October 1994
Computer Fraud & Security Bulletin
means that the upgraded software will only work with the reconfigured UniKey hardware. Each UniKey can be reconfigured up to 10 times. The reconfiguration process is by the exchange of a data string which can be accomplished via the telephone or fax. For further information contact Software Security International Ltd on +44 (0) 784 430060.
ANTICIPATING AN END TO FRAUD
Lisa Armstrong
The developers of Sherlock claim the software program can not only detect and prevent bank and credit fraud but also anticipate it. According to James C. Hope of NeuralTech Inc, Sherlock’s applications include all types of risk management, credit and collection issues, bond analysis, bankruptcy prediction and marketing response predictions. Its most distinguishing quality is its capacity to anticipate fraudulent situations. It can analyze massive amounts of data, identify patterns and determine a probability risk. Fraud risk assessment combines the probability of fraud with the magnitude of the decision to be made, and comes up with a decision as to whether or not the risk should be taken. Hope believes Sherlock can decrease the incidence of bank and credit fraud by 25-40%. Sherlock works in two ways: it can identify fraudulent behaviour at point of authorization and it is able to detect patterns of multiple transactions which are correlated with fraud. Accounts can be routinely assessed in order to provide an image of the macroscopic risk potential of a portfolio. Individual transactions can also be analyzed. Sherlock is part of the innovative technology of artificial neural networks. It analyzes data, such as time of day, transaction amount and geographical location, and computes the probability of fraudulent activity.
©1994 Elsevier Science Ltd
SUSPICIONS SURFACE ABOUT BUGGED SWISS ENCRYPTION UNITS
For the past several months, the Swiss, German and French media have been buzzing about an allegedly fantastic trap door encryption scheme involving Crypto AG, one of the world’s foremost cryptographic companies. Crypto AG manufactures encryption hardware for domestic Swiss customers like the Swiss Federal Council as well as for foreign customers in over 120 countries around the world. There have been allegations that the foreign customers have included Libya, Syria, Iraq and Iran.
On 18 March 1992, Hans Buehler, a Swiss marketing representative for Crypto AG, a Steinhausen, Switzerland-based cryptographic firm, was arrested in Teheran by Iranian police and charged with espionage. A deal with Iran had resulted in several trips by Buehler to Teheran. Upon his arrest, Iran demanded a $1 million bail bond from Crypto AG as a ransom for Buehler’s release. After spending nine months in solitary confinement, Buehler was released by his Iranian jailers in January 1993, after Crypto AG paid the ransom to Iran. Shortly after Buehler’s return to Switzerland he was abruptly fired by Crypto AG. To add insult to injury, Crypto demanded that he repay them the $1 million (about 6 million Swiss francs).
Buehler has recently told his story in a new book entitled Verschlüsselt (Ciphered) which was published by Werd Verlag of Zurich in March 1994. Buehler claims that Crypto AG is not owned by Swiss nationals but by the German Federal Intelligence Service (BND) via a post box company in Vaduz, Liechtenstein, called the Establishment European Trading Company. Furthermore, Buehler claims that German and American crypto specialists from the German Cipher Bureau [Zentralstelle für Chiffrierwesen (ZfCH)] in Bad Godesberg and the National Security Agency (NSA) in Fort Meade, Maryland, USA, have been manipulating Crypto AG encryption units for at least the past 15 years. There is additional speculation that NSA has been planting trojan horses in Crypto AG machines since as early as 1957 when Boris Hagelin, Crypto’s Swedish founder, agreed to give NSA all the technical details of his machines. This was highlighted in James Bamford’s seminal work on NSA, The Puzzle Palace.
There is some speculation that NSA has exacted similar agreements to retrofit the encryption products of other manufacturers of crypto products, especially companies based in small NATO and neutral European nations.
Buehler particularly focuses on the claim that NSA/BND-re-engineered cipher machines sold to Libya allowed NSA to eavesdrop on encoded communications between Tripoli and the Libyan People’s Bureau (embassy) in East Berlin during 1986. Based on these intercepts, NSA was able to prove Libya’s official involvement with the West Berlin La Belle discotheque terrorist bombing in which a number of US servicemen were either killed or injured. This intelligence ultimately led to the US bombing raid on Libya. There are also claims that ‘bugged’ Crypto AG machines sold to Iran and used to encrypt coded messages between Teheran and Iranian diplomatic missions in Paris, London, Bonn and Geneva, permitted NSA and BND to prove beyond a doubt that the Iranian Government was involved in the assassination of former Iranian Prime Minister Shahpour Bakhtiar at his home near Paris in August 1991. Other alleged recipients of bugged Crypto AG units included the East German Stasi and the Russian KGB. There is some media speculation that the Russian coup plotters who attempted to oust Mikhail Gorbachev and Boris Yeltsin used such equipment to plan their revolt. It is believed that President Bush supplied the plotters’ decoded messages to both Gorbachev and Yeltsin who were able to act against individually identified coup leaders.
Crypto AG vehemently denies the allegations made against it. In an April 1994 statement, the company declared, “It appears that this campaign is aimed at discrediting the integrity and reputation of Crypto AG, particularly as regards the level of security of our products. It has been the total commitment of Crypto AG for over 40 years to design and produce equipment that meets the highest security levels utilizing state-of-the-art scientific and engineering know-how.” The statement goes on to say, “The belief, commonly held by outsiders, that the customer buys a black box, the functioning of which he does not know, has no connection to reality. No discerning customer would accept such a procedure and no manufacturer trying to cheat or manipulate the equipment would survive in this extremely demanding market.”
Buehler contends that it was the suspicions that Iran had of Crypto AG’s communications intelligence (COMINT) activities that ultimately led to his arrest. The Iranians told Buehler while he was being interrogated that they knew that Crypto AG had been supplying their codes to American and German intelligence. In particular, they believed that the company had provided Iranian army codes to the Iraqis. The Swiss Justice Ministry and the Federal Police (BUPO) launched an investigation into the charges against Crypto AG. As of 31 August 1994, their investigation had not led to any civil or criminal action against Crypto AG, but Crypto has filed a lawsuit against Buehler.
With many companies and individuals concerned about US plans to escrow encryption keys (Clipper and Capstone), reports of NSA bugging encryption hardware will do little to calm their fears that the electronic surveillance agency is seeking increased powers to conduct communications intelligence-gathering with or without legal authorization.
ENCRYPTION OVER THE INTERNET
Lisa Armstrong
The Internet has become secure enough for a computer programmer to trust the network with his Visa card number. Phil Brandenberger is the first person to use the encryption technology of a small US company called NetMarket to purchase a compact disk over the Internet. Brandenberger, a system programmer at the prestigious US Wharton School of Business, bought a compact disk in his lunch hour with his Visa account and an encryption service from the NetMarket Company. NetMarket is a tiny start-up company featuring four partners and one employee. Its encryption technology incorporates