E-Hijacking

The article is a bit inane, but it talks about an interesting security problem. "E-hijacking" is the term used to describe the theft of goods in transit by altering the electronic paperwork:

He pointed to the supposed loss of 3.9-million banking records stored on computer backup tapes that were being shipped by UPS from New York-based Citigroup to an Experian credit bureau in Texas. “These tapes were not lost – they were stolen," Spoonamore said. “Not only were they stolen, the theft occurred by altering the electronic manifest in transit so it would be delivered right to the thieves." He added that UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen.

Spoonamore, a veteran of the intelligence community, said in his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest. The manifest was reset from “secure" to “standard" while in transit, so it could be delivered without the required three signatures, he said. Afterward the manifest was put back to “secure"? and three signatures were uploaded into the system to appear as if proper procedures had been followed.

“What’s important to remember here is that there is no such thing as ‘security’ in the data world: all data systems can and will be breached," Spoonamore said. “What you can have, however, is data custody so you know at all times who has it, if they are supposed to have it, and what they are doing with it. Custody is what begets data security."

This is interesting. More and more, the physical movement of goods is secondary to the electronic movement of information. Oil being shipped across the Atlantic, for example, can change hands several times while it is in transit. I see a whole lot of new risks along these lines in the future.

Posted on December 9, 2005 at 7:41 AM • 22 Comments

Comments

Roy OwensDecember 9, 2005 8:10 AM

A clever attack.

Spoonamore better hope he's right, that 15 to 20 or more people had to be involved in five simultaneous hacks. Scary thought: what if it's only one guy?

Bruce, I'm sure you're right. The success of this will inspire others.

DavidDecember 9, 2005 8:28 AM

I don't see how 15-20 people could have been involved in the UPS loss of the data tapes. There arn't even that many people that actually touch the package, and the paper waybill attached to the side of it. I've also not seen any evidence to back up this claim (UPS and Citibank havn't changed their story that it was lost).

The story about the trucking company being sued for speeding, on what civil charges? Based upon what claim -- too fast a delivery? The state can't sue you for something like this, how can a private atty. do this? Also, how did they get around the matter of breaking the simple encryption - isn't that a counter suit DCMA charge on the atty?

PS: I'm definitely not familiar with _THREE_ signatures required for transit with UPS, anyone else?

Sounds like someone is trying to scare up business.

burgerDecember 9, 2005 9:18 AM

'Electronic manifest' = UPS shipping database? Sounds like an attacker with access to UPS lay low and picked their target.

If one party has unauthorised access to (insert major parcel delivery company of your choice) then how many others do?

How many government agencies?

How much parcel shipping data from foreign states is available to an attacker who breaches the parcel company's US network(s)? Presumably all, since a single website can be used for global parcel tracking, regardless of source and destination...

KneDecember 9, 2005 9:19 AM

@David
>The story about the trucking company being sued for speeding, on what civil charges? Based upon what claim -- too fast a delivery?

They were shipping hazardous materials. Shipping hazardous materials in an unsafe manner (speeding) in the vicinity of my home or workplace is recklessly endangering my my life and welfare. I think that would be grounds for a civil suit.

Mike SherwoodDecember 9, 2005 9:20 AM

"That’s why you can’t totally trust your computer anymore"

This says a lot about the problem. I doubt many around here would assume trust, but in the outside world, most people do. I see countless instances that I would consider gross negligence regarding data security, but convincing people to take precautions is a lost cause. Security costs money, and the only thing that will ever justify that is a need to offset losses. The problem has to have a substantial economic impact before improvements will be considered.

Most of the impact from lost data is an externality to the companies involved, so the only real impact is negative press and a few dollars for the tapes.

The actual loss of a shipment of physical products is limited to the time involved in filing an insurance claim with the carrier.

All of the consequences for careless data security end up being passed on to the consumer, so there is little incentive for this process to change. It's no different than fraud being cost effective for credit card companies.

ARLDecember 9, 2005 9:21 AM

In CA a lawyer can sue based on a wrong against a "unknown" group of people. An example was the suites being brought against nail salons for reusing bottles of nail polish.

My guess is that the trucking company was putting people in danger.

JarrodDecember 9, 2005 10:35 AM

Not anymore, ARL. This was overturned by the voter-passed Prop 64 in Nov 2004. There now has to be an actual complainant and plaintiff, and that plaintiff cannot be asked to do so by the attorney. The risk of similar lawsuits was a major reason for the failure of Prop 79 (I think that was it) because while it would have setup a statewide discount prescription program, it also would have allowed attorneys to sue companies for excessive profits, and to do so "in the public interest" which is code for "we sue and keep all of the money awarded."

