Slashdot Mirror


UK Banks Blackmailed by Crackers

Palin Majere writes "This story from USAToday reports on how banks in the UK are finding it cheaper (and easier) to pay off cracker groups rather than try and defend themselves properly."

3 of 98 comments

  1. Been happening for a long time by Anonymous Coward · · Score: 5
    As someone who's been involved with various information warfare efforts over the years (hence the AC posting) this has been a well known fact for at least the last 10 years that I know of.

    The methods of blackmail are very simple as most of the systems run over standard high bandwidth lines. It's a simple enough problem to get into these systems by going through the exchange points rather than walking through the front door of a bank (just like breaking into most company networks is actually much easier to break the PABX system and then jump across into the data stream that contains the network link rather than trying to attack the firewall directly).

    Most of the time, the banks don't even bother with verifying the cracker's claims. They just pay up the cash and be done with it. You'd be surprised at just how lax most banks are with their internal security. Oh, this system is inside the network so we don't even have to worry about encrypting the comms between our two mainframes even though they're located at two different sites 50Km apart.

    Another interesting hole to watch out for in the future will be the increasing use of direct fibre channel connections. Some of the setups that I've seen put the mainframe connection in one site and the drives and backdrives in two separate sites. The drives are hooked up using fibre channel as though they were local hard drives to the machine. If you know what you're doing, getting inside one of these links can be quite easy.

    Despite repeated demonstrations of how easy some of these systems are to break, the banks just don't seem to be interested in trying to make it more secure. They don't want to spend the extra money because it eats into the profit margin. Security through obscurity seems to be their favourite mantra. Fscking idiots!

    1. Re:Been happening for a long time by The+Dodger · · Score: 4

      I've heard a lot of people dismissing this story as pure fabrication and, whilst I do suspect that Ungoed-Thomas doesn't have a clue about what he's writing about (do a search for "Ungoed" on NTK for my reasons for thinking this), I'm inclined to suspect that there may be some truth behind the story.

      Back in '95 I wrote a couple of articles on information warfare, battlefield technology, etc. for an international military magazine. In April '96, I was contacted and asked if I could supply an EMP device which could "wipe out all computers within a 100m radius in a built-up area", for a certain amount of money (in excess of $15k).

      Obviously, I refused the "commission", and thought no more of it, but several weeks later, the Sunday Times led with this story.

      Needless to say, I've kept an open mind about these things since, especially as, since then, I've been asked to do all manner of illegal things, from hacking into the mail servers of competitors, takeover-targets and companies planning IPOs, to monkeywrenching (i.e. causing crashes, glitches and other problems in a company's systems and networks to make them look bad).

      The methods of blackmail are very simple as most of the systems run over standard high bandwidth lines. It's a simple enough problem to get into these systems by going through the exchange points rather than walking through the front door of a bank (just like breaking into most company networks is actually much easier to break the PABX system and then jump across into the data stream that contains the network link rather than trying to attack the firewall directly).

      That's true enough, and it's also true that companies' phone systems are often a lot less secure than their data networks, but that sort of hacking is quite low-level and requires a level of knowledge which, luckily, isn't as easy to acquire as normal hacking scripts are.

      You'd be surprised at just how lax most banks are with their internal security.

      I don't have any experience with banks, but I've been involved in testing the security at other financial institutions, and I've been completely astonished at things like an insurance company with a wide open RAS dialup into their internal network. Senior executives can and do crap themselves when they realise just how vulnerable they are and, perhaps more importantly, that they are legally responsible for the security of their company's information systems and networks and the data (financial and personal) held on them.

      Another interesting hole to watch out for in the future will be the increasing use of direct fibre channel connections. Some of the setups that I've seen put the mainframe connection in one site and the drives and backdrives in two separate sites. The drives are hooked up using fibre channel as though they were local hard drives to the machine. If you know what you're doing, getting inside one of these links can be quite easy.

      I work with FCAL technology (Sun A5*00 arrays, mostly) and so on and I've heard of these types of set-ups as well. I think that the security of SANs and NAS devices will become an issue over the next couple of years.

      Despite repeated demonstrations of how easy some of these systems are to break, the banks just don't seem to be interested in trying to make it more secure. They don't want to spend the extra money because it eats into the profit margin. Security through obscurity seems to be their favourite mantra.

      Agreed. There's a huge amount of complacency in the UK regarding computer security. In August, a bunch of guys at DNSCon "outed" a couple of websites which were vulnerable to hackers, including the Scottish Government's site. Unfortunately, although they claimed to have tightened security, the new measures obviously weren't quite secure enough, as they were hacked not long afterwards.

      There's a growing feeling in the UK that companies are failing to place enough emphasis on information security, and that a lot of so-called information security consultancies are incompetent. Many of them are formed by IT auditors, who might know how to count computers, but know fuck-all when it comes to effective information security risk management. Even the British Standards Institute's BS7799 standard for information security management is widely acknowledged to be a joke. The majority of systems which are certified as conforming to BS7799 are still vulnerable to attack.

      The recent revision of the UK's Data Protection Act has taken a step towards making the directors of companies directly responsible for ensuring that the private information which is held on their companies' information systems is adequately protected.

      However, I feel that it won't be until the shareholders realise that their companies' profits are in danger, because of management incompetence, that we'll see real moves towards implementing effective information security practices.

      The Dodger

  2. It's Ungoed-Thomas by rafial · · Score: 5

    As I suspected when I saw the reference to the Sunday Times, the original article that was cited in USA Today was authored by Jon Ungoed-Thomas. Readers of ntk.net will be familiar with Ungoed-Thomas as a journalist who is long on unsubstantiated sensation, and very short on fact checking, and who is building a career out of predicting the collapse of civilization as a result of the Internet.

    I'd take this particular article with a few large and tasty grains of salt.