Forwarded from: William Shenfield <william.shenfieldat_private>

For seven years I was a major player in a team that developed the software used by a large number of international banks (80+). On reading this news article, I was initially surprised that there seemed to be an easy way to hack into the security of such banks. However, as the story unfolded it became clear that there was a gap between the real world and how the Media can exploit a lab exercise to propagate a scare, so I decided to look at what Messrs Bond and Clayton were actually saying:

There are ways to persuade the commercially available crypto processor IBM 4758 running IBM's ATM (cash machine) support software called the "Common Cryptographic Architecture" (CCA) to export any and all its DES and 3DES keys AND all that is needed is:

- about 20 minutes uninterrupted access to the device
- one person's ability to use the Combine_Key_Parts permission
- a standard off-the-shelf $995 FPGA evaluation board from Altera
- about two days of "cracking" time.

What they have uncovered is important and all Security and Crypto professionals (especially software developers using encryption) need to take note as the key management principles used by the CCA (with the provided API (Application Programme Interface)) are not as secure as was thought and are used in a lot of systems. It is lucky they did not provide an example that could be easily exploited as I'm sure there are a lot out there.

As stated in the news article, to exploit the flaw requires a significant amount of physical access, as you would need to be able to permanently monitor the communication lines (which are typically synchronous, not asynchronous as found in PCs). Also, there are typically other security measures in place that would make it more difficult to breach security than the article implies. It would be simpler for criminals to use a bulldozer to remove the ATM from the wall of the Bank, as has been done in the past.

We need to be clear about where and what the issues are, in this case it's with CCA and its API. It is very important that this information becomes public, the next generation of products need to be built upon better foundations than the previous. However, if new vulnerability disclosure policies become widespread, everyone stands to lose, as the security of systems will not improve - how could it if we don't know about the issues?

Regards,

William J Shenfield
DCM-On-line - Security & Technical Architect
E: firstname.lastname@example.org

-----Original Message-----
From: owner-isnat_private [mailto:owner-isnat_private]On Behalf Of InfoSec News
Sent: 09 November 2001 08:59
To: isnat_private
Subject: [ISN] Students crack bank pin codes

Forwarded from: Will Munkara-Kerr <WillMat_private>

http://www.smh.com.au/news/0111/09/world/world100.html

Two British PhD students have designed a computer program to crack bank security codes which potentially gives them access to hundreds of thousands of PIN numbers, it emerged today.

Armed with the software and hardware, the pair have shown that it is theoretically possible to download large amounts of confidential financial information, allowing a potential thief to steal vast amounts of cash.

The two Cambridge University students plan to put details of how to crack the systems on the internet in an effort to ensure security is improved.

The security breach was revealed in the BBC's Newsnight program, which outlined how it was possible to translate the 16-digit number for cash cards from data downloaded by the program.

Michael Bond, 22, one of the students involved, said he felt not enough was being done to ensure that the hole in security was blocked.

"Banks' approach to security at the moment is too closed, they are relying on outdated concepts such as security through obscurity.

"What they really need to do is pay more attention to the open community including academia and get more peer review on some of the systems that they are using.

"We need to see banks being more accountable for the security of people's money."

He said the breach could only be performed by bank staff with access to bank computers.

The system involved is based on IBM's 4758 crypto-processor used by banks, the military and governments across the world to protect their networks.

The attacks work using a combination of software developed by Mr Bond and off-the-shelf hardware costing less than STG750 ($A2,140) developed by mature student Richard Clayton.

[...]

This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 08:37:28 PST