[ISN] U.S. could use cybertactics to seize bin Laden's assets

From: InfoSec News (isnat_private)
Date: Fri Sep 21 2001 - 00:40:58 PDT


    http://www.computerworld.com/storyba/0,4125,NAV47_STO64072,00.html
    
    By DAN VERTON 
    September 20, 2001
    
    WASHINGTON -- U.S. officials mobilizing to freeze the financial assets
    of international terrorist Osama bin Laden may resort to cybermethods,
    such as hacking, to cut off the money supply that has been used to
    finance his terrorist activities, including the Sept. 11 attacks on
    the World Trade Center and the Pentagon, of which he is the prime
    suspect.
     
    Intelligence and security experts said the U.S. government, using
    diplomatic channels, doesn't expect to receive cooperation from all of
    the hundreds of banks, holding companies and other private enterprises
    and fictitious front companies that bin Laden uses to hide his
    estimated $300 million personal fortune. As a result, the U.S.
    intelligence community might use cybermethods to put a virtual
    stranglehold on bin Laden's global terror organization, Al Qaeda.
    While acknowledging that the operation could take years, security
    officials said that such an attempt was possible.
    
    Experts recognize that finding bin Laden's money, which is believed
    hidden in 50 countries in small amounts at hundreds of banks,
    companies and charitable organizations, will be difficult. Still, if
    the accounts that store the money can be located, hacking experts said
    it is well within the technical capabilities of the U.S. intelligence
    community to make it disappear forever.
    
    In the U.S., the Knight-Ridder news service quoted a U.S. Treasury
    Department official, who spoke anonymously, saying that the government
    ordered bin Laden's U.S. assets seized in the mid-1990s, but nothing
    was recovered. However, the government said in January it had seized
    assets worth $245 million from the Taliban, the militant Islamic group
    running the government of Afghanistan, the news service said.
    
    Hacking into the computer systems of banks and other financial
    institutions around the world raises a number of coordination and
    legal challenges, said experts.
    
    "You'd need a lot of things in place," said Ken Van Wyk, chief
    technology officer at Para-Protect Services Inc., an IT security firm
    in Centreville, Va. For example, federal agents would need in-depth
    knowledge of the bank and how the bank operates, the names and account
    numbers in question, and at a minimum, access codes, such as personal
    identification numbers, to the accounts, said Van Wyk.
    
    In many instances, inside help, such as a bank employee, would be
    required to both learn the inner workings of the bank's IT operations
    and to gain unquestioned access to the accounts. However, if bin
    Laden's associates who control the account can show that the funds
    were stolen, the financial institution would be required to simply
    restore them, said experts.
    
    "We have seen theft of money out of banks using electronic means. It
    has certainly happened," said Van Wyk. For example, in 1994, a
    24-year-old Russian programmer hacked into Citibank's systems and made
    off with $10 million. Likewise, a German bank this week threatened a
    lawsuit against producers of a local television show for hiring
    hackers to break into the bank's servers and download customer names,
    account numbers, PINs and IP addresses.
    
    But the bulk of the work that needs to be done to hack bin Laden's
    money would be nontechnical in nature, Van Wyk said. "I would expect
    that the name on the account is probably not Osama bin Laden. It's
    probably extremely well hidden," he said.
    
    "To steal it would require some insiders who are sympathetic to the
    cause," said Winn Schwartau, an information warfare expert and
    president of security firm Interpact Inc. in Seminole, Fla. "With
    corporate shells and fast-moving money, it's going to be difficult."
    
    But not impossible.
    
    Computerworld asked a hacker known as "Gen," the head of a U.S.-based
    group of more than 100 hackers, how such a sophisticated hacking
    operation might be carried out. Hacking into the bank and stealing the
    money would be the easy part, Gen said, in an interview via e-mail.
    
    "There would be two possible attacks to bring this to reality: social
    engineering and old-school hacking," said Gen. "Hacking would be
    accomplished by breaking into the servers of whatever institution he
    was hiding his funds in. This type of hacking would really be no
    different than hacking a Web server. It's what you do afterward that
    would be impressive."
    
    Other practical skills would be critical to pull off such a heist, Gen
    said. You would need "someone who can speak his native tongue, someone
    who sounds like him [and] possibly someone who looks like him," he
    said. In addition, a hacking operation should first have knowledge of
    the subject's account structures and the passwords used to secure his
    funds, or to alert members of the banks and credit unions of a false
    withdrawal or redirection, he said.
    
    From a technical standpoint, it might be necessary to deploy a
    cyberoperative in the same geographical location as bin Laden or his
    emissaries to mimic that location and avoid phone line reverse
    detection, according to Gen. Likewise, knowledge of protocols used at
    the banks and credit unions would be needed, as would knowledge of the
    account structures where the funds are to be transferred, and the
    ability to hide the funds once they are transferred.
    
    And although wire transfers are encrypted, it might be possible to
    hack the transfer before it is encrypted, helping authorities to
    follow the money trail. But Gen said it is easier to take over the
    entire server than to intercept encrypted data streams. "Typically the
    encryption actually takes place on the person's computer that is
    submitting the transfer. If this is through a Web interface like
    Netscape or MSIE [Microsoft's Internet Explorer], it uses SSL [Secure
    Sockets Layer]. It is possible to grab the encrypted stream, but then
    you must break the encryption, which is likely 128-bit."
    
    A former hacker who is now a systems engineer for a major software
    company said some banks allow people to request funds transfers over
    the telephone and through the use of simple PINs. Even stock transfers
    are relatively simple and rely on a great deal of trust that the
    person initiating the transfer is who he says he is, the former hacker
    said.
    
    "At the lowest level, if his assets are in banks, they're just bits
    and bytes," he said. Assuming bin Laden doesn't have all the money in
    gold or cash, "the feasibility of a covert operation conducting a
    digital transfer between accounts and then withdrawing that money and
    taking it out of the digital universe is very feasible."
    
    A Dutch intelligence expert said isolating the accounts and the users
    making bin Laden's transactions will depend on how many stages
    authorities can trace back. "Who was the broker who gave the order to
    buy? That is easy," the expert said, speaking on condition of
    anonymity. "Which bank instructed the broker? That is easy, too. Who
    instructed the bank? Now it becomes difficult."
    
    There are also legal hurdles that might have to be overcome to prevent
    bin Laden's associates from forcing the banks to restore the stolen
    funds, said Mark Rasch, vice president for cyberlaw at Predictive
    Systems Inc. in Reston, Va., and the former head of the Computer Crime
    Unit at the U.S. Justice Department. Criminal investigations,
    intelligence gathering and warfare all have different rules, he said.
    
    "At present, we are conducting a criminal investigation," said Rasch.
    "What do we do? Transfer the money out? That doesn't do a lot of good.
    It would be illegal and he would ask the bank to restore it," he said.
    "What you really need is not the ability to transfer funds, but the
    ability to identify the assets and get a lawful seizure or freeze
    order."
    
    Eric Friedberg, a security consultant at New York-based Stroz
    Associates LLC and a former computer and telecommunications crime
    coordinator at the Justice Department, agrees that the legal
    guidelines of what can be done aren't clear.
    
    During times of war it would be legal to hack into, disable and steal
    information from "enemy" servers, said Friedberg. But who the enemy is
    in this case will be difficult to determine, he said. "The evidence
    and perhaps the assets may be in what appear to be neutral third
    parties' hands," such as brokerage firms, clearinghouses and
    investment banks, said Friedberg. "Once neutral third parties are
    involved, the lawfulness of intrusive electronic techniques becomes
    questionable."
    
    
    