Black Unicorn (unicorn@schloss.li)
Sun, 21 Jun 1998 23:34:08 -0500
At 05:38 PM 6/20/98 , Simon R Knight wrote:
>On 19 Jun 98 at 12:21, Black Unicorn wrote:
>
>> At 08:22 PM 6/17/98 , Simon R Knight wrote:
>> >On 17 Jun 98 at 14:26, bram wrote:
>
>> >I recently read that a number of UK and European banks had been
>> >attacked by a sophisticated kind of virus/program. This virus
>> >apparently worked by encrypting the banks more important files, and a
>> >fee of 10 million was reportedly required, before the perpetrators
>> >would provide the decryption key. As the cost of downtime to such
>> >banks can quickly exceed a figure of 10 million, they pay up. The
>> >UK police said that banks weren't reporting such incidents, and
>> >making there job very difficult.
>>
>> Are you trolling? This was exposed as a hoax almost immediately after the
>> rumor emerged.
>
>I have never heard anything regarding a hoax. This crime was
>reported quite widely in the British press, following a statement
>made by the police. The police - as I recall - were anouncing their
>intention to set up a special (committee?) to investigate such
>crimes. The idea being that Banks might report more instances of this
>kind were they able to do so in confidence. From why I recall reading
>(and hearing on the news) there was no suggestion that the cases the
>police refered to were anything other than genuine.
This myth comes up every 18 months. I chased down the first two and on
finding them identically full of beans I ceased paying attention. Usually
someone finally gets it right and writes about the inaccuracies.
The tell-tale signs of the myth are constantly repeated.
1. "Several" or "Many" banks (which are rarely named, though one report
pointed to Bank of London. Almost no one at Bank of London knew anything
about it when I asked. One Public Relations contact there actually laughed
and mused "That story again?") are involved.
2. The perpetrators perform some denial of service or display their
ability to withdraw money at will.
3. The perpetrators demand some outrageous payment to cease the attack or
refrain from exposing the vulnerability.
4. The banks pay off the perpetrators several times to avoid the
publicity, run on the bank/etc. Sometimes withing "hours." The money is
sent to various offshore centers and withdrawn within "minutes." Uh huh.
I guess not many reporters bother using the international banking system.
In one case an account in "Zurich" is supposedly used. Using a Swiss
account for fraud based in the U.S. or England in the late 1990s is like
turning yourself in.
5. Some clever reporter with e.g., The Sun "discovers" the nastiness and
writes an article. (Usually full of "security experts speculate that...").
6. Major papers print a "The Sun is reporting today..." column.
7. Police interviewed in response to the revelation whine about
non-disclosure by financial institutions and how something needs to be
funded/passed to encourage (read: compel) more direct disclosures about
"security incidents" at banks. They refuse comment on any specific incidents.
8. The citibank "heist" (in which 98% of the funds were rather immediately
recovered) is cited at least twice. Probably because it is the only real
and significant incident in public record.
The recent "big incident" which caught my attention was:
Sunday Times (London) June 2, 1996 - "City Surrenders to L400 million Gangs"
Interesting almost all of the incidents are either reported by the NSA, or
"scooped" by some previously unheard of journalist. See e.g.,
http://venus.soci.niu.edu/~cudigest/CUDS8/cud848
I love this part:
"According to the American National Security Agency (NSA), they have
penetrated computer systems using "logic bombs" (coded devices that can be
remotely detonated) electromagnetic pulses and "high emission radio
frequency guns", which blow a devastating electronic "wind" through a
computer system. They have also left encrypted threats at the highest
security levels, reading: "Now do you believe we can destroy your
computers?"
This article was debunked sometime after in a tiny column in (I think) U.S.
News and World Report. Debunking these kinds of things isn't real sexy, so
no one usually bothers.
Other "incidents" go back as far as 1993 or so.
>I don't know how a formal press statement by the British police
>regarding their concern over an increasing number of hight-tech bank
>crimes, can actually have come to assume the status of a hoax. This
>wasn't an attempt at a troll ... there are probably a number of
>references the announcement made by the British police online.
The British police, as well as the American FBI, are always making such
press releases. No specific incidents are ever cited with any verifiable
information with the exception of one case last year (involving NationsBank
I _think_) in which a fired clerk stole cashiers checks and offered to sell
them back to the bank. The high tech angle was that e-mail (not anonymous
email either) was used to make the demands. The bank paid the employee in
a successful sting operation in which the employee was apprehended. The
spun phrase in the press release was something to the effect of "a case in
which electronic mail was used in the furtherance of the theft and ransom
of cashiers checks." In fact, rather cursory investigation (three phone
calls) usually proves almost all the (carefully "cover-your-ass" worded)
assertions in these press releases to be almost entirely false but just
true enough to avoid too much nastiness.
In another message you write:
>A quick "Hotbot" search with the following keywords returns 317
>documents. As my earlier words were simply presented as a
>recollection of events that occurred some months ago ... I'll leave
>your verification to you. I'm going to bed instead !
>+police +banks uk +encryption millions british
Usually I would just point out that it is _you_ making the assertion, and
that it follows that _you_ should back it up or keep pleasantly quiet in
the first place. Still, your post was irritating enough that I bothered to
putz around with my time to see if you were entirely blowing smoke from an
orifice not your mouth, or if you actually had something to contribute. In
this case I find the former more probable.
I tried +police +banks +uk +millions +encryption +British on altavista, got
280 hits. In my admittedly short search of the results about 10% were
unrelated articles in "Phrack," some from as early as 1988. None of the
hits I saw had any articles which seemed to reference the incidents you
describe.
By the way, +police +banks +encryption +hoax spits out 157 matches. Why
don't you sift through those for me?
>> It's also getting off topic for CodherPlunks.
>>
>
>I considered if this may be the case, but as the crime specifically
>centred upon the use of unauthorized encryption as a weapon,
>it seemed to represent an interesting - if unusual - application of
>cryptographic technology, which I thought might prove of interest.
Even assuming all this was true, its still pretty much off topic. You're
looking for the record low signal to noise ratio list "cypherpunks."
It's my last post on the subject here.
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:18:51 ADT