1996-06-25 - Tales from the UK: Basel Part IV

Header Data

From: winn@Infowar.Com
To: Nmunro@access.digex.net
Message Hash: e9ff971c9e1c0f3182011f543039fc21355fefa2c9ace2282c97d9f4b95f24da
Message ID: <199606251406.KAA24757@mailhost.IntNet.net>
Reply To: N/A
UTC Datetime: 1996-06-25 20:20:35 UTC
Raw Date: Wed, 26 Jun 1996 04:20:35 +0800

Raw message

From: winn@Infowar.Com
Date: Wed, 26 Jun 1996 04:20:35 +0800
To: Nmunro@access.digex.net
Subject: Tales from the UK: Basel Part IV
Message-ID: <199606251406.KAA24757@mailhost.IntNet.net>
MIME-Version: 1.0
Content-Type: text/plain


June, 1996: Basel, Switzerland
More on the London Attacks: Part IV

The International Banking Information Technology Forum seemed like an ideal 
location to get a reading on whether the Times' articles held any water or not. 
I sent the family to Germany for two days while I spoke and schmoozed and asked 
some of Europe's and America's top bankers about the articles. (See my last 
three reports [June 1 - 23, 1996] on the alleged attacks as reported in the 
(London) Sunday Times.)

I browsed and wove in and out of this esteemed financial community and asked 
anyone and everyone in the banking field: "Do you know anything?" "Is any of it 
true?" "Do you know any victims?" "Was your bank attacked?" "Please, tell me!"

Of course I didn't scream this out to all four hundred of the world's top 
bankers in the public forum of my keynote speech; rather I asked quietly and 
discreetly, hoping for a discreet and honest answer. I got lucky and received 
two.

Both people who did agree to speak about the events in question do *not* want to 
be identified. They are both in the very senior ranks of European banking and 
only asked that I do not divulge their companies, their positions, backgrounds 
or names. They both feel that the *real* story should get out - at least as much 
as they know - and that the leaks are inherently good for the banking industry. 
[They do not agree with security by obscurity.] Further, they both told me, at 
separate times during the two day conference, stories that were nigh on 
identical (and I never told either one that I spoke to the other).

The bottom line is they both know about _four_ 'attacks' against financial 
institutions, although it was unclear as to whether they were all in the UK or 
not. I am left with the distinct impression at least three of them were. [Not 
the 40 or more that the Times suggested or that I have heard about since April 
of 1994.] However, unlike the Times article, there was no question as to the 
method of attack, and both sources were very clear in the use and the meaning of 
the word attack. Here is what they said as to how the technical extortion was 
accomplished. 

The perpetrator(s) would first place a call to the upper management of the 
intended victim announcing his/her intention. "We will take down your bank (or 
financial organization) unless you pay us a lot of money not to." 

The intended victims each sloughed off the threats. Shortly thereafter (within a 
day or two) their financial systems would seemingly collapse for no reason at 
the prescribed time and as promised by the caller. Banking services and/or 
trading would come to a halt, for about an hour or so, and then the affected 
systems would come back on line. Backups were ineffective; typical disaster 
recovery methods, I was told, just didn't work.

Thereafter, a second call would be made to senior executives of the victim 
firms, and the extortion demands for payment made again. In these cases, 
electronic payments to Switzerland were made, and the monies were then secreted 
from their temporary Swiss home within seconds - destined for places unknown or 
unannounced. No repeat attacks to paying institutions have occurred according to 
my sources.

I was told unequivocally that all of the four attacks used the same methodology: 
malicious software was somehow injected into the systems but neither was either 
forthcoming or knowledgeable about the specifics. They specifically denied that 
HERF techniques were used. But many questions remained, and I was unsuccessful 
at getting what I would call good answers to these and more queries:

	- Which systems were affected exactly?
	- How were the backup/redundancies disconnected?
	- Exactly what do you mean by remote control?
	- Did you ever find the offending software?
	- Was it an insider job?
	- Was it pure hacking?
	- Was it mission critical application software gone awry?
	- And so on . . . .

My questions flowed but both people either didn't know the answers or wouldn't 
talk. With both of them, there was a clear discomfort as I pushed and prodded 
for more details. Despite having so many questions still unanswered, I do feel 
fortunate to have found at least two people who were willing to support at least 
aspects of the Times' story.

One of the two banking people in Basel went even further with detail. He/she 
says the actual dollar figure extorted in these four cases using the software 
techniques, was L63 Million (UK), which is just about US$100 Million. According 
to him/her, a lot of meetings have been taking place amongst the banks and 
financial institutions to deal with the situation but they have agreed and thus 
made a conscious effort to avoid government and law enforcement.

So, no, none of this fully supports the Times' story, but it does support 
aspects of it, and aspects of the rumors and stories I've been hearing since 
April of 1994. No HERF Guns, although another of my contacts who will not let me 
use much of his/her information yet, swears that the software attack stories are 
merely obfuscating the higher technology methods.

I certainly don't know all of the facts, but as more people come forward with 
bits and pieces we may be able to siphon through the maelstrom of noise and 
rumor and find out what's really been going on.

Back at you as soon as I have something more.
Winn


Peace
Winn

		        Winn Schwartau - Interpact, Inc.
		        Information Warfare and InfoSec
		       V: 813.393.6600 / F: 813.393.6361
			    Winn@InfoWar.Com





