Turns Out Their Reassurances Were Too SWIFT

When I first wrote about the $81 million bank heist of Bangladesh, I noted that the hack appeared to target SWIFT, the international payment transfer system, even while SWIFT itself was giving us reassurances that they had not been breached.

While SWIFT insists it has not been breached, the hackers used a name making it clear they were targeting the SWIFT system.

On Jan. 29, attackers installed “SysMon in SWIFTLIVE” in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”

SWIFT is sending out a security advisory to its members, advising them to shore up their local operating environments.

Three days ago, Reuters issued a report that seemed to reiterate that Bangladesh Bank’s own negligence was central to the hack: the bank was relying on a second-hand, $10 router for its SWIFT set-up.

Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world’s biggest cyber heists said.

The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.

“It could be difficult to hack if there was a firewall,” Alam said in an interview.

The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based, he added.

Though local cops cast some of the blame on SWIFT.

The police believe that both the bank and SWIFT should take the blame for the oversight, Alam said in an interview.

“It was their responsibility to point it out but we haven’t found any evidence that they advised before the heist,” he said, referring to SWIFT.

A spokeswoman for Brussels-based SWIFT declined comment.

Which might have been the tip-off that this was coming…

The attackers who stole $81 million from the Bangladesh central bank probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system, said security researchers at British defense contractor BAE Systems.

SWIFT, a cooperative owned by 3,000 financial institutions, confirmed to Reuters that it was aware of malware targeting its client software. Its spokeswoman Natasha Deteran said SWIFT would release on Monday a software update to thwart the malware, along with a special warning for financial institutions to scrutinize their security procedures.

[snip]

Deteran told Reuters on Sunday that it was issuing the software update “to assist customers in enhancing their security and to spot inconsistencies in their local database records.” She said “the malware has no impact on SWIFT’s network or core messaging services.”

The software update and warning from Brussels-based Swift, or the Society for Worldwide Interbank Financial Telecommunication, come after researchers at BAE (BAES.L), which has a large cyber-security business, told Reuters they believe they discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT client software known as Alliance Access.

One wonders whether SWIFT would have released a public statement if not for BAE’s imminent public report on this?

Again, NSA managed to hack into SWIFT (double-dipping on the sanctioned access they got through an agreement with the EU) via printer traffic at member banks.

NSA’s TAO hackers hacked into SWIFT (even though the US has access to SWIFT to obtain counterterrorism information via an intelligence agreement anyway), apparently by accessing printer traffic from what sounds like member banks.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show.

So SWIFT had warning there were vulnerabilities in its local printer system (though it’s not clear this is the same vulnerability the Bangladesh thieves used).

You’d think SWIFT would have made some effort when that became public to shore up vulnerabilities in the global finance system. Instead, they left themselves vulnerable to a $10 router.

SWIFT and the Bangladeshi Bank Heist

I’ve been following the story of how what are described as criminal hackers tried to steal $1 billion from Bangladesh’s national bank, in part because of the tie to SWIFT, the financial transfer company (as of now, $81 million are still missing, but Sri Lanka and the Fed managed to reverse or prevent the remainder of the theft attempt). As part of the hack, the thieves stole Bangladesh’s SWIFT credentials (it appears they did this after Bangladesh connected the server running SWIFT transactions to 3 other servers).

“Malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers,” the interim report said. Those servers are operated by the bank but run the SWIFT interface, and the report makes it clear the breach stretches into other parts of the bank’s network as well. “The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation.”

SWIFT is a member-owned cooperative that provides international codes to facilitate payments between banks globally. It can’t comment on the investigation, according to Charlie Booth from Brunswick Group, a corporate advisory firm that represents SWIFT.

“We reiterate that the SWIFT network itself was not breached,” Booth said in an e-mail. “There is a full investigation underway, on what appears to be a specific and targeted attack on the victim’s local systems.” SWIFT said last week its “core messaging services were not impacted by the issue and continued to work as normal.”

Dedicated servers running the SWIFT system are located in the back office of the Accounts and Budgeting Department of Bangladesh Bank. They are connected with three terminals for payment communications.

While SWIFT insists it has not been breached, the hackers used a name making it clear they were targeting the SWIFT system.

