Regular readers know that I frequently stress that many threats are unvalidated, in that they derive from a textbook or a security salesman's hyperactive imagination. So it behoves us to collect data on what the validated threats are. In what might be a first, and is certainly a rare event, we now have a report that indicates two cryptosystems that were breached in an attack of value.
The first looks like a classical insider attack against a digsig system, by tricks that bypassed signature checking by switching off the requirement for signatures.
It is the second one that is of more interest, as it looks like a direct attack on the encryption system rather than a bypass attack.
E-Hijacking new threat to trucking
by Sean Kilcarr, senior editor - Nov 3, 2005 4:02 PM
WASHINGTON D.C. The growing use of telematics for both gathering truck performance data and for sending and receiving shipping documents also exposes trucking to a new form of crime called "e-hijacking."
At a special trucking safety and security seminar hosted by law firm Patton Boggs LLP here in the nation's capital, Stephen Spoonamore, CEO of data security consulting firm Cybrinth, gave examples of recent e-hijacking events to illustrate why data security in trucking needs tightening.
He pointed to the supposed loss of 3.9-million banking records stored on computer backup tapes that were being shipped by UPS from New York-based Citigroup to an Experian credit bureau in Texas. "These tapes were not lost - they were stolen," Spoonamore said. "Not only were they stolen, the theft occurred by altering the electronic manifest in transit so it would be delivered right to the thieves." He added that UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen.
Spoonamore, a veteran of the intelligence community, said in his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest. The manifest was reset from "secure" to "standard" while in transit, so it could be delivered without the required three signatures, he said. Afterward the manifest was put back to "secure" and three signatures were uploaded into the system to appear as if proper procedures had been followed.
"What's important to remember here is that there is no such thing as 'security' in the data world: all data systems can and will be breached," Spoonamore said. "What you can have, however, is data custody so you know at all times who has it, if they are supposed to have it, and what they are doing with it. Custody is what begets data security."
Another case involved a fleet of 350 trucks shipping hazardous materials using telematics to download and track vehicle operating data in real-time - monitoring engine speed, hard braking events, etc.
Spoonamore said the data streams coming from those vehicles only used a basic level of encryption - codes broken by what he called an "enterprising" local law firm that proceeded to download four months of operating data on each truck - especially the actual road speed of each truck over that period, down to the decimal point. The law firm then sued the trucking company for speeding violations, using the carrier's own telematics data against it.
"[Telematics] can tell you at 2 a.m. precisely where your truck is - but do you know where your data is at that time? That's why you can't totally trust your computer anymore," Spoonamore cautioned.
Note the difference between the two: the hackers in the first had to expose themselves to significant costs to attack the system; this accords with the goal of security, which is to raise the cost of the attack. In the second, once the crypto was cracked, the cost of the attack was fairly minimal and there was little exposure. So much so that the attacker successfully entered court and displayed all!
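The bypass in the first case, as an added illustration that is not part of the original post or the article it quotes: a toy manifest verifier in which the manifest's own "secure"/"standard" field decides whether signatures are checked, beside a version that takes the requirement from a per-shipment policy record and has every signature cover that field. The signer names, the use of HMAC in place of a digital signature, and all sample values are assumptions constructed for the example.

```python
import hashlib, hmac, json

# Constructed signer keys; HMAC stands in for the article's digital signatures.
KEYS = {"origin": b"k-origin", "carrier": b"k-carrier", "dest": b"k-dest"}
# Constructed policy store, keyed by shipment id rather than by a field in the manifest.
POLICY = {"SHP-1": {"level": "secure", "required": 3}}

def canonical(manifest):
    # Bytes every signature covers: every field except the signatures themselves.
    body = {k: v for k, v in manifest.items() if k != "signatures"}
    return json.dumps(body, sort_keys=True).encode()

def sign(manifest, signer):
    return hmac.new(KEYS[signer], canonical(manifest), hashlib.sha256).hexdigest()

def valid_signers(manifest):
    msg = canonical(manifest)
    return {s for s, tag in manifest.get("signatures", {}).items()
            if s in KEYS and hmac.compare_digest(tag, hmac.new(KEYS[s], msg, hashlib.sha256).hexdigest())}

def weak_release_ok(manifest):
    # Flawed design: the manifest's own level field decides whether signatures
    # are checked at all, so resetting it to "standard" in transit skips the check.
    if manifest["level"] == "standard":
        return True
    return len(valid_signers(manifest)) >= 3

def hardened_release_ok(manifest):
    # The required level and signature count come from the shipment's policy
    # record, and each signature covers the level and destination fields, so a
    # downgraded or re-routed manifest fails unless every required signer re-signs it.
    pol = POLICY.get(manifest["id"])
    if pol is None or manifest["level"] != pol["level"]:
        return False
    return len(valid_signers(manifest)) >= pol["required"]

def signed_manifest():
    m = {"id": "SHP-1", "level": "secure", "dest": "constructed: credit bureau, TX", "signatures": {}}
    m["signatures"] = {s: sign(m, s) for s in KEYS}
    return m

def demo():
    # In-transit edit as described in the article: level reset to "standard", destination changed.
    tampered = dict(signed_manifest(), level="standard", dest="constructed: thieves' dock")
    return weak_release_ok(tampered), hardened_release_ok(tampered)

if __name__ == "__main__":
    print(demo())  # (True, False)
```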
Other bloggers have picked it up (EC pointed to Bruce Schneier). Chris Walsh quite correctly points out it is uncorroborated, and the notion of an insider attack involving 15-20 people has to be treated with care if not outright suspicion. Still, something happened, and this is one to watch in our developing threat scenario.
Maybe we can now start a count of how many times the crypto is attacked!
Addendum: I incorrectly attributed the comments above to Adam; it was Chris who posted over on Emergent Chaos.
Posted by iang at December 17, 2005 09:48 AM