Monday, October 20, 2014

The Federal Reserve, the Virtual Private Network and the Zeus Trojan

This post examines an opinion a U.S. District Court Judge who sits in the U.S. District of Minnesota recently issued in a civil suit:  State Bank of Bellingham v. BancInsure, Inc., 2014 WL 4829184 (2014) (“State Bank v. BancInsure”).  She begins the opinion by explaining that the bank is a Minnesota
`state bank with five employees and one location in Bellingham, Minnesota.’ . . . [BancInsure] is an insurance company . . . incorporated in Oklahoma. . . . In October 2010, [BancInsure] issued Financial Institution Bond No. FIB0011607 (the `Bond’) to Bellingham Corporation, with coverage effective from October 17, 2010, to October 17, 2013. . . [State Bank] is a named insured on the Bond. . . . Under the Bond, [BancInsure] agrees to indemnify [State Bank] in various circumstances, collectively referred to as `Insuring Agreements,’ including-relevant to this case-in the case of `computer systems fraud.’
State Bank v. BancInsure, supra.  Essentially, the Bond covered “[l]oss resulting directly from a fraudulent . . . entry of Electronic Data or Computer Program into, or . . . change of Electronic Data or Computer Program within any Computer System operated by the insured, whether owned or leased”.  State Bank v. BancInsure, supra. 
The lawsuit involves a “loss” that resulted from “a fraudulent wire transfer.”  State Bank v. BancInsure, supra.  At the time the loss occurred, State Bank made wire transfers
through the Federal Reserve's FedLine Advantage Plus system (`FedLine’). . . . State Bank used a desktop computer that was connected to a Virtual Private Network device . . . provided by the Federal Reserve. . . . The VPN was both a modem and an encryptor. . .  It encrypted the information entered on the computer and transmitted it over the internet to the Federal Reserve, where the information was then decrypted. . . . [T]o complete a wire transfer on FedLine, a user had to enter an authorized user name and three passwords. . . . One of the passwords was provided by a security token issued by FedLine that had to be inserted into a USB port on the computer. . . . The other two passwords were typed in by the user. . . . And, although it was not required by FedLine, wire instructions had to be verified by entry of a second user name and set of passwords. . . .

On October 27, 2011, one of [State Bank’s] employees, Sharon Kirchberg, accessed FedLine . . . to complete a wire transfer. . . . Kirchberg's token, password, and pass phrase, as well as the token, password, and pass phrase of another employee, were used to complete the transfer. . . . When Kirchberg left the Bank for the day, she left both tokens in the computer and left the computer running. . . .

On October 28, Kirchberg arrived at work and accessed Fedline's Account Information Management application, which shows [State Bank’s] account balance with the Federal Reserve. . . . At approximately 8:12 a.m. CST, she noticed that $940,000 had been transferred out of the bank using Fedwire Funds, which is part of FedLine. . . . She began investigating the entry and discovered someone had attempted to initiate two wire transfers from a Demand Deposit Account at the bank to two different banks in Poland. . . . The first transfer, to a Citibank account in Warsaw, was in the amount of $485,000 and was initiated at 7:12 a.m. CST. . . . That transfer was completed at 7:25 a.m. CST using the user name and passwords of Kirchberg and one other employee. . . .

However, neither of those employees authorized or verified the transfer or had access to FedLine at the time of the transfer. . . . The second transfer, to an ING Bank account in Katowice, was in the amount of $455,000 and was initiated at 7:21 a.m. CST and completed at 7:25 a.m. CST. . . . The same user names and passwords were used, but, again, neither employee even had access to FedLine at the time of the transfer. . . . Both transferee accounts were in the name of Markus Vorreas. . . .

Kirchberg immediately attempted to reverse the wire transfers using FedLine. . . . However, shortly after 8:00 a.m., [State Bank’s] internet service provider experienced a distributed denial-of-service attack (`DDoS’), which disabled internet service near [State Bank]. . . .  Accordingly,. Kirchberg was unable to electronically request reversal of the transfers. . . .  She then called the Federal Reserve and requested the reversals, but her request was denied. . . .

