Posted on 04/19/2002 8:27:28 AM PDT by UnsinkableMollyBrown
A large commercial bank in Florida said Wednesday that "an Internet hacker" penetrated the security of its systems earlier this month and made off with a file containing 3,600 online-banking customer names and addresses.
Officials of Republic Bank said the attacker managed to get past the bank's security firewalls but did not access account balances or transactions of its online banking customers.
According to Internet records, the server hosting Republic's online bank, located at http://secure.republic.openbank.com , is operated by Atlanta-based S1 Corp. [NASDAQ:SONE], a leading provider of electronic finance services to banks, credit unions, insurance providers and investment firms.
Chris Rogers, a spokesperson for S1, said the technology firm's systems and applications were not involved in the security incident at Republic.
"Nothing came in through us. This had nothing to do with S1," said Rogers.
Republic Bank's main Web site at http://www.republicbankfl.com is running Microsoft's Internet Information Server (IIS) version 4.0 and is hosted by Advances.com of Ft. Lauderdale.
A spokesperson for Republic said the bank learned of the security breach after the attacker contacted the bank two weeks ago. Republic withheld notifying customers about the incident until Wednesday at the request of the FBI, the representative said.
Republic spokesperson Harry Costello said he had no information about why the attacker contacted the bank about the breach, or whether the individual was cooperating with Republic.
Republic's customers who do not use online banking were unaffected by the security breach, according to the company.
The bank has hired an independent team of security consultants to review its security, according to a press release.
According to Costello, Republic has begun contacting affected customers and will give them the option of changing their passwords and other sign-on information. Republic Bank originally partnered with S1 in 1996 to become the first Florida-based bank to offer Internet banking to its customers, according to a March press release.
Or what was the Digicrime one? Go here and click on the link that says "Still with ActiveX?" - it's harmless but amusing ;)
Most people assume cryptography is a silver bullet and can solve everything. One never assumes the cryptographic technique is unbreakable. The question is what will it take to break it and sloppy key implementation is an invitation to hackers.
My head is spinning.
Is it paranoid to presume that the next great terror attack will not utilize airplanes into tall buildings, but electronic disruptions that destroy our faith in "modern" commerce?
Sure... now they do this...
No, I'm just a silly little Java developer who insists that there's no such thing as an 'unbreakable' code.
In the past, I've been pretty clear that I don't trust the 128 bit encryption.
My reasoning? These systems are business systems that will have to run for at least 5, more likely 10+ years.
128 is *probably* safe today. 60/40, I think. But I'd say there's about a 40% chance that it's already been cracked, and it's only a matter of time before the ecommerce world has its first 'Nimda'-level security problem.
And given the coming advances in hardware and software, there's no way this stuff is safe for the minimum 5 year lifespan of these tools.
Well, you're right as far as it goes. Give me enough time and money, and I'll eventually crack any code you like. But the 'eventually' part is the important part - there's a difference between "theoretically crackable" and "practically crackable".
Keep in mind that with a 128-bit keyspace, there are 340,282,366,920,938,463,463,374,607,431,770,000,000 possible keys, only one of which is the right one for a given message. This does not bode well for attempts to brute-force decrypt a message encrypted with a 128-bit key - if we assume a machine capable of attempting 1,000,000 keys per second, then it will take 10,790,283,070,806,014,188,970,529 YEARS to work through the entire keyspace. Now assume I can try 1 billion keys per second - that's still 10,790,283,070,806,014,188,970 years to work through the entire keyspace.
On the average, of course, you'll work through half the keyspace before finding the right key, but half that time is...a really, really, long time. And in the worst case, you'll have to try every single one of the possible keys to find the right one. Contrast this with a message encrypted using a 40-bit keyspace, which a machine capable of running 1 billion keys per second will crack in 18 minutes, worst case. So, sure, in theory, I can crack ANY encryption by brute forcing it, but as a practical matter, forget it.
But maybe you mean that there's some weakness in 128-bit encryption that renders it vulnerable to means other than brute-force. But we've been talking about 128-bit encryption like it's something monolithic - which 128-bit algorithm is vulnerable? RC4? CAST? IDEA?
And does it really matter? If one turns out to be weak, there's plenty of other strong algorithms to choose from. And the new Advanced Encryption Standard which will be deployed over the next few years uses 256-bit keys - that's a keyspace of 115,792,089,237,316,195,423,570,985,008,690,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possible keys. That's a sh*tload of keys to try if you need to crack it.
So, the bottom line is you're much too pessimistic about the safety of 128-bit encryption. Sooner or later, it'll fall, but that day is a long, long, long way away. There just isn't enough computing horsepower to make it practical to crack.
And there's empirical evidence that the government can't crack it any better than anyone else. PGP generally uses either 128-bit CAST, 128-bit IDEA, or 160-bit Triple DES to encrypt. Remember the Nicky Scarfo case last year? Nicky was a reputed mobster who used PGP on his machine to keep his files secret, files that the FBI wanted to get their hands on. If they had a way of cracking it, back door or brute force, they could have just gotten a warrant, seized the computers, and broken it at their leisure. But they didn't - they got a warrant, snuck into his office, and installed a keyboard sniffer to grab his PGP password. Why would they do that if they didn't have to?
Commercial, private sector cryptography has come a long, long way in the last thirty years. I'd wager good money that cryptography in the private sector is as good as anything that any government anywhere in the world is capable of producing, including the much lauded NSA. Period. It's no accident that when the government wanted a new algorithm for AES, they turned to the private sector for options, and not the NSA...
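The brute-force arithmetic in the post above, worked out as an added example that is not part of the original thread. It reproduces the 40-bit, 128-bit and 256-bit figures with exact integer arithmetic (a 365-day year is assumed, since that is what reproduces the quoted year counts), and goes one step further than the post: it estimates how many bits of keyspace an attacker can actually search over a system's 5- to 10-year lifetime, including a constructed assumption that guessing speed doubles every so many years, so the "hardware advances" objection can be put in numbers rather than argued in the abstract.

```python
from fractions import Fraction
import math

# Assumption: a 365-day year, the convention that reproduces the year
# figures quoted in the post above.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(key_bits: int) -> int:
    """Number of distinct keys of the given length (2**key_bits)."""
    return 1 << key_bits


def brute_force_seconds(key_bits: int, keys_per_second: int,
                        worst_case: bool = True) -> Fraction:
    """Exact time to exhaust a keyspace by trial decryption.

    Worst case tries every key; the average case needs half of them.
    Rational arithmetic keeps 256-bit keyspaces exact instead of overflowing.
    """
    keys = keyspace(key_bits)
    if not worst_case:
        keys //= 2
    return Fraction(keys, keys_per_second)


def brute_force_years(key_bits: int, keys_per_second: int,
                      worst_case: bool = True) -> int:
    """Whole years (floored) to exhaust the keyspace, as in the post's figures."""
    return int(brute_force_seconds(key_bits, keys_per_second, worst_case)
               // SECONDS_PER_YEAR)


def searchable_bits(keys_per_second: float, lifetime_years: int,
                    doubling_years: float = 0.0) -> float:
    """log2 of how many keys an attacker can try over a system's lifetime.

    If doubling_years is non-zero, the attacker's rate doubles every that
    many years (a constructed growth assumption, not a measured trend); the
    total is summed year by year. A key is only comfortable if its length
    exceeds this value by a wide margin.
    """
    total = 0.0
    for year in range(lifetime_years):
        growth = 2 ** (year / doubling_years) if doubling_years else 1.0
        total += keys_per_second * SECONDS_PER_YEAR * growth
    return math.log2(total)


def security_margin_bits(key_bits: int, keys_per_second: float,
                         lifetime_years: int, doubling_years: float = 0.0) -> float:
    """Bits of key length left over after a lifetime's worth of guessing."""
    return key_bits - searchable_bits(keys_per_second, lifetime_years, doubling_years)


if __name__ == "__main__":
    for bits, rate in ((40, 10**9), (128, 10**6), (128, 10**9), (256, 10**9)):
        secs = brute_force_seconds(bits, rate)
        print(f"{bits:>3}-bit at {rate:>13,} keys/s: worst case {float(secs):.3g} s "
              f"= {brute_force_years(bits, rate):,} years")
    # The "10+ year lifespan" worry from earlier in the thread, in numbers:
    # 1e9 keys/s today, doubling every 1.5 years, over a 10-year deployment.
    print("128-bit key, 10 years, 1e9 keys/s doubling every 1.5 years: "
          f"{security_margin_bits(128, 10**9, 10, 1.5):.1f} bits of margin")
```

The lifetime calculation is the part worth keeping: even with the guessing rate doubling every 18 months, a ten-year deployment searches on the order of 2^62 keys, which leaves a 128-bit key roughly 66 bits of headroom. That is why practitioners worry about key handling and implementation flaws (the "sloppy key implementation" point made earlier in the thread) far more than about raw keyspace size.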
I once thought that about many things. But in the technology world, next year is a long, long, long way away.
And I'm thinking the massive advances in OO software design are overturning all preconceived notions of what software is capable of. Notions built on algorithm-based processing. Especially with a massively parallel computer, as are now becoming more powerful and more common. There are a lot of powerful, complex new design patterns that are redefining what is possible with software. We're certainly at the point where one good idea, in either hardware or software, can render any type of encryption worse than useless.
And both you and I must concede that there is a possibility such a breakthrough has already been achieved, somewhere. And the odds of it happening increase with every day.
The theory that a 128 bit key is secure is a nice theory.
But that's all it is.
I respect what you're saying, and I certainly am aware that I could be wrong. But once you've heard as many 'uncrackable' claims as I have, it becomes hard to take new claims seriously.