[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
FT on NsCPunxsters
Financial Times, Sept 27, 1995
Cracks in the code
Peter Martin calls for an easing of US restrictions on
the export of encryption technology
Encryption used to be a subject of interest only to spies
and mathematicians. But the central role that the
electronic transmission of information is playing in
commerce and society make it now a technology of enormous
practical relevance. Two recent stories out of many
exemplify this trend.
Citibank lost $400,000, it is alleged, to a Russian hacker
who managed to crack its clients' passwords. The solution
to this security problem: a new generation of encrypted
passwords that are much harder to crack.
And Netscape Navigator, the leading "browser" program for
the Internet's fast-growing World Wide Web, has been shown
to have flaws in its encryption routine. In theory at
least, these make it possible for outsiders to read
encrypted data sent over the net -- such as credit card
numbers. Netscape acknowledges the problems and says it
will have fixes available by today.
Is this crucial technology vulnerable to determined attack
by hackers and fraudsters?
Before considering the question, remember that the
introduction of any new technology highlights risks
uncomplainingly borne for years. The safety precautions
demanded of the Channel tunnel are one example, as compared
with those required of traditional trains or ferries.
Similarly, it is argued, people have been unhesitatingly
using analogue mobile phones, reading credit card details
over the telephone, and sending off faxes into the ether
without any of the panic that now surrounds the issue of
Internet security.
The comparison is an instructive one, but not entirely
fair. What worries Internet users is not so much that a
determined enemy might target them for eavesdropping, or
even that chance might put their credit card details in the
hands of a dishonest person.
Instead, they worry about the Internet's unstructured
nature under which messages are passed from computer to
computer across the world until they reach their final
destination.
In principle, this would allow a criminal to leave a
"sniffer" program lurking, electronically, at one of the
nodes, recognising credit card numbers as they passed by,
and scooping them up for subsequent exploitation. People
also fear an attack on the computers of merchants selling
goods over the Internet -- each containing thousands of
credit card numbers. The fear is thus not one of random
theft but of systematic brigandage.
Encryption is all that stops such fears paralysing
electronic commerce before it has properly begun. It is
therefore in the general public interest that effective
encryption be widely available.
The Netscape problem illustrates how easy it is for the
inherent mathematical strengths of a modern encryption
scheme to be overcome by an oversight in its supporting
plumbing. One of the faults in Netscape's encryption, for
example, stems from too predictable a method of generating
the random numbers needed to make the scheme work.
It also illustrates how, once a code-breaker's task is
simplified by such a weakness, today's powerful networks of
cheap computers make it quick to crack even the most
sophisticated encryption schemes. The narrower the range of
numbers through which the cracker's computers must sift in
order to find a meaningful answer, the greater the
probability of breaking the code within a useful amount of
time.
All the more reason, then, for non-Americans to view with
dismay a US policy which restricts the international
distribution of the most powerful forms of encryption. For
national security reasons, the US insists that the version
of Netscape sold outside North America must contain a
weaker form of encryption than that available to Americans
and Canadians.
The international version is restricted to a 40-digit
"key", while the North American version uses 128 digits.
The longer the key, the greater the time and computing
power required for the code to be cracked. In principle,
given enough computing power, even a message encoded by a
very long key could be cracked in time. In practice,
however, the task of cracking many millions of messages to
find one that is of interest makes messages secure as long
as the key has enough digits.
Amateur code-crackers claim to have broken the 40-digit
version of the Netscape encryption scheme. Their claim is
hard to verify. But there is no doubt of the weakness in
the random-number generation procedure; Netscape has
verified it.
This fault is common to both North American and export
versions of the program, so it does not result from the US
government restrictions on key length. The occasion reminds
us, however, that effective encryption is essential to the
growth of electronic commerce. And it teaches us that
simplifying the code-breaker's task -- by error in
Netscape's case, by deliberate diktat in the case of the
government restriction is an easy way to make transmissions
vulnerable.
There was never much justification for the US determination
to weaken exported encryption products. There is less now.
[End]
---------
NYT, Sept 27, 1995
Russians Arrest 6 In Computer Thefts
St. Petersburg, Russia, Sept 26 (AP) -- Russian police
officers have arrested six more people in a $10 million
computer theft from Citibank here, but the masterminds are
said to remain at large.
An officer in the organized crime division was quoted by
the Itar-Tass news agency as saying that six people had
been arrested in St. Petersburg on swindling charges
stemming from the case involving Citibank, the chief unit
of Citicorp. Weapons and tax-evaslon charges may also be
filed.
The police confiscated two computers and a number of
computer diskettes, plus weapons and cash from the
suspects.
Bank and law-enforcement officials say a gang of thieves in
St. Petersburg broke into Citlbank's electronic
cash-management system scores ot times and transferred
money into their own accounts.
Several people have been arrested abroad and face charges
in the United States, including Vladimir Levin, 28,
reportedly the group's computer hacker.
Citibank officials said they recovered all but $400,000 and
upgraded the cash-management systems's electronic security
after the theft.
[End]
---------
FT, Sept 21, 1995.
Extradition in Citibank hacking case
A British court yesterday approved the extradition to the
US of Mr Vladimir Levin, the Russian science graduate
accused of an attempted $10m (6.5m pounds) computer hacking
fraud on Citibank. ...
Mr Levin has been charged in the UK with offences under the
Computer Misuse Act, forgery and false accounting. The US
authorities are now drawing up similar charges to bring
against him.
Mr Levin is one of six people arrested over the alleged
attempted fraud on Citibank. An FBI inquiry into the
incident is continuing and it is believed that others are
still being sought.
When Mr Levin is returned to the US, he is likely to be
closely questioned by the authorities, who are anxious to
discover more of the technical details of the alleged
attempted fraud.
Mr Levin, who was arrested earlier this year travelling
through Stansted airport in the UK, would appeal against
the court's decision, his lawyers said. He has 14 days to
lodge an appeal to the High Court in London. ...
[End]