On October 31, the Federal Reserve notified the two intermediary institutions for the transfers that the transfers were fraudulent. . . . While the intermediary institution for the second transfer was able to revert the transferred funds to [State Bank], the $485,000 that was transferred to the Citibank account in Warsaw has never been credited or reverted. . . .
State Bank v. BancInsure, supra. 
State Bank notified BancInsure of the loss on October 28 . . . by faxing a copy of the transaction details of the two transfers. State Bank v. BancInsure, supra.  On November 3, BancInsure acknowledged receipt of the notice and advised State Bank that the claim had been assigned to Karbal Cohen Economou Silk Dunne (`KCESD’) for investigation. State Bank v. BancInsure, supra.  In a November 9 letter, KCESD reminded State Bank of its obligation to provide BancInsure with “`proof of loss . . . with full particulars’“ within six months of discovering the loss. State Bank v. BancInsure, supra. 
BancInsure received State Bank’s Proof of Loss on December 27, 2011. . . .  State Bank v. BancInsure, supra.  In the `Details of Loss’ section of the form, State Bank stated that “`an unknown individual or individuals gained unauthorized access to the FedLine Advantage Plus service on the State Bank of Bellingham's computer systems and fraudulently authorized two wire transfers.’” State Bank v. BancInsure, supra.  It went on to describe Kirchberg's discovery and attempted reversal of the transfers, and said that, “in addition to the Federal Reserve, it had notified various law enforcement agencies and the FBI had examined” State Bank’s computers but it “was not aware of the status of any investigations.” State Bank v. BancInsure, supra. 
With regard to its security measures, State Bank said that, internally, it followed
standard security procedures with respect to user names and passwords for its systems in accordance with the Federal Reserve Banks' Password Practice Statement. All systems on the internal network have Symantec Small Business Endpoint Protection 12.5, with not only antivirus and antispyware features but a desktop firewall and intrusion detection/protection. This security suite is centrally managed by the network server for definitions and threat management and updates automatically. Additionally, the native Windows firewall is activated on computers on the internal network and the computers are configured to limit the software that can be installed on the device.

As for external threats, the Bank uses a Sonic WALL NSA 240 firewall. The firewall has Gateway Antivirus and Gateway Anti–Spyware inspecting all traffic before passing through the gateway and uses Gateway Intrusion Protection. This security suite likewise is updated automatically on a daily basis, meaning no user accesses or modifies the firewall or the settings of the software overall.
State Bank v. BancInsure, supra. 
On May 15, BancInsure’s counsel told State Bank “that it had retained forensic computer specialist Mark Lanterman of Computer Forensic Services, Inc.” (CFS) to work on investigating the crime.  State Bank v. BancInsure, supra.  On June 20, State Bank told BancInsure’s lawyer it had the “hard drive in the condition it was in at the time of the loss” and agreed to “provide the hard drive to Lanterman for examination under certain conditions”.   State Bank v. BancInsure, supra.  Lanterman “received the hard drive on August 8, and issued his report on October 10.” State Bank v. BancInsure, supra.  His report said the analysis
identified an email message, sent to the address `bellinghambank’, which contained a hyperlink to a malicious webserver. CFS further determined that this email had been read and the embedded link clicked on. . . .

The user's action of clicking on the hyperlink ultimately lead to the download of multiple files associated with the Zeus virus.
State Bank v. BancInsure, supra. 
The CFS report also explained that the analysis showed the Zeus virus was detected
on October 13, 2011. Given [Symantec's] settings, it is more likely than not that Symantec notified the user of the infection. The analysis revealed [Zeus] was quarantined on October 18, 2011 but the infection was never completely removed by Symantec Antivirus. Given [its] settings, it is more likely than not that Symantec notified the user of the quarantine. . . . Once [Zeus] executed, it remained resident, ultimately downloading a rash of subsequent infections that resulted in the unauthorized ACH transactions. The continued use of the computer after receiving multiple virus warnings is contrary to generally accepted computer security practices.

