Case Study: Data Fellows uses 255-bit blowfish technology to stop data hacking

A well-known high street bank set out to foil future cyber bandits from implementing a combined attack. This is their story

A well-known high street bank set out to foil future cyber bandits from implementing a combined attack. This is their story

The recent Melissa scare affected many security conscious organisations like telecommunications company Lucent and even Intel and Microsoft Corporation. The software giant was forced to shut down its mail servers for several hours, while data security teams checked the system for the virus. The reason that this virus caused so much concern was the speed with which it spread. According to virus experts at Data Fellows ( a specialist in anti-virus and data security ( over 100,000 users were affected within the first few hours of the virus appearing on the Net. Even though both these companies have stringent security measures, the anti-virus software was still compromised.

A well-known high street bank recently upgraded its already formidable defences to foil any future cyber bandits. Data Fellows was heavily involved in the project. The threat that the bank most feared was a combined attack designed to peel away its defences and allow a hacker to cause damage to its system.

A user either accidentally or maliciously introduces a program into system. These dangerous programs could be viruses, Trojans or even commercial programs like Netbus. This rogue code can cause damage to the infected machine, but a more sinister attack involves the monitoring of network traffic using a variety of commercial utilities. The traffic could be sniffed for passwords, sensitive documents or possible loopholes in security.

Windows NT standard password security can be broken with enough processing time by any computer. The multi-part attack would theoretically try to obtain higher level passwords and the administration rights that go with them. The ultimate aim would be to obtain enough information about the system to either cause extensive damage or to potentially defraud the bank. This scenario is very unlikely without the assistance of an inside employee, but as networks grow larger - vetting all potential users of your network is more difficult.

To prevent this, Data Fellows implemented a multi-level security system. An overall policy was implemented from the central domain administrator using a security policy enforcer, which is resident on each user's machine. Each machine monitors all data coming in from email or floppy disk for possible dangerous content, like viruses, macros or Trojan horses. This software also forbids the installation of any unauthorised programs by the user and notified system administrators to any attempts to breach in policy. This limits the possibility of sniffing and remote controls software running on a machine without the consent of network supervisors.

To prevent the policy enforcer somehow being circumvented, all traffic across the network is heavily encrypted using 255-bit blowfish technology, to stop any possible data sniffing. Any attempts by software to send data from the network to an external source, which breaks policy, can be blocked and also generates an alert to administrators. The blowfish technology used by this system is currently the most secure encryption algorithm. Theoretically any code can be broken with enough raw processing power, but even the world's most powerful computer would take about 7 million years to break this code.

Financial institutions realise they are obvious targets for virus and hacker attacks, but other companies should consider the effect of sensitive information being obtained by competitors, share holders or even employees within the company. USA Today reported that at the start of 1998 Pixar, the graphics company behind hit film Toy Story, had a anonymous email circulated around the company containing the salaries of 400 employees. This information might breed resentment towards well paid staff, as well making future salary negotiations more awkward. Whether this was a breach in physical or network security is unclear. File locking and encryption may have prevented this situation. In the banking world, disclosure of sensitive documents could cost the company far more than just staff dissent or loss of reputation.

The protection system at work in the bank has been designed to be multi-layered, with anti-virus software playing an essential part in an overall security policy. The bank has learned to regard viruses as symptoms of a possible breach in security. To date they have not suffered any virus, document or network breaches within their new, tightened security procedures. Instead of waiting for attempts to breach the system, teams of security consultants routinely test and probe it for loopholes and backdoors, reporting any problems back to the network administrators to evaluate.

Complete protection is never a certainty and will never be achieved through technical means alone. A combination of technical and management dedication is required. Where the rewards are great - as in a bank - you can bet that the best minds outside are working on the problem. This requires diligent efforts on the inside to foil their efforts.

Will Garside

Read more on Privacy and data protection