Tuesday, May 24, 2016

"Unlimited" ATM attack in Japan against South Africa's Standard Bank

We've written about Unlimited ATM attacks in this blog many times in the past, from 2008 until just a few months ago, but this newest attack is the first to feature Japanese ATM machines, to my knowledge.  In the early morning hours of 15MAY2016, at least 100 criminals visited at least 1,400 ATM machines and used a set of counterfeit ATM cards, cloned to correspond with accounts at Standard Bank in South Africa, to make the maximum 100,000 Yen withdrawal ($913 USD or £629) ... about 14,000 times!

Standard Bank has confirmed to South African media that the event occurred, and has estimated the damage to the bank at around R200m (200 million South African Rand, or about $12.7M USD or about 1.4 billion Japanese Yen).  But is it truly an "Unlimited" attack?

The story was first reported in the 22MAY2016 Mainichi Daily News as "1.4 billion yen stolen from 1,400 convenience store ATMs across Japan".  The ATM machines are located in 7-Eleven convenience stores throughout Tokyo and 16 prefectures around the country.  The ATM machines in 7-Eleven stores in Japan are part of the bank network associated with Seven Bank.  Seven Bank's website invites international visitors to Japan to use their ATMs at 7-Eleven stores "Day or Night" which may be part of the appeal to these criminals.


Several unique things happened in this account.  In previous "Unlimited" attacks, a very small number of accounts have had a related debit card "cloned" by making an exact copy of the magnetic stripe of the card.  In the past, an intruder onto the bank's network has been able to adjust the daily withdrawal limits of the cards, and reverse transactions, so that the same account could be used to perform hundreds or thousands of withdrawals.  The attacks are referred to as "Unlimited" attacks because a single account with a very small balance could be used to front millions of dollars worth of transactions, because each transaction is immediately reversed by the intruders who monitor the carefully orchestrated attack.  In the case of the most famous Unlimited attack, "The $9 Million World-Wide Bank Robbery", forty-four accounts were used to withdraw funds from 2,100 ATM machines in at least 280 cities around the world in a single evening.

In this case, it is not clear if this is what happened, primarily because the published reports say that at least 1,600 Standard Bank customers' accounts were used to perform the transactions. If this is true, with an estimate of 100 criminals involved in the "cash-out" portion of this robbery, that means on average each criminal had access to 16 accounts that were unique to that criminal.  Also, with 1,600 accounts in play, the average account holder would only have faced $7,900 USD in charges.  This, however, contradicts the description of events that the BBC quotes, when it says that Standard Bank reported that "a small number" of fake cards were used in the event.  (The BBC article also places Standard Bank's estimated losses at $19.25m, which, if you do the math, shows they chose the higher of the two contradictory values being reported in South Africa, R200m or R300m.  R200m matches all of the other figures being thrown about, while R300m is 50% higher.)

In my humble opinion, a journalist not versed in this type of cybercrime heard that 1,600 counterfeit cards were used and assumed that they must belong to 1,600 customers.  The key difference, and the most important with regard to Standard Bank, is that in a true "Unlimited" attack, the criminals would need to be controlling ATM accounts and logs INSIDE the Standard Bank network with administrator-level privileges.
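As an added illustration (not code from the original post), here is a small issuer-side detector for the "Unlimited" cash-out pattern described above, run over constructed ATM authorization log lines: because the intruder reverses each withdrawal, a plain balance check sees nothing wrong, so the signal is the gross approved amount per card per day against its limit, the withdrawal velocity, and the ratio of reversals to approvals. The log format, thresholds and account ids are assumptions made for this example.

```python
# Added example, not from the original post: flag (account, day) pairs whose
# gross approved withdrawals exceed the daily limit, whose withdrawal count
# exceeds the velocity policy, or whose approvals are mostly reversed.
# Log format, thresholds and account ids below are assumptions for this example.
from collections import defaultdict
from datetime import datetime

DAILY_LIMIT_JPY = 100_000      # assumed daily cap; the post quotes 100,000 yen as the maximum withdrawal
MAX_WITHDRAWALS_PER_DAY = 3    # assumed velocity policy
REVERSAL_RATIO_ALERT = 0.5     # assumed: half or more of approvals reversed is suspicious

# Constructed sample log: <ISO timestamp>,<account>,<atm_id>,<amount_jpy>,<event>
# ZA-000123 is cashed out five times with each withdrawal reversed seconds later;
# ZA-000777 is an ordinary customer with one approval and one decline.
SAMPLE_LOG = """\
2016-05-15T05:01:10,ZA-000123,JP-7E-0001,100000,APPROVED
2016-05-15T05:01:12,ZA-000123,JP-7E-0001,100000,REVERSAL
2016-05-15T05:02:40,ZA-000123,JP-7E-0001,100000,APPROVED
2016-05-15T05:02:42,ZA-000123,JP-7E-0001,100000,REVERSAL
2016-05-15T05:04:05,ZA-000123,JP-7E-0002,100000,APPROVED
2016-05-15T05:04:07,ZA-000123,JP-7E-0002,100000,REVERSAL
2016-05-15T05:05:30,ZA-000123,JP-7E-0002,100000,APPROVED
2016-05-15T05:05:32,ZA-000123,JP-7E-0002,100000,REVERSAL
2016-05-15T05:06:58,ZA-000123,JP-7E-0002,100000,APPROVED
2016-05-15T05:07:00,ZA-000123,JP-7E-0002,100000,REVERSAL
2016-05-15T09:15:00,ZA-000777,JP-7E-0310,50000,APPROVED
2016-05-15T09:20:00,ZA-000777,JP-7E-0310,100000,DECLINED
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, atm, amount, event = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "atm": atm,
            "amount": int(amount),
            "event": event,
        })
    return records


def analyze(records):
    """Return one alert per (account, day) that trips any rule, as
    (account, day, sorted reasons, approved count, gross approved yen, distinct ATMs).
    Gross approvals are used deliberately: a reversal restores the balance, so the
    net position of an "Unlimited" account looks normal."""
    stats = defaultdict(lambda: {"approved": 0, "gross": 0, "reversals": 0, "atms": set()})
    for r in records:
        s = stats[(r["account"], r["ts"].date().isoformat())]
        if r["event"] == "APPROVED":
            s["approved"] += 1
            s["gross"] += r["amount"]
            s["atms"].add(r["atm"])
        elif r["event"] == "REVERSAL":
            s["reversals"] += 1

    alerts = []
    for (account, day), s in sorted(stats.items()):
        reasons = []
        if s["gross"] > DAILY_LIMIT_JPY:
            reasons.append("over_daily_limit")
        if s["approved"] > MAX_WITHDRAWALS_PER_DAY:
            reasons.append("velocity")
        if s["approved"] and s["reversals"] / s["approved"] >= REVERSAL_RATIO_ALERT:
            reasons.append("reversal_ratio")
        if reasons:
            alerts.append((account, day, sorted(reasons), s["approved"], s["gross"], len(s["atms"])))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG)):
        print(alert)
```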

The Japan Times says "Japanese police have put suspects belonging to a Malaysian group on an international wanted list" relating to this event.  In reports from 2014, Japanese officials say that Chinese students are often used as money mules in Japan for withdrawing cash on behalf of organized cyber criminals, in much the same way that Russian money mules are used to withdraw cash from American banks.

Monday, May 02, 2016

Rule 41 Changes: Search and Seizure when you don't know the Computer's location

This one is for the legal geeks ...

This weekend, the EFF published an article, With Rule 41, Little-Known Committee Proposed to Grant New Hacking Powers to the Government. This discussion pits privacy advocates such as the EFF against the Department of Justice folks who want more powers to gather data.  The EFF is crying foul and making it seem that these changes are being sneaked through in the dead of night, while the DOJ is pointing out how reasonable the changes are. Multiple public hearings were held, and written testimony was received and used (including theirs) to amend the rule change.  This conversation has been going on since early 2014.

That said, it is entirely possible that the Technology Folks who have the best insights into how these rules would intersect with the Modern Internet have the least understanding of how these rules work.  I've tried to put together a brief backgrounder, followed by links to some of the key Comments and Testimony received thus far.  IF YOU DON'T WANT THIS TO BE LAW, YOUR CONGRESSMAN NEEDS TO STOP IT.  (Conversely, if you are technical and see no problem with it, you might share those thoughts with your Congressman as well.)  Here's House.gov's "Find Your Representative" page in case this whole concept of representative government is new to you.  They can't REPRESENT you if you don't TALK TO THEM!

What are the Federal Rules of Practice and Procedure?

The Federal Rules of Practice and Procedure were created in 1934 under the "Rules Enabling Act" (28 U.S.C. § 2071-2077).  The key pieces of the act are in 2071 and 2072 -- (2071) "The Supreme Court and all courts established by Act of Congress may from time to time prescribe rules for the conduct of their business. Such rules shall be consistent with Acts of Congress and rules of practice and procedure prescribed under section 2072 of this title." and (2072) "The Supreme Court shall have the power to prescribe general rules of practice and procedure and rules of evidence for cases in the United States district courts (including proceedings before magistrate judges thereof) and courts of appeals."  The rest of the act lays out how the "Judicial Conference" plays a role in this work.

Who is the Judicial Conference?

Back on October 1, 2015, U.S. Supreme Court Chief Justice John Roberts named the chairs for his six Advisory Committees. One of the powers of being the Chief Justice is that you get to appoint the chairs of the Committees of the Judicial Conference, who are the leaders who decide what the Federal Rules are going to be, pending approval first by the Supreme Court, and then by Congress. There are actually eleven Judicial Conference committee chairs.
  • Judge Richard R. Clifton (Ninth Circuit) -- Committee on Federal-State Jurisdiction
  • Judge Allyson K. Duncan (Fourth Circuit) -- Committee on International Judicial Relations
  • Judge Lawrence F. Stengel (Eastern District of Pennsylvania) -- Committee on Judicial Resources
  • Judge David R. Herndon (Southern District of Illinois) -- Committee on Judicial Security
  • Judge John D. Bates (District of DC) -- Advisory Committee on Civil Rules
  • Judge Donald W. Molloy (Montana District) -- Advisory Committee on Criminal Rules
  • Previously named chairs:
    • Judge Lawrence L. Piersol (South Dakota) -- Committee on Audits and Administrative Office Accountability
    • Chief Judge Catherine C. Blake (Maryland) -- Committee on Defender Services
    • Judge Anthony J. Scirica (Third Circuit) -- Committee on Judicial Conduct and Disability
    • Judge Jeffrey S. Sutton (Sixth Circuit) -- Committee on Rules of Practice and Procedure
    • Judge Steven M. Colloton (Eighth Circuit) -- Advisory Committee on Appellate Rules
On October 9, 2015, Jeffrey Sutton, the chair of the Committee on Rules of Practice and Procedure, sent their "Summary of Proposed Amendments to the Federal Rules" to the Supreme Court. The document is co-signed by the Chairs of the Advisory Committees (Appellate Rules, Bankruptcy Rules, Civil Rules, Criminal Rules, and Evidence Rules).

The full package contained several rules.  Per the normal process, the Supreme Court had until May 1, 2016 to forward them to Congress if it agreed with them (this is the action that just happened, triggering the current media round).  Congress then has until December 1, 2016 to take "contrary action" if it does not want them to become the law of the land.

What did the Judicial Conference ask for this year?

The 2015-2016 Supreme Court Package of Proposed Rule Changes consisted of 244 pages of committee notes, Comments from the open comment period, and responses to them. Here is an outline of the changes proposed, with our focus on V. B. - Venue to Obtain Warrants for Remote Electronic Searches:
I. Elimination of the Three-Day Rule for Items Served Electronically
Basically, the "three-day rule" had been set up to allow for the time it takes to mail a package through the U.S. Postal Service. The point of this rule change is that if things are being delivered electronically, why do we need this three-day delay?
II. Federal Rules of Appellate Procedure
A. Inmate-Filing Rules
B. Late Post-Judgment Motions and Appeals Time
C. Length Limits for Briefs and Other Documents
D. Amicus Filings in Connection with Rehearing
E. Technical Amendment
III. Federal Rules of Bankruptcy Procedure
A. Procedures for International Bankruptcy Cases
B. Chapter 13 Notices
IV. Federal Rules of Civil Procedure
A. Service on a Foreign Corporation
B. Service
C. Venue Technical Amendment
V. Federal Rules of Criminal Procedure
A. Service on Foreign Corporate Defendants
"The proposed amendment to Criminal Rule 4 addresses service of a summons on organizational defendants that have no agent or principal place of business within the United States. (...) Given the increasing number of criminal prosecutions involving foreign entities, the Advisory Committee agreed that the Criminal Rules should provide a mechanism for foreign service on an organization."
B. Venue to Obtain Warrants for Remote Electronic Searches
More below ...

Rule 41 Amendment: Venue to Obtain Warrants for Remote Electronic Searches

The text below comes from the aforementioned "Supreme Court Package" ... specifically from pp.198-200 for the text of the rule change itself, and from pp.200-202 for the Subcommittee comments.  Further explanation comes from pp.225- in the section labeled "Excerpt from the September 2015 Report of the Judicial Conference".

Rule 41. Search and Seizure

(b) Venue for a warrant Application.  At the request of a federal law enforcement officer or an attorney for the government:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:

(A) the district where the media or information is located has been concealed through technological means; or

(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

(f) Executing and Returning the Warrant.
(1) Warrant to Search for and Seize a Person or Property.
(C) Receipt.  The officer executing the warrant must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property.  For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied.  Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person.

Subcommittee notes on (b)(6):
Subdivision (b)(6). The amendment provides that in two specific circumstances a magistrate judge in a district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and seize or copy electronically stored information even when that media or information is or may be located outside of the district.

First, subparagraph (b)(6)(A) provides authority to issue a warrant to use remote access within or outside that district when the district in which the media or information is located is not known because of the use of technology such as anonymizing software.

Second, (b)(6)(B) allows a warrant to use remote access within or outside the district in an investigation of a violation of 18 U.S.C. § 1030(a)(5) if the media to be searched are protected computers that have been damaged without authorization, and they are located in many districts. Criminal activity under 18 U.S.C. § 1030(a)(5) (such as the creation and control of “botnets”) may target multiple computers in several districts.

In investigations of this nature, the amendment would eliminate the burden of attempting to secure multiple warrants in numerous districts, and allow a single judge to oversee the investigation.

As used in this rule, the terms “protected computer”  and “damage” have the meaning provided in 18 U.S.C. § 1030(e)(2) & (8).

The amendment does not address constitutional questions, such as the specificity of description that the Fourth Amendment may require in a warrant for remotely searching electronic storage media or seizing or copying electronically stored information, leaving the application of this and other constitutional standards to ongoing case law development. 


Excerpt from the September 2015 Report of the Judicial Conference re: Rule 41

I'll place the footnote first ... "At present, Rule 41(b) authorizes search warrants for property located outside the judge's district in only four situations: (1) for property in the district that might be removed before execution of the warrant; (2) for tracking devices installed in the district, which may be monitored outside the district; (3) for investigations of domestic or international terrorism; and (4) for property located in a U.S. territory or a U.S. diplomatic or consular mission."

Now from the memo:

The proposed amendment to Rule 41 addresses venue for obtaining warrants for certain remote electronic searches. At present, the rule generally limits searches to locations within a district, with a few specified exceptions. The proposal to amend Rule 41 is narrowly tailored to address two increasingly common situations in which the existing territorial or venue requirements may hamper the investigation of serious federal crimes:

(1) where the warrant sufficiently describes the computer to be searched but the district within which that computer is located is unknown, and

(2) where the investigation requires law enforcement to coordinate searches of numerous computers in numerous districts.

The proposal would address this issue by amending Rule 41(b) to include two additional exceptions to the list of out-of-district searches permitted under that subsection (see footnote above). Language in a new subsection 41(b)(6) would authorize a court to issue a warrant to use remote access to search electronic storage media and seize electronically stored information inside or outside of the

(1) when a suspect has used technology to conceal the location of the media to be searched; or

(2) in an investigation into a violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5), when the media to be searched include damaged computers located in five or more districts.

The proposal also amends Rule 41(f)(1)(C) to specify the process for providing notice of a remote access search.

As expected, the proposed amendment generated significant response; the Advisory Committee received 44 written comments, and 8 witnesses testified at a public hearing in Washington, D.C. In addition, the Department of Justice submitted written responses to the issues raised by the comments and testimony. Many commentators raised concerns regarding the substantive limits on government searches, which are not affected by the proposal. In fact, much of the opposition reflected a misunderstanding of the scope of the proposal. The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable constitutional requirements.

The Advisory Committee approved revisions to the published proposal aimed at clarifying the procedural nature of the proposed amendment. It changed the published caption from “Authority to Issue a Warrant” to “Venue for a Warrant Application” and revised the Committee Note to state that the constitutional requirements for the issuance of a warrant are not altered by the amendment. The Advisory Committee also approved revisions to the notice provision and accompanying Committee Note that directly respond to points raised by

Some of the Comments and Witnesses

The Center for Democracy & Technology submitted an 11-page PDF prior to testifying before the Judicial Conference on this matter Friday, October 24, 2014.  Their big "Legal Implication" was "The proposed modification to FRCrmP Rule 41 would make policy decisions about important questions of law that are not currently settled and would best be resolved through legislation."

The ACLU submitted a 21-page PDF comment April 4, 2014 -- "ACLU Comment on the Proposed Amendment to Rule 41 Concerning Remote Searches of Electronic Storage Media"-- prior to the Advisory Committee's public hearing on the subject, April 7-8, 2014.  Great reading!  I especially appreciated this being cast into the area of Cloud Data challenges -- see the section "Remote Searches of Cloud Data Pose Fourth Amendment, Statutory, and Policy Problems."  This report also addresses one of my chief concerns, which I call "Venue Shopping."   In a large botnet, victims exist in every single Federal District.  This means that if I found a "friendly judge" in any district, I could just flood all my requests through that jurisdiction.

Many of these same concerns were re-addressed to the committee by the ACLU who also presented testimony for the October 24, 2014 meeting.  (See "Second ACLU Comment on Rule 41")

Richard Salgado also shared Google's Comments on the Proposed Amendment to Rule 41 (13FEB2015) raising these and many similar concerns, and specifically pointing out that the Mutual Legal Assistance Treaties exist for exactly the purpose of international cooperation on searches.   Should we really be conducting extra-territorial searches without even knowing what territory the seized material is located in?  Google also mentions the concern that many VPNs may find themselves subject to this search because of the anonymizing function that a VPN can perform, even if the VPN is a legitimate bank, retailer, or other business merely seeking to better secure their users.

The EFF was represented in testimony (November 5, 2014) by Amie Stepanovich, the Senior Policy Counsel at Access, "an international digital rights non-governmental organization founded in the wake of the 2009 Iranian post-election crackdown."  She points out in her testimony that this is a broad expansion of the powers defined in the Computer Fraud and Abuse Act (CFAA) which may, due to the nature of botnets that use distributed Command and Control, result in searching and seizing evidence from various protected classes of computer users, all of whom have been victims of botnets, including journalists, dissidents, whistleblowers, members of the military, lawmakers and world leaders!

The list of all 55 received comments can be accessed at Regulations.gov.

Other significant commenters included:

Kevin Bankston, for New America's Open Technology Institute

Bruce Moyer, for the National Association of Assistant United States Attorneys

David Bitkower, for the U.S. Department of Justice
This memo presents three "warrant scenarios" and attempts to show how they would not be violations of Fourth Amendment rights of protection from unreasonable search.

Comments on Proposed Remote Search Rules by professors Steven Bellovin of Columbia, Matt Blaze of University of Pennsylvania, and Susan Landau of Worcester Polytechnic Institute
This memo points out the concerns with trying to address very specific botnet features in the face of the unknown (how botnets will change in the future), as well as raising some very key questions about Chain of Custody and Authenticity of Evidence when we have no idea where the computer providing the evidence in question is located.

Saturday, April 23, 2016

Is the Bank of Bangladesh ready for the Global Economy?

On February 4, 2016, more than $100 Million USD was stolen from the Bank of Bangladesh's foreign exchange reserves housed at the Federal Reserve Bank in New York. The hackers had actually attempted to steal US$951 Million in a series of three dozen SWIFT wire transfers, but were thwarted when an alert staff member found some suspicious misspellings in the name of the organization used for the fifth transfer. Five transfers were completed, totaling US$101 Million, although a $20M transfer to a non-profit organization in Sri Lanka was reversed due to the spelling error, which named the recipient "Shalika Fandation" instead of "Foundation," prompting a deeper look at the transfer and stopping an additional US$850 Million of queued transfers to other organizations. Stealing $1 Billion is huge, but especially for Bangladesh, whose total foreign currency holdings are $27 Billion.

The four successful transfers, totaling US$81 Million were sent to an account in the Philippines at Rizal Commercial Banking Corporation. Hearings held by the Philippines Senate revealed that these accounts had been opened nine months earlier by two Chinese residents. Kim Wong (AKA Kam Sin Wong) claims that he only acted as an interpreter to assist two other Chinese nationals, Gao Shu Hua and Ding Zhi Ze, from Beijing and Macau.

Gao and Wong are "junket operators" who are among the many small boat captains who are thought to ferry gamblers between the casinos in Macau and the Philippines.

In a series of quick financial operations, the funds were transferred from the Philippines to three large local casinos: Midas Hotel and Casino, City of Dreams, and Solaire Resort and Casino, and then wired back to various international accounts, using the common trick of laundering the money by claiming it as gambling proceeds. Fortune magazine reported that in the case of Solaire, the $29 Million was credited to the account of a Macau-based high-rolling gambler. Somehow I don't think this is what Solaire was thinking of when they advertise "The Great Exchange":

At least one Philippine Senator, Sergio Osmeña III, claims that this is a planned loophole in the Anti-Money Laundering Act. Casinos lobbied the Senate heavily as the bill was being considered, and as a result, they are exempt from reporting suspicious financial transfers that most other commercial businesses are required to report.

RCBC & Maia Santos-Deguito

(image from The Philippine Star)

The Epoch Times reports that in at least one of these transfers, $22 Million was placed into the Jupiter Street branch of Philippines RCBC and $427,000 of those funds were withdrawn in cash and loaded into the car of Maia Santos Deguito, the branch manager. The withdrawal was handled by Deguito's assistant, Angela Torres, who had the money delivered by armored car, took the money and placed it in a box, which was then transferred to a paper bag and placed in the branch manager's car. GMA News picks up the story of testimony from bank employees ... A bank employee said in testimony that Deguito told him, "I would rather do this than me being killed or my family," claiming that her life had been threatened if she refused to participate in the illegal activity. But when deposed herself, Deguito said her life was never threatened. The transfers from the Federal Reserve Bank of New York came to RCBC accounts under the names Michael F. Cruz, Jessie C. Lagrosas, Alfred S. Vergara, and Enrico T. Vasquez. From there, $66M was withdrawn and consolidated into an account in the name of William So Go. Deguito claims that Kim Wong, the front man for the Chinese pair, was a "friend of bank President and CEO Lorenzo V. Tan." Tan denies this, although he admits having seen Wong on a number of occasions.

The Treasurer of RCBC, Raul Victor Tan, has resigned "out of decency and honor, and despite his lack of involvement." Branch Manager Deguito reported to him and is largely believed to be the main point of contact between the bank and Gao Shu Hua. RCBC's president was also placed on leave from March 23rd. The Central Bank Governor in Bangladesh, Atiur Rahman, has been forced to resign as well.

My security is so bad that I'm suing you!

According to The Epoch Times, the Bank of Bangladesh hired FireEye to investigate the situation. The initial FireEye report, released March 16th, indicated that at least 32 compromised assets had been identified that were part of a complex malware scheme for harvesting credentials needed for the SWIFT transfers and erasing logs of the activity in question.

In much the same way that small businesses have attempted to file lawsuits against their banks when their lack of security has led to malware infections that drained their accounts, the Bank of Bangladesh announced through Finance Minister AMA Muhith that they would sue the Federal Reserve Bank of New York. In Al-Jazeera, Muhith is quoted as saying "We've heard that Federal Reserve Bank of New York has completely denied their responsibility. They don't have any right."

But much like the small businesses who have lost those lawsuits once their ineptitude was put on display, Bank of Bangladesh may have trouble claiming the problem resided at the Fed. On Friday, April 22nd, Reuters and BBC both released stories exposing the horrible security at Bank of Bangladesh. The Reuters headline read "Bangladesh Bank exposed to hackers by cheap switches, no firewall: police" while the BBC headline pronounced "$10 router blamed in Bangladesh bank hack". A forensic investigator working on the Bangladesh team, Mohammad Shah Alam, says the investigation was complicated by the lack of log files available on these discount routers, but the larger problem is the lack of any care about security that choosing such a device indicates in the first place. It should be acknowledged that this contradicts the bank's statement that its firewall was penetrated by a sophisticated cyber attack:

"The central bank had put “zero tolerance security” and robust firewalls in place in the back office of its foreign currency division. But the cyber gang used a powerful malware to break the firewall and managed to send fake payment orders to the US bank, added the official." -- source: www.asianews.network/content/bangladesh-bank-installing-monitoring-software-11440

Who can Join Our Network?

The bigger question raised in the Reuters story, though, is what responsibility the western banking world should hold in requesting to evaluate the security of those who would attach themselves to the trillions-of-dollars-per-day global financial markets. In the United States our regulations require that a holder of Personally Identifiable Information obtain proof of the security of those they interact with in a wide variety of settings. HIPAA, the ruleset for protecting the privacy of your medical records, began requiring HIPAA-covered entities to take responsibility for the security of their vendors who may interact with sensitive records in 2013/2014. (See for example this story in IAPP -- "HIPAA Changes Mean Tightening Up Vendor Relationships"). In the same way, the Payment Card Industry standard, PCI, that protects the privacy of credit card information also requires any covered entity to perform Due Diligence on their third party vendors (See their 47-page guidance on the subject, "Information Supplement: Third-Party Security Assurance").

So if my Hospital is not allowed to exchange patient data with an insurance company before checking the security of their networks, systems, and applications, and my Grocery Store is not allowed to exchange credit card information with a financial services company before checking the security of their networks, systems, and applications, why would SWIFT and the Federal Reserve Bank system be allowed to move billions of dollars on behalf of banks that don't have a firewall and have $10 routers bought second hand off the Internet? SWIFT has announced they would be issuing "written guidance" to ensure their members are practicing proper security methods. Hopefully these are more robust than those in their 2012 Whitepaper "CPSS-IOSCO's Principles for Financial Market Infrastructures". (To learn more see: SWIFT: Information Security)

Probably because we are trying to lower the barriers of entry to banks from depressed economies. "Is it fair" to require one of the poorest nations in the world to have to spend the same type of money that western nations spend on Internet security? Perhaps not. But until we do, these emerging economies are going to be a continual and growing target of the cyber criminals that are willing to invest "western-style" funds to accomplish heists that are truly worthy of a Hollywood movie.

Update 25APR2016 - BAE Analysis of SWIFT malware

Adrian Nish has published a blog post at BAE Systems Threat Research Blog, Two Bytes to $951M, where he documents the behavior of the malware that was likely used in the Bank of Bangladesh unauthorized SWIFT transfers. The malware causes the SWIFT software running at the bank to bypass certain confirmations, and alters the print queue where messages are sent in order to hide the evidence of the transaction being performed. Great analysis! It makes this attack far more advanced than the "didn't have a firewall" accusations being leveled would suggest.