Salami Attacks

Salami Attacks

by B. Michael Hale


Abstract

This research will describe an aspect of crime known as salami fraud, the salami technique, or simply, a salami attack. Though most often associated with electronic banking and electronic data interchange fraud, the concept can be applied to other scenarios with little relation to computing. In general, salami attacks take place when small, almost immaterial, amounts of assets are systematically acquired from a large number of sources. In such miniscule denominations, they frequently exist just below the threshold of perception (and detection, for that matter). The result is an ongoing accumulation of assets in such a manner that the victims, whose assets are vanishing, fail to even notice.


The Salami Analogy

The origin of the salami attack analogy is two-fold. One perspective depicts taking such thin slices off the end of a salami that there is no noticeable difference in its overall size, [1] [2]. The perpetrator, who did the slicing, then sneaks away with the stolen pieces. From another angle, the perpetrator deceptively acquires a whole salami [5], formed by aggregating tiny scraps; much like real salami is formed from chopped beef, pork, garlic, and other ingredients. Of course, to consider the potential danger of salami attacks, we must assume there is more than deli meat at stake.


Salami Technique in Electronic Banking

The most typical scheme portrayed by a salami attack is that which involves an automated modification to financial systems and their data. For example, the digits representing currency on a bank's computer(s) could be altered so that values to the right of the pennies field ( < 0.01 ) are always rounded down (fair arithmetic routines will calculate in both directions equally). Since all this rounding down produces excess fractions of cents, they must be transferred elsewhere, and, carefully, so that no net loss to the system of accounts becomes apparent, [3] [4]. This is done by merely rearranging the funds into a balance owned by the perpetrator. The final rewards could be very attractive, provided the "slices" are taken 1) at frequent intervals throughout an extended period of time and 2) from a large number of accounts.

The essence of this mechanism is its resistance to detection. Account owners rarely calculate their balances to the thousandths or ten-thousandths of a cent, and, consequentially remain oblivious. Even if the discrepancies are noticed, most individuals have better things to do (like preserve their pride) than complain about an erroneous digit in some far off decimal place. The following (alleged) scenarios will demonstrate that "slices" need not always be tiny to evade detection. In fact, they can be rather large, as long as unsuspecting and/or ignorant victims are plentiful.


Salami Technique in Information Gathering

The salami technique can also refer to aggregating small amounts of information from many sources to derive an overall picture of an organization, [3]. For instance, information from a company's web site, advertisements, trash deposits, media reports, incidents viewed first-hand, or stolen documents could be used to build a large database. Eventually the collection might include contact information, telephone numbers, company policies, daily routines, and other sensitive information. The process could be extremely slow and last a period of months or years, but nonetheless would yield an abundance of factual intelligence about potential targets.

This attack of distributed information gathering also applies to personal privacy. It seems few adverse effects can become of the information we reveal on a regular basis to movie stores, restaurants that deliver, car rental agencies, libraries, online surveys, and etcetera. We can tell individual, unrelated companies one thing such as our name, address, phone number, or age; and still maintaining a reasonable sense of privacy. Now, this privacy vanishes in the event that each company exposes (or is robbed of) these bits and pieces of information. What results is an attacker learning a significant portion of the information that appears on a driver's license, but we can expect much more devastating effects from well planned jobs with proper sources.


Summary, Conclusions, and Further Work

Salami attacks are flambouyant financial scams or exploits against privacy by large-scale information gathering. Their nature and complexity is capable of baffling the most attentive system accountants, should they ever be acknowledged. Sometimes the most insignificant things, handled in an intelligent form or fashion, can grow beyond expectation. Constant (and accurate) supervision of our assets, careful scrutiny of payments or rewards, and discrimination when releasing personal information might help reduce the success of an attack by way of the salami technique.


Bibiography

[1] Aderucci, Scott. Salami Attacks. www.all.net/CID/Attack/papers/Salami.html [This is a previous student paper written on salami attacks].

[2] Kabay, M.E. Salami Fraud www.nwfusion.com/newsletters/sec/2002/01467137.html [This is an online excerpt from a publishing in the Network World Security newsletter from 07-24-2002].

[3] The Security Database: Attack #93 Salami Attacks at www.all.net [This is a reference of threats, attacks, and defenses maintained by Fred Cohen].

[4] Handbook of Information Security Management: Law, Investigation, and Ethics. www.cccure.org/Documents/HISM/522-525.html [This is an article of several short topics referenced by visiting the CISSP Open Study Guide site].

[5] Parker, Donn B. Fighting Computer Crime: A New Framework for Protecting Information. New York: John Wiley & Sons, Inc., 1998. [This text explains why current computer security methods often fail].