Formerly: http://www.math.org.il/post-office.html

The Israeli Post Office Break-In

by Gadi Evron (ge@linuxbox.org), Senior security and virus researcher, eSafe, Aladdin Knowledge Systems. 11th of January, 2004.

Last week a story came to life in Israeli news about a computer heist in a Haifa branch of the Israeli Postal Service, in which 56 thousand Shekels (a sum equal to about 13 thousand US Dollars) were successfully stolen using a wireless networking device planted in a computer rack and hooked into the local computer network.

About a month ago, a break-in was reported in a branch of the Israeli Postal Service (which is also a small bank in Israel) in the city of Haifa. Israeli Police detectives hurried to the scene, yet could find nothing missing or out of place. It is reported that last week (roughly 3 weeks after the incident) the Israeli Postal Service noticed large withdrawals of money from newly opened accounts, all originating from the Haifa branch. According to the Postal Service, this was detected by auditing abnormal transfers of money, a known technique used for fighting financial fraud. Postal Service personnel hurried to the branch, and upon further investigation the unauthorized device was discovered.

Reports claim the scam took place as follows:

1. The break-in, installing the wireless gateway/entry point.
2. "Dispensable mob soldiers" (as termed by the Police) of what the Police believe to be a vast and sophisticated crime gang opened legitimate new accounts at the Postal Service bank.
3. A person, supposedly using a laptop at a distance of a few hundred meters, gained access to the Postal Service bank computer systems and initiated money transfers, illegally moving money into the newly opened accounts.
4. The perpetrators then attempted to withdraw the funds from the new accounts, which led to the arrest of four suspects.
The suspects have yet to cooperate with the authorities, who are trying to locate the "brains" as well as the "hacker" behind the operation. An Israeli Police official was quoted saying "This computer crime takes us to year 3000."

The hack itself could have been performed in many different ways: accessing different computers, sniffing and reconstructing traffic, etc. Personally, I believe some inside information was used rather than pure network research.

If we are to believe how this scam was "busted", namely that financial auditing raised the alarm, we can presume that the legit-looking wireless networking device connected to the switch in the Postal Service branch would have gone undetected for a long time still. Had the perpetrators not gone ahead and withdrawn large sums of money, using statistical techniques to guide their actions instead, the heist would probably have been long over by the time the wireless networking device was found.

On the conspiratorial side, it is quite possible the scam was detected by other means. With four suspects in custody, and rumors of quite a few people involved, one can speculate that someone within the crime ring might have talked. It is also possible that somebody actually noticed the legit-looking network hardware, or that the police were already investigating this group when they came across this latest crime. I guess we won't find out until the case reaches a court of law.

If this wireless networking device, which simply "appeared", had no reason to look suspicious in a computer rack that is virtually never opened, one would have to speculate that the crime did not warrant a less "alarming" or "better hidden" device. This is a case of the right tool for the right job, with the correct amount of resources (cost vs. benefits, or risk vs. gain) invested in the illegal endeavor.
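The article says the fraud surfaced through auditing of abnormal transfers, and that withdrawals which tracked the statistical norm might have gone unnoticed. As an added illustration of what such an audit rule looks like (this is not code from the article, the Postal Service or any bank; the record layout, field names, thresholds and the sample transactions are all constructed assumptions), the following Python applies two checks to a transaction ledger: a robust outlier test on withdrawal amounts, and a test for newly opened accounts that are funded by inbound transfers and then drained.

```python
"""Audit rule for abnormal transfers out of newly opened accounts.

Added example, not code from the article or from any institution it
describes. Record format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Transaction:
    account: str
    opened: date        # date the account was opened
    posted: date        # date the transaction posted
    kind: str           # "deposit" (cash at the counter), "transfer_in", "withdrawal"
    amount_nis: int


@dataclass(frozen=True)
class Alert:
    account: str
    posted: date
    amount_nis: int
    rule: str


def robust_cutoff(values, k=3.0):
    """Median + k scaled MADs. A handful of huge fraudulent amounts barely
    moves this cutoff, unlike a mean/standard-deviation threshold."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * 1.4826 * mad   # 1.4826 scales MAD to sigma for normal data


def audit(transactions, new_account_days=30, k=3.0, outflow_ratio=0.5):
    """Return alerts for (a) withdrawals far above the branch norm and
    (b) young accounts funded by inbound transfers and quickly drained."""
    withdrawals = [t for t in transactions if t.kind == "withdrawal"]
    if not withdrawals:
        return []
    cutoff = robust_cutoff([t.amount_nis for t in withdrawals], k)

    # Total inbound transfers per account (cash deposits deliberately excluded:
    # the case pattern is accounts filled by transfers, not by the owner's cash).
    inbound = defaultdict(int)
    for t in transactions:
        if t.kind == "transfer_in":
            inbound[t.account] += t.amount_nis

    alerts = []
    for t in withdrawals:
        if t.amount_nis > cutoff:
            alerts.append(Alert(t.account, t.posted, t.amount_nis, "large_withdrawal"))
        is_new = (t.posted - t.opened).days <= new_account_days
        if is_new and inbound[t.account] > 0 and t.amount_nis >= outflow_ratio * inbound[t.account]:
            alerts.append(Alert(t.account, t.posted, t.amount_nis, "new_account_transfer_outflow"))
    return alerts


# Constructed sample ledger: ten long-standing accounts with ordinary activity,
# two young accounts funded by transfers and drained, one young account funded
# by a cash deposit with a small withdrawal (should not be flagged).
OLD = date(1999, 5, 3)
SAMPLE = [
    Transaction(f"OLD-{i}", OLD, date(2004, 1, 5), "withdrawal", amt)
    for i, amt in enumerate([200, 350, 500, 800, 1200, 150, 400, 600, 900, 300])
] + [
    Transaction("NEW-1", date(2003, 12, 20), date(2004, 1, 5), "transfer_in", 20000),
    Transaction("NEW-1", date(2003, 12, 20), date(2004, 1, 7), "withdrawal", 18000),
    Transaction("NEW-2", date(2003, 12, 22), date(2004, 1, 6), "transfer_in", 15000),
    Transaction("NEW-2", date(2003, 12, 22), date(2004, 1, 8), "withdrawal", 9000),
    Transaction("NEW-3", date(2003, 12, 28), date(2004, 1, 2), "deposit", 1500),
    Transaction("NEW-3", date(2003, 12, 28), date(2004, 1, 9), "withdrawal", 300),
]


def sample_alerts():
    return audit(SAMPLE)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.posted} {a.account:6} {a.amount_nis:>7} NIS  {a.rule}")
```

Both rules fire on the two constructed mule accounts and neither fires on the legitimately funded young account; the cutoff here lands around 1,834 NIS, so the 1,200 NIS withdrawal from an old account passes. Tuning `outflow_ratio` and `new_account_days` is what decides how much a perpetrator would have to "use statistical techniques" to stay under the radar.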
The failing point of the operation, in my personal opinion, is the lack of knowledge of the statistical, financial and auditing systems needed to pull the operation through undetected.

Furthermore, this crime provides us with a hint as to more advanced and sophisticated computer crimes and frauds taking place around the world, which are probably better executed, for the very simple reason that we do not hear about them. Two such crimes that were recently reported were the theft of servers holding face recognition counter-terrorism information from an Australian airport, and industrial espionage in which a person unwisely emailed an entire credit company a Trojan horse. This story makes me wonder what else happens that we never hear about.

---------------------------------------------------------------------------------------------------------------------------------

There was a follow-up article posted on the 24th of January, 2004. It was at: http://www.math.org.il/post-office2.html.
Social Engineering and Physical Security Concerns in Financial Institutions Following the Israeli Bank Hack

by Gadi Evron (ge@linuxbox.org), Information security consultant. 24th of January, 2004.

This follow-up article conveys the facts of the Israeli Postal Service heist incident in December, 2003, in which an unknown party successfully stole NIS 56,000 (approximately USD 13,000) through off-the-shelf wireless networking hardware. The original article can be found at http://www.math.org.il/post-office.html.
Some additional details have been released: Israeli Police arrested a suspect accused of being the "hacker" behind the operation, David Sternberg. Mr Sternberg was previously arrested in December, 2003 by Israeli Police, with the assistance of the FBI, for allegedly stealing 80,000 credit card numbers.

As mentioned in the previous article, the "smart" hack performed here shows that more sophisticated hacks can occur which we do not hear about. The device placed in a Haifa branch of the Israeli Postal Service is a perfect example of two major issues in organizational security today: user education and social engineering. It is reasonable to assume the device would have remained undisturbed and undetected for a very long time had the fraud not been found by statistical auditing techniques.

These two security issues are to a degree one and the same, cause and effect. An organization cannot be secure unless its users know how to handle suspicious email messages and attachments. Likewise, an organization cannot trust that information is secured if users may be tricked into providing it over the phone or by throwing official documents into the waste basket. The human element of security must not be ignored. It is clear that part of the answer is in investing more resources to educate users, but as the saying goes, "easier said than done".

Let's examine the physical security aspect of this hack: physical security should account for at least half of the items in an organization's information security budget. Spending time and money purchasing, deploying and maintaining firewalls, IDS systems and so forth is useless if employees come to work one day only to find the hard drives missing from their computers. It is important to note that physical security breaches by social engineering techniques, as seen in this case, confront us with a very difficult truth: most of us still do not take physical security as a serious enough threat.
It is difficult to evaluate the security of financial institutions beyond educated guesses, because we usually do not hear about their failings, but it would seem many of them do not yet take these issues as seriously as they should. Although it can be difficult, not to mention illegal, not to report fraud and theft to regulatory and law enforcement agencies, some banks might prefer to keep their dirty laundry in-house and cover the losses themselves rather than go public with information about their security breaches or pursue legal options.

A data security officer at a major Midwestern bank relayed the following story to me after reading my original article. Concerned with the threat portrayed in the article, they decided to play a game of cat-and-mouse: "[We] placed a WAP (wireless access point) in plain sight on one floor of the bank with instructions on the bottom to call data security [...] to test people's reaction to seeing new and strange stuff sitting around." "So far no one has called."

I believe that covers it. We have seen an example of a "smarter" hack and it can serve as a warning to us all. There is a lot yet to be done, but I believe we are on the right track.

Gadi Evron

NOTE: Due to growing information security concerns there has been discussion of starting a secure information exchange for data security officers, researchers and investigators in banks and financial institutions to share information and data on upcoming threats. Interested parties can contact me at ge@linuxbox.org.