Interesting People mailing list archives

IP: MORE ON THE UK BANKING INCIDENTS


From: Dave Farber <farber () central cis upenn edu>
Date: Tue, 25 Jun 1996 15:41:50 -0400

To: farber () central cis upenn edu (David Farber)
Date: Tue, 25 Jun 96 10:05:15 PDT
From: "Willis H. Ware" <willis () rand org>


Dave:


The following is making its way around the net.  It's a follow-on to
your recent post on the incident.


BTB - the Rand games are called "The Day After" games and essentially
put a group of decision makers in an environment that has been
corrupted/damaged/invaded by infowar sorts of things.  They have
attracted a certain amount of attention, including the popular media.
The scenarios are very sci-fi in a sense, and the decision makers are
thrust into a situation for which they have little-to-no prior
experience in dealing with.  But it is an effort to get some analytic
attention on the IW scene.


The "120 countries" does NOT come from Rand; I believe it originates
in some USG study, possibly by DISA, or possibly from the intell
community.  The GAO report in large measure lifted facts from the story
and briefings that DISA have been giving around town.


                                        ww


------- Forwarded Message


From: winn () Infowar Com
Subject: Tales from the UK: Basel Part IV
Date: Tue, 25 Jun 1996 10:06:02 -0400


June, 1996: Basel, Switzerland
More on the London Attacks: Part IV


The International Banking Information Technology Forum seemed like an ideal
location to get a reading on whether the Times' articles held any water or
not.  I sent the family to Germany for two days while I spoke and schmoozed
and asked some of Europe's and America's top bankers about the articles.
(See my last three reports [June 1 - 23, 1996] on the alleged attacks as
reported in the (London) Sunday Times.)


I browsed and wove in and out of this esteemed financial community and
asked anyone and everyone in the banking field: "Do you know anything?" "Is
any of it true?" "Do you know any victims?" "Was your bank attacked?"
"Please, tell me!"


Of course I didn't scream this out to all four hundred of the world's top
bankers in the public forum of my keynote speech; rather I asked quietly
and discreetly, hoping for a discreet and honest answer.  I got lucky and
received two.


Both people who did agree to speak about the events in question do *not*
want to be identified.  They are both in the very senior ranks of European
banking and only asked that I do not divulge their companies, their
positions, backgrounds or names.  They both feel that the *real* story
should get out - at least as much as they know - and that the leaks are
inherently good for the banking industry. [They do not agree with security
by obscurity.] Further, they both told me, at separate times during the two
day conference, stories that were nigh on identical (and I never told
either one that I spoke to the other).


The bottom line is they both know about _four_ 'attacks' against financial
institutions, although it was unclear as to whether they were all in the UK
or not.  I am left with the distinct impression at least three of them
were. [Not the 40 or more that the Times suggested or that I have heard
about since April of 1994.] However, unlike the Times article, there was no
question as to the method of attack, and both sources were very clear in
the use and the meaning of the word attack.  Here is what they said as to
how the technical extortion was accomplished.


The perpetrator(s) would first place a call to the upper management of the
intended victim announcing his/her intention. "We will take down your bank
(or financial organization) unless you pay us a lot of money not to."


The intended victims each sloughed off the threats.  Shortly thereafter
(within a day or two) their financial systems would seemingly collapse for
no reason at the prescribed time and as promised by the caller.  Banking
services and/or trading would come to a halt, for about an hour or so, and
then the affected systems would come back on line.  Backups were
ineffective; typical disaster recovery methods, I was told, just didn't
work.


Thereafter, a second call would be made to senior executives of the victim
firms, and the extortion demands for payment made again.  In these cases,
electronic payments to Switzerland were made, and the monies were then
secreted from their temporary Swiss home within seconds - destined for
places unknown or unannounced.  No repeat attacks to paying institutions
have occurred according to my sources.


I was told unequivocally that all of the four attacks used the same
methodology: malicious software was somehow injected into the systems but
neither was either forthcoming or knowledgeable about the specifics.  They
specifically denied that HERF techniques were used.  But many questions
remained, and I was unsuccessful at getting what I would call good answers
to these and more queries:


        - Which systems were affected exactly?
        - How were the backup/redundancies disconnected?
        - Exactly what do you mean by remote control?
        - Did you ever find the offending software?
        - Was it an insider job?
        - Was it pure hacking?
        - Was it mission-critical application software gone awry?
        - And so on . . . .


My questions flowed but both people either didn't know the answers or
wouldn't talk.  With both of them, there was a clear discomfort as I pushed
and prodded for more details.  Despite having so many questions still
unanswered, I do feel fortunate to have found at least two people who were
willing to support at least aspects of the Times' story.


One of the two banking people in Basel went even further with detail.
He/she says the actual dollar figure extorted in these four cases using the
software techniques, was L63 Million (UK), which is just about US$100
Million.  According to him/her, a lot of meetings have been taking place
amongst the banks and financial institutions to deal with the situation but
they have agreed and thus made a conscious effort to avoid government and
law enforcement.


So, no, none of this fully supports the Times' story, but it does support
aspects of it, and aspects of the rumors and stories I've been hearing
since April of 1994.  No HERF Guns, although another of my contacts who
will not let me use much of his/her information yet, swears that the
software attack stories are merely obfuscating the higher technology
methods.


I certainly don't know all of the facts, but as more people come forward
with bits and pieces we may be able to siphon through the maelstrom of
noise and rumor and find out what's really been going on.


Back at you as soon as I have something more.
Winn




Peace
Winn


                        Winn Schwartau - Interpact, Inc.
                        Information Warfare and InfoSec
                       V: 813.393.6600 / F: 813.393.6361
                            Winn () InfoWar Com




- ------- End of Forwarded Message




------- End of Forwarded Message

