heads Para-Protect in Alexandria, Virginia. The federal government requires banks to report losses, but Higgins says banks avoid potentially bad publicity by reporting losses as accounting efficiency errors. "The losses are in the reports, but the FBI doesn't get them. They only get reports of alleged crimes," he says. "The reports aren't specific enough to identify losses that could have come from hacking." In the case of larger losses, bank managers simply disregard the law for fear that customers would flee if the truth were known, according to Bob Friel, a former Secret Service agent who now heads a computer forensics group at the Veterans Affairs Inspector General's office. During a stint as a security consultant to banks and other organizations, Friel was shocked to discover the magnitude of the hacker losses that banks were swallowing. He claims his sources in the financial industry report individual hits as large as $100 million. A half dozen banks contacted for this article declined to comment. [2] Computer security insiders are usually careful to use the term cracker for someone who tries to gain unauthorized entry into a computer system, reserving hacker as a complimentary term for someone adept at programming. But we'll stick with the popular usage of hacker as an intruder. [3] As with many high tech ventures in today's robust economy, finding good people will be our biggest challenge. Programmers with malicious or criminal bents tend not to be the exceptionally talented; most of those make pretty good money in legitimate jobs. If the bloom fades on the tech stock market, however, there could be a lot of high-living programmers who suddenly don't have jobs. In the meantime, we could use "false flag recruitment" techniques, convincing candidates that they would be serving a bank. [4] Though our heist will be electronic, it would probably be close to impossible to pull it off without someone providing information from the inside. Levin had an inside partner on the Citibank job. [5] Preferably we target a midsize bank that has moved aggressively into information technology and Internet banking, because competitive pressure from technology-savvy big banks has probably caused them to get in over their heads, opening up security gaps. Says Higgins: "Those banks are rushing into technology, and they don't comprehend it completely." [6] According to Jim Settle, founder of the FBI's original computer crime squad and now CEO of security consultancy SST, a successful electronic bank heist should take about six months. [7] To get our seed money, we can form a private syndicate of the sort that has cropped up to support computer credit card fraud operations in Russia. You'd think we'd be able to work with organized crime, but for now these people "are way behind the curve, for reasons nobody understands," says Settle. In any case, a syndicate or crime boss is going to want a near-guaranteed ROI. If we can't be convincing in that regard, and we lack even the tiniest shred of ethics or patriotism, we can always approach a hostile foreign government--Iraq, North Korea, Russia, and so forth--or even a terrorist organization. Saudi terrorist Usama bin Laden would probably be an eager backer, according to Kawika Daguio, a security expert who heads the bank-supported Financial Information Protection Association, because bin Laden has publicly declared his interest in disrupting U.S. financial institutions. Besides providing ready cash, these sorts of backers won't be on our case about ROI, says Daguio, because "the theft of money could trigger a crisis of confidence, and it doesn't have to be a huge amount." [8] We should be able at least to match Levin's initial haul from Citibank, but we could expect to steal as much as $1 billion because of lax standards over the past few years, Friel says. ===== [9] Most midsize banks don't bother to do more than the most cursory of background checks of blue-collar employees and contractors. [10] This is the opposite of what David Remnitz, CEO of New York information security consultancy IFsec, calls the "Catherine Zeta-Jones" approach--a big-bang, instant hack of the sort popularized by Hollywood and the New York Times that bears little resemblance to the sort of hacking that organizations really need to fear. [11] Virtually all banks, and most midsize and large companies, have by now installed a combination of hardware and software firewalls that sit between the outside world and the main gateway to the internal network. Some firewalls are harder to defeat than others, but we won't really care because we won't want to go through the network's main gateway anyway. Hackers usually look for the digital equivalent of rickety back doors and unlocked or easily breakable windows. By the way, larger banks and other businesses sometimes spend as much as millions of dollars apiece on automated "intrusion detection" software. But Settle points out that his company is often hired by companies to try to break into their networks, and in 40 break-ins his team's incursion has been detected only once. [12] We can narrow down the list of numbers to dial by looking at the bank's published phone numbers, and our inside people should be able to help, too. Some banks furnish publicly accessible Web domain-name registries with the phone numbers of their computer systems administrators; it's a good bet that there is a modem with a similar number. [13] The less sophisticated large corporation has thousands of modem-equipped