On Jan. 29, attackers installed “SysMon in SWIFTLIVE” in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”

SWIFT is sending out a security advisory to its members, advising them to shore up their local operating environments.

In separate news, a local security researcher who had been working on the hack disappeared last week.

In a weird turn of events, one of the security researchers who voiced criticism of the central bank’s security measures disappeared on Wednesday night.

Family members are saying that Zoha met with a friend at 11:30 PM on Wednesday night, March 16. While coming home, a jeep pulled in front of their auto-rickshaw, and men separated the two, putting them in two different cars.

Zoha’s friend was dumped somewhere in the city (Dhaka) and was able to get home by 02:00 AM, the next day. He then contacted Zoha’s family, who said the security researcher never came home.

The next day, family members tried to report the researcher missing, but police officers just kept redirecting them from one police station to another until the family gave up and contacted the media for help.

[snip]

According to BDNews24, Zoha was a former collaborator of Bangladesh’s ICT (Information and Communication Technology) Division and worked with various government agencies in the past. It appears that his comments about the Bangladesh central bank cyber-heist were made working as a “shadow investigator” for a security company that family members declined to name.

Answering questions about his own investigation into the central bank’s cyber-heist, Zoha said that the “database administrator of the [Bangladesh Bank] server cannot avoid responsibility for such hacking” and that he “noticed apathy about the [server’s] security system.”

From this description and those based on the FireEye report, it seems like Bangladeshi authorities, and not SWIFT, would be the powerful people who might want to make this guy disappear. But I find it interesting that someone who was presumably mirroring FireEye’s work has apparently been kidnapped.

Remember: NSA’s TAO hackers hacked into SWIFT (even though the US has access to SWIFT to obtain counterterrorism information via an intelligence agreement anyway), apparently by accessing printer traffic from what sounds like member banks.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show.

While we don’t have enough detail to assess, it does sound like the NSA got in through vulnerabilities at the member bank level, like these thieves did.

Again, I assume the kidnapping is best explained by Bangladeshi efforts to cover up their own incompetence. But I do find the possibility that SWIFT might be vulnerable due to vulnerabilities at its member banks interesting, too.

Russia’s Sabre-Rattling: Not Just Bluster About Banks and Ukraine Unrest

Last Friday, CNBC interviewed Andrey Kostin, CEO of Russia’s second largest bank, following the EU’s decision to extend economic sanctions against Russia, ostensibly to punish Russia for hostilities against Ukraine. Kostin’s comments were combative.

“You know, we have quite a strong opinion on sanctions. Sanctions, in other words, is economic war against Russia. Economic war will definitely have and will have very negative implications on the Russian economy, but more than that it will have very negative implications on the political dialogue and on security in Europe. And who wants to live in a less secure world? I think nobody. I think it’s the wrong way to treat Russia like this. I think it will never to lead to any other consequences as to less stability and less secure Europe.” [sic]

“You can’t treat any country like this. You know you can’t say, ‘if you behave rightly, that’s a small [weep*] for you, if you behave wrongly, that’s a big [weep*] for you.’ That’s not a dialog, that’s a threat. … I think we should talk. I mean, politicians should talk, like business men. Business men do talk, and they are interested in working together. …”

In short, Russia feels the sanctions are warfare, and they want to deal. They’d really like the asymmetric attack on finance to stop short of terminating Russian banks’ access to SWIFT (the impact of which WaPo spells out).

But the banks’ discomfort with the sanctions and continued incursions against Ukraine aren’t the only signs of Russian belligerence. By year end, there had been forty events characterized as “close military encounters” during 2014, according to European Leadership Network, a non-partisan, nonprofit think tank.

SWIFT Change

I’ve long tracked developments in SWIFT, the system that tracks international bank transfers. The NSA got SWIFT to turn over data willingly after 9/11. But then the consortium moved its servers to Europe, making the data legally safer — though surely not technically safer — from NSA hands. And in spite of the fact that the US negotiated, and then violated the spirit of, a permissive deal to access this information, documents leaked by Edward Snowden still show the NSA double dipping, obtaining SWIFT information via the legal front door and the technical back door.

