Bringing security to ATM


August 1995

out of commercial transactions, such as retail and banking. It should also be possible to cope with increases in damage from computer viruses. Guidance has been released on keeping viruses out of computer systems. In a related move, the Ministry of Posts and Telecommunications called on manufacturers of personal computers to develop systems that are safeguarded against long-range listening devices. Hacking devices are readily available and can pick up data from PC terminals with almost 100% accuracy within a range of 80 metres. In Japan, corporations are not very aware of the need to defend their computer systems. An MITI official warned Japanese companies not to be deceived by the nation’s low hacking statistics. “The number of reports is small because many Japanese companies are unaware of the hackers.” The rapid expansion of the Internet is increasing the vulnerability of corporate and government computer networks.

Citicorp bank accounts breached

A Russian computer hacker and his accomplices successfully breached “a large number” of corporate bank accounts at Citicorp last year, stealing $400 000 and illegally transferring $11.6 million more before being arrested this year, according to the Wall Street Journal Europe. After the initial $400 000 was stolen, Citibank cooperated with the authorities, allowing the transfer of $12 million from New York accounts. An electronic trail was used to identify all of the conspirators. Citicorp claims that this is the first time its payment systems have been successfully compromised and the crime

©1995 Elsevier Science Ltd

Network Security


highlights the potential vulnerability of banks in a world increasingly bound by networks. Many banks privately acknowledge that hackers constantly try to penetrate their accounts. They regularly monitor electronic bulletin boards where the hackers post the correct telephone numbers required to access accounts. Industry experts were shocked that Citicorp’s security was breached by a 28-year-old Russian hacker, named as Vladimir Levin, working on a laptop computer. Levin is said to have been working with another Russian, Evgueni Korolkov. In June last year, Levin and another individual penetrated Citicorp’s accounts in New York and began transferring funds to Korolkov’s companies and to bank accounts in six other countries including Israel and Switzerland. Over the next six months $10 million was transferred. The FBI arrested an individual last August who told the agency of the scheme. According to Citicorp, no current or former employee of the company was involved in the scheme. However, some bankers speculate that someone with inside knowledge of Citicorp’s security procedures helped perpetrate the crime. Six others have been arrested, but the $400 000 stolen has yet to be recovered.

Bringing security to ATM

A new working group within the Asynchronous Transfer Mode (ATM) Forum will meet to start hammering out the first specifications geared toward securing ATM networks. Communications Week reports that early adopters of ATM equipment and services are beginning to find security shortcomings as they start to move their private implementations of ATM onto public networks. The problem with ATM at this point is largely that the technology doesn’t have the direct hooks in it to handle security. The ATM Forum’s new ad hoc working group on security will attempt to define the scope of the work needed to bring appropriate levels of security to ATM. To exploit the full potential of ATM’s ability to send data, video and voice simultaneously, ATM must be run end to end, exposing the security gap. Lockheed Martin has ATM circuits between its Palo Alto and Sunnyvale sites and Pacific Bell’s public ATM network, which, in turn, connects to a San Francisco Bay Area regional ATM network, exposing the company to a potentially large number of technically aware hackers. To address the problem, Lockheed Martin disabled the Ethernet ports on its workstations before connecting them to the public ATM network, and it is testing hardware-based prototype encryption solutions developed by the National Security Agency and Sandia National Laboratories. The minimum level of ATM security should provide authentication of ATM end points and switches at the ATM transport level, as well as a method of distributing shared encryption keys for protecting data integrity.

Europe negotiates over encryption

Following the US’s decision to relax export controls on some encryption products (see boxed text), the UK is leading Europe in an attempt to negotiate how software encryption standards should be implemented worldwide. Computer Weekly reports that an international agreement on encryption is regarded as vital for electronic commerce to flourish. Information security specialists at the University of London have formulated a solution in which cryptographic keys which can unscramble messages are placed with ‘trusted third parties’ such as banks or software companies. Organizations such as the police and security services could obtain the keys from these bodies if necessary.

Netscape goes public

Netscape Communications Corp. plans to go public on the Nasdaq stock market in what is expected to be a very hot public offering. The Boston Globe reports that based on the projected price of $13 a share, the company would begin public life with an astronomical market capitalization of nearly $500 million. Despite forecasts, Netscape has no record of profits and has only generated $16.6 million in revenue in its first six months of sales.

AT&T finally notices the Internet

AT&T has been sharply criticized over its lack of strategy regarding the Internet, but the company is finally readying for an aggressive foray onto the global network, reports the Wall Street Journal Europe. The company has organized three new business units to concentrate on the Internet. Services will be announced within the next few weeks. AT&T may even relax its steadfast refusal to invest in media companies, targeting investments that might allow it to grow a new ‘content services’ business. Analysts have said that AT&T with its high-tech global network and marketing might become a dominant force in future Internet services. The company was also caught off guard by the Internet’s explosive growth. While rivals such as MCI Communications Corp. unveiled services to let computer users use their networks to gain access to the Internet, AT&T struggled through a major reorganization of its confusing and sometimes conflicting online efforts.

The Authorizer

INCAA Datacom’s Authorizer consists of two components: the personal identification and its recognition. Each authorized user must have their own unique Authorizer, in the form of a secret device, positioned between their workstation and modem, or built into the modem itself. The Controller sits between the network and the host computer, and is transparent to existing hardware and software. The system then offers three levels of security. Firstly, identification of the equipment and its location. This is automatic, continuous checking that the equipment being used by the caller is fitted with an Authorizer which is enabled. The second level may require the user to input his PIN, depending on the application. This means that the controller now links the Authorizer personally to an individual. The
