The Goat Tree
Jan 4, 2017

Introducing the “WE WUZ HACKED” Business Strategy

2017 the year of the ATM hack

So here it is, a New Year. I spent some time reflecting on the InfoSec and Financial Security events of the year, and the more I reflect the more annoyed I become, not with the current InfoSec/FinSec industry, not even the cyber criminals, but rather the “victim”. Cyber Security and its philosophy quietly took a radically different direction in the third quarter of 2016. Introducing

The WE WUZ HACKED STRATEGY

or

IF YOU CAN’T BEAT THEM MONETIZE THEM.

Why bother with Fin-Sec? Fin-Sec is so boring, expensive and hard! Especially when you can now legally institutionalize and monetise cyber attacks for fun, profit and endless lead-on revenue!

This new strategy is one of those “thou shalt not speak of” subjects in the FinSec industry, a new concept, currently in various forms of refinement. No, this is not a joke; unfortunately I no longer care, so I will speak of the strategy! (You will understand at the end of this story.)

Late summer we noticed a new technique for jackpotting Automatic Teller Machines, as did other industry pros. It was clear Dyre/Dyre-type mods could become a digital beast… AGAIN!

As seen in this initial demo video, released very early in the exploit cycle.

The exploit (dual exploits) works together or independently, and has gained more sophistication, organization & momentum since the industry was notified in August/September. After some refinement it was ready to deploy, & money mule recruitment has gone from the shadows out into the open.

Many more exist (if you know the code words): go to YouTube and search “ATM hacks 2016/2017”. You too can be a money mule or scammed! Controllers get $ up front with no risk; in return money mules get all the risk & potential jail time. So proceed at your own peril!

We did our preliminary threat assessments, forwarded them to our PoCs (Points of Contact) and were notified of a conference call. During the conference call strange things were being asked, not really related to cyber Fin-Sec, intel gathering or PenTesting questions. Instead the client reps were asking for numbers, data to crunch and plug into their “analytics”: potential damage, loss risk factors and a dozen other variables vs cost analysis, tax credits and pass-through benefits, to determine how to address the issue.

Uh??? We are your cyber-sec contractor notifying you of a threat that has not yet occurred! Not auditors, insurance actuaries or soothsayers peering into a crystal ball. How are we supposed to know if there will be 1 or 10,000 attacks, or if any at all will occur?

A few days later we captured codes (which will not be shown). Another contact to the PoC, another conference call, and it was decided that we would conduct emergency field PenTesting… 2 PenTests to be exact.

1. Being the average garden-variety clueless YouTube-style money mule, who could clearly be identified and easily caught,
2. Being our James Bond Black Hat of Doom package.

The end result: both field tests went unnoticed and netted enough cash to concern any client. Another conference call, and once again the client becomes concerned about the threat by obsessing over projection figures and the data input into the risk modeling… As the call was about to end, we had to ask a stupid question: “where do you want the cash returned?” The answer was almost an afterthought: “oh yeah, that… we will make arrangements”.

Later in the day we were told we were needed to make a presentation at an emergency “conference” @ their campus. A rushed presentation was organized, followed by an equally rushed travel day. That morning the presentation was made, with disclosures along with additional threat assessments, data and intel, followed by an extensive Q&A session before breaking for lunch.

As we broke for lunch, more strange things began occurring. On the way out, in the hallway, a young IT guy was having an extremely heated argument with two older gentlemen… one the CISO (whom I recognized) and the other I did not recognize. The CISO had balled up his fist and looked like he was going to punch the younger man. Not the typical type of behavior you expect to see at a multi-billion-dollar company conference. But from the initial notification of this exploit, not much else had made sense from the Fin-Sec standpoint… so why should brawls in the hall be all that surprising?

After lunch the meeting reconvened. The afternoon session was headed by the financial risk department and the CISO. The entire afternoon presentation was based on the “economic risks”, the budgeting of benefits vs corrective costs and the EXPECTED POSITIVE OUTCOME from this exploit. Expected positive outcome?

Ummm? Earlier we demo’ed that we easily took 5 figures of your cash from your ATMs; there is nothing positive about taking unaccounted cash from your ATMs?
The first glimpses of the “We Wuz Hacked Business Strategy” were starting to show themselves. I literally could not get my mind around what I was hearing or seeing.