Nevertheless, it wasn’t the evidence that the US had preferential access to the records of international bank transfers that led someone to create a competitor. The threat of sanctions did.

Russia has just announced a plan to have some alternative to SWIFT in place by May.

Russia intends to have its own international inter-bank system up and running by May 2015. The Central Bank of Russia says it needs to speed up preparations for its version of SWIFT in case of possible “challenges” from the West.

“Given the challenges, Bank of Russia is creating its own system for transmitting financial messaging… It’s time to hurry up, so in the next few months we will have certain work done. The entire project for transmitting financial messages will be completed in May 2015,” said Ramilya Kanafina, deputy head of the national payment system department at the Central Bank of Russia (CBR).

Calls not to use the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system in Russian banks began to grow as relations between Russia and the West deteriorated over sanctions. So far, SWIFT says despite pressure from some Western countries to join the anti-Russian sanctions, it has no intention of doing so.

I’ve long wondered when US reliance on sanctions — which is effectively an assertion of the authority to dictate which economic players are acceptable and which are not — would begin to undermine the US system. This does not seem to be primarily motivated by an effort to undercut US hegemony, except to the degree that Russia refuses to comply with US demands that it be permitted to rearrange Russia’s immediate neighborhood. Rather, it is a reaction to US actions.

Nevertheless, it may establish the infrastructure that undermines US hegemony.

Double Dipping at SWIFT

Spiegel today reveals more details about NSA’s “Follow the Money” program, in which it collects credit card information from select geographical regions. In addition, as TV Globo also revealed last week, they are conducting Tailored Access Operations against SWIFT, the international financial transfer messaging system.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show.

Now, some caution about this claim is in order. Spiegel reports that NSA’s financial records database has 180 million records, of which 84% are credit card transactions.

The collected information then flows into the NSA’s own financial databank, called “Tracfin,” which in 2011 contained 180 million records. Some 84 percent of the data is from credit card transactions.

Even assuming the balance of the records in the database come from SWIFT, that’s less than 29 million records (in 2011, so assume the number is larger now). In 2011, SWIFT was sending 17.5 million records a day. So whatever makes it into the actual database is just a small fraction of international traffic.

But that almost certainly doesn’t account for the bulk of the SWIFT information collected by the US government. Remember: in addition to stealing the data, Treasury also gets it via a now-public agreement. The former CEO of SWIFT, Leonard Schrank, and former Homeland Security Czar Juan Zarate actually boasted in July, in response to the earliest Edward Snowden revelations, about how laudable Treasury’s consensual access to the data was.

The use of the data was legal, limited, targeted, overseen and audited. The program set a gold standard for how to protect the confidential data provided to the government. Treasury legally gained access to large amounts of Swift’s financial-messaging data (which is the banking equivalent of telephone metadata) and eventually explained it to the public at home and abroad.

It could remain a model for how to limit the government’s use of mass amounts of data in a world where access to information is necessary to ensure our security while also protecting privacy and civil liberties.

Never mind that by the time they wrote this, an EU audit had shown the protections were illusory, in part because the details of actual queries were oral (and therefore the queries weren’t auditable), in part because Treasury was getting bulk data. But there was a legitimate way to get data pertaining to the claimed primary threat at hand, terrorism. And now we know NSA also stole data.

Note, too, the timing. While Spiegel doesn’t provide enough details about the exploitation of SWIFT for us to date it, the dates it does provide about this financial spying are 2010 and 2011. That was the period when the EU was trying to put sensible limits on Treasury’s access to SWIFT.

Back when the intelligence community first decided to go after SWIFT data, their first plan was to just steal it.

Intelligence officials were so eager to use the Swift data that they discussed having the C.I.A. covertly gain access to the system, several officials involved in the talks said. But Treasury officials resisted, the officials said, and favored going to Swift directly.

12 years later, they apparently are stealing at least some of it. That probably means they wanted data for transactions that have nothing to do with the counterterrorism application first SWIFT and then the EU bought off on. So there’s the legal access to counterterrorism data via Treasury, and the illegal access to (presumably) some other kind of data via NSA.

James Clapper’s Financial War on the World

I’m fundraising this week. Please support me if you can. 

