[fc-discuss] Financial Cryptography Update: Sighting of near-extinct beast - the profitable crypto attacker

iang@iang.org
Sat, 17 Dec 2005 14:53:43 +0000 (GMT)



                           December 17, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000611.html



------------------------------------------------------------------------

Regular readers know that I frequently stress that threats are
_unvalidated_ in that they derive from a textbook or a security
salesman's hyperactive imagination.  So it behoves us to collect data on
what are _validated_ threats.  In what might be a first, and is
certainly a rare event, we now have a report of two cryptosystems
that were breached in an attack of value.

The first looks like a classical insider attack against a digsig system,
using tricks that bypassed the checking of the signatures by switching
the requirement for them off.

It is the second one that is of more interest as it looks like a direct
attack on the encryption system, rather than a bypass attack.

================8<==============
E-Hijacking new threat to trucking

 by Sean Kilcarr, senior editor

 Nov 3, 2005 4:02 PM 
    
WASHINGTON D.C. The growing use of telematics for both gathering truck
performance data and for sending and receiving shipping documents also
exposes trucking to a new form of crime called "e-hijacking." 
  
At a special trucking safety and security seminar hosted by law firm
Patton Boggs LLP here in the nation's capital, Stephen Spoonamore, CEO
of data security consulting firm Cybrinth, gave examples of recent
e-hijacking events to illustrate why data security in trucking needs
tightening.

He pointed to the supposed loss of 3.9-million banking records stored
on computer backup tapes that were being shipped by UPS from New
York-based Citigroup to an Experian credit bureau in Texas. "These
tapes were not lost - they were stolen," Spoonamore said. "Not only
were they stolen, the theft occurred by altering the electronic
manifest in transit so it would be delivered right to the thieves." He
added that UPS, Citigroup, and Experian spent four days blaming each
other for losing the shipment before realizing it had actually been
stolen.

Spoonamore, a veteran of the intelligence community, said in his
analysis of this e-hijacking, upwards of 15 to 20 people needed to be
involved to hack five different computer systems simultaneously to
breach the electronic safeguards on the electronic manifest. The
manifest was reset from "secure" to "standard" while in transit, so it
could be delivered without the required three signatures, he said.
Afterward the manifest was put back to "secure" and three signatures
were uploaded into the system to appear as if proper procedures had
been followed.

"What's important to remember here is that there is no such thing as
'security' in the data world: all data systems can and will be
breached," Spoonamore said. "What you can have, however, is data
custody so you know at all times who has it, if they are supposed to
have it, and what they are doing with it. Custody is what begets data
security."

Another case involved a fleet of 350 trucks shipping hazardous
materials using telematics to download and track vehicle operating data
in real-time - monitoring engine speed, hard braking events, etc.

Spoonamore said the data streams coming from those vehicles only used a
basic level of encryption - codes broken by what he called an
"enterprising" local law firm that proceeded to download four months of
operating data on each truck - especially the actual road speed of each
truck over that period, down to the decimal point. The law firm then
sued the trucking company for speeding violations, using the carrier's
own telematics data against it.

"[Telematics] can tell you at 2 a.m. precisely where your truck is -
but do you know where your data is at that time? That's why you can't
totally trust your computer anymore," Spoonamore cautioned.
=======>8============>8=========


http://fleetowner.com/news/topstory/hijack_electronic_data_truck_ehijack_security_110305/

Note the difference between the two:  the hackers in the first had to
expose themselves to significant costs to attack the system;  this is
in accordance with the goal of security, which is to raise the costs
of the attack.  In the second, once the encryption was cracked, the
costs of the attack were fairly minimal and there was little exposure.
So much so that the attacker successfully entered court and displayed all!
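
In the first case, as reported, the manifest ends up "secure" with three
signatures, so the tampering is visible only in the event history.  The
following is an added example, not from the article or this post, that
replays a constructed audit trail and flags those events; the event names,
fields and manifest ids are hypothetical.

```python
REQUIRED_SIGNATURES = 3  # per the article: a "secure" manifest needs three signatures
# Constructed audit trail (hypothetical schema): (timestamp, manifest, event, detail)
SAMPLE_EVENTS = [
    ("2005-01-10T08:00", "M-1001", "created",   {"level": "secure"}),
    ("2005-01-10T09:30", "M-1001", "picked_up", {}),
    ("2005-01-10T14:10", "M-1001", "level_set", {"level": "standard"}),
    ("2005-01-10T16:45", "M-1001", "delivered", {}),
    ("2005-01-10T17:20", "M-1001", "level_set", {"level": "secure"}),
    ("2005-01-10T17:25", "M-1001", "signature", {"signer": "A"}),
    ("2005-01-10T17:26", "M-1001", "signature", {"signer": "B"}),
    ("2005-01-10T17:27", "M-1001", "signature", {"signer": "C"}),
    ("2005-01-11T08:00", "M-1002", "created",   {"level": "secure"}),
    ("2005-01-11T09:00", "M-1002", "picked_up", {}),
    ("2005-01-11T15:00", "M-1002", "signature", {"signer": "D"}),
    ("2005-01-11T15:01", "M-1002", "signature", {"signer": "E"}),
    ("2005-01-11T15:02", "M-1002", "signature", {"signer": "F"}),
    ("2005-01-11T15:05", "M-1002", "delivered", {}),
]

def audit_manifests(events):
    """Replay events in time order; return {manifest_id: [findings]}."""
    state, findings = {}, {}
    for ts, mid, kind, detail in sorted(events, key=lambda e: e[0]):
        s = state.setdefault(mid, {"level": None, "orig": None, "phase": "new", "sigs": 0})
        notes = []
        if kind == "created":
            s["level"] = s["orig"] = detail["level"]
        elif kind == "picked_up":
            s["phase"] = "in_transit"
        elif kind == "level_set":
            # The level should be fixed once the shipment has left the sender.
            if s["phase"] != "new" and detail["level"] != s["level"]:
                notes.append(f"level {s['level']}->{detail['level']} while {s['phase']}")
            s["level"] = detail["level"]
        elif kind == "signature":
            if s["phase"] == "delivered":
                notes.append(f"signature by {detail['signer']} after delivery")
            s["sigs"] += 1
        elif kind == "delivered":
            # Judge against the level the manifest was created with, not the current one.
            if s["orig"] == "secure" and s["sigs"] < REQUIRED_SIGNATURES:
                notes.append(f"delivered with {s['sigs']}/{REQUIRED_SIGNATURES} signatures")
            s["phase"] = "delivered"
        if notes:
            findings.setdefault(mid, []).extend(f"{ts} {n}" for n in notes)
    return findings

if __name__ == "__main__":
    for mid, notes in audit_manifests(SAMPLE_EVENTS).items():
        print(mid, *notes, sep="\n  ")
```

The final record for M-1001 reads "secure" with three signatures; only the
replayed history shows the downgrade in transit and the backfilled signatures.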

Other bloggers have picked it up (Adam pointed to Bruce Schneier). 
Adam quite correctly points out it is uncorroborated, and the notion of
an insider attack involving 15-20 people has to be treated with care if
not outright suspicion.  Still, something happened, and this is one to
watch in our developing threat scenario.

Maybe we can now start a count of how many times the crypto is
attacked!
