26 October 2009

The Myth of CyberTerrorism

I was woken shortly before midnight, on a chilly July evening in Auckland, by the sound of a bomb. It was 1985, and the Greenpeace vessel Rainbow Warrior had been hit by two explosions from limpet mines attached by two frogmen (I use that term very deliberately.) One man, Fernando Pereira, was killed in the attack.

Most commentators now accept that this was an act of terrorism -- and indeed, the initial reaction of the French government was to condemn it as such. It was only twenty years later, in 2005, that it emerged that French president François Mitterrand had personally authorised the bombing.

Was this an act of terrorism, albeit state-sponsored? In my view, absolutely. It was an act deliberately intended to terrorise Greenpeace and its supporters (although the agents concerned claimed that they had tried to avoid any loss of life.)

Now let's look at another case. Three years earlier, in June 1982, the Soviet government was conducting pressure tests on its new trans-Siberian gas pipeline, which resulted in a catastrophic explosion -- allegedly with a force equivalent to three kilotons of TNT.

According to the 2004 book "At the Abyss: An Insider's History of the Cold War", written by Thomas C. Reed, this was a deliberate act of sabotage carried out by the CIA as part of the Cold War against the Soviet Union. Reed, a former Air Force secretary who served on the US National Security Council during the Reagan administration, reported how the U.S. allowed the USSR to steal pipeline control software from a Canadian company. Unknown to the Russians, this software included malicious code (a Trojan horse) that caused a major explosion of the Trans-Siberian gas pipeline in June 1982. The Trojan ran during a pressure test on the pipeline and massively increased the usual pressure, causing the explosion. Reed writes:

"In order to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy, the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds."

By creating an explosion with the power of a three-kiloton nuclear weapon, the U.S. managed to disrupt supplies of gas and consequential foreign currency earnings of the Soviet Union for over a year.

Was this an act of CyberTerrorism? In my view, yes. This was probably the very first documented case where computer-related sabotage was used to trigger major damage (although apparently with no loss of life.)

Subsequently, the world has witnessed hundreds of lesser cases of sabotage and attempts to compromise control systems and economic attacks, which might be classed as cyberterrorism -- but is there really a threat here of the same class as we are confronted by with "classical" terrorism -- i.e., suicide bombers, assassinations, anthrax letters or mass poisonings?

In my view, the threat of CyberTerrorism is largely a myth. A report published by James Lewis of the Washington think-tank Center for Strategic and International Studies, tends to support this view, claiming that although clearly many major states have the capability of undertaking CyberWarfare attacks which could be classed as acts of war, there are few, if any, non-state actors with these capabilities.

These days, the greater threat comes from organized criminal groups, and their targets are almost exclusively economic. It's now possible for a well-funded terrorist group to rent a botnet, but this raises the question -- what would be their target? For a terrorist attack to be effective, it must by definition cause fear or terror, and few conceivable attacks could lead to the loss of life necessary to achieve that.

Despite what several "B" movies and shows like "24" or "Law and Order" suggest, there are no super-powered hackers who can take over GPS satellites, hospital emergency equipment or air traffic control systems. Any failures are more likely to be collateral damage from economic attacks, or simple incompetence in the deployment of basic safeguards by those responsible for defense.

CyberTerrorism is a great buzzword, and is being used to attract millions of dollars in counter-terrorism funding, but the real risks should be seen as financial, and the attackers are far more likely to be from the world of organized crime rather than Al Qaeda.

25 October 2009

Financial Crime and Money Laundering

Let's start by talking about 10 days in January earlier this year [2009]. You may have heard of the Torpig malware, which builds a botnet focused on stealing banking details and other information.

In a period of just over a week, US researchers were able to penetrate the Torpig botnet and collect some information. Here's a summary of what they found.

182,000 unique PCs were infected. In addition, 50,000 new PCs joined the network from fresh infections, mostly through drive-by downloads from compromised web sites and other software flaws.

That's 5,000 new PCs every day.

8,310 financial accounts were compromised, from USA, Italy, Germany, Spain, Poland and more countries – from 410 different banks. (The standard torpig configuration targets more than 300 online banking systems around the world.)

Top financial accounts stolen include PayPal (1,770 accounts), followed by Poste Italiane (765), Capital One (314), E*Trade (304) and Chase (217.)

Also stolen were credentials from thousands of corporate web sites, and 1,660 credit and debit card details.

Nearly 300,000 user names and passwords were collected, including Google, Facebook, MySpace and others, thereby compromising a wide variety of personal information and documents.

Typical attacks include man-in-the-browser phishing, web injection and form spoofing.
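To make the web-injection technique concrete, here is an added example written for this page; it is not Torpig's code and not from the original post. It applies an inject rule in the Zeus/SpyEye configuration syntax (data_before / data_inject / data_after) to a constructed bank login page, the way a man-in-the-browser bot rewrites a page before the victim sees it, and then shows the DOM-integrity check a bank can use to spot the spliced-in fields. The page, the URL, the rule and the field names are all constructed for illustration.

```python
"""Added example: a Zeus/SpyEye-style web inject applied to a constructed
bank login page, and a DOM-integrity check that reveals the spliced-in fields.
Everything here (page, rule, field names, URL) is constructed for illustration."""
import fnmatch
import hashlib
import re
from html.parser import HTMLParser

# What the bank's server actually sends (constructed sample).
BANK_LOGIN_HTML = """<html><body>
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form></body></html>"""

# Constructed inject rule in the Zeus/SpyEye config syntax. "GP" means the
# rule applies to GET and POST responses; the body says: find data_before,
# splice data_inject in after it, up to data_after (empty here = pure insert).
INJECT_RULE = """set_url https://bank.example/login* GP
data_before
name="password">
data_end
data_inject
<input type="text" name="pin" placeholder="ATM PIN">
<input type="text" name="mother_maiden" placeholder="Security answer">
data_end
data_after
data_end"""


def parse_rule(text):
    """Return (url_pattern, before, inject, after) from one inject rule."""
    url = re.search(r"^set_url\s+(\S+)", text, re.M).group(1)
    parts = []
    for key in ("data_before", "data_inject", "data_after"):
        m = re.search(rf"{key}\n(.*?)data_end", text, re.S)
        parts.append(m.group(1).strip("\n") if m else "")
    return (url, *parts)


def apply_inject(html, page_url, rule):
    """Bot side: rewrite the page inside the browser before the user sees it.
    Content between the before and after markers is replaced by the inject."""
    pattern, before, inject, after = rule
    if not fnmatch.fnmatch(page_url, pattern):
        return html
    start = html.find(before)
    if start == -1:
        return html
    start += len(before)
    end = html.find(after, start) if after else start
    if end == -1:
        return html
    return html[:start] + "\n" + inject + html[end:]


class _InputCollector(HTMLParser):
    """Collect (name, type) for every <input> element in the page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.fields.append((a.get("name", ""), a.get("type", "text")))


def form_fields(html):
    parser = _InputCollector()
    parser.feed(html)
    return sorted(parser.fields)


def form_fingerprint(html):
    """What a small client-side script reports back to the bank: a hash of the
    input names and types it actually sees in the rendered DOM."""
    canon = ";".join(f"{name}:{kind}" for name, kind in form_fields(html))
    return hashlib.sha256(canon.encode()).hexdigest()


def unexpected_fields(served_html, observed_html):
    """Bank side: fields present in the client's DOM but absent from what was served."""
    return sorted(set(form_fields(observed_html)) - set(form_fields(served_html)))


if __name__ == "__main__":
    rule = parse_rule(INJECT_RULE)
    infected = apply_inject(BANK_LOGIN_HTML, "https://bank.example/login?lang=en", rule)
    print(infected)
    print("fingerprint matches served page:",
          form_fingerprint(infected) == form_fingerprint(BANK_LOGIN_HTML))
    print("unexpected fields:", unexpected_fields(BANK_LOGIN_HTML, infected))
```

The point of the fingerprint is that the injected fields never reach the bank: the bot harvests them in the browser and ships them to its own drop server, so server-side validation of the login POST sees nothing unusual. Comparing what was served against what the client reports is one of the few signals the bank has. The caveat is that the reporting script runs in the same compromised browser, so a bot written to expect it can tamper with the report; the check raises the attacker's cost rather than guaranteeing detection.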

The market for stolen credit cards and bank details is now seeing greater sophistication, with increasing supply leading to lower prices. For example, credit cards with CVV2 codes which have not yet been confirmed can be sold in batches of 1,000 for around $3 each. Prices go up to $12 when you add the consumer's name, address and date of birth. The market is so strong, thieves are using classic marketing tactics -- “buy 500, get 500 free.”

Estimates of revenue from just 10 days of the botnet operation range up to $8 million, based on current market prices for credit card details and compromised bank accounts. Not a bad return on investment for just one criminal enterprise.

And in news from researchers at McAfee, 12 million new computers have been taken over as botnet zombies since January – that's a 50% increase over last year. According to the report, 18% of these new zombies are in the USA, with China in second place on 13%.

Here's another case, from Korea. Rhee Jin-shik, a 57 year old self-employed businessman, received a phone call from the Post Office, telling him that they were unable to deliver his new credit card. Rhee said he had never ordered one, so the Post Office told him they were reporting it to the Financial Police, who would help him. A few minutes later, with uncharacteristic efficiency, someone from the Cyber Investigation Unit called and told him that he was being targeted by a gang of criminals. In order to protect his money, he was advised to transfer it from his current account into a special “protected” account set up by the government. A kind manager from the government-controlled bank soon called him to help him do this.

Naturally, all three callers were fake – part of a sophisticated Voice Phishing scam, which targets small business owners.

You've all heard similar cases, and we could stand here all day talking about them, but let's focus on what's important.

First, the Fraud market is a global, complex problem. Nearly every country is affected, and the criminal gangs behind it are increasingly professional, using sophisticated techniques and the latest technologies to achieve their goals.

Wherever there is Fraud, you can be sure that Money Laundering isn't far behind.

Fraudsters need to channel their illegal earnings back to where they can spend them. This also brings in tax evasion, and a whole range of different ways of benefiting from the proceeds of crime.

A more worrying trend is that a significant percentage of crime is also being used to benefit terrorist organisations. Recent investigations for example show that Somali marine piracy is being funded from Dubai, and banks there have been accused of laundering money for the pirates.

There are well-recognized links between some traditional informal methods of money transfer (such as Fei Ch'ien or Hawala), and terrorism financing. Increasingly, terrorists are using the same channels as regular criminals, and are investing resources to build their capabilities.

This global problem is growing and changing, almost faster than the authorities can keep up. To protect themselves, financial institutions have to become more effective.

The criminals are becoming smarter. Last week, we learned that fraudsters had been using their access to LexisNexis to obtain the personal information needed to set up credit cards – and had been doing it for three years, putting more than 32,000 people at risk of financial loss.

The threats are multiplying. Another factor which is starting to have a major impact is the financial meltdown of the past 12 months.

This has led to a huge loss of confidence among consumers, as well as a surge in financial crime from desperate people, some of whom may have lost their jobs in the industry.

Thus, we see greater risk from insider threats, as internal fraud is driven by employees with knowledge of vulnerable systems, and fear for their future.

Finally, we must not neglect consumer confidence among the risks, as this has been particularly hard-hit by the collapse of banks and property prices, with a string of bankruptcies leading to unemployment and loss of investments.

In the Unisys Security Index survey (Wave 4), 61% of Europeans believe that the world financial crisis will increase their personal risk of becoming a victim of identity theft – with the Spanish having the highest levels of concern.

All of these problems require a firm decision by regulators and financial institutions to take the threat seriously – which means continuing to invest in training, building institutional capabilities, and selecting appropriate technologies to combat financial crime.

To summarize, we have the following conditions:

1) Increasingly sophisticated complex attacks on financial systems;
2) More professional, highly motivated and intelligent criminals, with an apparently endless variety of new techniques for stealing our money;
3) Blended threats, using combinations of online phishing, telephone and document fraud, plus dangerous malware and botnets;
4) Global financial meltdown, with associated higher risks of internal attacks;
5) Threats are increasing by 40% each year – we are entering the age of CyberWar.
6) Urgent action is needed now – requiring coordination between the financial industry and government.

The “sharp end” for most of this criminal activity is something we see every day in Fraud and Money Laundering investigations.

Those of us active in CyberSecurity believe that the old techniques, based on basic transaction monitoring with pattern matching are no longer enough.

Investigators and the executives responsible for risk reduction need better intelligence to combat these threats.

By intelligence, we mean the training, tools and techniques used in the world of CIA, NSA and FBI, but applied in the domain of financial crime.

It's not enough to have access to data. By itself, the data does not help us.

We have to work smarter. This means approaching financial crime in a new strategic way. It means breaking down some of the barriers which may exist between silos, bridging the gaps between compliance and fraud investigation departments.

We see a need for closer cooperation between regulators, the Financial Intelligence Units, and banks and insurance companies.

And finally, we need the political will to tackle these issues, or the problems will simply continue to get worse.

23 October 2009

Chinese CyberWarfare Capabilities Developing

The following article (from Associated Press) shows that modern governments are seriously investing in their CyberWar Fighting capabilities.

But what does this mean to the rest of us? How can a government (especially one under totalitarian rule, such as China's) affect the lives of those of us who live in democratic countries?

Currently, English is the dominant language on the Web -- but Google's Eric Schmidt recently proposed that within five years, Chinese language web sites could overtake this dominance, with their current rate of growth.

Increasingly, every aspect of our lives is becoming more dependent on the online experience. As China grows, and with the suggestion that "Green Dam"-style censorship software could contain hidden backdoors able to recruit nearly every Windows PC in China into a giant government-controlled botnet, the threat of the Chinese being able to bring down nearly every Web site with a massive DDoS attack becomes a reality.

But in my view, for the Chinese government it's not only about force projection -- it's also about infiltrating foreign networks (e.g., the NYPD and LAPD have long reported subtle attacks apparently originating from China), using a combination of HUMINT and SIGINT to subvert critical infrastructure, as part of a long-range plan to support potential future strikes.

More concerning for businesses however is the existence of ties between such intelligence operations, and the covert industrial espionage that endangers commercial enterprises. For this reason, in my view companies need to invest in long-range planning and strategic actions that reduce their exposure to such threats -- and acknowledge that the attackers are usually much better-funded, and smarter than our current defensive systems.

China is building its cyberwarfare capabilities and appears to be using the growing technical abilities to collect US intelligence through a sophisticated and long-term computer attack campaign, according to an independent report.

Released Thursday by a US congressional advisory panel, the study found cases suggesting that China's elite hacker community has ties to the Beijing government, although there is little hard evidence.

The commission report details a cyberattack against a US company several years ago that appeared to either originate in or come through China and was similar to other incidents also believed to be connected to the country.

According to the analysis, the company noticed that over several days, data from their network was being sent to multiple computers in the US and overseas. While the report does not identify the company, it contends that the attackers targeted specific data, suggesting a very coordinated and sophisticated operation by people who had the expertise to use the high-tech information. An internet protocol (IP) address located in China was used at times during the episode.

Barring proof, the study by the US-China Economic and Security Review Commission warns that the sort of expansive and sophisticated computer resources that have been seen in cyberattacks on the US and other countries "is difficult at best without some type of state sponsorship."

The study contends that the Chinese, long reported to be stoking a massive military build-up, have also made computer warfare a priority. The Chinese government is said to view such cyberprowess as critical for victory in future conflicts - similar to the priority on offensive cyber abilities stressed by some US officials.

Potential Chinese targets in the US, according to the report, would likely include Pentagon networks and databases to disrupt command and control communications, and possibly corrupt encrypted data. The report notes, however, that penetrating such classified systems would be time consuming and difficult.

In large part, the commission report expands on the Pentagon's annual China military power review. The Defense study said earlier this year that China's People's Liberation Army has set up information warfare units to develop viruses to attack enemy computer systems and networks as well as to protect friendly systems.

The Pentagon report described computer attacks believed to have originated in China, but concluded that "it remains unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC (People's Republic of China) government."

The new report, prepared for the commission by Northrop Grumman, relies largely on publicly available information from Chinese hacker websites, technical articles and analysis of computer intrusions attributed to the Chinese.

21 October 2009

Presentation on CyberSecurity

Here is a presentation I prepared earlier this year for a talk I gave to a class at the University of Florida Levin College of Law.

Risk Management applied to Banking fraud

Trends in contemporary Risk Management and Enterprise Security

The Banking industry continues to be beset by external and internal fraud, covering a range of lines of business, from securities, online channels, application fraud, ATM, checks and money laundering. Recent best practices have recognized that Risk Management techniques yield the best results in detecting and preventing some of these diverse types of fraud.

From the earliest years when banking services were introduced in support of commerce, long distance trade and the prosecution of wars, there were creative and immoral intellects applying themselves to the task of fraudulently obtaining a share of the wealth. Banking has always been about trust, and finding mechanisms for allowing the legitimate control over flows of money that are difficult to counterfeit or circumvent.

In recent years, with the addition of the Internet and other online banking channels (such as mPayments, debit/credit cards and wire transfers), the task for banks has become far more challenging. In addition to a huge increase in the value of transactions flowing over electronic channels, there has also been dramatic growth in the number and speed of such transactions. Given this trend, and the cost of manually checking each transaction for signs of fraud, banks have been forced to invest in ever more complex systems and processes for detecting and preventing illegitimate transactions.

One of the earliest online international banking frauds hit Citibank in 1994, when a Russian criminal, Vladimir Levin, purchased access details for Citibank's X.25-based Cash Management system from fellow hackers. Over the next four months, he illegally transferred $10.7 million to several international accomplices. Citibank's fraud detection systems eventually were triggered, leading to investigation by the FBI, who traced the connections to St. Petersburg, which led to Levin's eventual arrest and successful prosecution.

In recent years, Citibank has again been hit by Russian fraudsters, who used ATM card information (including PINs) which were stolen from a compromised 3rd party banking system. With Ukrainian confederates, $2 million was stolen in cash from ATMs around New York over a period of months in late 2007, then laundered through various methods back to Russia.
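As an added illustration of the automated transaction monitoring the preceding paragraphs describe (this is example code written for this page, not any bank's system), the following Python runs three simple rules over a constructed ledger: a single-transaction reporting threshold, an ATM cash-out velocity rule of the kind that would flag the Citibank ATM pattern above, and an AML structuring rule for cash deposits kept just under the threshold. Account identifiers, amounts, locations and the thresholds themselves are made up for illustration.

```python
"""Added example: three rule-based transaction-monitoring checks run over a
constructed ledger (not real data): a single-transaction reporting threshold,
an ATM cash-out velocity rule, and an AML structuring rule. Thresholds,
accounts, locations and amounts are made up for illustration."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Txn = namedtuple("Txn", "ts account kind amount location")

# Constructed sample ledger: (timestamp, account, kind, amount, location).
LEDGER = [
    ("2007-11-03 01:02", "card-7781", "atm_withdrawal", 500, "ATM-NYC-014"),
    ("2007-11-03 01:09", "card-7781", "atm_withdrawal", 500, "ATM-NYC-031"),
    ("2007-11-03 01:15", "card-7781", "atm_withdrawal", 500, "ATM-NYC-077"),
    ("2007-11-03 01:22", "card-7781", "atm_withdrawal", 500, "ATM-NYC-102"),
    ("2007-11-03 09:30", "card-2210", "atm_withdrawal", 200, "ATM-NYC-014"),
    ("2007-11-03 18:45", "card-2210", "atm_withdrawal", 100, "ATM-NYC-014"),
    ("2007-11-04 10:00", "acct-5530", "cash_deposit", 9500, "BR-12"),
    ("2007-11-04 11:40", "acct-5530", "cash_deposit", 9800, "BR-04"),
    ("2007-11-04 15:05", "acct-5530", "cash_deposit", 9900, "BR-12"),
    ("2007-11-04 12:00", "acct-9001", "cash_deposit", 12000, "BR-01"),
    ("2007-11-05 12:00", "acct-4410", "cash_deposit", 9000, "BR-01"),
]


def parse_ledger(rows):
    return [Txn(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, kind, amt, loc)
            for ts, acct, kind, amt, loc in rows]


def large_cash_alerts(txns, threshold=10000):
    """Baseline pattern match: any single cash deposit at or above the threshold."""
    return [("large_cash", t.account, t.ts, t.amount)
            for t in txns if t.kind == "cash_deposit" and t.amount >= threshold]


def atm_velocity_alerts(txns, window=timedelta(minutes=30), min_count=3):
    """Cash-out pattern: at least min_count withdrawals on one card at
    min_count distinct ATMs inside the window. One alert per card, raised at
    the first window that trips."""
    by_card = defaultdict(list)
    for t in txns:
        if t.kind == "atm_withdrawal":
            by_card[t.account].append(t)
    alerts = []
    for card, ws in by_card.items():
        ws.sort(key=lambda t: t.ts)
        for i, first in enumerate(ws):
            in_window = [t for t in ws[i:] if t.ts - first.ts <= window]
            distinct_atms = {t.location for t in in_window}
            if len(in_window) >= min_count and len(distinct_atms) >= min_count:
                alerts.append(("atm_velocity", card, first.ts,
                               sum(t.amount for t in in_window)))
                break
    return alerts


def structuring_alerts(txns, threshold=10000, min_count=3):
    """Structuring: several same-day cash deposits to one account, each below
    the reporting threshold, whose total reaches or exceeds it."""
    per_day = defaultdict(list)
    for t in txns:
        if t.kind == "cash_deposit" and t.amount < threshold:
            per_day[(t.account, t.ts.date())].append(t)
    alerts = []
    for (acct, day), deposits in per_day.items():
        total = sum(d.amount for d in deposits)
        if len(deposits) >= min_count and total >= threshold:
            alerts.append(("structuring", acct, day, total))
    return alerts


def run_rules(txns):
    return large_cash_alerts(txns) + atm_velocity_alerts(txns) + structuring_alerts(txns)


if __name__ == "__main__":
    for alert in run_rules(parse_ledger(LEDGER)):
        print(alert)
```

These rules are exactly the "basic transaction monitoring with pattern matching" that the 25 October post above says is no longer enough on its own: the structuring rule keys on a single account and a single day, so deposits split across accounts, branches or days slip through, and the ATM rule is blind to a ring that spreads withdrawals across many cloned cards. Linking those records across the fraud and compliance silos is where the additional detection comes from.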

Of much greater impact in recent times is the growth of insider fraud, which in the most serious cases has wiped out a bank entirely -- such as the Barings Bank collapse in 1995, triggered when rogue trader Nick Leeson lost $1.4 billion on unauthorized futures positions. Austrian bank BAWAG hid $1 billion in losses for seven years until 2005, leading to ongoing court cases and the forced sale of the bank to new owners. An HSBC clerk attempted to steal $143 million from the bank in April 2008, using stolen account information. Credit Agricole lost $250 million from unauthorized trades in credit market indexes at its New York Calyon unit. And most spectacularly, Jerome Kerviel lost $7.1 billion for his employer, Societe Generale, through unauthorized and highly risky positions in European equity index futures.

These cases, while spectacular, are the tip of the iceberg, as many banks refuse to disclose publicly many of the smaller losses incurred, such as hundreds of millions annually from phishing attacks against customer accounts, as well as substantial levels of persistent check and credit card fraud. Understandably, bankers' reluctance is driven by the fear that customers would lose confidence in a bank with such a poor security track record, and justifiably so. However, recent surveys [Unisys] have shown that many banking customers are already highly concerned about security, as more of them are hit by phishing, identity theft, advance-fee fraud and increased costs from banks, not to mention the dramatic liquidity crisis resulting from the apparently fraudulent sale of unsecured mortgages and their toxic derivatives.

Bankers have not been unconcerned, and the most promising efforts in this area have come from a combination of self-regulation and government legislation. For the former, the Basel Committee on Banking Supervision has released many documents which outline voluntary codes by which banks can regulate their internal controls and risk management processes, especially in regards to Credit and Operational Risk. The Three Pillars of Basel II include:

1. Minimum capital requirements -- defining mechanisms for calculating the required level of capital adequacy to deal with market, operational or credit risk (potential losses);
2. Supervisory review process -- increasing accountability and transparency of banking supervision, in particular in its Risk Management processes and procedures;
3. Market discipline -- requirements for a bank to publicly disclose its known risks and capital positions.

Beyond these voluntary accords, which have been applied by banks in countries around the world, governments have enacted legislation intended to strengthen confidence in the banking system by requiring greater protection for consumers, as well as regulating banks' behaviour in selected markets. These laws include, for example, MiFID (the European law governing the sale of securities); the 2nd and 3rd EU AML Directives, OFAC lists and the FATF 40+9 Recommendations (which require banks to detect and prevent money laundering and terrorist financing); and a host of other local laws that seek to improve Governance, Risk and Compliance processes within the financial services sector.

Such industry self-regulation and government laws have unfortunately not significantly diminished the growing wave of financial crime which threatens the banking industry. The trend is towards well-funded, ruthless, highly skilled and motivated international criminal gangs, which deliberately target the weakest institutions and the apparently threadbare security of online banking channels (according to one recent survey by the University of Michigan, roughly three quarters of a sample of 214 banking web sites had significant security flaws which could be used for identity theft or other fraudulent activities.)

Banks are driven by increasing complexity in the management of their business, with consumer demand for faster response, lower costs, wider ranges of products and services, and regulatory pressure. All of these conflicting demands mean that the necessary investments in security have not kept pace with the rapid rate of change in the fraud landscape, and the almost monthly tales of huge losses due to unauthorized insider trading and the rapid growth in identity theft paint a grim picture. Banking management will spend on security only in the face of a compelling event, such as recent major loss, or threat of government intervention. Until then, they will perform a rational risk cost/benefit analysis -- are the losses due to fraud likely to be significantly higher than the investments required and internal process changes needed to better detect and prevent such fraud? When the answer to this question is no, then banks will spend the minimum required to achieve compliance with the basic standards, and hope that customers won't notice the difference. Fortunately, consumers are becoming more discriminating, and are starting to insist that banks take responsibility for the poor state of banking security and its concomitant lack of confidence.

Can we continue to trust banks? In my view, the answer is maybe -- and those banks which demonstrate a higher level of security competence and investment in improved Governance, Risk and Compliance activity will get my business, while those other "soft target" banks will struggle to maintain their position. A revolution is needed -- but fortunately the evolutionary effects of increasingly more successful "predators" (the fraudsters and criminals) will have the effect of weeding out the weaker banks, leading to an overall strengthening of security.

12 October 2009

Aubade: A poem by Philip Larkin

I work all day, and get half drunk at night.
Waking at four to soundless dark, I stare.
In time the curtain edges will grow light.
Till then I see what's really always there:
Unresting death, a whole day nearer now,
Making all thought impossible but how
And where and when I shall myself die.
Arid interrogation: yet the dread
Of dying, and being dead,
Flashes afresh to hold and horrify.

The mind blanks at the glare. Not in remorse
- The good not used, the love not given, time
Torn off unused - nor wretchedly because
An only life can take so long to climb
Clear of its wrong beginnings, and may never:
But at the total emptiness forever,
The sure extinction that we travel to
And shall be lost in always. Not to be here,
Not to be anywhere,
And soon; nothing more terrible, nothing more true.

This is a special way of being afraid
No trick dispels. Religion used to try,
That vast moth-eaten musical brocade
Created to pretend we never die,
And specious stuff that says no rational being
Can fear a thing it cannot feel, not seeing
that this is what we fear - no sight, no sound,
No touch or taste or smell, nothing to think with,
Nothing to love or link with,
The anaesthetic from which none come round.

And so it stays just on the edge of vision,
A small unfocused blur, a standing chill
That slows each impulse down to indecision.
Most things may never happen: this one will,
And realisation of it rages out
In furnace fear when we are caught without
People or drink. Courage is no good:
It means not scaring others. Being brave
Lets no-one off the grave.
Death is no different whined at than withstood.

Slowly light strengthens, and the room takes shape.
It stands plain as a wardrobe, what we know,
Have always known, know that we can't escape
Yet can't accept. One side will have to go.
Meanwhile telephones crouch, getting ready to ring
In locked-up offices, and all the uncaring
Intricate rented world begins to rouse.
The sky is white as clay, with no sun.
Work has to be done.
Postmen like doctors go from house to house.