Yesterday, TV Globo published details of NSA spying on Brazil’s oil company, Petrobras, SWIFT, and financial organizations. Besides revealing that man-in-the-middle attacks are sometimes used, the report didn’t offer details of what the NSA was actually collecting. Its sources suggest NSA might be seeking Brazil’s leading deep sea drilling technology or geological information that would be useful in drilling auctions, but it is also conceivable the NSA is just trying to anticipate what the oil market will look like in upcoming years (this is one area where we probably even spy on our allies the Saudis, since they have been accused of lying about their reserves).

To some degree, then, I await more details about precisely what we’re collecting and why.

But what I am interested in is James Clapper’s response. He released this statement on the I Con site.

It is not a secret that the Intelligence Community collects information about economic and financial matters, and terrorist financing.

We collect this information for many important reasons: for one, it could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy. It also could provide insight into other countries’ economic policy or behavior which could affect global markets.

Our collection of information regarding terrorist financing saves lives. Since 9/11, the Intelligence Community has found success in disrupting terror networks by following their money as it moves around the globe. International criminal organizations, proliferators of weapons of mass destruction, illicit arms dealers, or nations that attempt to avoid international sanctions can also be targeted in an effort to aid America’s and our allies’ interests.

What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of – or give intelligence we collect to – US companies to enhance their international competitiveness or increase their bottom line.

As we have said previously, the United States collects foreign intelligence – just as many other governments do – to enhance the security of our citizens and protect our interests and those of our allies around the world. The Intelligence Community’s efforts to understand economic systems and policies and monitor anomalous economic activities are critical to providing policy makers with the information they need to make informed decisions that are in the best interest of our national security.

Let me take this extraordinary statement in reverse order.

In the fourth paragraph, Clapper reiterates the final defense that NSA defenders use: that we’re better than, say, China and France, because we don’t engage in industrial espionage, stealing technology with our spying. That may be true, but I suspect at the end of the day the economic spying we do might be more appalling.

In the third paragraph, he retreats to the terror terror terror strategy the Administration has used throughout this crisis. And sure, no one really complains that the government is using financial tracking to break up terrorist networks (though the government is awfully selective about whom it prosecutes, and it almost certainly has used a broad definition of “terrorism” to spy on the financial transactions of individuals for geopolitical reasons). But note, while the Globo report provided no details, it did seem to describe that NSA spies on SWIFT.

That would presumably be in addition to whatever access Treasury gets directly from SWIFT, through agreements that have become public.

That is, the Globo piece at least seems to suggest that we’re getting information from SWIFT via two means, via the now public access through the consortium, but also via NSA spying. That would seem to suggest we’re using it for things that go beyond the terrorist purpose the consortium has granted us access for. Past reporting on SWIFT has made it clear we threatened to do just that. The Globo report may support that we have in fact done that.

Now the second paragraph. James Clapper, too cute by half, asserts, spying on financial information,

could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy

Hahahahahaha! Oh my word! Hahahaha. I mean, sure, the US needs to know of pending financial crises, in the same way it wants to know what the actual versus claimed petroleum reserves in the world are (and those are, of course, closely related issues). But with this claim, Clapper suggests the US would actually recognize a financial crisis and do something about it.

Hahahahaha. Didn’t — still doesn’t — work out that way.

Ignatius Has Become a “Choice between Security and Privacy” Stenographer

David Ignatius should be ashamed about this column. Even by his standards, it serves simply as stenography for the buzzwords top security officials have fed him, such that he repeats lines like this without any critical thinking.

Gen. Keith Alexander and other top NSA officials are considering ways they could reassure the public without damaging key programs, according to U.S. officials. They think that forcing Congress to decide between security and privacy is an unfair choice, since the country would lose either way. They’d like an agreement that protects both, but that’s a tall order. [my emphasis]

Remember: we’re talking about the Section 215 dragnet, not the (according to all players) far more valuable Section 702 collection. Even according to the government, it has only come into play in 13 terrorist cases. The only one the government can describe where it has been crucial involves indicting a man the FBI determined was not motivated by terrorism but rather tribal affiliation sending less than $10,000 to al-Shabaab three and a half years earlier.

