Financial Times, Sept 27, 1995

Cracks in the code

Peter Martin calls for an easing of US restrictions on the export of encryption technology

Encryption used to be a subject of interest only to spies and mathematicians. But the central role that the electronic transmission of information is playing in commerce and society makes it now a technology of enormous practical relevance.

Two recent stories out of many exemplify this trend. Citibank lost $400,000, it is alleged, to a Russian hacker who managed to crack its clients' passwords. The solution to this security problem: a new generation of encrypted passwords that are much harder to crack.

And Netscape Navigator, the leading "browser" program for the Internet's fast-growing World Wide Web, has been shown to have flaws in its encryption routine. In theory at least, these make it possible for outsiders to read encrypted data sent over the net -- such as credit card numbers. Netscape acknowledges the problems and says it will have fixes available by today.

Is this crucial technology vulnerable to determined attack by hackers and fraudsters? Before considering the question, remember that the introduction of any new technology highlights risks uncomplainingly borne for years. The safety precautions demanded of the Channel tunnel are one example, as compared with those required of traditional trains or ferries.

Similarly, it is argued, people have been unhesitatingly using analogue mobile phones, reading credit card details over the telephone, and sending off faxes into the ether without any of the panic that now surrounds the issue of Internet security.

The comparison is an instructive one, but not entirely fair. What worries Internet users is not so much that a determined enemy might target them for eavesdropping, or even that chance might put their credit card details in the hands of a dishonest person.
Instead, they worry about the Internet's unstructured nature under which messages are passed from computer to computer across the world until they reach their final destination. In principle, this would allow a criminal to leave a "sniffer" program lurking, electronically, at one of the nodes, recognising credit card numbers as they passed by, and scooping them up for subsequent exploitation.

People also fear an attack on the computers of merchants selling goods over the Internet -- each containing thousands of credit card numbers. The fear is thus not one of random theft but of systematic brigandage.

Encryption is all that stops such fears paralysing electronic commerce before it has properly begun. It is therefore in the general public interest that effective encryption be widely available.

The Netscape problem illustrates how easy it is for the inherent mathematical strengths of a modern encryption scheme to be overcome by an oversight in its supporting plumbing. One of the faults in Netscape's encryption, for example, stems from too predictable a method of generating the random numbers needed to make the scheme work.

It also illustrates how, once a code-breaker's task is simplified by such a weakness, today's powerful networks of cheap computers make it quick to crack even the most sophisticated encryption schemes. The narrower the range of numbers through which the cracker's computers must sift in order to find a meaningful answer, the greater the probability of breaking the code within a useful amount of time.

All the more reason, then, for non-Americans to view with dismay a US policy which restricts the international distribution of the most powerful forms of encryption. For national security reasons, the US insists that the version of Netscape sold outside North America must contain a weaker form of encryption than that available to Americans and Canadians.
The international version is restricted to a 40-digit "key", while the North American version uses 128 digits. The longer the key, the greater the time and computing power required for the code to be cracked.

In principle, given enough computing power, even a message encoded by a very long key could be cracked in time. In practice, however, the task of cracking many millions of messages to find one that is of interest makes messages secure as long as the key has enough digits.

Amateur code-crackers claim to have broken the 40-digit version of the Netscape encryption scheme. Their claim is hard to verify. But there is no doubt of the weakness in the random-number generation procedure; Netscape has verified it. This fault is common to both North American and export versions of the program, so it does not result from the US government restrictions on key length.

The occasion reminds us, however, that effective encryption is essential to the growth of electronic commerce. And it teaches us that simplifying the code-breaker's task -- by error in Netscape's case, by deliberate diktat in the case of the government restriction -- is an easy way to make transmissions vulnerable.

There was never much justification for the US determination to weaken exported encryption products. There is less now.

[End]

---------

NYT, Sept 27, 1995

Russians Arrest 6 In Computer Thefts

St. Petersburg, Russia, Sept 26 (AP) -- Russian police officers have arrested six more people in a $10 million computer theft from Citibank here, but the masterminds are said to remain at large.

An officer in the organized crime division was quoted by the Itar-Tass news agency as saying that six people had been arrested in St. Petersburg on swindling charges stemming from the case involving Citibank, the chief unit of Citicorp. Weapons and tax-evasion charges may also be filed.

The police confiscated two computers and a number of computer diskettes, plus weapons and cash from the suspects.

Bank and law-enforcement officials say a gang of thieves in St. Petersburg broke into Citibank's electronic cash-management system scores of times and transferred money into their own accounts.

Several people have been arrested abroad and face charges in the United States, including Vladimir Levin, 28, reportedly the group's computer hacker.

Citibank officials said they recovered all but $400,000 and upgraded the cash-management system's electronic security after the theft.

[End]

---------

FT, Sept 21, 1995

Extradition in Citibank hacking case

A British court yesterday approved the extradition to the US of Mr Vladimir Levin, the Russian science graduate accused of an attempted $10m (6.5m pounds) computer hacking fraud on Citibank. ...

Mr Levin has been charged in the UK with offences under the Computer Misuse Act, forgery and false accounting. The US authorities are now drawing up similar charges to bring against him.

Mr Levin is one of six people arrested over the alleged attempted fraud on Citibank. An FBI inquiry into the incident is continuing and it is believed that others are still being sought.

When Mr Levin is returned to the US, he is likely to be closely questioned by the authorities, who are anxious to discover more of the technical details of the alleged attempted fraud.

Mr Levin, who was arrested earlier this year travelling through Stansted airport in the UK, would appeal against the court's decision, his lawyers said. He has 14 days to lodge an appeal to the High Court in London. ...

[End]