Joe BuckDecember 9, 2005 12:00 PM

ARL: in the SF Bay Area we've had a breakout of severe skin infections, often causing permanent damage, at nail salons from pedicures. This is not related to nail polish, but there are plenty of non-frivolous reasons to sue nail salons these days.

See this article. Oozing skin ulcers and boils, fun stuff.

But evidently the problem was "incorrect disinfection of foot-spa chairs", not reused nail polish.

I'd have no problem with "tort reform" if it were accompanied by much tougher government safety regulation; someone has to put fear into the hearts of those who would endanger the public by cutting corners.

Class action lawsuits are simply a form of privatization, leaving safety regulation to the private sector. If you don't like them, they need to be replaced with public regulation.

Davi OttenheimerDecember 9, 2005 12:05 PM

This is an excellent counter-example to the ID Analytics report that was published yesterday. They essentially suggested that more granular risk data is available and should be provided to victims, which sounds fine. But they also suggested that the largest ID "breaches" could be classified as low-risk (and be exempt from disclosure) because there *might* be less than 1 in 1,000 victims. Their analysis was based on four breaches with half a million identities over the past six months. I discuss the report a bit more here:

http://davi.ottenheimer.com/blog/?p=124

DavidDecember 9, 2005 1:04 PM

@kne

I know of several locations near my house where folks have lobbied to get the speed limit set to 30 mph (or lower) where the normal posted speed in FL is 35 (residential streets). Suppose that those trucks were doing 35, technically it's speeding, but it's normal everywhere *but* where those lobbied interests have set it lower.

Is *THAT* reckless endangerment? Awfully tough to prove, even with hazardous waste.

Also, IMHO without links and backup evidence we'll *NEVER* know if this was even real or just a figment of his imagination, eh?

gradyDecember 9, 2005 1:48 PM

"Spoonamore, a veteran of the intelligence community, said in his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously"
So, prior planning and scripting an attack based on a previous trial run are impossible to do on these systems then?
Sounds more like someone doesn't want to admit that this kind of action can be taken by a few talented and/or well placed individuals.

David DonahueDecember 9, 2005 2:03 PM

I wonder why nobody is saying that standard backup security practices were not followed by Citygroup. All backup tapes shoud be encrypted and the keys hand synchronised to vendors who need to load them on remote systems.

Then there is no data compromise if the tapes are stolen.

GotToBTruDecember 9, 2005 10:31 PM

My everyday job involves the sending and receiving of such data (EDI - electronic data interchange). Much of EDI is conducted unencrypted over the internet or phone lines. Some is sent signed and encrypted using protocols like AS1, AS2, and AS3 (RFC 1767).

another_bruceDecember 10, 2005 1:22 AM

i'm skeptical of spoonamore's account. 15-20 people hacking 5 different systems simultaneously? 4 days to find out about it? corporate spokesliars are shameless.

RLCJDecember 10, 2005 3:38 PM

To defend against similar attacks in the future, it would be useful to know WHO conducted this attack.

They could have redirected any number of shipments of valuables. They could have used the same approach on several different shipments. But they chose only the banking data. And there are been no reports of that data being used to breech bank accounts.

So what kind of a group would go to great lengths to steal banking information, ignore other valuable goods, and then not use the info to steal money?

It can't be any criminal organizations.
It doesn't fit the MO of corporate espionage.
This type of operation was most likely an intelligence operation.

Ours or theirs?

RogerDecember 10, 2005 7:48 PM

@RLCJ:
"They could have redirected any number of shipments of valuables. ...But they chose only the banking data."

Other reports indicate that organised crime is willing to pay anywhere between 50 and 1000 bucks per account for this sort of information. At 3.9 million accounts, that's somewhere between $200 million and $3.9 BILLION. There just aren't many types of shipment that are worth anything even in the ballpark of this -- and the few that come close, say, a few tonnes of diamonds or pharmaceutical morphine -- are certainly not anything the trucker could offload without noticing something fishy. So these guys DID go after the big money.

"They could have used the same approach on several different shipments."

Who's to say they didn't? Two of the victims in this case are still trying to pretend it didn't happen. If the other company didn't fess up, we still wouldn't know. This is another advantage to stealing data: unless it's Californian personal data, companies are likely to keep quiet, so you can try the same technique over and over again.