And yet Ignatius uncritically repeats that requiring the government to use more specificity with its collections would present Congress the “unfair choice” of “deciding between security and privacy.”

So it should be no surprise that Ignatius uncritically repeats other details of the program. For example, Ignatius claims this involves only two-hop analysis, when we know it can go three hops (and therefore millions of people) deep.

When the agency identifies a suspicious number in, say, Pakistan, analysts want to see who that person called in the United States and who, in turn, might have been contacted by that second person.

Ignatius doesn’t note the descriptions — from both Edward Snowden and James Clapper — that they then use this metadata to index previously collected communications. That’s because he’s too busy repeating that we don’t “record” these collections, as if we’d have to.

Then finally there’s Ignatius’ claim that SWIFT (the record of international financial transfers) presents a viable alternative to the dragnet program. As I have reported, when the EU finally got to audit what the US had been doing with SWIFT, they discovered the real content of the queries was transmitted verbally, making it impossible to audit the use.

Thus far, no one has explained whether the queries and underlying articulable suspicion get automatically recorded or — as happened with one of the precursors to this program — manually in hardcopy form. If it’s the latter (which I will assume until someone asserts differently) it is prone to the same kind of large scale documentation lapses that could hide a great deal of improper use of the dragnet. Which, given Ron Wyden and Mark Udall’s insistence that the problems have been more problematic than James Clapper lets on, could well be the case.

All of these are issues anyone with Ignatius’ access might want to answer.

Alternately, that access may now serve to do no more than produce “security or privacy” automatons, repeating the obviously false cant Ignatius has here.

In These Times We Can’t Blindly Trust Government to Respect Freedom of Association

One of my friends, who works in a strategic role at American Federation of Teachers, is Iranian-American. I asked him a few weeks ago whom he called in Iran; if I remember correctly (I’ve been asking a lot of Iranian-Americans whom they call in Iran) he said it was mostly his grandmother, who’s not a member of the Republican Guard or even close. Still, according to the statement that Dianne Feinstein had confirmed by NSA Director Keith Alexander, calls “related to Iran” are fair game for queries of the dragnet database of all Americans’ phone metadata.

Chances are slim that my friend’s calls to his grandmother are among the 300 identifiers the NSA queried last year, unless (as is possible) they monitored all calls to Iran. But nothing in the program seems to prohibit it, particularly given the government’s absurdly broad definitions of “related to” for issues of surveillance and its bizarre adoption of a terrorist program to surveil another nation-state. And if someone chose to query on my friend’s calls to his grandmother, using the two-degrees-of-separation query they have used in the past would give the government — not always the best friend of teachers unions — a pretty interesting picture of whom the AFT was partnering with and what it had planned.

In other words, nothing in the law or the known minimization rules of the Business Records provision would seem to protect some of the AFT’s organizational secrets just because they happen to employ someone whose grandmother is in Iran. That’s not the only obvious way labor discussions might come under scrutiny; Colombian human rights organizers with tangential ties to FARC is just one other one.

When I read labor organizer Louis Nayman’s “defense of PRISM,” it became clear he’s not aware of many details of the programs he defended. Just as an example, Nayman misstated this claim:

According to NSA officials, the surveillance in question has prevented at least 50 planned terror attacks against Americans, including bombings of the New York City subway system and the New York Stock Exchange. While such assertions from government officials are difficult to verify independently, the lack of attacks during the long stretch between 9/11 and the Boston Marathon bombings speaks for itself.

Keith Alexander didn’t say NSA’s use of Section 702 and Section 215 have thwarted 50 planned attacks against Americans; those 50 were in the US and overseas. He said only around 10 of those plots were in the United States. That works out to be less than 20% of the attacks thwarted in the US just between January 2009 and October 2012 (though these programs have existed for a much longer period of time, so the percentage must be even lower). And there are problems with three of the four cases publicly claimed by the government — from false positives and more important tips in the Najibullah Zazi case, missing details of the belated arrest of David Headley, to bogus claims that Khalid Ouazzan ever planned to attack NYSE. The sole story that has stood up to scrutiny is some guys who tried to send less than $10,000 to al-Shabaab.

While that doesn’t mean the NSA surveillance programs played no role, it does mean that the government’s assertions of efficacy (at least as it pertains to terrorism) have proven to be overblown.

