[ISN] German TV Hackers Crack Bank Server - Lawsuit Possible

From: InfoSec News (isnat_private)
Date: Thu Sep 20 2001 - 02:15:24 PDT

    By Ned Stafford, Newsbytes
    17 Sep 2001, 4:51 PM CST

    HypoVereinsbank, one of Germany's largest banks, is considering legal
    action against a popular consumer high-tech TV show that hired hackers
    to break into the bank's online banking servers, according to a bank
    Cornelia Klaila, a spokeswoman for HypoVereinsbank in Munich, told
    Newsbytes: "It is illegal what they did. It is very illegal."
    The "they" she is referring to is a TV show called Technical Adviser,
    which is produced by ARD, one of Germany's two public TV networks.
    Technical Adviser hired some young hackers in August to break into
    HypoVereinsbank's online banking servers and download information
    about customer accounts.
    The information included names, account numbers, PIN numbers and
    Internet IP addresses, which are important for secure online banking.
    The story was broadcast Sunday evening.
    Bernd Leptihn, head of the Technical Adviser (Ratgeber Technik) news
    team in Hamburg, told Newsbytes he was not worried about a lawsuit
    from HypoVereinsbank.
    Leptihn, who was anchorman for Technical Adviser for 27 years but now
    works behind the camera, quipped: "You know, I have done illegal
    stories for 30 years now. I have had lawsuits before and, up to now, I
    have never lost a case."
    He said ARD's legal department says that such investigative journalism
    is allowed under German law if it is "in the interest of the public."
    Leptihn, a well-known personality in Germany, said he thinks that
    informing the public of the holes in HypoVereinsbank's computers was
    very much in the public interest.
    "With the (bank account) information we had, we could have been
    anyplace in the world with millions and millions of euros," he said.
    Leptihn said that research indicated that HypoVereinsbank had some big
    security holes. He said the bank used Microsoft's Internet Information
    Server (IIS 4.0).
    "This is a very, very low quality server," he said.
    Technical Adviser hired a team of four hackers. He declined to say how
    much they were paid, but said it was "not much." The young hackers
    were more interested in gaining publicity for their start-up Internet
    security consulting company, he said.
    One of those four is Stephan Weide, who at 22 is a managing director
    of the company, called Multimedia Network Systems in Leinefelde.
    Weide told Newsbytes that it only took two to three days to break into
    HypoVereinsbank's computers.
    "It was no problem," he said. "Anybody could have done it."
    After Technical Adviser aired Sunday night on TV, Weide said he and
    his team participated in a teleconference phone call with
    HypoVereinsbank technicians to tell them how they could patch the
    When asked if the technicians expressed anger about the hacking, he
    said: "They said no angry words. I think they were afraid of losing
    their jobs."
    Weide and Leptihn said that HypoVereinsbank's online banking Web site
    was shut down beginning late Sunday night for about 6 hours.
    Klaila, the bank's spokeswoman, emphatically disputed this.
    "No," she said. "That is not correct."
    She said the Web site was shut down for routine regular maintenance,
    and not to patch security holes.
    She also said that HypoVereinsbank this summer had put a new banking
    Web site online, and that this site is a "state-of-the-art" system
    that is secure. During the month of August, she said both the old and
    new sites were online, and the hackers had broken into the old Web
    site, not the new site. The old site was taken offline at the
    beginning of September.
    Leptihn, from Technical Adviser, disputes that the new site was secure
    before last night.
    "Our hackers tried again on the new site and got in," he maintained.
    Klaila said both criminal and civil damage proceedings against
    Technical Adviser are possible.
    "We have yet to decide what we are going to do," she said.
    HypoVereinsbank Home Page http://www.hypovereinsbank.de
    ISN is currently hosted by Attrition.org