December 17, 2005

Sighting of near-extinct beast - the profitable crypto attacker

Regular readers know that I frequently stress that many threats are unvalidated, in that they derive from a textbook or a security salesman's hyperactive imagination. So it behoves us to collect data on which threats are validated. In what might be a first, and is certainly a rare event, we now have a report that points to two cryptosystems breached in attacks of value.

The first looks like a classical insider attack against a digital-signature system: the signatures were not forged but bypassed, by tricks that switched off the need for them.

It is the second that is of more interest, as it looks like a direct attack on the encryption rather than a bypass attack.

E-Hijacking new threat to trucking

by Sean Kilcarr, senior editor - Nov 3, 2005 4:02 PM

WASHINGTON D.C. The growing use of telematics for both gathering truck performance data and for sending and receiving shipping documents also exposes trucking to a new form of crime called "e-hijacking."

At a special trucking safety and security seminar hosted by law firm Patton Boggs LLP here in the nation's capital, Stephen Spoonamore, CEO of data security consulting firm Cybrinth, gave examples of recent e-hijacking events to illustrate why data security in trucking needs tightening.

He pointed to the supposed loss of 3.9-million banking records stored on computer backup tapes that were being shipped by UPS from New York-based Citigroup to an Experian credit bureau in Texas. "These tapes were not lost - they were stolen," Spoonamore said. "Not only were they stolen, the theft occurred by altering the electronic manifest in transit so it would be delivered right to the thieves." He added that UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen.

Spoonamore, a veteran of the intelligence community, said in his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest. The manifest was reset from "secure" to "standard" while in transit, so it could be delivered without the required three signatures, he said. Afterward the manifest was put back to "secure" and three signatures were uploaded into the system to appear as if proper procedures had been followed.

"What's important to remember here is that there is no such thing as 'security' in the data world: all data systems can and will be breached," Spoonamore said. "What you can have, however, is data custody so you know at all times who has it, if they are supposed to have it, and what they are doing with it. Custody is what begets data security."

Another case involved a fleet of 350 trucks shipping hazardous materials using telematics to download and track vehicle operating data in real-time - monitoring engine speed, hard braking events, etc.

Spoonamore said the data streams coming from those vehicles only used a basic level of encryption - codes broken by what he called an "enterprising" local law firm that proceeded to download four months of operating data on each truck - especially the actual road speed of each truck over that period, down to the decimal point. The law firm then sued the trucking company for speeding violations, using the carrier's own telematics data against it.

"[Telematics] can tell you at 2 a.m. precisely where your truck is - but do you know where your data is at that time? That's why you can't totally trust your computer anymore," Spoonamore cautioned.

Note the difference between the two. In the first, the attackers had to expose themselves to significant costs to attack the system; that is what the security was for, the goal of security being to raise the cost of attack. In the second, once the encryption was cracked, the marginal cost of the attack was minimal and there was little exposure. So little, in fact, that the attacker walked into court and displayed the lot!
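To make the shape of the first attack concrete, here is an added illustration in Python; it is not code from the original post, nor from any of the manifest systems the article describes. It shows a release check that reads its handling policy from a mutable field in the manifest (so flipping the field to "standard" turns the signature requirement off, and counting uploaded signature records afterwards looks fine) beside a hardened check that derives the policy from a value the shipper signed at creation. The manifest format, field names, party names, the "handling" flag and the use of HMAC-SHA256 as a stand-in for real digital signatures are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed per-party keys. HMAC-SHA256 stands in for the digital signatures a
# real manifest system would use; the data model and field names are hypothetical.
SIGNER_KEYS = {
    "shipper": b"shipper-key-0001",
    "carrier": b"carrier-key-0002",
    "consignee": b"consignee-key-0003",
}
# Handling policy: a "secure" shipment needs all three signatures before release.
POLICY = {"secure": ["shipper", "carrier", "consignee"], "standard": []}
CORE_FIELDS = ("shipment", "destination", "handling")


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(signer: str, payload: dict) -> str:
    return hmac.new(SIGNER_KEYS[signer], canonical(payload), hashlib.sha256).hexdigest()


def valid(signer: str, payload: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(signer, payload), tag)


def core(manifest: dict) -> dict:
    """The fields a signature covers: everything except the signatures themselves."""
    return {k: manifest[k] for k in CORE_FIELDS}


def new_manifest(shipment: str, destination: str, handling: str) -> dict:
    m = {"shipment": shipment, "destination": destination, "handling": handling, "signatures": {}}
    # Used by the hardened check only: the shipper commits to destination and handling up front.
    m["origin_sig"] = sign("shipper", core(m))
    return m


def add_signature(manifest: dict, signer: str) -> None:
    manifest["signatures"][signer] = sign(signer, core(manifest))


def release_vulnerable(manifest: dict) -> bool:
    """Reads the handling level from a mutable, unauthenticated field.
    Flipping it to 'standard' switches the signature requirement off."""
    required = POLICY[manifest["handling"]]
    return all(valid(s, core(manifest), manifest["signatures"].get(s, "")) for s in required)


def release_hardened(manifest: dict) -> bool:
    """Derives the policy from what the shipper signed. Any edit to destination
    or handling breaks origin_sig, so the check cannot be switched off in transit."""
    if not valid("shipper", core(manifest), manifest.get("origin_sig", "")):
        return False
    required = POLICY[manifest["handling"]]
    return all(valid(s, core(manifest), manifest["signatures"].get(s, "")) for s in required)


def audit_naive(manifest: dict) -> bool:
    """Post-hoc audit that only counts uploaded signature records, never verifies them."""
    return len(manifest["signatures"]) == len(POLICY["secure"])


def e_hijack(manifest: dict, drop_site: str) -> dict:
    """Insider step 1: downgrade the manifest in transit and redirect it."""
    m = json.loads(json.dumps(manifest))
    m["handling"] = "standard"
    m["destination"] = drop_site
    return m


def cover_tracks(manifest: dict) -> dict:
    """Insider step 2: restore 'secure' and upload three signature records
    that no signer ever computed."""
    m = json.loads(json.dumps(manifest))
    m["handling"] = "secure"
    m["signatures"] = {s: "00" * 32 for s in POLICY["secure"]}
    return m


def demo() -> dict:
    legit = new_manifest("SHP-0001", "consignee-dc-1", "secure")   # constructed identifiers
    for s in POLICY["secure"]:
        add_signature(legit, s)
    hijacked = e_hijack(legit, "drop-site-9")
    covered = cover_tracks(hijacked)
    return {
        "legit_vulnerable": release_vulnerable(legit),
        "legit_hardened": release_hardened(legit),
        "hijacked_vulnerable": release_vulnerable(hijacked),   # True: checks switched off
        "hijacked_hardened": release_hardened(hijacked),       # False: origin_sig broken
        "covered_audit_naive": audit_naive(covered),           # True: three records present
        "covered_audit_hardened": release_hardened(covered),   # False: nothing verifies
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened version is not the stronger primitive but where the policy lives: the level of checking a shipment gets is itself part of what the originator signs, so nobody downstream can lower it without invalidating the commitment, and a later audit that re-verifies rather than counts signatures catches the cover-up as well.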

Other bloggers have picked it up (Emergent Chaos pointed to Bruce Schneier). Chris Walsh quite correctly points out that it is uncorroborated, and the notion of an insider attack involving 15 to 20 people has to be treated with care, if not outright suspicion. Still, something happened, and this is one to watch in our developing threat scenario.

Maybe we can now start a count of how many times the crypto is attacked!
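The second case, as an added illustration in Python that is not code from the original post and says nothing about what the real telematics link used. The article only says the data streams had "a basic level of encryption"; here a 16-byte repeating-key XOR stands in for it, and a fixed frame header stands in for the known plaintext an attacker would find in any structured telemetry format. The break recovers the key once from the header, then decrypts every frame and pulls out the speeding events, which is the cost profile described above: a one-off effort to crack, near-zero marginal cost per record thereafter. Key, header, record layout and the sample records are all constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for the "basic encryption" on the telematics link: a 16-byte
# key XORed repeatedly over each frame. Key, header and records are all made up here.
KEY = bytes.fromhex("3a7f11c9e2045d88b6f0a1c37e5912dd")
HEADER = b"FLEETTRK,HAZMAT,v1;"   # assumed fixed, public frame prefix (the known plaintext)
RECORDS = [  # (unit, timestamp, road speed in mph); constructed sample data
    ("T0351", "2005-06-14T02:00:00Z", 58.7),
    ("T0351", "2005-06-14T02:00:30Z", 67.3),
    ("T0352", "2005-06-14T02:00:00Z", 71.8),
    ("T0352", "2005-06-14T02:00:30Z", 64.0),
]
LINE_RE = re.compile(r"^FLEETTRK,HAZMAT,v1;([^,]+),([^,]+),spd=([\d.]+)$")


def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_frames() -> List[bytes]:
    """What the truck sends: each frame is header + record, XORed with the key."""
    return [xor_stream(HEADER + f"{u},{t},spd={s:.1f}".encode(), KEY) for u, t, s in RECORDS]


def keystream_from_known_header(frame: bytes) -> bytes:
    """C xor P = keystream wherever the plaintext is known."""
    return bytes(c ^ p for c, p in zip(frame, HEADER))


def smallest_period(ks: bytes) -> Optional[int]:
    """Shortest p with ks[i] == ks[i+p] for every overlapping i: the key length."""
    for p in range(1, len(ks)):
        if all(ks[i] == ks[i + p] for i in range(len(ks) - p)):
            return p
    return None


def recover_key(frames: List[bytes]) -> bytes:
    ks = keystream_from_known_header(frames[0])
    p = smallest_period(ks)
    if p is None:
        raise ValueError("known plaintext shorter than key; need a longer crib")
    key = ks[:p]
    # Sanity check the candidate: every decrypted frame must parse as a record.
    for f in frames:
        if not LINE_RE.match(xor_stream(f, key).decode("ascii", "replace")):
            raise ValueError("candidate key does not decrypt all frames")
    return key


def decrypt_all(frames: List[bytes], key: bytes) -> List[str]:
    return [xor_stream(f, key).decode("ascii") for f in frames]


def speeding_events(lines: List[str], limit_mph: float) -> List[Tuple[str, str, float]]:
    """What the law firm wanted: every (unit, time, speed) above the limit."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and float(m.group(3)) > limit_mph:
            out.append((m.group(1), m.group(2), float(m.group(3))))
    return out


def demo(limit_mph: float = 65.0) -> Tuple[bytes, List[Tuple[str, str, float]]]:
    frames = encrypt_frames()          # the attacker holds only these
    key = recover_key(frames)          # one-off cost of the break
    return key, speeding_events(decrypt_all(frames, key), limit_mph)  # marginal cost near zero


if __name__ == "__main__":
    key, events = demo()
    print("recovered key:", key.hex())
    for e in events:
        print("over limit:", e)
```

Two things to note. The break needs a crib at least as long as the key, so the period detection refuses to guess when the header is too short rather than returning a truncated key; and the candidate key is confirmed against every frame before use, because the short overlap that fixes the period is weak evidence on its own.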

Addendum: I incorrectly attributed the comments above to Adam; it was Chris who posted over on Emergent Chaos.

Posted by iang at December 17, 2005 09:48 AM

Insiders must be audited and tested to derive a risk level, i.e. the listening function of security. A simple question might be asked: if information of any value is being moved, what is the risk? The method used to determine the risk did not include any evidence of testing, or traps within the test for verification of the intended procedure's outcome. So what verification points can protect against the theft of valuable information? Probably none, since a better method would have copied the information in shipment and attributed it to delays in shipping. The correlation of the movement of third-party providers employed for transportation of valued information requires a unified tracking method.

A good example that might make some folks perk up is if GPS information on troop movements were intercepted and altered only a little bit. The delay and inaccurate information could prove critical in a long-haul theatre scenario like bombing runs from California to China. If the coordination of the supporting bombing needed to be timed with troop movements, the Chinese might intercept the information and alter its accuracy. This could prove devastating in re-supply and deployment. The timing of events has a critical component that needs to be built into security systems so the state of security is not static. The FSA in London shuts down its registry during the weekends, and this presents a changing security posture for maintenance.

The bank shipping tapes of information should have had a manifest registry that could not be altered, or with restricted access. The shipping company is a mere transporter and not aware of the cargo's significance, which in itself is a security feature. It is the shipper's responsibility to ascertain the proper method of shipping based on the value of the information or material. If, for example, you shipped a kilo bar of gold in a shoe box using the US Postal Service and it were stolen, who can you blame but yourself?

So the anonymity does not protect the shipping party from inside attacks, because it is no longer anonymous. The loss of anonymity is a threat. To test for this threat, traps must be devised and scenarios run to determine the risk and critical points of failure. The assumption of anonymity is the failure to assess the insiders as a threat. So the human engineering of counter-espionage must be considered when the mundane information of clients is exposed to theft by internal enemies.

Of course this reflects on the lack of concern banks and financial institutions have for clients in general. The banks have attained an undoing of some of the basic reasons for the United States via the new and improved bankruptcy code, which cost $100 million and four years to undo the concept of debtors' prisons, a primary reason for the Revolutionary War. The banks were following the example established by child support laws that incarcerate the Dead Beat Dads, a juridical method of imprisoning a debtor. So the property rights of individuals have eroded under eminent domain laws established by fiat of the Supreme Court via the taking of property for the greater good of the state, redistributed to enhance the revenue rolls of the political subdivision. The institutions that hold valued information on their clients feel comfortable abusing their clients with no recourse. The utter abandonment of these institutions by their users will create havoc similar to Goths approaching the walls of Rome, and Rome without a penny for an army. So as the institutions that have benefited from monopoly positions via legislative fiat fail to reinvest in the society, they have no recourse but to fail when the users revolt from the inside and outside. These institutions are informational in essence and have the teeth of real police and armies for backing, but they are under assault from the Gothic informational equivalents.

Posted by: Jim Nesfield at December 17, 2005 11:10 AM

Posted by: Dave Birch at December 20, 2005 11:19 AM