Yet from that, Nayman concludes these programs have “been effective in keeping us safe” (given Nayman’s conflation of US and overseas, I wonder how families of the 166 Indians Headley had a hand in killing feel about that) and defends giving the government legal access (whether they’ve used it or not) to — among other things — metadata identifying the strategic partners of labor unions with little question.

And details about the success of the program are not the only statements made by top National Security officials that have proven inaccurate or overblown. That’s why Nayman would be far better off relying on Mark Udall and Ron Wyden as sources for whether or not the government can read US person emails without probable cause than misstating what HBO Director David Simon has said (Simon said that entirely domestic communications require probable cause, which is generally but not always true). And not just because the Senators are actually read into these programs. After the Senators noted that Keith Alexander had “portray[ed] protections for Americans’ privacy as being significantly stronger than they actually are” — specifically as it relates to what the government can do with US person communications collected “incidentally” to a target — Alexander withdrew his claims.

Nayman says, “As people who believe in government, we cannot simply assume that officials are abusing their lawfully granted responsibility and authority to defend our people from violence and harm.” I would respond that neither should we simply assume they’re not abusing their authority, particularly given evidence those officials have repeatedly misled us in the past.

Nayman then admits, “We should do all we can to assure proper oversight any time a surveillance program of any size and scope is launched.” But a big part of the problem with these programs is that the government has either not implemented or refused such oversight. Some holes in the oversight of the program are:

  • NSA has not said whether queries of the metadata dragnet database are electronically recorded; both SWIFT and a similar phone metadata program queries have been either sometimes or always oral, making them impossible to audit

SWIFT: Big Brother with a Booz Assist, Only without the Paperwork

As reporting on Edward Snowden reveals the scope of our spying on European friends, I’ve been thinking a lot about SWIFT.

SWIFT, you recall, is the database tracking international online money transfers. After 9/11, the US Government started helping itself to the data to track terrorist financing. But then in 2010 the servers moved entirely to the EU, and the EU forced the US to accede to certain protections: protections for EU citizens, a prohibition on bulk collection (and with it data mining), and a two-pronged audit system.

Today, the CEO of SWIFT until 2007, Leonard Schrank, and the former Homeland Security Advisor, Juan Zarate, boast about the controls on SWIFT, suggesting it provides a model for data collection with oversight.

Both the Treasury and Swift ensured that the constraints on the information retrieved and used by analysts were strictly enforced. Outside auditors hired by Swift confirmed the limited scope of use, and Swift’s own representatives (called “scrutineers”) had authority to stop access to the data at any time if there was a concern that the restrictions were being breached. These independent monitors worked on site at government agencies and had real-time access to the system. Every time an analyst queried the system, the scrutineer could immediately review the query. Each query had to have a reason attached to it that justified it as a counterterrorism matter. Over time, the scope of data requested and retained was reduced.

This confirmed that the information was being used in the way we said it was — to save lives.

[snip]

The use of the data was legal, limited, targeted, overseen and audited. The program set a gold standard for how to protect the confidential data provided to the government. Treasury legally gained access to large amounts of Swift’s financial-messaging data (which is the banking equivalent of telephone metadata) and eventually explained it to the public at home and abroad.

It could remain a model for how to limit the government’s use of mass amounts of data in a world where access to information is necessary to ensure our security while also protecting privacy and civil liberties.

This description should already raise concerns about the so-called gold standard for spying. When “scrutineers” cohabit with those they’re supposed to be scrutinizing, it tends to encourage cooperation, not scrutiny.

And somehow, Schrank and Zarate neglect to mention that the vaunted audit process they describe was conducted by none other than Booz Allen Hamilton, the contractor that hired and let Edward Snowden abscond with the spying world’s crown jewels. And, as ACLU noted in a report for the EU in 2006, even during Schrank’s tenure, Booz was neck deep in aggressive surveillance.

But the real problem with highlighting SWIFT as a poster child of massive surveillance done right post-dates Schrank’s tenure (though he must know about this), when the EU’s independent audits for the first time revealed what went on in SWIFT queries. Among other things: the actual requests were oral, and therefore couldn’t be audited.