Three additional malicious executable files, downloaded automatically by [Zeus], still reside on the system. There is no evidence these files were detected by Symantec. [One] resulted in the download of . . . a virus. [It] . . . was downloaded and launched on October 26, 2011 [and] is considered directly responsible for the unauthorized wire transfers. . . .

Further, Symantec `Proactive Threat Protection’ was disabled due to the fact that it was last updated July 30, 2008. This left the system vulnerable to viruses created after 2008. . . .  Generally accepted security practices would include daily virus scans and ensuring the virus definitions are current. . . .

[T]he system was previously compromised on August 8, 2011. Symantec Antivirus . . . successfully removed that infection. This demonstrates the computer has a history of vulnerabilities due to user activity. The user(s) was also aware of this compromise after receiving Symantec's alert. . . .

CFS reviewed email activity on the system and was able to identify the specific message containing the malicious hyperlink. Other messages within the Outlook Express inbox also suggest that the email application was being used for purposes other than FedLink. For instance, the email account was used to order and track company purchases. This is contrary to generally accepted security practices. The use of email on a computer that's purpose is to initiate FedLink transactions resulted in that system's compromise.

Additionally, CFS determined that messages in the spam folder had been opened or read. Spam is a typical vehicle for malware.

CFS recovered and analyzed nearly one million URLs from Internet browser histories on the system. . . . Much of the history was found to relate to activity other than banking. For example, the user `FedLine’ multiple times, with and without private browsing activated, before and after the initial infection. . . .This is contrary to generally accepted computer security practices.

CFS also determined that the administrator user accounts, `Administrator’ and `FedLine’, were not password protected. This would have allowed the virus to execute itself as an administrator without the need of a password. This is contrary to generally accepted computer security practices.
State Bank v. BancInsure, supra. 
As a result of this investigation and other factors, BancInsure denied coverage and State Bank then filed suit against BancInsure, “asserting a claim for breach of contract.”  State Bank v. BancInsure, supra.  BancInsure responded by asserting three counterclaims, one of which asserted that it “owe[d] no duty” to provider coverage for the bank’s losses and another of which asserted a cause of action for breach of contract based on State Bank’s “alleged failure to provide a complete and accurate Proof of Loss and its alleged failure to cooperate with” BancInsure.  State Bank v. BancInsure, supra. 
Both sides eventually filed motions for summary judgment on their respective behalves. As Wikipedia explains, in U.S. law, a court can award summary judgment before
trial, effectively holding that no trial will be necessary. Issuance of summary judgment can be based only upon the court's finding that:
  1. there are no disputes of `material’ fact requiring a trial to resolve, and
  2. in applying the law to the undisputed facts, one party is clearly entitled to judgment. . . .
A `material fact’ is one which . . . could lead to judgment in favor of one party, rather than the other.
The District Court Judge began her analysis of BancInsure’s argument, in its summary judgment motion, BancInsure argued, in part, that the policy’s exclusions for a loss
`caused by an Employee’ . . ., `. . .  resulting directly or indirectly from theft of confidential information’ . . . and `. . . resulting directly or indirectly from mechanical failure . . . [or] gradual deterioration” of a computer system . . . preclude coverage of [State Bank’s] claim. As for the employee exclusion, [BancInsure] argues that `Bank employees caused the loss by intentionally disregarding Bank policies, Federal Reserve policies, and good banking practices.’ . . . [It] points to the employees' downloading of the Zeus virus through spam email, [their] continued use of the computer after it detected a virus, the employees' failure to enable and update antivirus software, the employees' failure to password-protect the FedLine user accounts, Ms. Kirchberg's use of another employee's password and token to complete a transfer on the day preceding the loss, and Ms. Kirchberg's failure to remove the tokens from the computer or shut down the computer on the day preceding the loss. . . .

