Schneier on Security
July 17, 2006
Paris Bank Hack at Center of National Scandal
From Wired News:
Among the falsified evidence produced by the conspirators before the fraud unraveled were confidential bank records originating with the Clearstream bank in Luxembourg, which were expertly modified to make it appear that some French politicians had secretly established offshore bank accounts to receive bribes. The falsified records were then sent to investigators, with enough authentic account information left in to make them appear credible.
Posted on July 17, 2006 at 6:42 AM
Just a precision. It is not yet clear whether there was a bank hack in the first place. The guy that produced the first version of the file was an auditor of the firm.
He worked at Clearstream as a member of a team of external auditors which was mandated by the Luxembourg government, in response to a book already alleging wrongdoings in Clearstream.
As an auditor, he certainly had legitimate access to confidential data during his mission without having to "hack" anything. Several sources do indicate that he got the files from his own work files during that mission.
Unless you define hacking as copying files which you have access to, the title of the blog entry is a bit out of place.
The only "real issues" in terms of security are how to deal with people spreading information they legitimately have access to and how to spot "falsified" electronic records.
Perhaps the "Paris Bank Hack" is the auditor... "Hack" here meaning "a mediocre and disdained writer".
I'm afraid I can't agree with you, completely. It always feels like another small piece of our dignity is chipped away each time the media uses the term "Hacker" with an evildoer connotation. I consider myself a true "hacker" in the traditional senses like Ham Radio, electronics, programming and golf :) . So, on that count, I would prefer to not see the term "hacker" used in the title the way it is. Oh, well.
However, even though the guy had inside access, how did he get there? A little Social engineering, even if it wasn't in his thoughts at the time he did it. What did he do that was "nefarious" with his access? He cleverly crafted falsified records and intermixed them with legitimate ones.
That all sounds like "hacking" to me. What he didn't have to do was "crack" into the system, which is why I think choosing between the terms "Hack" and "Crack" for the title of this article would be tougher, unless the general media would use the two correctly. In that case, it's definitely, "Hack".
It all depends on your definition of hacking. I agree that all of the above can be classified as "hacking"; however, we are not sure exactly what went on in this grand scenario so it's hard to completely classify this incident.
Protecting personal assets from ID theft is one of the most difficult tasks these days so we need to learn how to protect our personal financial information better.
The "essentialsecurity" site has a designed for XP image on it. THAT is too damned funny, essential security and designed for XP all with one mouse click!
I don't really see that as a problem. Unless they've got gold reserves they are systematically engaged in fraudulent counterfeiting just like every other non-gold-backed government bank.
Why is it a crime for a hacker to take money for himself through his (immoral) labor, but OK for a government institution to be openly engaged in fraud by creating money out of thin air?
There is no good answer other than it's legal for a public institution to commit fraud, and everyone close to the new fiat money (gov, contractors, commercial banks) fully endorses it.
This is a REAL security challenge. Not like some of the ridiculous, politicised, movie plot rubbish we see good money spent on.
Like the Greek Vodafone example an insider was a key part of the subversion.
This kind of attack vector is getting larger all the time, because of the way business is growing inter-connected at a network level.
All the tools in the world are no substitute for well trained staff and well thought out procedures for checking.
Greed burns eternal in the human breast.
God, let the hack vs crack semantic debate go already. It's 2006, not 1986, the battle is long lost.
Let's also let the gold bugs shuffle off this mortal coil. Seriously, what's so magic about some yellow metal that makes it an absolute, immutable store of value? The gold standard is only as good as the politicians that define it, and gold's value will be redefined by the politicians when it suits their needs.
There is no absolute store of value. Period.
Captain Ned, the gold standard is not defined by politicians. There is an actual market in gold - despite the disproportionate amount still held by governments.
The gold is typically confiscated by politicians whenever necessary. Fiat currency under fractional reserve banking is a fraudulent hidden tax, and is the cause of the boom & bust cycle.
This mechanism is critical for political control.