The report revealed that the Americans have been submitting largely identical requests–but then supplementing them with oral requests.

The oral requests, of course, make it impossible to audit the requests.

At the time of the inspection, Europol had received four requests for SWIFT data. Those four requests are almost identical in nature and request–in abstract terms–broad types of data, also involving EU Member States’ data. Due to their abstract nature, proper verification of whether the requests are in line with the conditions of the Article 4(2) of the TFTP Agreement–on the basis of the available documentation–is impossible. The JSB considers it likely that the information in the requests could be more specific.

Information provided orally–to certain Europol staff by the US Treasury Department, with the stipulation that no written notes are made–has had an impact upon each of Europol’s decisions; however, the JSB does not know the content of that information. Therefore, where the requests lack the necessary written information to allow proper verification of compliance with Article 4(2) of the TFTP Agreement, it is impossible to check whether this deficiency is rectified by the orally provided information. [my emphasis]

In addition, in spite of demands that the program include no bulk downloads, that’s precisely what the US was doing.

“We have given our trust to the other EU institutions, but our trust has been betrayed”, said Sophia in’t Veld (ALDE, NL), rapporteur on the EU-US Passenger Name Record (PNR) agreements. “This should be kept in mind when they want our approval for other agreements”, she declared.

“Somehow I am not surprised”, said Simon Busuttil (EPP, MT), recalling that “at the time of the negotiations last year we were not satisfied with having Europol controlling it – we wanted additional safeguards”. He added that “the agreement is not satisfactory”, since it involves the transfer of bulk data, and insisted that “we need an EU TFTP”.

For Claude Moraes (S&D, UK), the US demands are “too general and too abstract”. He also recalled that MEPs had insisted at the time that it must be specified how the US request would be made and that they needed to be “narrowly tailored”. A written explanation should accompany each request, he added.

This agreement is not in line with Member States’ constitutional principles and with fundamental rights, argued Jan Philipp Albrecht (Greens/EFA, DE). He highlighted the problem of bulk data transfer, “which is exactly what we have criticised before”. [my emphasis]

In other words, once an actual independent reviewer — not an embedded contractor like Booz — reviewed the program, it became clear it was designed to be impossible to audit, even while engaging in precisely the bulk downloads the Europeans feared.

The experience of SWIFT is not only one reason why the Europeans are so quick to object to the scale of US spying on them. It is actually a poster child for surveillance done wrong.

Contrary to what its boosters want you to believe.

“SWIFT” Boating the Russian Mafia

Remember that GCHQ/MI6 agent, Gareth Williams, who was found dead in a duffel bag last year?

At first, the narrative around his death centered on rumors he had been killed in a weird gay sex game. Amid such sensational reporting, other articles revealed Williams worked closely with the NSA on wiretapping Rashid Rauf, one of the men involved in the 2006 plot to bring down planes with small bottles of liquid. Williams’ work with NSA is all the more interesting when you consider American manipulation of that investigation and their subsequent squeamishness about sharing the intercepts.

But now there’s a new theory out (from the Daily Mail, which was early to the now discredited sex crime theory): that Williams was killed by the Russian mafia because he was working on a way to track money laundering.

But now security sources say Williams, who was on secondment to MI6 from the Government’s eavesdropping centre GCHQ, was working on equipment that tracked the flow of money from Russia to Europe.

The technology enabled MI6 agents to follow the money trails from bank accounts in Russia to criminal European gangs via internet and wire transfers, said the source.

‘He was involved in a very sensitive project with the highest security clearance. He was not an agent doing surveillance, but was very much part of the team, working on the technology side, devising stuff like software,’ said the source.

He added: ‘A knock-on effect of this technology would be that a number of criminal groups in Russia would be disrupted.

‘Some of these powerful criminal networks have links with, and employ, former KGB agents who can track down people like Williams.’

The rest of the Daily Mail article on this hypes how scary and omnipresent the Russian mafia are.

But money laundering is money laundering. Terrorists do it. Organized crime does it. Spy services do it. Corporations do it (often legally). And banksters do it, among others.

