[Cryptography] North Korea and Sony
ianG
iang at iang.org
Fri Dec 12 08:29:31 EST 2014
On 11/12/2014 15:04 pm, dan at geer.org wrote:
> | > "Banks Dreading Computer Hacks Call for Cyber War Council"
> | > Bloomberg, July 8, 2014
> | >
> | Are these people that clueless (which makes me even more worried about the
> | vulnerability of our financial systems), or are they trying to accomplish
> | something else?
>
>
> I do not believe that a private company can sustainably deny
> penetration by a committed state-level actor.
If it is the bank's own state, then commitment means courts means open
sesame.
But, I think it is a different thing when we are talking about say BoA
and China, or a Swiss bank and NSA. Although they may not be able to
deny every attack, I think they should be able to put up a pretty good
fight.
Spooks don't use rocket science, except in the rarest of cases, and much
of the stuff they do use routinely is similar to that which any criminal
gang could specialise in over time if it works. E.g., credit card
forgery, SQL injection, phishing of employees, perversion of insiders.
I think the biggest reason why a big bank can easily be attacked by a
serious attacker is because it doesn't even try to defend itself.
> That then begs the
> question of whether any particular sector or particular company
> sees itself as a target of state-level actors. It does not strike
> me as nutty for any one of the world's twenty largest banks, taking
> the current example, to think that it is now or could soon be a
> target for state-level aggression.
Well, given the SWIFT scandal of around 2008, we have the luxury of
knowing more. At the time (hearsay has it) there were no less than 3 US
agencies hacking into SWIFT through various means.
> As such, for a bank to request
> state-level protections is not nutty, even if such protections are
> likely to come with significant strings attached.
>
> Or am I missing your point/question?
As you cast it, sure, I'd agree that it is quite rational for the
bankers to ask for state-level protections.
But look a little deeper. They aren't asking for FBI protection, which
is also "state-level protection" to which they are entitled, one
suspects. They are asking for the NSA, in effect.
Which also in effect says that the FBI -- who have their secret/illegal
backchannel to the NSA -- aren't helping either.
They are also asking for a subsidy. That might say they are just used
to asking for subsidies for everything, as they also outsource any
tricky problem to someone who can be paid to provide a fig leaf.
Or it might be a reflection on their view that the current security
suppliers / knowledge is inadequate at their budget levels. I'm
inclined to the former because their budget is huge and they can afford
to take the long view -- if they care.
Given all that, it would also be in a sensible regulator's interests to
refuse such a request. I can't see any upside to the request, it all
looks like downside to me. Sadly, I doubt the regulator will even blink
at such a request.
iang