------------------------------

From: P.A.Taylor@EDINBURGH.AC.UK
Subject: CU in the News: "Hackers" and Bank Blackmail in England
Date: 24 Oct 90 12:59:34 bst

********************************************************************
***  CuD #2.09: File 8 of 8: CU in the News: Hackers/English Banks**
********************************************************************

Taken from: "The Independent On Sunday," October 14, '90:

Mysterious computer experts demand money to reveal how they penetrated sophisticated security.

HACKERS BLACKMAIL FIVE BANKS
by Richard Thomson

At least four British clearing banks and one merchant bank in the City are being blackmailed by a mysterious group of computer hackers who have broken into their central computer systems over the last six months. These breaches of computer security may be the largest and most sophisticated ever among British Banks.

The electronic break-ins, which began last May, could cause chaos for the banks involved. Once inside their systems, the hackers could steal information or indulge in sabotage, such as planting false data or damaging complex computer programs. It is unlikely, however, they would be able to steal money. So far, the hackers have contented themselves with demanding substantial sums of money in return for showing the banks how their systems were penetrated. None of the banks has yet paid.

The break-ins are evidence of the rapid growth in computer fraud and manipulation in Britain. Although most hacking is relatively trivial, the latest cases show much sophistication. The hackers have concentrated on tapping the banks' electronic switching systems which, among other things, control the routing of funds around the world.

Some of the hackers are in contact with each other, but they are believed to be operating individually. One computer expert described their level of expertise and knowledge of the clearing bank computer systems as "truly frightening".
They are not believed to have links with organised crime, which has become heavily involved in computer hacking in the US over the last two to three years.

It is a severe embarrassment for the banking community which is frightened that public awareness of the security breach could undermine public confidence. As a result, they have not called in the police but have hired a firm of private investigators, Network Security Management, which is owned by Hambros Bank and specialises in computer fraud. It is common for banks not to report fraud and security failures to the police for fear of damaging publicity.

All the banks approached either denied that they were victims of the blackmail attempt or refused to comment.

The hunt for the hackers is being led by David Price, managing director of NSM, who confirmed his firm was investigating computer security breaches at five British banks. "I am confident of success in catching the hackers," he said. "The amount of information they can get from the banks will vary depending on the computer systems and the ways the hackers broke into them," he added. "They could go back in and sabotage the systems, but they are not threatening to do so."

The ease with which the hackers appear to have penetrated the systems highlights the vulnerability of the computer data. Clearing banks in particular rely on huge computer systems to control their operations, from cash dispenser payments to massive international transfers of funds.

Security measures were tightened after a large computer fraud at a leading City bank three years ago. Although the bank involved was never named, it is understood the money was never recovered. Nevertheless, the speed with which computer technology has developed in the last few years has made the detection of security breaches more difficult.
According to an expert, who recently advised one of the big four clearers on its computer systems, there are few people who understand the banks' system well enough even to detect a break-in.

Computer-related fraud has boomed over the last decade as businesses have come to rely more heavily on electronic information. According to some reputable UK and US estimates, up to 5% of the gross national product of western economies disappears in fraud. Experts say that the senior managers of many companies simply do not appreciate the need for tight security.

The British legal system has been slow to respond. The Computer Misuse Act, which makes it illegal to access a computer without authorisation, came into effect only at the end of August this year.

(end article)

++++++++++++++++++++++++++++++++++++++++++++

The follow-up article (from The Independent on Oct 21), also by Richard Thomson, is basically much of the same thing. He quotes a hacker from the US whose computer "nom de guerre" is Michael Jordan who makes the following points.

1. One large US bank is notorious for lax security and it has effectively become a training ground for hackers.

2. Guessing passwords is sometimes "absurdly simple", they tend to choose words like "Sex, Porsche, or Password"

3. Social Engineering techniques are used and he would spend approx 6 weeks trying to suss out from a manager's secretary etc. anything he could find out that would help him have a better chance of accessing a bank's system.

The main body of the article is pretty glib; it has the usual stock phrases like... "Hackers and Bank employees have always been a danger, but now there are signs that yesterday's bank robbers have hung up their sawn-off shot-guns and are turning to computers instead." and even more hypey is ... "Mr Jordan claims to have been shown pictures of people in organised crime. "They're East End lads who've become more sophisticated now.
I've been told that if they ask you to help them and you refuse, it's baseball bats at dawn."

There's also a discussion of the reliability of fraud figures, a mention of how various definitions can exaggerate the actual role played by the computer. Detective Chief Superintendent Perry Nove, head of the city fraud squad, defines "computer fraud" as ... "It is when the computer system itself is attacked rather than just used to facilitate an offence"

The main conclusion on the whole area of fraud is "...the subject remains cloaked in mythology and mystery. Naturally, no one knows how many frauds are committed that are never discovered. Matters are further obscured because banks, fearful of bad publicity, sometimes do not report frauds to the police - a situation that Mr Nove accepts with resignation. There is general agreement among hackers and other experts that it is more widespread and more sophisticated in the US, that it is growing in Britain, but that British Banks are more secure than those in America and the Continent. That is about as reliable as the detailed information gets."

I hope I've summed up the general tone of the whole article, it was in the business section of The Independent On Sunday, 21st Oct. The paper's normally a very good one, so the generally bad coverage this bloke Thomson gave to the subject of hacking, and the amount of what I'd call "casual empiricism" he used to back up his arguments, is sadly probably indicative of what the CU is up against in the way of ignorance and bad reporting. I thought it was quite ironic that he recognised the role of mystery and mythology, since he seemed to be doing his best to add to it. Finally, if he'd have mentioned the word expert once more ..grrrrrrr....

Cheers for now,

P.A.T.

********************************************************************

------------------------------

                         **END OF CuD #2.09**
********************************************************************