Tuesday, May 24, 2016

"Unlimited" ATM attack in Japan against South Africa's Standard Bank

We've written about Unlimited ATM attacks on this blog many times in the past, from 2008 until just a few months ago, but this newest attack is the first to feature Japanese ATM machines, to my knowledge.  In the early morning hours of 15MAY2016, at least 100 criminals visited at least 1,400 ATM machines and used a set of counterfeit ATM cards, cloned to correspond with accounts at Standard Bank in South Africa, to make the maximum 100,000 Yen withdrawal ($913 USD or £629) . . . about 14,000 times!

Standard Bank has confirmed to South African media that the robbery occurred, and has estimated the damage to the bank at around R200m (200 million South African Rand, or about $12.7M USD or about 1.4 billion Japanese Yen).  But is it truly an "Unlimited" attack?

The story was first reported in the 22MAY2016 Mainichi Daily News as "1.4 billion yen stolen from 1,400 convenience store ATMs across Japan".  The ATM machines are located in 7-Eleven convenience stores throughout Tokyo and 16 prefectures around the country.  The ATM machines in 7-Eleven stores in Japan are part of the bank network associated with Seven Bank.  Seven Bank's website invites international visitors to Japan to use their ATMs at 7-Eleven stores "Day or Night" which may be part of the appeal to these criminals.


Several unusual things happened in this incident.  In previous "Unlimited" attacks, a very small number of accounts have had a related debit card "cloned" by making an exact copy of the magnetic stripe of the card.  In the past, an intruder into the bank's network has been able to adjust the daily withdrawal limits of the cards, and reverse transactions, so that the same account could be used to perform hundreds or thousands of withdrawals.  The attacks are referred to as "Unlimited" attacks because a single account with a very small balance could be used to front millions of dollars worth of transactions, because each transaction is immediately reversed by the intruders who monitor the carefully orchestrated attack.  In the case of the most famous Unlimited attack, "The $9 Million World-Wide Bank Robbery", forty-four accounts were used to withdraw funds from 2,100 ATM machines in at least 280 cities around the world in a single evening.

In this case, it is not clear if this is what happened, primarily because the published reports say that at least 1,600 Standard Bank customers' accounts were used to perform the transactions. If this is true, with an estimate of 100 criminals involved in the "cash-out" portion of this robbery, that means on average each criminal had access to 16 accounts that were unique to that criminal.  Also, with 1,600 accounts in play, the average account holder would only have faced about $7,900 USD in charges.  This, however, contradicts the description of events that the BBC quotes, when it says that Standard Bank reported that "a small number" of fake cards were used in the event.  (The BBC article also places Standard Bank's estimated losses at $19.25m, which, if you do the math, shows they chose the higher of the two contradictory values being reported in South Africa of either R200m or R300m.  R200m matches all of the other figures being thrown about, while R300m is 50% higher.)

In my humble opinion, I believe that a journalist not versed in this type of cybercrime heard that 1600 counterfeit cards were used and assumed that they must belong to 1600 customers.  The key difference, and the most important with regards to Standard Bank, is that in a true "Unlimited" attack, the criminals would need to be controlling ATM accounts and logs INSIDE the Standard Bank network with administrator-level privileges. 
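To make the distinction drawn in the last few paragraphs concrete, here is an added detection example.  It is not code from the original post and not anything Standard Bank or Seven Bank runs; it works over a small, constructed ATM authorization log (card names, timestamps, the 100,000 yen per-card limit and the 30-second reversal window are all assumptions for the example).  A card that merely exceeds its daily limit points at tampered limits; a card whose withdrawals are reversed seconds later, over and over, is the "Unlimited" signature, where a small balance is spent repeatedly.  A bank seeing 1,600 cards each labelled "normal" is in a very different situation from one seeing a handful of cards labelled "unlimited".

```python
"""Added example (not from the original post): flag the signature of an
"Unlimited" ATM cash-out in a constructed authorization log.

Two per-card indicators from the post are checked:
  * withdrawal volume above the per-card daily limit (limits were raised
    by the intruders), and
  * withdrawals reversed seconds later, so the same small balance can be
    withdrawn again and again.
Card names, timestamps and limits below are made up for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT_JPY = 100_000                 # assumed per-card daily limit
REVERSAL_WINDOW = timedelta(seconds=30)   # assumed: "immediately reversed"

# Constructed sample log: (timestamp, card, event, amount_jpy)
SAMPLE_LOG = [
    ("2016-05-15 05:01:03", "card-A", "WITHDRAW", 100_000),
    ("2016-05-15 05:01:09", "card-A", "REVERSE", 100_000),
    ("2016-05-15 05:02:14", "card-A", "WITHDRAW", 100_000),
    ("2016-05-15 05:02:19", "card-A", "REVERSE", 100_000),
    ("2016-05-15 05:03:40", "card-A", "WITHDRAW", 100_000),
    ("2016-05-15 05:03:44", "card-A", "REVERSE", 100_000),
    ("2016-05-15 05:05:00", "card-B", "WITHDRAW", 100_000),  # one ordinary withdrawal
    ("2016-05-15 05:06:30", "card-C", "WITHDRAW", 100_000),
    ("2016-05-15 06:10:30", "card-C", "WITHDRAW", 100_000),  # over the daily limit, no reversal
]


def parse(log):
    """Turn the raw tuples into (datetime, card, event, amount), oldest first."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), card, event, amount)
            for ts, card, event, amount in log]
    return sorted(rows)


def summarize(log, window=REVERSAL_WINDOW):
    """Per-card counters: withdrawals, yen withdrawn, yen reversed, and the
    number of withdrawals reversed within `window` of the withdrawal."""
    stats = defaultdict(lambda: {"count": 0, "withdrawn": 0,
                                 "reversed": 0, "fast_reversals": 0})
    pending = {}  # card -> time of its last withdrawal not yet reversed
    for ts, card, event, amount in parse(log):
        s = stats[card]
        if event == "WITHDRAW":
            s["count"] += 1
            s["withdrawn"] += amount
            pending[card] = ts
        elif event == "REVERSE":
            s["reversed"] += amount
            last = pending.pop(card, None)
            if last is not None and ts - last <= window:
                s["fast_reversals"] += 1
    return dict(stats)


def classify(stats, daily_limit=DAILY_LIMIT_JPY):
    """'unlimited' = over the limit AND repeatedly reversed (the attack pattern
    described in the post); 'over_limit' = limit exceeded without reversals
    (limit tampering or a lax limit); otherwise 'normal'."""
    labels = {}
    for card, s in stats.items():
        over = s["withdrawn"] > daily_limit
        if over and s["fast_reversals"] >= 2:
            labels[card] = "unlimited"
        elif over:
            labels[card] = "over_limit"
        else:
            labels[card] = "normal"
    return labels


if __name__ == "__main__":
    for card, label in sorted(classify(summarize(SAMPLE_LOG)).items()):
        print(card, label)
```

On a real authorization feed the same logic would key on the PAN hash rather than a card name and would also count distinct terminals per card per hour, since 14,000 withdrawals spread over 1,400 machines in a few hours is itself an anomaly regardless of how many cards were involved.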

The Japan Times says "Japanese police have put suspects belonging to a Malaysian group on an international wanted list" relating to this event.  In reports from 2014, Japanese officials say that Chinese students are often used as money mules in Japan for withdrawing cash on behalf of organized cyber criminals, in much the same way that Russian money mules are used to withdraw cash from American banks.

Monday, May 02, 2016

Rule 41 Changes: Search and Seizure when you don't know the Computer's location

This one is for the legal geeks ...

This weekend, the EFF published an article, With Rule 41, Little-Known Committee Proposed to Grant New Hacking Powers to the Government. This discussion pits privacy advocates such as the EFF against the Department of Justice folks who want more powers to gather data.   The EFF is crying foul and making it seem that these changes are being sneaked through in the dead of night, while the DOJ is pointing out how reasonable the changes are. Multiple public hearings were held and written testimony was received and used (including theirs) to amend the rule change.  This conversation has been going on since early 2014.

That said, it is entirely possible that the Technology Folks, who have the best insights into how these rules would intersect with the Modern Internet, have the least understanding of how these rules actually get made.  I've tried to put together a brief backgrounder, followed by links to some of the key Comments and Testimony received thus far.  IF YOU DON'T WANT THIS TO BE LAW, YOUR CONGRESSMAN NEEDS TO STOP IT.  (Conversely, if you are technical and see no problem with it, you might share those thoughts with your Congressman as well.)  Here's House.gov's "Find Your Representative" page in case this whole concept of representative government is new to you.  They can't REPRESENT you if you don't TALK TO THEM!

What are the Federal Rules of Practice and Procedure?

The Federal Rules of Practice and Procedure were created in 1934 under the "Rules Enabling Act" (28 U.S.C. § 2071-2077).  The key pieces of the act are in 2071 and 2072 -- (2071) "The Supreme Court and all courts established by Act of Congress may from time to time prescribe rules for the conduct of their business. Such rules shall be consistent with Acts of Congress and rules of practice and procedure prescribed under section 2072 of this title." and (2072) "The Supreme Court shall have the power to prescribe general rules of practice and procedure and rules of evidence for cases in the United States district courts (including proceedings before magistrate judges thereof) and courts of appeals."  The rest of the act lays out how the "Judicial Conference" plays a role in this work.

Who is the Judicial Conference?

Back on October 1, 2015, U.S. Chief Justice John Roberts named the chairs for six Judicial Conference committees. One of the powers of being the Chief Justice is that you get to appoint the chairs of the Committees of the Judicial Conference, the leaders who decide what the Federal Rules are going to be, pending approval first by the Supreme Court, and then by Congress. Counting the previously named chairs, there are actually eleven Judicial Conference committee chairs.
  • Judge Richard R. Clifton (Ninth Circuit) -- Committee on Federal-State Jurisdiction
  • Judge Allyson K. Duncan (Fourth Circuit) -- Committee on International Judicial Relations
  • Judge Lawrence F. Stengel (Eastern District of Pennsylvania) -- Committee on Judicial Resources
  • Judge David R. Herndon (Southern District of Illinois) -- Committee on Judicial Security
  • Judge John D. Bates (District of DC) -- Advisory Committee on Civil Rules
  • Judge Donald W. Molloy (Montana District) -- Advisory Committee on Criminal Rules
  • Previously named chairs:
    • Judge Lawrence L. Piersol (South Dakota) -- Committee on Audits and Administrative Office Accountability
    • Chief Judge Catherine C. Blake (Maryland) -- Committee on Defender Services
    • Judge Anthony J. Scirica (Third Circuit) -- Committee on Judicial Conduct and Disability
    • Judge Jeffrey S. Sutton (Sixth Circuit) -- Committee on Rules of Practice and Procedure
    • Judge Steven M. Colloton (Eighth Circuit) -- Advisory Committee on Appellate Rules
On October 9, 2015, Jeffrey Sutton, the chair of the Committee on Rules of Practice and Procedure, sent their "Summary of Proposed Amendments to the Federal Rules" to the Supreme Court. The document is co-signed by the Chairs of the Advisory Committees (Appellate Rules, Bankruptcy Rules, Civil Rules, Criminal Rules, and Evidence Rules).

The full package contained several rules.  Per the normal process, the Supreme Court had until May 1, 2016 to forward them to Congress if it agreed with them (this is the action that just happened, triggering the current media round).  Congress then has until December 1, 2016 to take "contrary action" if it doesn't want them to become the law of the land.

What did the Judicial Conference ask for this year?

The items in the 2015-2016 Supreme Court Package of Proposed Rule Changes consisted of 244 pages of committee notes, Comments from the open comment period, and responses to them. Here is an outline of the Changes proposed, with our focus being on V. B. - Venue to Obtain Warrants for Remote Electronic Searches:
I. Elimination of the Three-Day Rule for Items Served Electronically.
Basically, the "three-day rule" had been set up to allow for the time it takes to mail a package through the U.S. Postal Service. The point of this rule change is that if things are being delivered electronically, why do we need this three-day delay?
II. Federal Rules of Appellate Procedure
A. Inmate-Filing Rules
B. Late Post-Judgment Motions and Appeals Time
C. Length Limits for Briefs and Other Documents
D. Amicus Filings in Connection with Rehearing
E. Technical Amendment
III. Federal Rules of Bankruptcy Procedure
A. Procedures for International Bankruptcy Cases
B. Chapter 13 Notices
IV. Federal Rules of Civil Procedure
A. Service on a Foreign Corporation
B. Service
C. Venue Technical Amendment
V. Federal Rules of Criminal Procedure
A. Service on Foreign Corporate Defendants
"The proposed amendment to Criminal Rule 4 addresses service of a summons on organizational defendants that have no agent or principal place of business within the United States. (...) Given the increasing number of criminal prosecutions involving foreign entities, the Advisory Committee agreed that the Criminal Rules should provide a mechanism for foreign service on an organization."
B. Venue to Obtain Warrants for Remote Electronic Searches
More below ...

Rule 41 Amendment: Venue to Obtain Warrants for Remote Electronic Searches

The text below comes from the aforementioned "Supreme Court Package" ... specifically from pp.198-200 for the text of the rule change itself, and from pp.200-202 for the Subcommittee comments.  Further explanation is from pp.225 onward, labeled "Excerpt from the September 2015 Report of the Judicial Conference".

 Rule 41. Search and Seizure

(b) Venue for a Warrant Application.  At the request of a federal law enforcement officer or an attorney for the government:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:

(A) the district where the media or information is located has been concealed through technological means; or

(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

(f) Executing and Returning the Warrant.
(1) Warrant to Search for and Seize a Person or Property.
(C) Receipt.  The officer executing the warrant must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property.  For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant and receipt on the person whose property was searched or who possessed the information that was seized or copied.  Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person.

Subcommittee notes on (b)(6)

Subdivision (b)(6). The amendment provides that in two specific circumstances a magistrate judge in a district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and seize or copy electronically stored information even when that media or information is or may be located outside of the district.

First, subparagraph (b)(6)(A) provides authority to issue a warrant to use remote access within or outside that district when the district in which the media or information is located is not known because of the use of technology such as anonymizing software.

Second, (b)(6)(B) allows a warrant to use remote access within or outside the district in an investigation of a violation of 18 U.S.C. § 1030(a)(5) if the media to be searched are protected computers that have been damaged without authorization, and they are located in many districts. Criminal activity under 18 U.S.C. § 1030(a)(5) (such as the creation and control of “botnets”) may target multiple computers in several districts. 

In investigations of this nature, the amendment would eliminate the burden of attempting to secure multiple warrants in numerous districts, and allow a single judge to oversee the investigation.

As used in this rule, the terms “protected computer”  and “damage” have the meaning provided in 18 U.S.C. § 1030(e)(2) & (8).

The amendment does not address constitutional questions, such as the specificity of description that the Fourth Amendment may require in a warrant for remotely searching electronic storage media or seizing or copying electronically stored information, leaving the application of this and other constitutional standards to ongoing case law development. 


Excerpt from the September 2015 Report of the Judicial Conference re:Rule 41

I'll place the footnote first ... "At present, Rule 41(b) authorizes search warrants for property located outside the judge's district in only four situations: (1) for property in the district that might be removed before execution of the warrant; (2) for tracking devices installed in the district, which may be monitored outside the district; (3) for investigations of domestic or international terrorism; and (4) for property located in a U.S. territory or a U.S. diplomatic or consular mission."

Now from the memo:

The proposed amendment to Rule 41 addresses venue for obtaining warrants for certain remote electronic searches. At present, the rule generally limits searches to locations within a district, with a few specified exceptions. The proposal to amend Rule 41 is narrowly tailored to address two increasingly common situations in which the existing territorial or venue requirements may hamper the investigation of serious federal crimes:

(1) where the warrant sufficiently describes the computer to be searched but the district within which that computer is located is unknown, and

(2) where the investigation requires law enforcement to coordinate searches of numerous computers in numerous districts.

The proposal would address this issue by amending Rule 41(b) to include two additional exceptions to the list of out-of-district searches permitted under that subsection (see footnote above). Language in a new subsection 41(b)(6) would authorize a court to issue a warrant to use remote access to search electronic storage media and seize electronically stored information inside or outside of the district:

(1) when a suspect has used technology to conceal the location of the media to be searched; or

(2) in an investigation into a violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5), when the media to be searched include damaged computers located in five or more districts.

The proposal also amends Rule 41(f)(1)(C) to specify the process for providing notice of a remote access search.

As expected, the proposed amendment generated significant response; the Advisory Committee received 44 written comments, and 8 witnesses testified at a public hearing in Washington, D.C. In addition, the Department of Justice submitted written responses to the issues raised by the comments and testimony. Many commentators raised concerns regarding the substantive limits on government searches, which are not affected by the proposal. In fact, much of the opposition reflected a misunderstanding of the scope of the proposal. The proposal addresses venue; it does not itself create authority for electronic searches or alter applicable constitutional requirements.

The Advisory Committee approved revisions to the published proposal aimed at clarifying the procedural nature of the proposed amendment. It changed the published caption from “Authority to Issue a Warrant” to “Venue for a Warrant Application” and revised the Committee Note to state that the constitutional requirements for the issuance of a warrant are not altered by the amendment. The Advisory Committee also approved revisions to the notice provision and accompanying Committee Note that directly respond to points raised by

Some of the Comments and Witnesses

The Center for Democracy & Technology submitted an 11-page PDF prior to testifying before the Judicial Conference on this matter on Friday, October 24, 2014.  Their big "Legal Implication" was "The proposed modification to FRCrmP Rule 41 would make policy decisions about important questions of law that are not currently settled and would best be resolved through legislation."

The ACLU submitted a 21-page PDF comment April 4, 2014 -- "ACLU Comment on the Proposed Amendment to Rule 41 Concerning Remote Searches of Electronic Storage Media"-- prior to the Advisory Committee's public hearing on the subject, April 7-8, 2014.  Great reading!  I especially appreciated this being cast into the area of Cloud Data challenges -- see the section "Remote Searches of Cloud Data Pose Fourth Amendment, Statutory, and Policy Problems."  This report also addresses one of my chief concerns, which I call "Venue Shopping."   In a large botnet, victims exist in every single Federal District.  This means that if I found a "friendly judge" in any district, I could just flood all my requests through that jurisdiction.

Many of these same concerns were re-addressed to the committee by the ACLU who also presented testimony for the October 24, 2014 meeting.  (See "Second ACLU Comment on Rule 41")

Richard Salgado also shared Google's Comments on the Proposed Amendment to Rule 41 (13FEB2015), raising these and many similar concerns, and specifically pointing out that Mutual Legal Assistance Treaties exist for exactly the purpose of international cooperation on searches.   Should we really be conducting extra-territorial searches without even knowing what territory the seized material is located in?  Google also mentions the concern that many VPNs may find themselves subject to this search because of the anonymizing function that a VPN can perform, even if the VPN is run by a legitimate bank, retailer, or other business merely seeking to better secure its users.

The EFF was represented in testimony (November 5, 2014) by Amie Stepanovich, the Senior Policy Counsel at Access, "an international digital rights non-governmental organization founded in the wake of the 2009 Iranian post-election crackdown."  She points out in her testimony that this is a broad expansion of the powers defined in the Computer Fraud and Abuse Act (CFAA) which may, due to the nature of botnets that use distributed Command and Control, result in searching and seizing evidence from various protected classes of computer users, all of which have been victims of botnets, including journalists, dissidents, whistleblowers, members of the military, lawmakers and world leaders!

The list of all 55 received comments can be accessed at Regulations.gov

Other significant commenters included:

Kevin Bankston, for New America's Open Technology Institute

Bruce Moyer, for the National Association of Assistant United States Attorneys

David Bitkower, for the U.S. Department of Justice
 This memo presents three "warrant scenarios" and attempts to show how they would not be violations of Fourth Amendment rights of protection from unreasonable search.

Comments on Proposed Remote Search Rules by professors Steven Bellovin of Columbia, Matt Blaze of University of Pennsylvania, and Susan Landau of Worcester Polytechnic Institute
This memo points out concerns about trying to address very specific botnet features in the face of the unknown - how botnets will change in the future,  as well as raising some very key questions about Chain of Custody and Authenticity of Evidence when we have no idea where the computer is providing the evidence in question.