As the meeting broke up we were thanked for bringing this to their attention, good job, keep up the good work, blah blah blah… On the way out I saw the young man from the earlier brawl in the hall waiting at the exit; he asked if we could meet and talk over dinner. I accepted out of curiosity, if not for any other reason.

Over dinner I learned he was a former Black Hat who had been busted and flipped, by being given a choice: criminal charges, or accept a six-figure salary and a job title from his “victim” (not a hard choice for him). The institution hired him for IT Security; in his words, he “did nothing and was held hostage to a long-term Non-Disclosure, Non-Compete Contract”. He said over and over, “it’s all a big scam, scammers scamming scammers, they don’t care about security sh*t.” Needless to say I was disbelieving, uncomfortable and regretting meeting him for dinner. I suppose my thoughts were obvious; he said “see for yourself”, passed me a website written down on a napkin and left.

Later, reading over the documents on the red-eye flight home, I was disbelieving of what I was reading (it would not have been the first time we had been given disinformation to distract us), choosing to remain skeptical and take an objective wait-and-see approach regarding what I had read. I did not have to wait long before noticing the trend and variants of the “We Wuz Hacked” strategy being deployed via industry news and other media outlets.

So what is the “We wuz hacked” strategy?

The simplified basics (I am being intentionally vague & not 100% “accurate” for a reason!), so feel free to speculate!

Any losses/potential losses due to criminal cyber activity are run through a scalable threat economics projection/threat remediation model, contingent on the parameters input by the users and set for internal thresholds, based on threat levels 0 through 5.

Level 0 gets minimal attention: let’s say losses of less than $1,000,000 will not be disclosed to the public, and the losses will be booked as “R&D” or write-downs in GAAP-approved methods for tax credits, or if possible as “Consultancy fees”; it is highly unlikely any proactive security actions will be taken.

The general theme from level 0 through 2 or 3 is a cookie-cutter template response guide.

MY TRANSLATION: If the cyber criminal is dumb to the bone and holding a “catch me” sign (like YouTube recruits), they are considered apprehension opportunities (cannon fodder) for a high-profile public display of the full weight of the judicial system, and a PR department gold mine: the YouTube-level crim gets a high-profile prosecution as an example for all the world to see how good their “Internal Security” is. If you catch only one of the cyber criminals, the master cyber criminal has been caught; if you catch more than one, you have caught the “ring of cyber crims”, even if they are operating independently of one another. Public prosecution has minimal cost or downside to the institution, and the public pays the bulk of the expenses; the institution has nothing but upside and positive public imagery. But internally minimal effort or no effort will be applied toward financial security. Small events are compiled until a certain predetermined economic threshold for tax credits or “user fee adjustments” is reached.

Level 1: for instance, the criminal ops exceed a $2,000,000 threshold, which triggers the following. White papers and “solution expense reports” are written on IT/InfoSec options, theories, preventive actions and maybe even “conference presentations”. It’s all CYA for official investigators: an “investigation” with no real solution or public disclosure of the ops.

Level 2 is where things start getting interesting. Let’s say the crim ops’ net exceeds $3,000,000; it’s highly possible the InfoSec world notices it and various industry media start covering the “new threat”. For instance, this example of a level 2 event, from a non-US bank, gives us a glimpse of the strategy.

http://www.bbc.com/news/technology-37974776

Note the quote: “And a second cybersecurity company said it had warned Tesco of problems with several of its mobile apps four months ago, but had been ignored.”

The victim company was forced to publicly address the problem by a cybersecurity company. Uh oh… another Fin-Sec company is not happy with their new role in the “We wuz hacked strategy” and forced the “victim” to deploy the scripted boilerplate statement:

A spokesman for Tesco Bank said that “none of our systems were breached” and no personal data had been lost, but would not comment further.

No need to comment further, because the extremely critical statement of reassurance has been given to the customers: “no personal data was lost”. This statement is all true and intended to convey the message… move along, nothing to see here.

