U.S. could use cybertactics to seize assets

Officials mobilizing to freeze the financial assets of international terrorist Osama bin Laden may resort to cybermethods, such as hacking, to cut off the money supply that has been used to finance his terrorist activities, including the Sept. 11 attacks on the World Trade Center and the Pentagon, of which he is the prime suspect.

Intelligence and security experts said the U.S. government, using diplomatic channels, doesn’t expect to receive cooperation from all of the hundreds of banks, holding companies and other private enterprises and fictitious front companies that bin Laden uses to hide his estimated US$300 million personal fortune. As a result, the U.S. intelligence community might use cybermethods to put a virtual stranglehold on bin Laden’s global terror organization, Al Qaeda. While acknowledging that the operation could take years, security officials said that such an attempt was possible.

Experts recognize that finding bin Laden’s money, which is believed hidden in 50 countries in small amounts at hundreds of banks, companies and charitable organizations, will be difficult. Still, if the accounts that store the money can be located, hacking experts said it is well within the technical capabilities of the U.S. intelligence community to make it disappear forever.

In the U.S., the Knight-Ridder news service quoted a U.S. Treasury Department official, who spoke anonymously, saying that the government ordered bin Laden’s U.S. assets seized in the mid-1990s, but nothing was recovered. However, the government said in January it had seized assets worth $245 million from the Taliban, the militant Islamic group running the government of Afghanistan, the news service said.

Hacking into the computer systems of banks and other financial institutions around the world raises a number of coordination and legal challenges, said experts.

“You’d need a lot of things in place,” said Ken Van Wyk, chief technology officer at Para-Protect Services Inc., an IT security firm in Centreville, Virginia. For example, federal agents would need in-depth knowledge of the bank and how the bank operates, the names and account numbers in question, and at a minimum, access codes, such as personal identification numbers, to the accounts, said Van Wyk.

In many instances, inside help, such as a bank employee, would be required to both learn the inner workings of the bank’s IT operations and to gain unquestioned access to the accounts. However, if bin Laden’s associates who control the account can show that the funds were stolen, the financial institution would be required to simply restore them, said experts.

“We have seen theft of money out of banks using electronic means. It has certainly happened,” said Van Wyk. For example, in 1994, a 24-year-old Russian programmer hacked into Citibank’s systems and made off with $10 million. Likewise, a German bank this week threatened a lawsuit against producers of a local television show for hiring hackers to break into the bank’s servers and download customer names, account numbers, PINs and IP addresses.

But the bulk of the work that needs to be done to hack bin Laden’s money would be nontechnical in nature, Van Wyk said. “I would expect that the name on the account is probably not Osama bin Laden. It’s probably extremely well hidden,” he said.

“To steal it would require some insiders who are sympathetic to the cause,” said Winn Schwartau, an information warfare expert and president of security firm Interpact Inc. in Seminole, Florida. “With corporate shells and fast-moving money, it’s going to be difficult.”

But not impossible.

Computerworld US asked a hacker known as “Gen,” the head of a U.S.-based group of more than 100 hackers, how such a sophisticated hacking operation might be carried out. Hacking into the bank and stealing the money would be the easy part, Gen said, in an interview via e-mail.

“There would be two possible attacks to bring this to reality: social engineering and old-school hacking,” said Gen. “Hacking would be accomplished by breaking into the servers of whatever institution he was hiding his funds in. This type of hacking would really be no different than hacking a Web server. It’s what you do afterward that would be impressive.”

Other practical skills would be critical to pull off such a heist, Gen said. You would need “someone who can speak his native tongue, someone who sounds like him [and] possibly someone who looks like him,” he said. In addition, a hacking operation should first have knowledge of the subject’s account structures and the passwords used to secure his funds, or to alert members of the banks and credit unions of a false withdrawal or redirection, he said.

From a technical standpoint, it might be necessary to deploy a cyberoperative in the same geographical location as bin Laden or his emissaries to mimic that location and avoid phone line reverse detection, according to Gen. Likewise, knowledge of protocols used at the banks and credit unions would be needed, as would knowledge of the account structures where the funds are to be transferred, and the ability to hide the funds once they are transferred.

And although wire transfers are encrypted, it might be possible to hack the transfer before it is encrypted, helping authorities to follow the money trail. But Gen said it is easier to take over the entire server than to intercept encrypted data streams. “Typically the encryption actually takes place on the person’s computer that is submitting the transfer. If this is through a Web interface like Netscape or MSIE [Microsoft Corp.’s Internet Explorer], it uses SSL [Secure Sockets Layer]. It is possible to grab the encrypted stream, but then you must break the encryption, which is likely 128-bit.”

A former hacker who is now a systems engineer for a major software company said some banks allow people to request funds transfers over the telephone and through the use of simple PINs. Even stock transfers are relatively simple and rely on a great deal of trust that the person initiating the transfer is who he says he is, the former hacker said.

“At the lowest level, if his assets are in banks, they’re just bits and bytes,” he said. Assuming bin Laden doesn’t have all the money in gold or cash, “the feasibility of a covert operation conducting a digital transfer between accounts and then withdrawing that money and taking it out of the digital universe is very feasible.”

A Dutch intelligence expert said isolating the accounts and the users making bin Laden’s transactions will depend on how many stages authorities can trace back. “Who was the broker who gave the order to buy? That is easy,” the expert said, speaking on condition of anonymity. “Which bank instructed the broker? That is easy, too. Who instructed the bank? Now it becomes difficult.”

There are also legal hurdles that might have to be overcome to prevent bin Laden’s associates from forcing the banks to restore the stolen funds, said Mark Rasch, vice president for cyberlaw at Predictive Systems Inc. in Reston, Va., and the former head of the Computer Crime Unit at the U.S. Justice Department. Criminal investigations, intelligence gathering and warfare all have different rules, he said.

“At present, we are conducting a criminal investigation,” said Rasch. “What do we do? Transfer the money out? That doesn’t do a lot of good. It would be illegal and he would ask the bank to restore it,” he said. “What you really need is not the ability to transfer funds, but the ability to identify the assets and get a lawful seizure or freeze order.”

Eric Friedberg, a security consultant at New York-based Stroz Associates LLC and a former computer and telecommunications crime coordinator at the Justice Department, agrees that the legal guidelines of what can be done aren’t clear.

During times of war it would be legal to hack into, disable and steal information from “enemy” servers, said Friedberg. But who the enemy is in this case will be difficult to determine, he said. “The evidence and perhaps the assets may be in what appear to be neutral third parties’ hands,” such as brokerage firms, clearinghouses and investment banks, said Friedberg. “Once neutral third parties are involved, the lawfulness of intrusive electronic techniques becomes questionable.”