According to [BancInsure], `[t]hese actions caused the loss by opening the door for cyber thefts.’ . . . As for the theft of confidential information exclusion, [it] argues that the employees' passwords and pass phrases were confidential, that those passwords and pass phrases were used to make the transfers, and, therefore, that `[t]he theft of [the] passwords and pass phrases caused the loss.’ . . .

Finally, as for the mechanical failure or gradual deterioration exclusion, [BancInsure] asserts that, because Proactive Threat Protection was disabled and its definitions not updated, the computer's antivirus software gradually deteriorated and allowed malware to be downloaded, which led to the unauthorized transfers. . . .

[State Bank] argues that none of these exclusions were triggered by the circumstances of the loss, but that even if they had been, [BancInsure] cannot satisfy its burden under Minnesota's concurrent causation doctrine of establishing that an excluded cause was the `overriding’ cause of the loss. . . .  
State Bank v. BancInsure, supra. 
The judge agreed with” State Bank.  State Bank v. BancInsure, supra.  She noted that
[w]hen there are multiple causes of an insured's loss, one of which is a `covered peril’ and the other of which is an `excluded peril,’ Minnesota's concurrent causation doctrine provides that the availability of coverage or the applicability of the exclusion depends on which peril was the `”overriding cause” ‘ of the loss. Friedberg v. Chubb & Son, Inc., 691 F.3d 948 (U.S. Court of Appeals for the 8th Circuit 2012) (quoting Henning Nelson Constr. Co. v. Fireman's Fund Am. Life Ins. Co., 383 N.W.2d 645 (Minnesota Supreme Court 1986)).
State Bank v. BancInsure, supra.  (This case was in federal court not because it involved any issues of federal law, but because the parties are “diverse,” i.e., are from different states.  As Wikipedia explains, the Constitution gives federal courts jurisdiction to hear such cases.  And as Wikipedia also explains, the U.S. Supreme Court has held that in diversity jurisdiction cases, the federal court applies the law of the relevant state.)        
Here, the District Court Judge applied Minnesota law and found that the computer systems
fraud was the efficient and proximate cause of [State Bank’s] loss. But for the hacker's fraudulent conduct, the $485,000 would not have been transferred. Conversely, neither the employees' violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer's antivirus software was the efficient and proximate cause of [its] loss.

Assuming all of these circumstances existed as [BancInsure] argues, it was not then a `foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus, even if those circumstances `played an essential role’ in the loss, they were not `independent and efficient causes’ of the loss. In other words, without the fraudster's actions, there would have been no loss even if all of the other circumstances [State Bank’s] loss.
State Bank v. BancInsure, supra.  
She therefore held that because BancInsure presented
no set of facts from which a reasonable jury could find that one of the excluded perils -- and not the computer systems fraud -- was the overriding cause of [State Bank’s] loss, [it] is entitled to summary judgment on its claim for breach of contract and on [BancInsure’s] claim for a declaratory judgment that it is not liable for coverage. Accordingly, [BancInsure] owes [State Bank] $480,000 under the Bond, which is the amount of the loss less the $5,000 deductible.
State Bank v. BancInsure, supra.  More precisely, the judge held that State Bank was “awarded the principal amount of $480,000 under the Bond, with prejudgment interest of $140,187.36, for a total of $620,187.36.”  State Bank v. BancInsure, supra. 

The judge’s opinion also addresses the legal issues raised by BancInsure’s motion for summary judgment, which she denied, but I am not addressing them, or the detailed analysis the judge conducted of State Bank’s motion for two reasons:  This post would be very long if I did that and the summary above, I think, explains why she ultimately found in favor of State Bank.  You can, if you are interested, find the full opinion here.

No comments: