http://www.newsmax.com/archives/articles/2001/6/27/144203.shtml

Charles R. Smith
Wednesday, June 27, 2001

Fear of Hacking Slowing Industry to Halt

The dirty little secret in the Internet industry is exactly how insecure and inconvenient online banking really is.

The real reason for the failure of Internet banking is security. According to a recent survey, poor security was the second most often cited reason for dropping online banking. After all, if the U.S. Army, the Nasdaq and FAA are vulnerable to hackers, then a bank account must be easy meat.

Banks have instituted a number of physical security features in order to erect barriers between the hacker and your money. These physical security features include a waiting period for all transactions, forcing customers to go to a branch to verify transactions, and passwords. Online bank users are encouraged to change their passwords regularly and users frequently are locked out after typing errors. The transaction is then sent using 64-bit or 128-bit encryption to your bank.

However, recent advances in computer technology mean that even these elaborate levels of security can be beaten and cracked. The Allies cracked password security in 1942, 64-bit encryption is considered weak, and 128-bit ciphers have recently come under attack.

In addition, the typical hacker has changed. Instead of a single teen-age student with little or no social life, the modern hacker now wears a uniform.

In November 2000, Major General Dai Qingmin, director of the People's Liberation Army Communications Department of the General Staff HQ, wrote a major paper on "Information Warfare."

According to General Dai, Chinese army pre-emptive attacks on American civilian computer and information systems will use "information warfare techniques which differ from U.S. IW plans."
The PLA has reserve Information Warfare units located in the cities of Datong, Xiamen, Shanghai, Echeng, and Xian, each developing specialty capabilities to attack U.S. civilian computers. For example, the Shanghai unit is focusing on attacking wireless telecom networks and double-encryption passwords.

In his November paper, General Dai outlined several Chinese Info-war strategies. General Dai's paper included such hacker techniques as jamming or sabotaging enemy info systems, giving a false impression while launching an Info-war attack, and blinding and deafening an enemy with false impressions.

The Chinese army is deadly serious about attacking U.S. civilian computers. The recent massive PLA Taiwan invasion exercise included an Info-warfare operation in the Shenyang Military Region, simulating attacks on U.S. civilian computers.

The Pentagon is not ignorant of the problem either. During a recent U.S. military exercise, U.S. Air Force "red team" hackers were able to shut down American military and civilian satellite communications. The Air Force "red team" also demonstrated the vulnerability of American power grids to Info-warfare attacks.

Nor is the security issue isolated to the U.S. In May 2001, the European Parliament issued a report recommending that all European institutions and businesses use encrypted e-mail because of suspected American monitoring.

The European Parliament report is only half right. All e-mail is monitored and recorded. Every e-mail passes through dozens of computers while traveling over the Internet. In fact, Web sites that offer free e-mail frequently store and monitor your information. If you can read your private e-mail, then someone else can, too.

This little-known fact escaped even the brilliant Bill Gates during the Microsoft v. U.S. trial. During the case, U.S. Department of Justice lawyers were able to recover and submit Mr. Gates' own e-mail as evidence.
The European Parliament is right to call for general use of modern ciphering software. In comparison, the U.S. continues to rely on 1960s commercial security designs that can be successfully attacked by modern supercomputers, or worse, nothing at all.

Ironically, it is now possible to match the powerful pad ciphers used by captured Russian spies. According to Dr. David Kahn, a sitting member of the National Security Agency Cryptography Museum, the pad systems are "unbreakable in both theory and in practice."

The U.S. Internet industry should take note of the slim numbers enrolled in online banking because of poor security and privacy issues. The fact remains that few trust the Internet for banking and only the ignorant will continue to send private e-mail in un-ciphered text.