Florida Bank Suffers Online Security Breach
Newsbytes ^ | 18 Apr 2002 | Brian McWilliams

Posted on 04/19/2002 8:27:28 AM PDT by UnsinkableMollyBrown

A large commercial bank in Florida said Wednesday that "an Internet hacker" penetrated the security of its systems earlier this month and made off with a file containing 3,600 online-banking customer names and addresses.

Officials of Republic Bank said the attacker managed to get past the bank's security firewalls but did not access account balances or transactions of its online banking customers.

According to Internet records, the server hosting Republic's online bank, located at http://secure.republic.openbank.com, is operated by Atlanta-based S1 Corp. [NASDAQ:SONE], a leading provider of electronic finance services to banks, credit unions, insurance providers and investment firms.

Chris Rogers, a spokesperson for S1, said the technology firm's systems and applications were not involved in the security incident at Republic.

"Nothing came in through us. This had nothing to do with S1," said Rogers.

Republic Bank's main Web site at http://www.republicbankfl.com is running Microsoft's Internet Information Server (IIS) version 4.0 and is hosted by Advances.com of Ft. Lauderdale.

A spokesperson for Republic said the bank learned of the security breach after the attacker contacted the bank two weeks ago. Republic withheld notifying customers about the incident until Wednesday at the request of the FBI, the representative said.

Republic spokesperson Harry Costello said he had no information about why the attacker contacted the bank about the breach, or whether the individual was cooperating with Republic.

Republic's customers who do not use online banking were unaffected by the security breach, according to the company.

The bank has hired an independent team of security consultants to review its security, according to a press release.

According to Costello, Republic has begun contacting affected customers and will give them the option of changing their passwords and other sign-on information. Republic Bank originally partnered with S1 in 1996 to become the first Florida-based bank to offer Internet banking to its customers, according to a March press release.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; News/Current Events; Technical
KEYWORDS: bank; finance; hack; infrastructure; internet; money; terrorism
It's important to remember that the bank would have never known about this break-in if the hacker hadn't told them. How many banks have been compromised that are completely unaware of the problem? This week I opened a new account at a bank, with the intention of keeping an account without an internet link. However, according to this major US bank, every account is linked to the internet. The clerk told me that if I don't want to have my account on the internet, I should not log on and use my user name and password. Further, she said that all accounts were accessible from the web and that they couldn't "unhook" them. I am not pleased about that.

I am subscribed to about eight different internet security newsgroups. About two months ago, an article came across my screen that caught my attention. New research points to the fact that governmental computing power (read China, Russia, Iraq, & etc.) can break 128 bit encryption. 128 bit encryption is the de facto standard on the web. Sites from Amazon.com to Paypal.com to your friendly neighborhood bank use 128 bit encryption. Don't use internet banking, unless from a shielded account.

Another slightly on-topic story. Last week, again in Florida (what is it with that state?!), officials retrieved highly sophisticated equipment to gather bank card numbers and PIN numbers. The perp had placed a pencil can near an ATM, and it contained a miniature camera. Nearby, police found a receiver to record the information. It was in the base of an ashtray, filled with sand and cigarette stubs. And they found a unit inside the card-swiping mechanism that read the information on your card, then transmitted it to the receiver. The interesting fact was that the unit was so slender that the bank machine could read the info, too, making the transaction work without a hitch, i.e. the victims would never know.

Bottom line, you better have a back up plan if your bank account goes up in smoke. Hmmm, they always said to diversify in the stock market. We should probably diversify in banking, too.

(If a government is going to attack, there will be too many victims for the feds to pony up that insurance money)

1 posted on 04/19/2002 8:27:28 AM PDT by UnsinkableMollyBrown

To: UnsinkableMollyBrown
Good points here, Molly. The thing that amazes me is the ATM fraud thing keeps being done over and over in a similar fashion. Wouldn't you think the banks would be proactive and try to devise an elimination of that type of theft? It's probably cheaper to NOT do anything, so that's the answer.....
2 posted on 04/19/2002 8:42:56 AM PDT by oust the louse

To: UnsinkableMollyBrown
For the record, Florida has had the only two bank failures in the country for the past three years, I believe. Go here to see what happened to my employer.
3 posted on 04/19/2002 8:44:56 AM PDT by Clemenza

To: UnsinkableMollyBrown
No, no, no - 128-bit symmetric encryption is still perfectly safe, and will remain safe for the foreseeable future, barring some major leaps in mathematical knowledge. What you're probably thinking of is Dan Bernstein's factoring research, and how it might affect key lengths for asymmetric encryption schemes. And the simple way around that is just to use longer keys - a minimum of 2048 bits will render such encryption practically impossible to crack for many years to come, and still-longer keys will buy you even more time.
4 posted on 04/19/2002 8:52:35 AM PDT by general_re

To: general_re
I'm evidently not as well versed in encryption technology as you, because I have no clue as to the difference between symmetrical and asymmetrical encryption. However, I did read his paper, and he did recommend that for a secure internet, companies should start using higher encryption standards. I think he said 528-bit (or 500-something) encryption.
5 posted on 04/19/2002 9:04:24 AM PDT by UnsinkableMollyBrown

To: UnsinkableMollyBrown
New research points to the fact that governmental computing power (read China, Russia, Iraq, & etc.) can break 128 bit encryption.

What is the evidence for this? Do you have a link on this research?

Thanks.

6 posted on 04/19/2002 9:17:35 AM PDT by Mitchell

Comment #7 Removed by Moderator

To: RedBloodedAmerican
D00d! U bttr del33te those fylz!!!!
8 posted on 04/19/2002 9:30:30 AM PDT by Tennessee_Bob

To: UnsinkableMollyBrown
128 bit encryption is the de facto standard on the web.

It is standard (and allowed) precisely because it is breakable.

9 posted on 04/19/2002 9:31:56 AM PDT by Cachelot

To: UnsinkableMollyBrown
If you're interested in a good introduction to cryptography, and you already have a semi-technical background, Bruce Schneier's book "Applied Cryptography" is an excellent resource that discusses cryptography and how it works, without getting too heavily into the mathematical theory underlying it.

Schneier also runs the Crypto-Gram newsletter, which is devoted to computer security issues in general. Bruce is a bona-fide cryptographer, with real experience in the field, and has the rare ability to cut through the hype and really analyze security and cryptography issues. You can read back issues and sign up for the newsletter here - I highly recommend it.

I don't know what you know, so I apologize in advance if you already know all this - I'm not trying to talk down to you, really ;) But briefly, the difference between symmetric and asymmetric encryption is how the keys work. With symmetric encryption, if I want to send you a coded message, you and I would have the same key - I use the key to encrypt it, and you use the exact same key to decrypt it. This is how SSL encryption for websites like your bank works. And it's very secure if properly implemented.

But with asymmetric encryption, there's two keys - this is what is known as public/private key encryption. And how it works is this - if you want me to send you encrypted messages, you would generate a pair of keys, one public and one private. And the public one is just that - public. You give it to me and to the entire world, because I use that public key to encrypt messages TO you, and anyone who has that key can encrypt messages that only you can read.

Why are you the only one who can read them? You gave the key out to the world, right? Wrong. You have a pair of keys - the public key encrypts, but only the private key can decrypt the message. You kept the private key to yourself - that's why it's private, after all - so you're the only one in the world who can decrypt messages that were encrypted with your public key.

But the way that public-key encryption works is that it generates keys by relying on very large numbers (prime factors, if you're interested). And because of how these numbers are generated, they're vulnerable to advances in mathematics (better and more efficient factoring algorithms). Which is what Bernstein's research is getting at - in certain limited circumstances, his work in factoring could theoretically be used to attack public-key encryption, if the key were short. So the solution is to use a longer key.

Here's a public key, just so you can see what they look like - this one is mine, and it is 4096 bits, which should be very secure for many years to come. Now that you have it, you could use it to encrypt messages to me that only I can read:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.8 for non-commercial use
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=yPI8
-----END PGP PUBLIC KEY BLOCK-----

10 posted on 04/19/2002 9:36:39 AM PDT by general_re

To: Mitchell
I meant 5k bit. Anyway, I don't have the original article, but here are some related links.

InfoSecurityMag
Or a newsgroup discussion concerning his research
Factoring Breakthrough?

11 posted on 04/19/2002 9:43:18 AM PDT by UnsinkableMollyBrown

To: oust the louse
Good points here, Molly. The thing that amazes me is the ATM fraud thing keeps being done over and over in a similar fashion. Wouldn't you think the banks would be proactive and try to devise an elimination of that type of theft? It's probably cheaper to NOT do anything, so that's the answer.....

All attempts at improving customer convenience (ATM cards, check cards, "Speedpass", etc.) will also ease the ability of technically savvy crooks to cheat the system. It's true that it's probably cheaper to not fix the problem you cite, but that mean it's the right decision.

Remember, it isn't you that loses the money when some crook hacks your card that way (though, of course, it is an inconvenience), it's the bank that loses the money. If some bank loses $100k to such fraud each year, does it make sense for them to spend $1Mil to fix it? When the thief can move on to the next trick tomorrow?

12 posted on 04/19/2002 9:53:18 AM PDT by IMRight

To: general_re
This is from last month's Crypto-Gram, where Schneier discusses Bernstein's factoring work in terms of what it means for encryption:

Bernstein's Factoring Breakthrough?

Last fall, mathematician Dan Bernstein circulated a paper discussing improvements in integer factorization, using specialized parallel hardware. The paper didn't get much attention until recently, when discussions sprang up on SlashDot and other Internet forums about the results. A naive read of the paper implies that factoring is now significantly easier using the machine described in the paper, and that keys as long as 2048 bits can now be broken.

This is not the case. The improvements described in Bernstein's paper are unlikely to produce the claimed speed improvements for practically useful numbers.

Currently the fastest factoring algorithm is the Number Field Sieve (NFS), which supplanted the Quadratic Sieve several years ago. Basically, the NFS has two phases. The first is a search for equations that satisfy certain mathematical properties. This step is highly parallelizable, and today is routinely done with thousands of computers. The second step is a large matrix calculation, which eventually produces the prime factors of the target number.

Bernstein attempts to improve the efficiency of both steps. There are some good observations here that will result in some minor speedups in factoring, but the enormous improvements claimed are more a result of redefining efficiency than anything else. Bernstein positions his results as an effect of massive parallelization. To me, this is misleading. You can always simulate a parallel machine on a single computer by using a time-sliced architecture. In his model, the "cost" of factoring is a product of time and space, and he claims that he can reduce the cost of parallel sorting from a factor of m^4 to m^3. Bernstein justifies his assumptions by claiming that a single processor needs m^2 memory, whereas an array of m^2 processors only needs constant memory. This may be true, but neglects to factor in the cost associated with connecting those processors: tying a million simple processors together is much more expensive than using a single processor of the same design with a million bits of memory. Again, it is not clear that this technique will buy you anything for practical sized numbers.

To be sure, Bernstein does not say anything different. (In fact, I commend him for not being part of the hyperbole.) His result is asymptotic. This means that it is eventually true, as the size of the number factored approaches infinity. This says nothing about how much more efficient Bernstein's algorithm is, or even whether or not it is more efficient than current techniques. Bernstein himself says this in one of his posts: "Protecting against [these techniques] means switching from n-bit keys to f(n)-bit keys. I'd like to emphasize that, at this point, very little is known about the function f. It's clear that f(n) is approximately (3.009...)n for *very* large sizes n, but I don't know whether f(n) is larger than n for *useful* sizes n." What he means is: at some bit length these techniques will be useful, but we have no idea what that bit length is.

I don't believe in the factor of n - 3n length improvement. Any practical implementation of these techniques depends heavily on complicated technological assumptions and tradeoffs. Parallel computing is much easier to say than it is to do, and there are always hidden complexities. I think when all the math is said and done, these other complexities will even out his enhancements.

This is not to belittle Bernstein's work. This is good research. I like his novel way of using sorting techniques to carry out the linear algebra part. This might be useful in a variety of other contexts, and is likely to open up new research directions in the design of more efficient sorting networks and sparse matrix algorithms. There are other speed improvements to the NFS in this paper, and they will most definitely be researched further.

Over the past several decades factoring has steadily gotten easier, and it's gotten easier faster than anyone would have believed. Speed improvements have come from four sources. One, processors have gotten faster. Two, processors have gotten cheaper and easier to network in parallel computations. Three, there have been steady flows of minor improvements to the factoring algorithms. And four, there have been fundamental advances in the mathematics of factoring.

I believe that Bernstein's work falls under the third category, and takes advantage of ancillary improvements in the second category. And if history is any guide, it will be years before anyone knows exactly whether, and how, this work will affect the actual factoring of practical numbers.

Bernstein Paper:
http://cr.yp.to/papers/nfscircuit.ps


13 posted on 04/19/2002 9:56:39 AM PDT by general_re

To: general_re
However, the fact remains that someone was able to hack into a bank.
14 posted on 04/19/2002 10:05:18 AM PDT by UnsinkableMollyBrown

To: UnsinkableMollyBrown
Just a feeling but the chances are pretty high the hacker either had an inside contact or gained access to the company from inside the bank. Sounds like a warning because the hacker did not attempt to access accounts.

Hacker Kevin Mitnik (sp?) was very good at bluffing his way inside by posing as an employee and / or a janitor which allowed him to log onto company computer systems. He would also call up people who had vital information from company telephones and get information directly from them.

15 posted on 04/19/2002 10:08:04 AM PDT by ex-Texan

To: UnsinkableMollyBrown
Oh, absolutely. But they didn't do it by cracking the encryption in the transactions online. When you look at these cases closely, it's almost invariably human failure that's the cause, rather than technical failure.

This person got past their firewalls and into their internal systems. There are a couple of ways to do that. One, he discovered some heretofore unknown hole in the firewall itself. Two, he exploited some well-known hole that the bank had failed to close. Or three, he was able to use some external information about the bank to present himself as a legitimate user to the bank's system - i.e., he got hold of someone's login/password and just waltzed right in.

I used to work for a bank that was in the process of implementing online account access, just like this one did, so I have something of an insider's perspective. And I'm not particularly enamored of it, myself - the technology is fine if it's implemented properly. But the human factor is almost inevitably the weak link - the best encryption and authentication in the world is useless if a cracker can just call someone in the bank and persuade them to give up their password info. Or if your IT people ever let their guard down for so much as a moment, and fail to close the holes that are invariably discovered over time.

It's a tradeoff - security versus convenience. There's no such thing as 100% perfect security, even if you air-gap your systems, but you can get pretty close if you're very careful. It's convenient for customers to have access to their accounts in such a manner, and banks are confident that the convenience will outweigh the small risks involved, just as the convenience of flying outweighs the risks for most people. They're probably right. But planes do occasionally crash, and you will see the occasional spectacular security breach of banking systems. Like I said, it's a tradeoff.

16 posted on 04/19/2002 10:21:00 AM PDT by general_re

To: Tennessee_Bob
D00d! U bttr del33te those fylz!!!!

Publik skool in-cript-shun?

17 posted on 04/19/2002 10:21:32 AM PDT by CJinVA

To: general_re
With symmetric encryption, if I want to send you a coded message, you and I would have the same key - I use the key to encrypt it, and you use the exact same key to decrypt it. This is how SSL encryption for websites like your bank works. And it's very secure if properly implemented

SSL uses both symmetric and asymmetric, but it is quite secure as you say. The biggest problems with asymmetric keys is not their length, but verification that certificates should be trusted, that they are not revoked, etc. This is sometimes left up to the programmer, and programmers can be lazy.

18 posted on 04/19/2002 10:22:36 AM PDT by palmer
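
The certificate-trust point made in the post above, as an added example that is not part of the original thread and does not describe either bank's or S1's actual setup. It assumes Go's standard crypto/x509 and crypto/tls packages and builds everything in memory: a self-signed root CA, a server certificate issued by it, and the check a correct client performs before trusting that certificate. The hostname online.bank.example, the CA names and the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent's key, or self-signs it when parent is nil,
// and returns the parsed certificate together with its new private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed root: the thing a client must explicitly trust.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// NewServerCert issues a leaf certificate for host, signed by the given CA.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// VerifyServerCert is the check a careful client performs: the chain must end
// at a trusted root, the name must match, and the certificate must be inside
// its validity period. Revocation (CRL/OCSP) is the next step, not shown here.
func VerifyServerCert(cert, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// StrictClientConfig pins trust to one root. The "lazy programmer" version
// sets InsecureSkipVerify: true and accepts any certificate from anyone.
func StrictClientConfig(trustedRoot *x509.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
}

func main() {
	const host = "online.bank.example" // hypothetical name
	ca, caKey, err := NewCA("Example Bank Root CA")
	if err != nil {
		panic(err)
	}
	leaf, _ := NewServerCert(ca, caKey, host)
	rogue, rogueKey, _ := NewCA("Rogue CA")
	forged, _ := NewServerCert(rogue, rogueKey, host)
	fmt.Println("genuine cert, right host: ", VerifyServerCert(leaf, ca, host))
	fmt.Println("genuine cert, wrong host: ", VerifyServerCert(leaf, ca, "phish.example"))
	fmt.Println("same name, untrusted CA:  ", VerifyServerCert(forged, ca, host))
	_ = StrictClientConfig(ca)
}
```

Note what fails and why: the forged certificate carries exactly the right hostname and is perfectly well-formed, and it is rejected only because its issuer is not in the trusted roots. That is the step a programmer skips when they set InsecureSkipVerify, and key length never enters into it.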

To: UnsinkableMollyBrown
When my son was in high school he and his buddies already knew how to HACK computer online systems. They got caught, thank goodness! It was explained to them that if they had been 18 or over, they would have been prosecuted. The thing about the whole deal is that I realize a LOT of teenagers know how to HACK even the most secure systems. Kinda scary! Son is now 21 and would never do that again. All they did was mess around with the high school computer system, they didn't fix grades or delete files. They just made the computers act up for the kids. But after they got caught, they realized that was a big NO NO! They no longer hack, but I told my son he should work for a company that needs his talent in order to find and stop other hackers.
19 posted on 04/19/2002 10:26:26 AM PDT by buffyt

To: general_re
Exactly. Encryption doesn't do any good if the rest of the infrastructure is weak. Kinda like putting a padlock on a screen door. I imagine what this person did was some kind of SQL injection into an input form that queried a customer table.
20 posted on 04/19/2002 10:34:24 AM PDT by sigSEGV
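
The post above is speculation, and nothing in the article says how the file was taken. As an added example (not from the thread, and not a description of the bank's actual application), here is the pattern the post imagines beside its fix, in Go. The query text, the customers table, the function names and the sample inputs are all constructed for the example; no database driver is used, so the block shows what the engine would see rather than executing anything.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// VulnerableCustomerQuery is the pattern the post imagines: the login typed
// into the web form is spliced straight into the SQL text. A quote in the
// input ends the string literal and the rest of the input becomes live SQL.
func VulnerableCustomerQuery(login string) string {
	return "SELECT name, address FROM customers WHERE login = '" + login + "'"
}

// SafeCustomerQuery keeps the statement fixed and sends the value separately
// as a bind parameter, which the driver can never interpret as SQL.
func SafeCustomerQuery(login string) (query string, args []interface{}) {
	return "SELECT name, address FROM customers WHERE login = ?", []interface{}{login}
}

// loginPattern is defence in depth on top of parameters, not instead of them.
var loginPattern = regexp.MustCompile(`^[A-Za-z0-9_.@-]{1,64}$`)

func ValidateLogin(login string) error {
	if !loginPattern.MatchString(login) {
		return fmt.Errorf("login %q contains characters a login never needs", login)
	}
	return nil
}

// TrailingSQL shows what the database engine sees after the login literal.
// A doubled quote ('') is an escaped quote inside the literal; any other
// single quote terminates it, and everything from there on is executed.
func TrailingSQL(query string) string {
	const marker = "login = '"
	i := strings.Index(query, marker)
	if i < 0 {
		return ""
	}
	rest := query[i+len(marker):]
	for j := 0; j < len(rest); j++ {
		if rest[j] != '\'' {
			continue
		}
		if j+1 < len(rest) && rest[j+1] == '\'' {
			j++ // escaped quote, still inside the literal
			continue
		}
		return rest[j:]
	}
	return rest // unterminated literal: the engine reports a syntax error
}

func main() {
	// Constructed inputs: a benign login and the classic tautology payload.
	for _, login := range []string{"alice", "' OR '1'='1"} {
		q := VulnerableCustomerQuery(login)
		fmt.Printf("input %q\n  concatenated:  %s\n  live SQL after literal: %s\n",
			login, q, TrailingSQL(q))
		safe, args := SafeCustomerQuery(login)
		fmt.Printf("  parameterised: %s  args=%q  validate=%v\n",
			safe, args, ValidateLogin(login))
	}
}
```

For a benign login the text after the literal is just the closing quote; for the payload it is `' OR '1'='1'`, a predicate that is true for every row, which is exactly how a lookup form would return an entire customer table. The parameterised form returns the same fixed statement for both inputs, with the payload riding along as data.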