computers attached to the corporate network, notes Settle. One device often overlooked: multipurpose printer/fax machines, usually left in auto-answer mode to receive faxes but connected to the network for printing purposes. [14] Online banking servers should be "air-gapped" from the bank's main network, meaning that no physical connection should exist between them, foiling hackers. But small and midsize banks rushing into online banking don't always take this basic precaution. Even better, some banks are placing their Internet-based services on servers run by outside Web site-hosting companies--servers that may be shared by other, far less security-intensive Web businesses. We could break into one of these other sites, take control of the server, and then jump into the bank's main network. This is an example of the "weakest-link" approach to hacking, notes Higgins. [15] Cable companies that provide home Internet access treat entire neighborhoods like one local-area network, points out security expert David, so a hacker can often gain full access to a PC in one home through a PC in a nearby home or a neighborhood cable switch. [16] As it turns out, obtaining or guessing root-access passwords isn't necessarily any harder than getting ordinary passwords. For one thing, sysadmins tend to suffer from simultaneous inferiority and superiority complexes, often leading them to favor irreverent, self-aggrandizing, and entirely predictable passwords such as "god" and "bigkahuna." Even better, servers are often shipped from the factory loaded with supposedly default "backdoor" passwords meant for use by vendor technicians; these are sometimes known to the hacker community. [17] A Trojan horse is a class of program, freely available on the Internet, that serves a function useful to a hacker but is disguised to look exactly like one of Unix's or Windows' legitimate components. ===== [18] Does it seem hard to believe that computer security professionals haven't wised up to these tricks and tools and set up effective defenses? In fact, top security professionals, like the ones interviewed for this article, always make sure such safeguards are installed in systems they are charged with protecting. Fortunately for us, there are barely enough top-notch people in this field to serve large companies; smaller banks and other businesses have to make do with lesser lights. But even the most experienced pros admit that their safeguards can be rendered ineffective by the new security vulnerabilities constantly being identified by hackers and passed around--often well before the typical IT security professional learns of them. Part of the problem is that software vendors are loath to admit to and publicize weaknesses. Says David: "Hackers share vulnerabilities very quickly and efficiently. The vendors often deny that they even exist." There's no shortage of these vulnerabilities: A new security flaw in Windows NT alone is discovered by security professionals on average every three days, says Bruce Schneier, a well-known expert on data encryption and founder of computer security firm Counterpane Internet Security in San Jose, California. Higgins says 32 new flaws were uncovered in Windows NT just in December. No one, of course, knows how many additional flaws hackers are turning up. "Some of these types of flaws have been known for 30 years, and they still haven't been fixed," Schneier says. [19] In the book At Large, Charles C. Mann and I describe how a learning-impaired teenager with few computer skills managed, among other sobering feats, to hack from Sun Microsystems a copy of the source code for Solaris--one of the most widely used Internet server software systems in the world. [20] According to Friel, midsize banks tend to be overly dependent on consultants and rarely spend the necessary resources on developing their own subject-matter experts. In particular, the consultant feeding frenzy fueled by Y2K anxiety provided a perfect opportunity for outsiders to secretly compromise bank and other software. [21] In 1998, an employee of Russia's largest savings bank was caught after having doctored the bank's software to siphon money into his account. [22] If for some reason we have trouble enacting the swap, we might have more luck getting our hands on and modifying backup versions of the software, which, notes Schneier, are typically stored in less well-protected facilities. Then all we'll have to do is shut down the working version--the easiest kind of hack--forcing the bank to fire up the secretly modified version. This approach exploits the common vulnerability known as "default to insecure," as when a store can't get through to the network to verify your credit card and approves the purchase rather than lose business. [23] Wire transfers are encrypted--that is, scrambled into unintelligible text--and it's not likely we'll break the encryption. Not that it's impossible. In fact, there is a long, rich history of supposedly impervious encryption schemes being broken. Just ask cell phone manufacturers, media companies whose works are distributed on DVD, and any company that has relied on the well-known DES encryption scheme--formerly the standard for banks and now considered crackable with an inexpensive, custom-built computer. Any bank with enough money to make it worth hitting currently employs the vastly more secure "Triple DES" scheme, which would require "alien technology" to break, according to Schneier. Fortunately, we don't need to break it. We might be able to find a bank employee's "pass phrase"--essentially a long password that unscrambles the information--on his or her PC, or lying around a desk. Even easier, we can hack the wire transfer information before it's encrypted. [24] In England, for example, a teller discovered that change-of-address procedures for account holders were not audited by her bank--after all, what's so worrisome about a change of address?