And there doesn’t appear to be anything about this description to suggest the Russian mafia would be specifically targeted by the technology. Indeed, the description of their exposure as a “knock-on effect” suggests everything would be targeted (which sort of makes sense; you can’t track money laundering unless you track the “legitimate” part of finance that makes it clean).

Which is why I find this latest narrative–with its complete lack of attention on the technology, instead focusing exclusively on the Russian mob–so interesting. Because finding a way to track money laundering, of any sort, would just be a new way to do what US intelligence has already been doing with SWIFT.

You’ll recall that SWIFT is the messaging system that tracks international money transfers; our use of it to track terrorist finance was first exposed by James Risen and Eric Lichtblau in 2006. In 2009, the US and EU got in a big squabble over whether the US would continue to have access when the servers moved to Europe. They ultimately signed a deal on access. But in March it became clear we were cheating on that deal–among other things by making all specific search requests orally, thereby bypassing the audit provisions demanded by the Europeans.

I increasingly suspect the furor around the SWIFT disclosures has to do with a concern over maintaining the perceived sanctity of tax havens even as it becomes clear our government has routinely been accessing money transfer information using nothing more than administrative subpoenas. And I increasingly suspect the ongoing squabble between Europe and the US over SWIFT access has to do with America’s asymmetrical access to what has been described as the Rosetta stone of money transfers.

I’ve become convinced that this is why the response to NYT’s reporting on SWIFT was (and remains) so much more intense than even their exposure of the illegal wiretap program. The shell game of international finance only works so long as we sustain the myth that money moves in secret; but of course there has to be one place, like SWIFT, where those secrets are revealed. And so, in revealing that the US was using SWIFT to track terror financing, the NYT was also making it clear that there is such a window of transparency on a purportedly secret system. And the CIA has, alone among the world’s intelligence services, access to it.

There are hints in Lichtblau’s book that back my suspicion that revealing SWIFT was so problematic because it reveals monetary transfers aren’t as secret as the banksters would like you to think they are. One reason people grew uncomfortable with the program was because “some foreign officials feared that the United States could turn the giant database against them.” (234) Others worried that the US might be “delving into corporate trade secrets of overseas companies.” (248) And when Alan Greenspan helped persuade SWIFT to continue offering US access to the database, he admitted how dangerous it was.

If the world’s financiers were to find out how their sensitive internal data was being used, he acknowledged, it could hurt the stability of the global banking systems. (246)

Now, Lichtblau doesn’t describe explicitly what these risks entail, but this all seems to be about letting the CIA see, unfettered, the most valuable secrets in the world, financial secrets. The world’s globalized elite has to trust in the secrecy of their banking system, but in fact the CIA (of all entities!) has violated that trust.

It turns out (the LAT reported this contemporaneously with the NYT reporting; I’ve just now read this in the context of Risen’s affidavit to quash his Sterling subpoena) that the CIA once developed a clandestine way to access SWIFT but were persuaded not to use it because doing so would “compromis[e] the integrity of international banking.”

CIA operatives trying to track Osama bin Laden’s money in the late 1990s figured out clandestine ways to access the SWIFT network. But a former CIA official said Treasury officials blocked the effort because they did not want to anger the banking community.

Historically, “there was always a line of contention” inside the government, said Paul Pillar, former deputy director of the CIA’s counterterrorism center. “The Treasury position was placing a high priority on the integrity of the banking system. There was considerable concern from that side about anything that could be seen as compromising the integrity of international banking.”

Ah, for the halcyon days when people believed international banking had any integrity to compromise!

My point, though, is that the US has had the potential capability to track Russian mobsters since SWIFT let us access the databases after 9/11, particularly now that we’re making all our specific requests orally. So far as I know, no one has ended up dead in a duffel bag over that access.

Moreover, there would be a great many people who would like to prevent the UK from getting their own back door into the global finance system, if that’s really the reason Williams was killed. (Note, Williams was also reportedly about to join the UK’s cybersecurity team, which might offer other reasons to want him dead.) Sure, the Russian mafia are among that group, but so would be many others with the means to murder a spook.

Now, it may be that this entire new narrative is just as sketchy as the sex crime one was. Or it may be that this is a preemptive attempt to suggest only Russian mobsters have anything to hide.

But I do find this latest narrative mighty intriguing.