Sunday 20 March 2016

80 Million and a Spelling Error: Hacking (Night's Black Agents)

When I was just starting out as a low-level employee for a financial institution I shall not name, a senior staff member was caught with his fingers in the electronic till. He rigged the system so that, every so often, dormant accounts or trust funds would deposit a trifling amount of money in his personal account. It was never much more than a few dollars, even cents, at a time, but spread over many accounts and over a long period of time those small sums added up to one big payout. He was caught when he went to lunch one day and forgot to lock his machine. Someone came into his office to drop something off, noticed the suspicious activity on his monitor, and passed it on to the higher-ups. It became a police matter very soon after that.

I was reminded of him when I read about the $80 million heist carried out electronically via the Bangladesh Bank. His scheme wasn't original, but it paid off big time, and he would have gotten clean away had he not made a very simple mistake, the kind of error we all make every day. Not quite cautious enough, not quite careful or suspicious enough, and it's game over. It's stories like these that have me paying cash rather than electronic POS whenever I can.

If you haven't already read this one: sophisticated criminals ripped off the central bank of Bangladesh, breaching its systems and then sending requests for money transfer to the US Fed, where Bangladesh Bank had billions stored. Several transfers took place, only for the whole thing to come crashing to a halt when someone misspelled the word Foundation as Fandation on one of the request forms. If that request had gone through, the gang - and given the level of preparation it probably was a gang - would have made off with at least a billion, and probably more, since there's no reason to think they would have stopped until Bangladesh's accounts were empty. An IT expert who publicly voiced suspicion that apathetic bank officials had, at the very least, contributed to the caper through their negligence has gone missing. The bank's governor resigned; apparently his employees failed to tell him what had happened, and he only found out about the heist when it hit the papers. Though the bank has said it expects to recover some of the money, it seems likely that the bandits will make a clean getaway. Most of it went to casinos in the Philippines, presumably so it could be efficiently laundered, and as a consequence the Philippines may once again be blacklisted by the Money Laundering Task Force. This is all the more important for the Philippines because there are elections coming in May; this kind of news is the last thing the ruling Liberal party needs. At least $30 million in cash ended up in the hands of an ethnic Chinese in Manila, but as for the rest, it could be anywhere.

So what does this story tell us about what it takes to be a hacker in Night's Black Agents?

To begin with, as discussed in last week's post on black baggers, you have to know a lot about human nature and how organizations work. Whoever did this had to know how Bangladesh Bank operated. They probably studied the habits of bank employees for some time before making a move, both in the real world and via keylogger virus or similar on their work machines. They knew when to strike, and how, for maximum impact.

This has been the case since time immemorial, which in computer terms goes back all the way to last week Tuesday. I have on my bookshelf Secrets of a Super Hacker by someone writing under the pseudonym Knightmare. It's hopelessly out of date from a technical perspective - if ever I want to know how to cut up an 8 inch floppy, Knightmare has me covered - but its lessons on interpersonal interaction and information finding are still very relevant. One chapter's devoted to social engineering, another to reverse social engineering, and he spends a remarkable amount of time discussing the joys of dumpster diving and how information found in the trash can help you pillage companies' accounts.

Speaking of, I wonder what Bangladesh Bank did with its trash. Even today banks generate so much paper, reams of physical data. You'd like to think it was all shredded, pulped or otherwise rendered unreadable. But maybe not; after all, Kaspersky Lab has a very beautiful interactive map that claims Bangladesh is, at time of writing, the 41st most attacked country in the world. These things don't happen by chance. That same map says Russia is #1 - not an award to be proud of, hope those nuclear silos are doing just fine - Vietnam is #3, the US is #2, and most of Europe seems to be hovering in the 10s and 20s. Apart from Norway, Sweden and Finland, which are #133, #87 and #149. Come on, guys, Finland's not that bad. I know some great Finns. Don't be shy. Bear in mind this is real time data, so by the time you read this everything will have changed, with the possible exception of the top 2.

Incidentally, Kaspersky, I notice Bermuda doesn't even feature on the map. Way to hurt my feelings, fellas.

So we're looking at Bureaucracy, Human Terrain, and probably Reassurance to reflect social engineering, and Urban Survival for those dumpster diving expeditions. The hacker is an urban animal; no hiking through the piney woods and living off fresh-caught fish or beef jerky for this bunch. A decent Infiltration pool might also be helpful, for breaking into installations and making off with the contents of the shredder. With enough dedication almost anything can be pieced back together. It isn't about whether it can be done, but rather whether it's worth the effort. Research is a must, as is Traffic Analysis. Depending on whether or not the hacker makes a dishonest crust by, say, fleecing banks in Bangladesh, or catching those who do, points in Streetwise or Criminology might be in order.

While the hacker is probably the least athletically inclined of all the Night's Black Agents types, it would be a very foolish player who didn't put some points in self-defense. However, pools in Mechanics and Surveillance are more likely. You're the one who watches, not the one who goes in with a cosh and a black bag.

With all that in mind, consider this example:

Kayo

One sentence: Former Nollywood actor and con artist shooting for the big leagues.

Investigative: Accounting 1, Bureaucracy 1, Bullshit Detector 3, Cryptography 1, Data Recovery 2, Electronic Surveillance 2, Human Terrain 2, High Society 1, Research 1, Traffic Analysis 1, Reassurance 2, Languages 2, Streetwise 1, Urban Survival 1

General: Athletics 8, Cover 10, Digital Intrusion 15, Disguise 6, Health 8, Infiltration 10, Mechanics 4, Network 15, Shooting 8 (base 14, with special weapons training), Stability 7, Surveillance 5, Sense Trouble 1.

MOS: Digital Intrusion (silly not to, really).

Cherries: Athletics (Parkour), Digital Intrusion (cracker's cryptid), Infiltration (open sesame), with special weapons training in the AK47. I picture this as an actor's conceit, for when Kayo decides to relive his glory days in Mafia Soldiers or the like.

As has become traditional, let's end this with a scenario seed:

A not for profit has announced a competition, the Shreddathon Challenge, to see who can be the first to piece together five sets of shredded documents, with $50,000 going to the winner. One team, the Hatfall Brigade, was coming very close to this goal with its specially designed computer program, but just as the final pieces were coming together three of the five programmers were brutally murdered, and the program was stolen. Shortly afterward the hacking community discovers that the not for profit hosting the challenge only ever existed in cyberspace; its backers have disappeared. What happened to the team, and what was the Shreddathon Challenge really all about?
