Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Banks Blackmailed by Crackers

Posted by Roblimo on from the pay-up-now-or-pay-up-later dept.

Palin Majere writes "This story from USAToday reports on how banks in the UK are finding it cheaper (and easier) to pay off cracker groups rather than try and defend themselves properly."

9 of 98 comments (clear)

  1. This was all made up by the UK's NSA. by Paul+Crowley · · Score: 3

    Inhabitants of the "UKcrypto" mailing list, for discussing government cryptology policy, have come to the conclusion that this story is a complete fabrication, "cut from whole cloth" by GCHQ (the UK equivalent of the NSA) to spread bad words about strong crypto and encourage regulation.

    The original story has bizarre references to "hackers" holding up banks "with crypto" - I know it's a munition, but you can't point it at a bank teller!

    See for example thi s article by highly respected cryptologist and computer security expert Ross Anderson, who is also co-author of AES candidate Serpent. Note also thi s observation on bank panic stories, or read the whole thread (search for "today's Times").

    I'll also echo the comments here about Jonathan Ungoed-Thomas's hilarious attempts to cover security issues, among other iGaffes.
    --

    --
    Xenu loves you!
  2. Been happening for a long time by Anonymous Coward · · Score: 5
    As someone who's been involved with various information warfare efforts over the years (hence the AC posting) this has been a well known fact for at least the last 10 years that I know of.

    The methods of blackmail are very simple as most of the systems run over standard high bandwidth lines. It's a simple enough problem to get into these systems by going through the exchange points rather than walking through the front door of a bank (just like breaking into most company networks is actually much easier to break the PABX system and then jump across into the data stream that contains the network link rather than trying to attack the firewall directly).

    Most of the time, the banks don't even bother with varifying the cracker's claims. They just pay up the cash and be done with it. You'd be surprised as just how lax most banks are with thier internal security. Oh, this system is inside the network so we don't even have to worry about encrypting the comms between our two mainframes even though their located at two different sites 50Km apart.

    Another interesting whole to watch out for in the future will be the increasing use of direct fibre channel connections. Some of the setups that I've seen put the mainframe connection in one site and the drives and backdrives in two separate sites. The drives are hooked up using fibre channel as though they were local hard drives to the machine. If you know what you're doing, getting inside one of these links can be quite easy.

    Despite repeated demonstrations of how easy some of these systems are to break, the banks just don't seem to be interested in trying to make it more secure. They don't want to spend the extra money because it eats into the profit margin. Security through obscurity seems to be their favourite mantra. Fscking idiots!

    1. Re:Been happening for a long time by The+Dodger · · Score: 4

      I've heard a lot of people dismissing this story as pure fabrication and, whilst I do suspect that Ungoed-Thomas doesn't have a clue about what he's writing about (do a search for "Ungoed" on NTK for my reasons for thinking this), I'm inclined to suspect that there may be some truth behind the story.

      Back in '95 I wrote a couple of articles on on information warfare, battlefield technology, etc. for an international military magazine. In April '96, I was contacted and asked if I could supply an EMP device which could "wipe out all computers within a 100m radius in a built-up area", for a certain amount of money (in excess of $15k).

      Obviously, I refused the "commission", and thought no more of it, but several weeks later, the Sunday Times led with this story.

      Needless to say, I've kept an open mind about these things since, especially as, since then, I've been asked to do all manner of illegal things, from hacking into the mail servers of competitors, takeover-targets and companies planning IPOs, to monkeywrenching - i.e. causing crashes, glitches and other problems in a company's systems and networks to make them look bad).

      The methods of blackmail are very simple as most of the systems run over standard high bandwidth lines. It's a simple enough problem to get into these systems by going through the exchange points rather than walking through the front door of a bank (just like breaking into most company networks is actually much easier to break the PABX system and then jump across into the data stream that contains the network link rather than trying to attack the firewall directly).

      That's true enough, and it's also true that companies' phone systems are often a lot less secure that their data networks, but that sort of hacking is quite low-level and requires a level of knowledge which, luckily, isn't as easy to acquire as normal hacking scripts are.

      You'd be surprised as just how lax most banks are with thier internal security.

      I don't have any experience with banks, but I've been involved in testing the security at other financial institutions, and I've been completely astonished at things like an insurance company with a wide open RAS dialup into their internal network. Senior executives can and do crap themselves when they realise just how vulnerable they are and, perhaps more importantly, that they are legally responsible for the security of their company's information systems and networks and the data (financial and personal) held on them.

