I've learned to be skeptical when I see law enforcement praising the l337 skillz of their targets.
> “This guy is in another league, he’s like Rafa Nadal
> playing tennis,” Yuste says. “There are few people in
> the world capable of doing what he did.”
It sounds really cool (and budget-justifying) to be chasing some mastermind, and a journalist is likely to pump up that aspect of the story too, because they know we're reading it to be entertained: for there to be suspense, to enjoy the frisson of a "victimless" crime requiring ingenuity, like Ocean's 11.
Then you find out later it's just a python script probing for default passwords, or someone who learned some of nmap's command-line switches.
Yeah; I also have the general impression (admittedly without much data to support it) that IT security at banks and other gargantuan, long-lived institutions is pretty crappy? I would think it's easy to get in, and hard to not get caught.
Anecdotally, I have a friend who briefly worked at a company which exclusively makes software for financial institutions. Their product was a web app that only worked in a version of Internet Explorer so old, it didn't support Ajax. Asynchronous requests were made by changing the src attribute of a 1px <iframe>.
It's a valid concern, but I'm not so sure in this case. Spear phishing is a skilled art, and requires relatively significant knowledge of the target and their domain. Sure, the rest is essentially a stackoverflow post away, but it requires real determination to research this kind of attack and real skill to carry it out and see it through to millions in cash popping from ATMs in foreign countries. Just the people management alone is impressive.
And finally, I don't think stackoverflow covers ATM maintenance procedures yet. These guys weren't kiddies.
That particular quote concerned Katana's ability to move money between banks, not his "hacking" prowess. In fact, the article even refers to their methods as "classic spear-phishing", implying there wasn't anything special behind their methods.
This is a problem with pretty much all media stories. There's money to be made making things seem dramatic and spectacular and out of the ordinary... when most things just aren't.
The fact they supposedly recovered 15k Bitcoins tells me he wasn't sophisticated enough to secure his private key sufficiently. If he had memorized a BIP39 mnemonic for his private key we wouldn't be reading about $162 million worth getting seized. Brain wallets are pretty tough to crack.
> Someone had sent emails to the bank’s employees with Microsoft Word attachments, purporting to be from suppliers such as ATM manufacturers. It was a classic spear-phishing gambit.
Microsoft Windows + Outlook Email + Attached Word document = the Drake equation for internet security. No matter how secure each of these things is individually, when added together infection becomes inevitable.
Why does Outlook have to pass such documents to Word? Why does Word have to open and run macros so willingly? Why does Windows allow Word to talk to the internet so easily? I just don't understand the use case these links are meant to address. Are there really so many people out there installing software via links inside Word documents? That this has to be a seamless user experience? There are so many opportunities to limit such infections. Why do we still tolerate this?
This is the real question. The thieves are just a symptom of the real infection: terrible, insecure client software. I'm not sure what the solution is but I am pretty sure it involves Microsoft having skin in the game somehow.
Microsoft Office was years ahead of the Open Web / JavaScript in providing all the convenience and security of remote code execution at the request of arbitrary untrusted third-party systems.
We want Outlook to open our attachments without having to explicitly choose the program.
We want Word to have those advanced macro features.
We want Word to have hyperlinks to things on the internet.
We want to be able to install things downloaded from the internet.
In isolation, each of those things is desirable to some segment of the userbase. It just so happens that the chain basically allows you to install a program from an email attachment.
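A defender's check for the Word-macro link in that chain (the macro questions a few comments up and the second item in the list above), added here as an example and not taken from any comment in this thread. It assumes Office 2016/2019/365 (policy key version "16.0"), Windows and PowerShell 5 or later; the policy names are the real Group Policy-backed values for Word's Trust Center.

```powershell
# Added example (not from this thread): audit the Group Policy-backed Word macro
# settings that decide whether a macro in an e-mailed .doc/.docm actually runs.
# Assumes Office 2016/2019/365 (version key "16.0") and PowerShell 5+ on Windows.

$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

# Meaning of the VBAWarnings policy value (Trust Center "Macro Settings").
$vbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (one click re-enables them)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-WordMacroPosture {
    $vba  = (Get-ItemProperty -Path $policyKey -Name VBAWarnings `
                -ErrorAction SilentlyContinue).VBAWarnings
    $motw = (Get-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet `
                -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet

    [pscustomobject]@{
        VBAWarnings         = if ($null -eq $vba) { 'not set (user-controlled)' }
                              else { "$vba - $($vbaMeaning[[int]$vba])" }
        BlockInternetMacros = if ($motw -eq 1) { 'enabled' } else { 'not enforced' }
        # The attachment-to-install chain is cut when both hold: macros in files
        # carrying the Mark of the Web (mail attachments, downloads) are blocked,
        # and the user cannot re-enable macros with a single click.
        Hardened            = ($motw -eq 1) -and ($vba -in @(3, 4))
    }
}

# Enforce the hardened setting for the current user. In a managed domain the
# same two values are delivered by Group Policy instead of being set locally.
function Set-WordMacroHardened {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name VBAWarnings -Value 3 -Type DWord
    Set-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
}

Get-WordMacroPosture | Format-List
```

Run the audit first; on an unmanaged workstation both values are typically absent, which leaves the decision to the user and the yellow "Enable Content" bar.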
The article doesn't really go into the thieves' backgrounds at all strangely enough. How did Katana end up in the bank heist business? How did he acquire the skills to turn making fake bank transactions into an "art"? I always wonder about the kind of person who ends up in these criminal dealings and where they come from.
He probably worked for a bank. Lots of smart people learn the "loopholes" of their trades.
My mom worked at a car dealership and realized that you could steal a car from them and it would be upwards of a year before they figured it out, since that's when they did inventory. Back then, the keys were all kept in marginally secured cases.
People are always shocked at the stupid mistakes that big criminal masterminds make.
Like the Silk Road guy, "how could he possibly ask on stack overflow using his real name".
And so on.
There are ten thousand different mistakes that you can make, and you need to guard against all of them. And against whatever unknown tech exists.
In this story, that dropped bank card turns out to not be that significant. The real breakthrough was identifying another mule through the video surveillance videos, following him to the airport and putting surveillance on the lockers used to store the cash.
He was also emptying ATMs apparently with witnesses behind him. This is like a bad movie. One of those witnesses might as well be an off-duty cop who could just pull out his gun right there.
It sounded like it was one of the "mules" who dropped the card. Probably just some random guys hired cheaply so those in charge didn't have to go out in person; they probably weren't necessarily smart or careful.
Nowadays everything runs on SaaS, so why are banks and other institutions letting key people use MS Windows and Outlook in the first place? Don't you reduce your risk by like 90% by using Linux clients instead?
ur-whale | 7 years ago
I suspect this is actually a Bitcoin mining farm:
In goes dirty money, to buy mining hardware in bulk.
Out comes fresh, never-transacted-with Bitcoin block rewards.
It is fairly hard for authorities to trace the wash: in Bitcoin land, block rewards are the least-tainted kind of coins.
freeloop10 | 7 years ago
Also, the most anonymous.
_bxg1 | 7 years ago
This was in 2015.
MR4D | 7 years ago
I'm sure even a random sample would cause a huge reduction in these inflated "master hacker" claims.
It seems that if you can have a few people rationally explain to a jury what the accused did, the crimes would seem much less diabolical.
eumoria | 7 years ago
What's the bank card for if they just stood there and it spit money out in a timed fashion?
professorTuring | 7 years ago
- You have to be lucky every time to continue free... I only have to be lucky once to catch you.
wazoox | 7 years ago
https://books.google.fr/books/about/Stealing_the_Network.htm...