You are correct there is no absolute store of value other than what free individuals choose to be a store of money. Private gold and silver minting has been around for at least 3000 years and has been the most popular way to gauge store of value.
"Seriously, what's so magic about some yellow metal that makes it an absolute, immutable store of value."
Durable, divisible, and can be measured by weight. It always emerged spontaneously as the free-market money of choice, reappearing now and again as oppressive regimes collapsed.
It takes effort to extract it and there is a limited mineable supply. Therefore some inflation is possible, but this inflation is nothing more than the demand-for-money curve shifted to the right.
Paper and digital currency however is not scarce (to the same extent) and can be inflated whenever it is necessary, for example to engage in wars or to institute ridiculously expensive social (anti-social) programs. The only real restraint you have is not to commit more fraud than your trading nations.
Fiat currency does not exist for your convenience, but rather that of your exploiters.
> However, even though the guy had inside access, how did he get there? A little Social engineering, even if it wasn't in his thoughts at the time he did it
He got his access because he was hired by Clearstream to do an audit on them. External auditors are usually hired by the company they are supposed to audit.
No social engineering there, just normal business relations.
> He cleverly crafted falsified records and intermixed them with legitimate ones.
The guy that got the initial file out of Clearstream did not craft it. That was done by others.
> That all sounds like "hacking" to me
If you define hacking as inserting names in an EXCEL file then it is hacking.
IMVHO I'd categorize it more just under falsifying records. The guy that crafted the record did not program anything, he did not change parameters, he just input information in a file.
All in all, there was theft of confidential electronic data and falsifying of electronic records, but there was no hacking involved unless doing those things with a computer qualifies as hacking.
@quincunx Money is IOUs.
You do work for someone, they incur a debt to you. They pay you using a bunch of IOUs which they happen to have gotten from other people.
When you want to buy something, you give the IOUs to the person you are buying from, and if it is acceptable to them they give you goods.
The debt your employer incurred to you is now paid, because you have real physical goods in your hand.
This may sound crazy, except of course money actually *is* IOUs.
Issuing banks issue money backed by combinations mostly of treasury bonds (IOUs issued by the government), member bank deposits (IOUs issued by member banks to their depositors), foreign currencies (ditto but foreign governments and banks) and gold.
If the bank wants to issue more or less money it does so in the market by changing the interest rate at which it lends to member banks. They will then repay loans or take out more loans, reducing or increasing the money supply, which is the same thing. Alternatively it might buy treasury bonds, releasing cash to the seller and thereby into the market, or sell treasury bonds to do the reverse. Of course treasury bonds are backed by future tax revenues, which is to say, the forcible confiscation of property.
Money, like any IOU, is only worth what the word of the issuer is worth. When a bank issues IOUs without getting something of value in return (like gold or a treasury bond) they break their word, and that is what breaks the system.
But the Federal Reserve doesn't do that. It's not all backed by Gold, but it's all backed by something.
US Treasury bills are backed by the US GDP, at least in consideration of international currency markets. In a sense, all dollar-denominated assets require dollars to buy, so could be considered part of the GDP for the purposes of the dollar valuation. Interestingly, Iraq broke with tradition and started pricing its oil in Euros a bit before the invasion, and benefitted a great deal by doing so due to the strong Euro vis-a-vis the dollar.
> money actually *is* IOUs.
This is not true. The bank notes are IOUs. The money isn't. The money is a *present* good, not a future obligation (which carries risk of not being honored).
Needless to say, all modern paper and electronic notes are not money. This is very amply demonstrated by the fact that these notes lose value completely from time to time in different countries. (The US was lucky in this respect, but the present shape of government finances means that the ability of the US government to deliver on their IOUs is more than a little suspect and grows more so every day.)
Gold and other commodity money cannot lose value, and carry no risk. They are not IOUs.
There's a good and concise book explaining the nature of various kinds of money, and the history and present structure of the modern monetary systems: http://www.mises.org/money.asp
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.