--so she simply changed the addresses of various account holders to that of her own when checks were due to be sent out, then changed them back. She operated this scam for 10 years before being caught. [25] A recent particularly nasty example of nuisance hackware is "extended Trinu," a program that dispatches tens of thousands of "slave" programs throughout the Internet to hide out. When the hacker triggers the "master" program, it in turn sends out commands that activate all the slaves to start sending out streams of system-crippling bogus data via the Internet. "You can defend against 1 or 2 of these attacks," says David, "but not 10 or 20, let alone 10,000." By the way, one of the best-known denial-of-service attacks was carried out on a highly regarded national business magazine by a disgruntled former employee who remotely erased massive amounts of irrecoverable data on the magazine's servers. ===== [26] Stealing the money won't be the hard part; getting away with it will be. Schneier says Levin did a good job of hacking but was caught because of amateurish laundering. As Daguio points out, U.S. banks have a history of sparing no expense or effort to track down anyone who steals from them, going all the way back to the posses and bounties of the stagecoach era. [27] According to Richard Cromwell, a former Goldman Sachs VP now with security consultancy IFsec, the end of the year is a particularly good time to pull the trigger because of the vast rivers of money moving through the holiday-shopping-fueled economy and the increase in staff absences. [28] Friel estimates that a systems shutdown would cost a large business, such as eBay or Amazon.com, $1 million per hour in hard losses. "But the bad PR would cost 10 times that much," he adds. [29] This is one example of a broader class of attack known as "spoofing," in which commands from an outside computer are disguised to make them look as if they are coming from another, friendlier computer. [30] Eventually, each one of these banks will almost certainly report us to the authorities, under pressure from their own governments, which will be facing the threat of international sanctions. But if we push the money through enough of these banks, by the time the last bank is coerced, we'll long since have cashed out. [31] The only risk of immediate physical apprehension will be borne by our insiders at the bank. Sad to say, they may have been expendable to begin with, especially if we obtained their services through extortion. But there is a good chance they will have been able to skip town ahead of the attack, too, having already provided all the needed information. Even if they are sitting right there, perhaps providing approval of the wire transfers, the final attack will be so buried in a sea of activity that it will probably be hours, if not a day or more, before the money is discovered missing--plenty of time to simply walk out and get to the airport. [32] If--or, let's face it, when--a few banks are publicly cyberlooted, most might raise the security bar to the point where it simply doesn't make sense to go after them. At least not when there are so many other, far less well-protected businesses to pillage, offering expensive goods, engineering data, credit card numbers, payments for fictitious services, and more. Fortunately for us of the high tech criminal element, only a small percentage of companies make computer security a high priority, and there is little pressure from the marketplace on Microsoft, Sun Microsystems, and other major software vendors to stop turning out code that is rife with security flaws. So barring some sort of stunning wake-up call to corporate America, we should be able to keep on hacking profitably for years to come. Current Search Archives Home Forbes Digital Tool Webmaster Gilder Archives Copyright © Forbes 2000 ----- Aloha, He'Ping, Om, Shalom, Salaam. Em Hotep, Peace Be, All My Relations. Omnia Bona Bonis, Adieu, Adios, Aloha. Amen. Roads End <A HREF="http://www.ctrl.org/">www.ctrl.org</A> DECLARATION & DISCLAIMER ========== CTRL is a discussion & informational exchange list. Proselytizing propagandic screeds are unwelcomed. Substance—not soap-boxing—please! These are sordid matters and 'conspiracy theory'—with its many half-truths, misdirections and outright frauds—is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers; be wary of what you read. CTRL gives no credence to Holocaust denial and nazi's need not apply. Let us please be civil and as always, Caveat Lector. ======================================================================== Archives Available at: http://home.ease.lsoft.com/archives/CTRL.html <A HREF="http://home.ease.lsoft.com/archives/ctrl.html">Archives of [EMAIL PROTECTED]</A> http:[EMAIL PROTECTED]/ <A HREF="http:[EMAIL PROTECTED]/">ctrl</A> ======================================================================== To subscribe to Conspiracy Theory Research List[CTRL] send email: SUBSCRIBE CTRL [to:] [EMAIL PROTECTED] To UNsubscribe to Conspiracy Theory Research List[CTRL] send email: SIGNOFF CTRL [to:] [EMAIL PROTECTED] Om