Information Security News
mailing list archives
U.S. could use cybertactics to seize bin Laden's assets
From: InfoSec News <isn () c4i org>
Date: Fri, 21 Sep 2001 02:40:58 -0500 (CDT)

By DAN VERTON
September 20, 2001

WASHINGTON -- U.S. officials mobilizing to freeze the financial assets
of international terrorist Osama bin Laden may resort to cybermethods,
such as hacking, to cut off the money supply that has been used to
finance his terrorist activities, including the Sept. 11 attacks on
the World Trade Center and the Pentagon, of which he is the prime

Intelligence and security experts said the U.S. government, using
diplomatic channels, doesn't expect to receive cooperation from all of
the hundreds of banks, holding companies and other private enterprises
and fictitious front companies that bin Laden uses to hide his
estimated $300 million personal fortune. As a result, the U.S.
intelligence community might use cybermethods to put a virtual
stranglehold on bin Laden's global terror organization, Al Qaeda.

While acknowledging that the operation could take years, security
officials said that such an attempt was possible.

Experts recognize that finding bin Laden's money, which is believed
hidden in 50 countries in small amounts at hundreds of banks,
companies and charitable organizations, will be difficult. Still, if
the accounts that store the money can be located, hacking experts said
it is well within the technical capabilities of the U.S. intelligence
community to make it disappear forever.

In the U.S., the Knight-Ridder news service quoted a U.S. Treasury
Department official, who spoke anonymously, saying that the government
ordered bin Laden's U.S. assets seized in the mid-1990s, but nothing
was recovered. However, the government said in January it had seized
assets worth $245 million from the Taliban, the militant Islamic group
running the government of Afghanistan, the news service said.

Hacking into the computer systems of banks and other financial
institutions around the world raises a number of coordination and
legal challenges, said experts.

"You'd need a lot of things in place," said Ken Van Wyk, chief
technology officer at Para-Protect Services Inc., an IT security firm
in Centreville, Va. For example, federal agents would need in-depth
knowledge of the bank and how the bank operates, the names and account
numbers in question, and at a minimum, access codes, such as personal
identification numbers, to the accounts, said Van Wyk.

In many instances, inside help, such as a bank employee, would be
required to both learn the inner workings of the bank's IT operations
and to gain unquestioned access to the accounts. However, if bin
Laden's associates who control the account can show that the funds
were stolen, the financial institution would be required to simply
restore them, said experts.

"We have seen theft of money out of banks using electronic means. It
has certainly happened," said Van Wyk. For example, in 1994, a
24-year-old Russian programmer hacked into Citibank's systems and made
off with $10 million. Likewise, a German bank this week threatened a
lawsuit against producers of a local television show for hiring
hackers to break into the bank's servers and download customer names,
account numbers, PINs and IP addresses,

But the bulk of the work that needs to be done to hack bin Laden's
money would be nontechnical in nature, Van Wyk said. "I would expect
that the name on the account is probably not Osama bin Laden. It's
probably extremely well hidden," he said.

"To steal it would require some insiders who are sympathetic to the
cause," said Winn Schwartau, an information warfare expert and
president of security firm Interpact Inc. in Seminole, Fla. "With
corporate shells and fast-moving money, it's going to be difficult."

But not impossible.

Computerworld asked a hacker known as "Gen," the head of a U.S.-based
group of more than 100 hackers, how such a sophisticated hacking
operation might be carried out. Hacking into the bank and stealing the
money would be the easy part, Gen said, in an interview via e-mail.

"There would be two possible attacks to bring this to reality: social
engineering and old-school hacking," said Gen. "Hacking would be
accomplished by breaking into the servers of whatever institution he
was hiding his funds in. This type of hacking would really be no
different than hacking a Web server. It's what you do afterward that
would be impressive."

Other practical skills would be critical to pull off such a heist, Gen
said. You would need "someone who can speak his native tongue, someone
who sounds like him [and] possibly someone who looks like him," he
said. In addition, a hacking operation should first have knowledge of
the subject's account structures and the passwords used to secure his
funds, or to alert members of the banks and credit unions of a false
withdrawal or redirection, he said.

From a technical standpoint, it might be necessary to deploy a
cyberoperative in the same geographical location as bin Laden or his
emissaries to mimic that location and avoid phone line reverse
detection, according to Gen. Likewise, knowledge of protocols used at
the banks and credit unions would be needed, as would knowledge of the
account structures where the funds are to be transferred, and the
ability to hide the funds once they are transferred.

And although wire transfers are encrypted, it might be possible to
hack the transfer before it is encrypted, helping authorities to
follow the money trail. But Gen said it is easier to take over the
entire server than to intercept encrypted data streams. "Typically the
encryption actually takes place on the person's computer that is
submitting the transfer. If this is through a Web interface like
Netscape or MSIE [Microsoft's Internet Explorer], it uses SSL [Secure
Sockets Layer]. It is possible to grab the encrypted stream, but then
you must break the encryption, which is likely 128-bit."

A former hacker who is now a systems engineer for a major software
company said some banks allow people to request funds transfers over
the telephone and through the use of simple PINs. Even stock transfers
are relatively simple and rely on a great deal of trust that the
person initiating the transfer is who he says he is, the former hacker

"At the lowest level, if his assets are in banks, they're just bits
and bytes," he said. Assuming bin Laden doesn't have all the money in
gold or cash, "the feasibility of a covert operation conducting a
digital transfer between accounts and then withdrawing that money and
taking it out of the digital universe is very feasible."

A Dutch intelligence expert said isolating the accounts and the users
making bin Laden's transactions will depend on how many stages
authorities can trace back. "Who was the broker who gave the order to
buy? That is easy," the expert said, speaking on condition of
anonymity. "Which bank instructed the broker? That is easy, too. Who
instructed the bank? Now it becomes difficult."

There are also legal hurdles that might have to be overcome to prevent
bin Laden's associates from forcing the banks to restore the stolen
funds, said Mark Rasch, vice president for cyberlaw at Predictive
Systems Inc. in Reston, Va., and the former head of the Computer Crime
Unit at the U.S. Justice Department. Criminal investigations,
intelligence gathering and warfare all have different rules, he said.

"At present, we are conducting a criminal investigation," said Rasch.
"What do we do? Transfer the money out? That doesn't do a lot of good.
It would be illegal and he would ask the bank to restore it," he said.
"What you really need is not the ability to transfer funds, but the
ability to identify the assets and get a lawful seizure or freeze

Eric Friedberg, a security consultant at New York-based Stroz
Associates LLC and a former computer and telecommunications crime
coordinator at the Justice Department, agrees that the legal
guidelines of what can be done aren't clear.

During times of war it would be legal to hack into, disable and steal
information from "enemy" servers, said Friedberg. But who the enemy is
in this case will be difficult to determine, he said. "The evidence
and perhaps the assets may be in what appear to be neutral third
parties' hands," such as brokerage firms, clearinghouses and
investment banks, said Friedberg. "Once neutral third parties are
involved, the lawfulness of intrusive electronic techniques becomes