Free Republic
Florida Bank Suffers Online Security Breach
Newsbytes ^ | 18 Apr 2002 | Brian McWilliams

Posted on 04/19/2002 8:27:28 AM PDT by UnsinkableMollyBrown

To: palmer
Yeah, I was trying to keep it simple and avoid getting into session keys and the like, but you're quite right. And the other failure of SSL that I can envision quite readily is that users are pretty much conditioned to click "Accept" whenever that certificate popup rears its head. You could pop up a window that says "Shiznit Security double-d*mn you-bet certifies that this is Microsoft's certificate! And we really mean it!" - and most people would happily click okay and continue merrily along ;-)

Or what was the Digicrime one? Go here and click on the link that says "Still with ActiveX?" - it's harmless but amusing ;)

21 posted on 04/19/2002 10:36:58 AM PDT by general_re
[ Post Reply | Private Reply | To 18 | View Replies]
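The "click Accept on any certificate" failure described above has a client-side counterpart: software that turns off certificate validation accepts exactly the kind of made-up certificate the post jokes about. The following is an added example, not code from the thread or from any product mentioned in it; it uses only Python's standard `ssl` module and assumes nothing about the bank's systems. It shows the weak client configuration beside the default one and a check that tells them apart.

```python
# Added example (not from the thread): a TLS client context that skips
# certificate validation versus the default, validating one.
import ssl


def make_client_context(verify_peer: bool = True) -> ssl.SSLContext:
    """Return a TLS client context.

    verify_peer=True  -> the default context: loads the platform trust store,
                         validates the certificate chain and the hostname.
    verify_peer=False -> the unsafe pattern: any certificate is accepted,
                         whoever "certifies" it and whatever name it carries.
    """
    if verify_peer:
        return ssl.create_default_context()

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname must be off before verify_mode may be
    # set to CERT_NONE, otherwise the ssl module raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an untrusted or misnamed certificate."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def audit_contexts() -> dict:
    """Compare both configurations; a deployment review would flag any False."""
    return {
        "default": context_is_strict(make_client_context(True)),
        "accept_anything": context_is_strict(make_client_context(False)),
    }


if __name__ == "__main__":
    for name, strict in audit_contexts().items():
        print(f"{name}: {'validates certificates' if strict else 'ACCEPTS ANY CERTIFICATE'}")
```

The check in `context_is_strict` is the one to run against any context a code base builds by hand: a context that passes it still lets a user override nothing, because the decision to trust is made by the trust store, not by a popup.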

To: sigSEGV
I had an algorithms prof who used to illustrate technical versus human factors by saying that without accounting for good staff security practices, all the technical methods in the world were useless - it would be like triple-deadbolting, barricading, and nailing shut your front door, but leaving the window next to it wide open ;)
22 posted on 04/19/2002 10:43:17 AM PDT by general_re
[ Post Reply | Private Reply | To 20 | View Replies]

To: ex-Texan
Schneier emphasizes the human element. You could have a perfect cryptographic algorithm and lose the keys. Implementation is 90 percent of the ball game.

Most people assume cryptography is a silver bullet and can solve everything. One never assumes the cryptographic technique is unbreakable. The question is what will it take to break it and sloppy key implementation is an invitation to hackers.

23 posted on 04/19/2002 10:49:38 AM PDT by Credo
[ Post Reply | Private Reply | To 15 | View Replies]

To: UnsinkableMollyBrown
I saw this headline early this morning. After noon came word on the news of the FBI's warning of credible threats to northeast banks, which reminded me of the hoax a few days ago, that I had already forgotten.

My head is spinning.

Is it paranoid to presume that the next great terror attack will not utilize airplanes into tall buildings, but electronic disruptions that destroy our faith in "modern" commerce?

24 posted on 04/19/2002 11:25:00 AM PDT by muleboy
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re
mQGiBDyqdEYRBADt7/p62m/gzu6N5Uufx3VUjN53x5CbgbtzAEYyeI1EhhUr9ppu jH1txNV3p+u+tv+R/wEScO0kP0UM1I5pghUGpLzVhh6xLKH3nOa9seiMxOKu1as9 IRy/E0D26GG80y1vyLZMkxiQwE+EWKMaKtscpAiLOohfTbnOW83EA98DNQCg/5ym v3XnThw0hQXjxBhUesB9MJ0EAMcF/XrbyYrQKn1Y+fJzjcVV4dWZjK6KEPtFKfmG noYXbemyjT1wWsUr85kD6RiSou8wksUZPNsgbCa/M4CSwPZdhCSQSdqBQP7jVFW3 uN7aJQWYN9GN29id7Dho7m2+L9xeDAjKJhlezVDtRE/4su9DY+HJudP6EWQwsk4I g7RqBACfa3ffINgaCtd8NCjkWwW6Kadbd/UBpJbDGLJFiMkO6+OXu/m/XcFFQ9iX no/jCvrPqtxYCfjr0+OYdhOBhWklc26Fht28xBVYDSypYTG+P9FQuTXheNLIPdD2 1t65Sb5O15d3z6+w9q3FZPcyxrq+KvXXJp1aYELGF3ExeNLsILQpQW5kcmV3IEty YW1lciA8YWVrcmFtZXJAYWNzdS5idWZmYWxvLmVkdT6JAE4EEBECAA4FAjyqdEYE CwMCAQIZAQAKCRCEy5MinUHct8D6AKCcG6MV+hgoDLrqriixyPjSq6H2xgCfdEiX Kz+UUvx8oxgiK4ANME0GaLq5BA0EPKp3nxAQANJKuycpNz+DlgI+pg1E/MYU/C/9 avs6jEELl8rxr2LLDps2U4VnCm3pDkYDQR2BrXTZa+a2navZLsGFv3nXvH2jGdRp MbYd6HgeXV/95tTXLDpBFWx6r4AvmLUBXQI3XGUBJksDdFHC5dvtKRUGXF1ajqx3 54wydQQsMHyad+2OBILoyvBNTc/hFrqXDfKuM/MOx/uFZV6m0jJHbR/RlxXNvIw8 OsG6z0CIcUG3JveUW5N4U+4Cu+z02E8QyS6CsmjgjASJQGcNTn9gR00One+M7Vk2 5T6vUV85CP7Zn3yzlVq8igjLigoIOjL/aqenLR4nSOO+ShQ223c0V7U16RFcyn1y 9obESEEK9TOjc13ddi1/gk35YN+WZ/FgT3L5ZmHn3wvMw/PNQb3I0ekUGhxxH2xz xbxJ3sER5pAYdw1CwuJ/HY7HmmwbcuQmWYZhbLq9u5x7k/oX+13fXAYETeE8JSsA fNPIBkg1qh0rWmxMQcPJoKUQWn00hyBxPsxLaLBpQlvAS/lmQ3j17kqoq+8p9H26 fHIWrWxk+PqCHzWj87s1xp7YrMUcPkw6aK+3B67iMXxSTF5MMQ+GZT0XLmWw9Ub8 AG1njgGlyi+3piDq/dpNq/laSdA5272AcBrAENQPKsLdiprVrhfDQYznE9/UczPN P+ZncK+Ksr01jQXhAAICD/oC9gZ+0SlTzptIVevuROI2l6AlOT3EBGv3gjdKIZEF F6MBFbJTHI/NGFbXh8ZxKzEqVHphREU+cpJ4MfBNEMKfoUYpqFx21VS0kK25miZV NOWbeHzP3vfwqlokq7KupaV3GvLJ4XSPqAA37JbYWBjattBuIRhGR+SL4YOHe0ny TbY86FBKL2akz0agUdJvUrM+YPDg7vle+w9pQ1OASSVPxWTHY7k72dfVxONnBN+c n//ttm1FWQI6Ne9YVQJQ4UHvutkoz426SBQQom0Qe8ykk2RFzpYTYSli4wryCJan mb+WWSD+EojqoxPNTZWIhzGUNYAskW264LcEHU7EtUmqpip/6QFcq+Jeq961Jyb0 QDdDZd0NAorLrbMhGe04Tck2UZHHv06LwuSi/RvkVee2N1tCo7/Pf3Bz0Y1acYcj o8iMXWMdlzu2p//szS5OzAcB6sBdyw++EcY/c/T3lPcV+JS6l3pjjlPaOLOfe59t 
nGZcdkONW97Dv3xGGdPPYu1gAD582yqlJCrbhKs1GLz4zLmW4iAUjB7+K+ITmCjc dhhVSElDMeiUT6mIlGlgDh9oBNzKqZkF2AZ/OKpiYAPMqzKSQqEJTpBiynFBujN3 oDUE+yGuwM9RrF+SpnwZQWlwk6BS2QltdS/2wej+VULxd1lUwF+IHF2cdFarPyoW Q4kARgQYEQIABgUCPKp3nwAKCRCEy5MinUHct9jQAKC/3zzc81/cPYkO1C7eZfTW 9waodgCgqBfvruU0fKPfsarDS34fwgEV+7E= =yPI8
25 posted on 04/19/2002 11:28:39 AM PDT by Soul Citizen
[ Post Reply | Private Reply | To 10 | View Replies]

To: general_re
A large commercial bank in Florida said Wednesday that "an Internet hacker" penetrated the security of its systems earlier this month and made off with a file containing 3,600 online-banking customer names and addresses. Officials of Republic Bank said the attacker managed to get past the bank's security firewalls but did not access account balances or transactions of its online banking customers.

According to Internet records, the server hosting Republic's online bank, located at http://secure.republic.openbank.com , is operated by Atlanta-based S1 Corp. [NASDAQ:SONE], a leading provider of electronic finance services to banks, credit unions, insurance providers and investment firms. Chris Rogers, a spokesperson for S1, said the technology firm's systems and applications were not involved in the security incident at Republic. "Nothing came in through us. This had nothing to do with S1," said Rogers.

Republic Bank's main Web site at http://www.republicbankfl.com is running Microsoft's Internet Information Server (IIS) version 4.0 and is hosted by Advances.com of Ft. Lauderdale.

A spokesperson for Republic said the bank learned of the security breach after the attacker contacted the bank two weeks ago. Republic withheld notifying customers about the incident until Wednesday at the request of the FBI, the representative said. Republic spokesperson Harry Costello said he had no information about why the attacker contacted the bank about the breach, or whether the individual was cooperating with Republic.

Republic's customers who do not use online banking were unaffected by the security breach, according to the company. The bank has hired an independent team of security consultants to review its security, according to a press release. According to Costello, Republic has begun contacting affected customers and will give them the option of changing their passwords and other sign-on information.

Republic Bank originally partnered with S1 in 1996 to become the first Florida-based bank to offer Internet banking to its customers, according to a March press release. Republic Bank is online at Republic Bank. S1 Corporation is at S1 Corp.
26 posted on 04/19/2002 11:32:03 AM PDT by Soul Citizen
[ Post Reply | Private Reply | To 10 | View Replies]

Comment #27 Removed by Moderator

To: UnsinkableMollyBrown; LindaSOG
Thanks very much for the links.
28 posted on 04/19/2002 11:57:45 AM PDT by Mitchell
[ Post Reply | Private Reply | To 11 | View Replies]

To: Dominic Harr
Paging the "expert" in cryptography to comment...
29 posted on 04/19/2002 12:27:26 PM PDT by Bush2000
[ Post Reply | Private Reply | To 10 | View Replies]

To: UnsinkableMollyBrown;Admin Moderator
This article is from the Washington Post. There is a moratorium on posting full text from there until the lawsuit is resolved. "Newsbytes" is a section of the Washington Post and is not its own publication. Be careful.
30 posted on 04/19/2002 12:32:07 PM PDT by Demidog
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
We have a resident cryptographer? Go figure... ;)
31 posted on 04/19/2002 12:34:01 PM PDT by general_re
[ Post Reply | Private Reply | To 29 | View Replies]

To: Demidog;Admin Moderator
Mmmph. I didn't know that - if the Admin Moderators can modify thread titles and the like, surely they can clip the story posting to an appropriate length without yanking the thread altogether. Right? ;)
32 posted on 04/19/2002 12:36:29 PM PDT by general_re
[ Post Reply | Private Reply | To 30 | View Replies]

Comment #33 Removed by Moderator

To: Demidog
Didn't know that. I just received it via email...
34 posted on 04/19/2002 12:37:14 PM PDT by UnsinkableMollyBrown
[ Post Reply | Private Reply | To 30 | View Replies]

To: Buck Turgidson
I no longer have the article, but I did post links that discuss the research.
35 posted on 04/19/2002 12:39:19 PM PDT by UnsinkableMollyBrown
[ Post Reply | Private Reply | To 33 | View Replies]

To: UnsinkableMollyBrown
The bank has hired an independent team of security consultants to review its security, according to a press release.

Sure... now they do this...

36 posted on 04/19/2002 12:45:49 PM PDT by TechJunkYard
[ Post Reply | Private Reply | To 1 | View Replies]

To: general_re
We have a resident cryptographer? Go figure... ;)

No, I'm just a silly little Java developer who insists that there's no such thing as an 'unbreakable' code.

In the past, I've been pretty clear that I don't trust the 128 bit encryption.

My reasoning? These systems are business systems that will have to run for at least 5, more likely 10+ years.

128 is *probably* safe today. 60/40, I think. But I'd say there's about a 40% chance that it's already been cracked, and it's only a matter of time before the ecommerce world has its first 'Nimda'-level security problem.

And given the coming advances in hardware and software, there's no way this stuff is safe for the minimum 5 year lifespan of these tools.

37 posted on 04/20/2002 12:34:07 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 31 | View Replies]

To: Dominic Harr
No, I'm just a silly little Java developer who insists that there's no such thing as an 'unbreakable' code.

Well, you're right as far as it goes. Give me enough time and money, and I'll eventually crack any code you like. But the 'eventually' part is the important part - there's a difference between "theoretically crackable" and "practically crackable".

Keep in mind that with a 128-bit keyspace, there are 340,282,366,920,938,463,463,374,607,431,770,000,000 possible keys, only one of which is the right one for a given message. This does not bode well for attempts to brute-force decrypt a message encrypted with a 128-bit key - if we assume a machine capable of attempting 1,000,000 keys per second, then it will take 10,790,283,070,806,014,188,970,529 YEARS to work through the entire keyspace. Now assume I can try 1 billion keys per second - that's still 10,790,283,070,806,014,188,970 years to work through the entire keyspace.

On the average, of course, you'll work through half the keyspace before finding the right key, but half that time is...a really, really, long time. And in the worst case, you'll have to try every single one of the possible keys to find the right one. Contrast this with a message encrypted using a 40-bit keyspace, which a machine capable of running 1 billion keys per second will crack in 18 minutes, worst case. So, sure, in theory, I can crack ANY encryption by brute forcing it, but as a practical matter, forget it.

But maybe you mean that there's some weakness in 128-bit encryption that renders it vulnerable to means other than brute-force. But we've been talking about 128-bit encryption like it's something monolithic - which 128-bit algorithm is vulnerable? RC4? CAST? IDEA?

And does it really matter? If one turns out to be weak, there's plenty of other strong algorithms to choose from. And the new Advanced Encryption Standard which will be deployed over the next few years uses 256-bit keys - that's a keyspace of 115,792,089,237,316,195,423,570,985,008,690,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possible keys. That's a sh*tload of keys to try if you need to crack it.

So, the bottom line is you're much too pessimistic about the safety of 128-bit encryption. Sooner or later, it'll fall, but that day is a long, long, long way away. There just isn't enough computing horsepower to make it practical to crack.

And there's empirical evidence that the government can't crack it any better than anyone else. PGP generally uses either 128-bit CAST, 128-bit IDEA, or 160-bit Triple DES to encrypt. Remember the Nicky Scarfo case last year? Nicky was a reputed mobster who used PGP on his machine to keep his files secret, files that the FBI wanted to get their hands on. If they had a way of cracking it, back door or brute force, they could have just gotten a warrant, seized the computers, and broken it at their leisure. But they didn't - they got a warrant, snuck into his office, and installed a keyboard sniffer to grab his PGP password. Why would they do that if they didn't have to?

Commercial, private sector cryptography has come a long, long way in the last thirty years. I'd wager good money that cryptography in the private sector is as good as anything that any government anywhere in the world is capable of producing, including the much lauded NSA. Period. It's no accident that when the government wanted a new algorithm for AES, they turned to the private sector for options, and not the NSA...

38 posted on 04/20/2002 10:57:00 AM PDT by general_re
[ Post Reply | Private Reply | To 37 | View Replies]
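The exhaustive-search arithmetic in the post above (keyspace size, worst case versus average case, the 40-bit versus 128-bit comparison, and the effect of a faster machine) is carried through below as an added example; it is not code from the thread. It assumes a 365-day year and nothing about any particular cipher: a key search is a count of trials, so only the key length and the trial rate matter. It also adds one question the post leaves implicit, namely how fast a machine would have to be to finish a 128-bit search in a fixed number of years, which is the number a hardware-progress argument has to reach.

```python
# Added example (not from the thread): cost of exhaustively searching a
# symmetric keyspace, using exact integer arithmetic so 2**128 is not rounded.
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: a plain 365-day year


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length."""
    return 1 << bits


def search_seconds(bits: int, keys_per_second: int, average: bool = False) -> Fraction:
    """Seconds to try every key (worst case) or half of them (average case)."""
    trials = keyspace(bits)
    if average:
        trials //= 2  # on average the right key is found halfway through
    return Fraction(trials, keys_per_second)


def search_years(bits: int, keys_per_second: int, average: bool = False) -> int:
    """Whole years for the search, rounded down."""
    return int(search_seconds(bits, keys_per_second, average) / SECONDS_PER_YEAR)


def rate_needed(bits: int, years: int) -> int:
    """Keys per second required to exhaust the keyspace within `years` (worst case)."""
    return keyspace(bits) // (years * SECONDS_PER_YEAR)


def compare(bits_list=(40, 56, 128, 256), rates=(10**6, 10**9)) -> dict:
    """Worst-case years for each (key length, rate) pair, keyed as (bits, rate)."""
    return {(b, r): search_years(b, r) for b in bits_list for r in rates}


if __name__ == "__main__":
    print("2^128 =", keyspace(128))
    for (bits, rate), years in compare().items():
        print(f"{bits:3d}-bit key at {rate:>13,} keys/s: {years:,} years (worst case)")
    mins = search_seconds(40, 10**9) / 60
    print(f"40-bit key at 1e9 keys/s: {float(mins):.1f} minutes (worst case)")
    print("keys/s needed to exhaust 128 bits in 10 years:", f"{rate_needed(128, 10):,}")
```

Two things the numbers make concrete: halving the work (average case) or a thousandfold faster machine each shave only a few digits off a 39-digit count, while every additional key bit doubles it; and the rate needed to finish a 128-bit search within a product's lifetime is around 10^30 trials per second, which is the figure any "hardware will catch up" argument has to account for.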

To: general_re
So, the bottom line is you're much too pessimistic about the safety of 128-bit encryption. Sooner or later, it'll fall, but that day is a long, long, long way away.

I once thought that about many things. But in the technology world, next year is a long, long, long way away.

And I'm thinking the massive advances in OO software design are overturning all preconceived notions of what software is capable of. Notions built on algorithm-based processing. Especially with a massively parallel computer, as are now becoming more powerful and more common. There are a lot of powerful, complex new design patterns that are redefining what is possible with software. We're certainly at the point where one good idea, in either hardware or software, can render any type of encryption worse than useless.

And both you and I must concede that there is a possibility such a breakthrough has already been achieved, somewhere. And the odds of it happening increase with every day.

The theory that a 128 bit key is secure is a nice theory.

But that's all it is.

I respect what you're saying, and I certainly am aware that I could be wrong. But once you've heard as many 'uncrackable' claims as I have, it becomes hard to take new claims seriously.

39 posted on 04/20/2002 11:16:40 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 38 | View Replies]

