Salami Attacks

by Scott Alderucci


Abstract

In this complex computer age where information is accumulated and exchanged at a rate beyond our ability to closely monitor, an attack has been formulated to shave off small pieces of these transactions. The "salami attack" executes barely noticeable small acts, such as shaving a penny from thousands of accounts or acquiring bits of information from less secure means to gain knowledge of the whole undetected. Salami attacks go mostly undetected or unreported and few have been completely substantiated.


Salami Definition

The origin of the terminology has a double meaning, and both definitions accurately describe the methodology of a salami attack. One way of looking at it is the idea of 'salami slicing', where a small piece is cut off the end with no noticeable difference in the overall length of the original. [5] Another definition describes the creation of a larger entity composed of many smaller scraps, similar to the contents of salami. [6] Either way, a salami attack is one in which negligible amounts are removed and accumulated into something larger.


Architects of Salami Strikes

In order to determine the perpetrator of such an attack, one has to look at the motivational factors involved in salami attacks. Salami strikes often involve some form of financial gain but they can also be used for information gathering purposes. Often insiders, consultants, or anyone else with knowledge of the system and looking to steal money perpetrate these attacks. However, government agencies, spies, or anyone else looking to covertly gain information can also utilize salami attacks [7].


Instances of Attacks

The more recognized form of a salami attack is taking the rounded-off decimal fractions of bank transactions and transferring them into another account. (Many will remember this as being a key plot point in such movies as Superman III and Office Space.) Banks often use decimal places beyond the penny when calculating amounts in terms of interest. If a customer earning interest every month has accumulated $50.125 in interest, the fraction of the penny is rounded according to the bank's system [3]. Such an attack was reportedly perpetrated at a Canadian bank where an insider siphoned $70,000 from other customer accounts into his own. "A bank branch decided to honor the customer who had the most active account. It turned out to be an employee who had accumulated $70,000 funneling a few cents out of every account into his own." [Green] [1]. Taking such a small fraction may seem insignificant or even invisible to the victims, but when done across millions of transactions, the accumulation can be immense for the attacker.
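The two audit checks this case suggests, as an added example that is not part of the original article: recompute each interest credit independently and compare it with what was posted, then look for an account that collects tiny credits from many distinct sources. The account IDs, amounts, thresholds and the round-half-up rule are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def expected_credit(exact_interest):
    # Assumed rounding rule (round half up); use the institution's documented rule.
    return exact_interest.quantize(CENT, rounding=ROUND_HALF_UP)

def shortfalls(exact_by_account, posted_by_account):
    """Per-account difference between recomputed and posted interest credits."""
    out = {}
    for acct, exact in exact_by_account.items():
        diff = expected_credit(exact) - posted_by_account.get(acct, Decimal("0"))
        if diff != 0:
            out[acct] = diff
    return out

def micro_credit_sinks(transfers, max_amount=Decimal("0.05"), min_sources=3):
    """Destinations that collect tiny credits from many distinct source accounts."""
    sources, totals = defaultdict(set), defaultdict(Decimal)
    for src, dst, amount in transfers:
        if Decimal("0") < amount <= max_amount:
            sources[dst].add(src)
            totals[dst] += amount
    return {d: totals[d] for d, s in sources.items() if len(s) >= min_sources}

# Constructed sample data: exact interest owed, what the ledger posted, and transfers.
EXACT = {"A-100": Decimal("50.125"), "A-101": Decimal("12.344"),
         "A-102": Decimal("7.996"), "A-103": Decimal("3.505")}
POSTED = {"A-100": Decimal("50.12"), "A-101": Decimal("12.34"),
          "A-102": Decimal("7.99"), "A-103": Decimal("3.50")}
TRANSFERS = [("A-100", "E-900", Decimal("0.01")), ("A-102", "E-900", Decimal("0.01")),
             ("A-103", "E-900", Decimal("0.01")), ("A-101", "A-102", Decimal("25.00")),
             ("A-100", "A-101", Decimal("0.02"))]

if __name__ == "__main__":
    short = shortfalls(EXACT, POSTED)
    sinks = micro_credit_sinks(TRANSFERS)
    print("under-credited accounts:", short)
    print("micro-credit sinks:", sinks)
    # A sink whose total matches the total shortfall ties the two findings together.
    print("totals match:", sum(short.values()) == sinks.get("E-900"))
```

Neither check depends on a customer noticing a missing cent: the first relies on an independent recomputation, the second on the fan-in pattern that made the employee's account the "most active" one.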

Other versions of this kind of attack involve economic gain through less precarious channels. Employees modifying computer billing programs so that the customer is slightly overcharged on certain transactions fall into this category. One such case involved a rental agency that "modified a computer billing program to add five extra gallons to the actual gas tank capacity of their vehicles" [2]. Customers unaware of the tank capacities would be overcharged with very little suspicion being raised. This clever technique shows that the slicing need not be directly monetary. Exploiting customer unawareness on matters such as gasoline tank size can often go unnoticed. Another example of this happened when a gas station installed modified chips to misread how much gas was being pumped. Customers began noticing that their vehicles were supposedly taking more gas than the tank could hold. Systems to keep this in check failed to notice the attack right away because "the perpetrators programmed the chips to deliver exactly the right amount of gasoline when asked for five- and 10-gallon amounts - precisely the amounts typically used by inspectors." [2]. Salami attacks are hard to track down, and examples like this show the importance of tracking even the slightest error because it could be a sign of a bigger problem.

In addition to financial gains through salami attacks, information is another asset that can be accumulated in unnoticeable quantities. Acquiring small quantities of information from multiple sources or channels and piecing them together can yield a clear picture of the target. "The intelligence gathering process consists of piecing together fragments of information to predict the future. It is not tantamount to looking for a needle in a haystack, but for the right three or four pieces of hay in a haystack that will add up to a prediction of a terrorist attack." [Lake] [4]. In this example, information about an attack can be gleaned by piecing together bits of phone conversations, emails, and knowledge of where a person traveled or shopped, which together can be used to discover the overall picture of the organization.


Conclusion

If there is one important lesson to learn from salami attacks, it is that even the minutest amount of information can be vitally important. Salami attacks are meant to go undetected and spread the burden of harm across a large number of transactions. Salami attacks stress the need for constant monitoring of a system and show that even minor discrepancies could be the breadcrumbs of a larger attack. The difficulty of detecting them, and the fact that the perpetrators are often close to the target, make salami attacks one of the more elusive information attack methods.


References

1. A.P. Taco Bell-issimo San Francisco: Chronicle, 11 Jan 1997 http://catless.ncl.ac.uk/Risks/18.76.html#subj1

2. Kabay, M.E. Salami fraud Network World Security Newsletter: 07/24/02 URL: http://www.nwfusion.com/newsletters/sec/2002/01467137.html

3. Icove, David and Seger, Karl and VonStorch, William. Computer Crime A Crime fighter's Handbook. 1995 Chapter 2

4. Lake, Anthony. Leaders and Followers: Sources of Terrorism: The Middle East Forum. March 21, 2002 URL: http://www.meforum.org/article/178

5. Krause, Micki and Tipton, Harold F. Handbook of Information Security Management: CRC Press - Auerbach Publications 1999

6. Doherty. Elementary Practical Background Material for Computer Security and Computer Warfare: Lecture URL: http://www.headtrauma.com/sclass1a.ppt

7. Cohen, Fred. All.Net Security Database: URL: http://all.net/CID/Attack/Attack93.html