[ISN] Security Top Concern for Online Banking

From: William Knowles (wkat_private)
Date: Tue Jul 03 2001 - 09:41:12 PDT


    Charles R. Smith
    Wednesday, June 27, 2001

    Fear of Hacking Slowing Industry to Halt

    The dirty little secret in the Internet industry is exactly how
    insecure and inconvenient online banking really is.

    The real reason for the failure of Internet banking is security.
    According to a recent survey, poor security was the second most often
    cited reason for dropping online banking. After all, if the U.S. Army,
    the Nasdaq and FAA are vulnerable to hackers, then a bank account must
    be easy meat.

    Banks have instituted a number of physical security features in order
    to erect barriers between the hacker and your money. These physical
    security features include a waiting period for all transactions,
    forcing customers to go to a branch to verify transactions, and

    Online bank users are encouraged to change their passwords regularly
    and users frequently are locked out after typing errors. The
    transaction is then sent using 64-bit or 128-bit encryption to your

    However, recent advances in computer technology mean that even these
    elaborate levels of security can be beaten and cracked. The Allies
    cracked password security in 1942, 64-bit encryption is considered
    weak, and 128-bit ciphers have recently come under attack.

    In addition, the typical hacker has changed. Instead of a single
    teen-age student with little or no social life, the modern hacker now
    wears a uniform.

    In November 2000, Major General Dai Qingmin, director of the People's
    Liberation Army Communications Department of the General Staff HQ,
    wrote a major paper on "Information Warfare." According to General
    Dai, Chinese army pre-emptive attacks on American civilian computer
    and information systems will use "information warfare techniques which
    differ from U.S. IW plans."

    The PLA has reserve Information Warfare units located in the cities of
    Datong, Xiamen, Shanghai, Echeng, and Xian, each developing specialty
    capabilities to attack U.S. civilian computers. For example, the
    Shanghai unit is focusing on attacking wireless telecom networks and
    double-encryption passwords.

    In his November paper, General Dai outlined several Chinese Info-war
    strategies. General Dai's paper included such hacker techniques as
    jamming or sabotaging enemy info systems, giving a false impression
    while launching an Info-war attack, and blinding and deafening an
    enemy with false impressions.

    The Chinese army is deadly serious about attacking U.S. civilian
    computers. The recent massive PLA Taiwan invasion exercise included an
    Info-warfare operation in the Shenyang Military Region, simulating
    attacks on U.S. civilian computers.

    The Pentagon is not ignorant of the problem either. During a recent
    U.S. military exercise, U.S. Air Force "red team" hackers were able to
    shut down American military and civilian satellite communications. The
    Air Force "red team" also demonstrated the vulnerability of American
    power grids to Info-warfare attacks.

    Nor is the security issue isolated to the U.S. In May 2001, the
    European Parliament issued a report recommending that all European
    institutions and businesses use encrypted e-mail because of suspected
    American monitoring.

    The European Parliament report is only half right. All e-mail is
    monitored and recorded. Every e-mail passes through dozens of
    computers while traveling over the Internet. In fact, Web sites that
    offer free e-mail frequently store and monitor your information. If
    you can read your private e-mail, then someone else can, too.

    This little-known fact escaped even the brilliant Bill Gates during
    the Microsoft v. U.S. trial. During the case, U.S. Department of
    Justice lawyers were able to recover and submit Mr. Gates' own e-mail
    as evidence.

    The European Parliament is right to call for general use of modern
    ciphering software. In comparison, the U.S. continues to rely on 1960s
    commercial security designs that can be successfully attacked by
    modern supercomputers, or worse, nothing at all.

    Ironically, it is now possible to match the powerful pad ciphers used
    by captured Russian spies. According to Dr. David Kahn, a sitting
    member of the National Security Agency Cryptography Museum, the pad
    systems are "unbreakable in both theory and in practice."

    The U.S. Internet industry should take note of the slim numbers
    enrolled in online banking because of poor security and privacy
    issues. The fact remains that few trust the Internet for banking and
    only the ignorant will continue to send private e-mail in un-ciphered

    "Communications without intelligence is noise; Intelligence
    without communications is irrelevant." Gen Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org