"And there are been no reports of that data being used to breech bank accounts."

How would you know if there were?

"It can't be any criminal organizations."

On the contrary. This looks exactly like a criminal operation. In fact looking at a couple of hints:
* theft of goods in transit;
* at least one suborned insider, probably at a loan shark^W^W credit agency; and
* getting interested in cybercrime, especially theft of credit agency databases;
I'd take a wild stab at the mafia.

PeterDecember 11, 2005 12:43 PM

Some years ago there was a serious ring of thieves working at UPS. I don't remember a lot of the details, but some were managers who had access to the manifests, so things like guns, which have to be kept controlled (locked, sealed trucks/containers), were vanishing, and the containers were being resealed and docs altered to cover the replacement seals.

jayhDecember 16, 2005 1:33 PM

>>Other reports indicate that organised crime is willing to pay anywhere between 50 and 1000 bucks per account for this sort of information. At 3.9 million accounts, that's somewhere between $200 million and $3.9 BILLION

You've got to watch the extrapolation here. Just because they might pay 50-1000 per account in small quantities does not suggest that they have the resources or the willingness to buy that many names at that price. After a certain size, the operation cannot reasonably use many more accounts.

Fred SureJanuary 12, 2006 7:29 AM

What will this information be used for and who would order such information?

Anyone with comments?

SpoonamoreAugust 29, 2006 7:43 AM

Mr. Schneier,

I heard a discussion on my comments on e-hijacking was on your site. I appreciate your interest. I have just read them and am joining with comments months later. I will try to be more timely in the future.

One bit of context. This comment was taken after a presentation to a group of trucking legal and policy leaders on the risks of telematics. The Citibank case had just broken a few days before. During the Q+A I was asked about stolen data and was asked if the UPS-Citibank issue could be a telematics security breach.

I said something like: "Yes, If we assume the tapes were not lost but stolen the place it would do it would be changing the wireless clipboards."

I would like to inform your readers why it would have been 15-20 people (likely) involved in the theft end to end if in fact this was a coordinated theft.

2-3 would scout the route of the trucks and the schedual of tape back-ups.
2 - Would hack the UPS wireless clip-board system. If you wish to include the work time of the exploits they would buy, it's more.
2-3 skills would probably be needed to Hack the UPS shipping system and ERP solutions, again more if you include exploit writers.

The e-hijacking would be run to send a "live" update to the clipboard in route, after it was loaded for the day, changing a secure pickup with seperate bar-code scans to a normal pick-up. And change the delivery address to the thieves.

UPS itself then delivers the goods to the thieves designated address.

The Hack team then re-hack the system and make it appear UPS picked up from Citibank and Delivered to Esperian.

This is why I suspect it was a professional gang. They didn't just steal the tapes, they went back in and covered their tracks, and made it appear as if it was someone elses fault.

Several days passed while the three big guys (UPS, CITI and EXP) all accused each other of being to blame.

CITI claimed it sent it correctly and had records to prove it.
UPS claimed it was picked up and delivered correctly and records to prove it.
EXP said it never got nothing.

This bought the gang all the time they needed.

Meanwhile. 3-4 people break the millions of records into groups and start selling the credit scores and personal data at 5cents per$1000 in exploitable credit to major identity brokers who then resell it ID by ID to the various buyers of credit for fraud and other uses.

And yes, drumming up business is a part of what we all do in the commercial sector David and Another Bruce. I have a large number of commercial clients who value my extremely blunt and often times unpleasent habit of telling them hard news.

However in this case, no business was generated on this matter, only several intense phone calls with UPS's outside counsel asking me to stop commenting.

Several of the commenters here are on the right track. Stealing data is something one person can do with a core of talent. That has been demonstrated. It is also a dead end, data needs to be converted to cash.

Making a living for a gang stealing anything, involves a coordinated group of people who plan, study systems, and work either a closely spaced string of similar hits or a widely spaced string of unreported hits.

I spend time attempting to harden corporations against both types of attack in the IT world. In my experience in the Credit Card space, these types of attacks involve 10-30 people involved if they work. They operate just like small service companies with roles fulfilled by full time crew members and by IT specialists brought in on a (cash only of course) 1099 sort of basis.

I am in fact commenting from SE Asia where we are working on yet another problem which will hopefully result in the arrest of what I suspect will be 8-15 people.

Thanks for your work Bruce, this is an interesting forum.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..