Cybank breaks new ground; rejects public-key encryption

--- begin forwarded text

Sender: e$@thumper.vmeng.com
Reply-To: Ian Grigg <iang@systemics.com>
MIME-Version: 1.0
Precedence: Bulk
Date: Sat, 13 Jul 1996 22:55:43 +0200
From: Ian Grigg <iang@systemics.com>
To: Multiple recipients of <e$@thumper.vmeng.com>
Subject: Cybank breaks new ground; rejects public-key encryption

This taken from their pages (http://www.cybank.net/cb-encr.htm)

---------------------------------

Security and Encryption

Cybank software is protected by multiple encryption and identification systems, some can be seen, others are invisible.

Cybank cash can be traced back to the original account it belongs to. Cash Keys cannot effectively be modified with disabling them. Because cash keys are also password protected, they can only be created and spent by the authorised account holder.

Cybank uses an encryption matrix of 380 characters. Cybank can safely transfer any Cash Key or message from point A to point B via the Internet.

Cybank DOES NOT use Public Key Encryption (which has proven to be insecure).

Here is a sample encrypted code, see if you can understand it:

193404158201838932119642777371870823541340764 [...]

-------------------------------

I wonder if they intend to publish the protocols :-)

--
iang
iang@systemics.com

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"'Bart Bucks' are not legal tender."
  -- Punishment, 100 times on a chalkboard, for Bart Simpson
The e$ Home Page: http://www.vmeng.com/rah/

Actually, it doesn't take too much effort to discover them yourself. Get a Visual Basic decompiler (VB version 4 compatible needed, I think), and go for it.

I cracked version 1.5 of the Cybank software - I could load up an ".INI file" with as much "value" as I wanted.

Basically, they seem to convert ASCII characters to the decimal value of the hex code, then add, subtract etc on that value, along with some XOR'ing of the resulting string and an embedded table of data. Oh, and it's all "locked" by the serial number, generated from the install date and time.

Yeah I trust it - not.

I hesitate to distribute the decompiled source code I used, since it may get used by the unscrupulous to do trusting Cybank customers out of their hard earned money. Maybe, enough requests will convince me otherwise.

Or, take a challenge - it took me 6 hours to achieve this, including learning enough VB3 (the version I cracked, 1.5, was in VB3).

Lyal

--
All mistakes in this message belong to me - you should not use them!

"Lyal" == Lyal Collins <lyalc@ozemail.com.au> writes:

Lyal> I hesitate to distribute the decompiled source code I used,
Lyal> since it may get used by the unscrupulous to do trusting Cybank
Lyal> customers out of their hard earned money. Maybe, enough
Lyal> requests will convince me otherwise.

People need to learn that the sort of snake oil that is being sold as "secure" just won't cut it. Your concern for the customers of Cybank is valid, however, so I propose something along these lines:

Announce, very publicly, such that every Cybank customer would hear about it in time, that you have cracked their hokey little non-crypto scheme, and that you intend to publish your work in a full-disclosure paper to be published on Month Day, Year. I would recommend a number of appropriate newsgroups, relevant mailing lists (individually posted, not CC'd), and some letters to the editor of the New York Times, San Jose Mercury News, the Wall Street Journal and other high-readership papers. As soon as someone in the media carries it, it'll spread like wildfire.

Further, I would recommend some guidelines about when to post the published paper (and I would do it on a number of FTP sites as close to simultaneous as you can.) Do it on a Monday, so there are plenty of business days for Cybank to deal with it when the initial round of bad guys trying the attack will strike. Do it between 1100 and 1700 ET, so that you do it during business hours.

--
C Matthew Curtin
MEGASOFT, LLC
Director, Security Architecture
cmcurtin@research.megasoft.com
http://www.research.megasoft.com/~cmcurtin/
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

participants (3)
- C Matthew Curtin
- Lyal Collins
- Robert Hettinga