      Another interesting whole to watch out for in the future will be the increasing use of direct fibre channel connections. Some of the setups that I've seen put the mainframe connection in one site and the drives and backdrives in two separate sites. The drives are hooked up using fibre channel as though they were local hard drives to the machine. If you know what you're doing, getting inside one of these links can be quite easy.

      I work with FCAL technology (Sun A5*00 arrays, mostly) and so on and I've heard of these type of set-ups as well. I think that the security of SANs and NAS devices will become an issue over the next couple of years.

      Despite repeated demonstrations of how easy some of these systems are to break, the banks just don't seem to be interested in trying to make it more secure. They don't want to spend the extra money because it eats into the profit margin. Security through obscurity seems to be their favourite mantra.

      Agreed. There's a huge amount of complacency in the UK regarding computer security. In August, a bunch of guys at DNSCon "outed" a couple of websites which were vulnerable to hackers, including the Scottish Government's site. Unfortunately, although they claimed to have tightened security, the new measures obviously weren't quite secure enough, as they were hacked not long afterwards.

      There's a growing feeling in the UK that companies are failing to place enough emphasis on information security, and that a lot of so-called information security consultancies are incompetent. Many of them are formed by IT auditors, who might know how to count computers, but know fuck-all when it comes to effective information security risk management. Even the British Standards Institute's BS7799 standard for information security management is widely acknowledged to be a joke. The majority of systems which are certified as conforming to BS7799 are still vulnerable to attack.

      The recent revision of the UK's Data Protection Act has taken a step towards making the directors of companies directly responsible for ensuring that the private information which is held on their companies' information systems, is adequately protected.

      However, I feel that it won't be until the shareholders realise that their companies' profits are in danger, because of management incompetence, that we'll see real moves towards implementing effective information security practices.

      The Dodger

  3. Long term /Short term and Capitalism by Tsk · · Score: 3

    Thi is exactly the kind of attitude I can't understand in the Capitalistc world were leaving in.
    Sure on the short terms it's cheaper to pay the hackers to send them elsewhere (like your comperitor). But on the long term this really is bad:
    * Crackers will see in such deal a good way to make money, they'll come back (this will increase the cost of security)
    * Since they just pay the cracker and don't do anything about security, what will happen when the cracker dosn't try to get paid by the bank but takes what he wants

    On the long trem the money should be spend on increaing security .....

    --
    none Yet.
  4. cHrackers by Matt2000 · · Score: 3

    Overheard on an unsecured line:

    "Did you pay off the hackers?"
    "Yes, they're covered."

    "How bout the crackers?"
    "Ya, we got them too."

    "Snackers?"
    "Trying to find them."

    "Meat packers?"
    "I can only work so fast boss..."

    Hotnutz.com

    --

  5. Re:Homer: mmmmm....Crackers.... by substrate · · Score: 3

    No they got it 100% right this time. They are hackers, they're using their hacking skills for malicious purposes therefore they're also crackers. The term hacker itself is grey, there are good hackers and there are bad hackers. The problem is that in the media hackers has been used to refer to the population of hackers who operate contrary to the law as opposed to the entire population of hackers.

    Even leaving it at reports of 'malicious hackers' would've been correct. They're hackers and they're malicious. It isn't implying that all hackers are malicious anymore than saying 'corrupt police officer' would imply that all police officers are corrupt.

  6. Catch them when they pay the bribe? by chandoni · · Score: 3
    "OK, we'll give you the $10 million. Where do you want that sent?"

    It seems much more likely that authorities could trace a single such (planned) transaction (even if it goes through an online Swiss bank or something) than if J. Random Cracker just transferred the $10 million to his account without the bank's knowledge. So, why would J. even demand a payoff at all unless he's bluffing or too stupid to realize he's increasing the chances of being caught?

  7. It's Ungoed-Thomas by rafial · · Score: 5

    As I suspected when I saw the reference to the Sunday Times, the original article that was cited in USA today was authored by Jon Ungoes-Thomas. Readers of ntk.net will be familiar with Ungoed-Thomas as a journalist who is long on unsubstantiated sensation, and very short on fact checking, and who is building a career out of predicting the collapse of civilization as a result of the Internet.

    I'd take this particular article with a few large and tasty grains of salt.

  8. Money transfer networks by GodEater · · Score: 3

    I work in the financial messaging sector of IT, and I find it difficult to believe that crackers have actually managed to move money from Bank Account A to Bank Account B.

    You'd not only need to be a fairly talented cracker to get into the bank's network in the first place - but you'd also have to have an in-depth knowledge of how banking transactions work to actually pass the money around.

    I've been working in this industry for five years now - working with a large number of banks - and I still don't think I could get away with it...

    --

    Gentlemen, start your penguins