Behind the scenes? Maybe the problem has been corrected? Maybe not? It depends on their internal budgets and policy; for instance, if they have a $2,500,000 loss it may trigger a low-level El Cheapo economical fix…
For instance, at our own “client conference” we were asked about a MINIMAL cost “solution”. The only MINIMAL COST SOLUTION I could think of was to go to the local dollar store, buy all their super glue and super glue the connections together so they cannot be unplugged without a little effort. (Admittedly I am not proud of that FinSec solution!)

Levels 3 and 4 continue along the same public and behind-the-scenes theme… internal numbers being compiled and scaled up, with more “proactive aggressive public narratives deployed” and more determined apprehension of “suspects”. Congrats, billion-$ institution! You may get lucky & catch a low-level YouTube money mule type? But not directly address or resolve the exploit? Maybe they will or maybe not?

Basically the level 0 through 4 end solutions are farming tax credits and cannon-fodder money mules. But the real goose laying the golden eggs will follow months later, with “permanent user fee” increases for the customers. A $1,000,000 loss could be the justification for the “fee increase” that has the potential of generating $10,000,000? $20,000,000? $100,000,000? of future lead-on “revenue” into infinity. It becomes pretty clear the “we wuz hacked model” can be a very lucrative strategy for the “victim”.

Level 5? Oh they get serious about FinSec at this level!

A level 5 incident involves Swiftnet, FedWire, the Term Auction Facility (TAF), Primary Dealer Credit Facility (PDCF), Term Securities Lending Facility (TSLF) and a few other third rails thou shalt not touch EVER! If the cyber crim does touch the third rail, matters WILL rapidly escalate to an untenable level for the black hat; sux to be them!

For instance, let’s use this recent example…

http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-idUSKCN0XM0DR

Bad, very bad… they got the dogs turned loose and all possible resources deployed, such as private Red Team hunters & REACT teams (with no rules to restrict them). Local, state, national and international law enforcement FinSec teams are activated, along with other mean, nasty and horrible things deployed in order to “bring the cyber criminals to justice”, and eventually they will! So remember skiddos: IT’S A BAD, VERY BAD IDEA to even consider touching a lvl 5 third rail!

Frustrated? After digesting these concepts and various protocols, frustration may be an understatement… Thinking “why should we bother wasting our limited time, resources and assets on this? There are enough problems needing attention to keep us busy for months or years.”

A few weeks pass and this story breaks:

http://nypost.com/2016/12/28/new-york-lightens-cybersecurity-steps-for-banks-despite-surge-in-hackings/?utm_source=maropost&utm_medium=email&utm_campaign=nypdaily&utm_content=20161229

The suppressed frustration turns into a triggered

GREAT BIG NEW YEAR MAD ON

The Trigger Quotes?

The New York Bankers Association, the industry lobbying group, spoke out against the stronger regulations, saying they “could create unsustainable economic stress for banks, while having the unintended consequence of a bank’s spending more time on compliance paperwork than on actual prevention and security.”

Oh trust me New York Bankers Association… there is going to be a truck load of unintended consequences about to be delivered to the members of your lobbying group!

Then this quote: “What you’re trying to do is reduce risk,” Kirk Nahra, partner and co-chair of the health care practice at Wiley Rein, told The Post.
“The bad guys are always better at breaking in than we are at keeping out. And part of that is because the people who are charged with doing these things under these regulations actually have to run a business,” Nahra said.

So New York gave carte blanche validation to execute the “We wuz hacked Business strategy” because Fin-Sec is hard and the InfoSec/FinSec pros are a pack of bumbling idiots when compared to stealthy cyber criminals?

Ummmm? I have a question!

What kind of fresh steaming Male Bovine Fecal Matter (BS) is Mr Nahra shoveling to the world? Using FinSec pros as validation and justification for their “We wuz Hacked” strategy? Seriously?????

Oh, never mind, screw them, fine, whatever, no one cares: the customers, the shareholders, internal management, and now we no longer care… No answers needed to my question!

But we will not be part of their “unintended consequences”. As of January 3, we are done with institutional FinSec, kicking them to the curb. We have more pressing and profitable blockchain projects waiting for us to focus on, rather than trying to protect an industry that will not protect itself.

I hope the customer base of sheeple are ready to be fleeced. Your data may not be breached, but your wallet is about to be.

My prediction is 2017 will be the year of ATM hacking!
