$10 Router, No Firewall Blamed In $80M Bangladesh Bank Hack (reuters.com)
Earlier this year, a spelling mistake in an online bank transfer prevented a nearly $1 billion heist at Bangladesh's central bank and the New York Fed. The hackers, however, had still managed to steal about $80 million. The Bangladesh government blamed the New York Fed for not spotting the suspicious transactions earlier. As it turns out, they should also be taking some blame, if not all. An anonymous reader writes: Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said. The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.
Make the $81M come out of the VP's bonus.
That $10 switch seems a lot like some cost-reduction yahoo is calling the shots and does not want to pay the needed costs to do it right.
That's what happens when your security depends on stuff made in China.
More H-1b visas! Send them our way since they're so good at securing their own networks.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Presumably, if money is moved solely though digital means, it would be far easier to track where it ends up?
I'm god, but it's a bit of a drag really...
It is not the $10 router's fault. If you have an international network, you must treat the network itself as hostile. On an international scale you simply cannot have a network that can be trusted as only having known devices and actors connected to it. On that scale you must assume that unapproved devices will be attached. Given this, the failure is in the design of the authentication system, not the network.
They should have used pfSense.
They've got some decent hardware too, though more than US$ 10: https://www.pfsense.org/products/
Headline states $10 router, but story states $10 switches. Who's not paying attention?
Good point, App Guy! If they were running their bank using apps they would have been on wifi, and they'd at least have been behind NAT and had a minimal firewall.
It would be an improvement!
Because if only they had spent that extra dollar... In fact, the article points out that if they had used "more sophisticated routers" (costing hundreds of dollars) they could have monitored what was going on... Yet even cheap switches often support logging. Meanwhile, once they were in and considering how it sounds like they were set up, the hackers could have wiped the logs anyway (although admittedly it'd be easier to miss some of the logs if there were lots of switches).
Overall, it's pretty clear the internal switches were about as much to blame as them failing to use monster cables. Unless they used monster cables...
I miss GNAA more every day.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
Most banks screw their own customers first. A bank screwing itself is something else. Another reason to use a credit union.
Someone gets so much money to implement secure banking network, pockets 90% of it, buys a bunch of cheap switches and calls it "done".
I saw same kinds of things when I was working in a West African country.
I am guessing they lack the know-how in house, and were unwilling to spend real money to keep full-time IT staff on board, so they instead hired some consultant who billed them a few thousand dollars for a ten dollar router...
ELOI, ELOI, LAMA SABACHTHANI!?
If you buy a cheap switch/router/hub you get a poor performance switch/router/hub or an unreliable switch/router/hub, not a hackable network. The protocol is totally encrypted end to end and getting access to a switch won't give you the keys to anything. So, the cheap switch/router/hub is totally irrelevant in this picture.
Next, the lack of a firewall. Again, here it all depends on how the network is built. Is it a single computer, single purpose network and the only port open on the computer is the port required by the SWIFT network? If yes, adding a firewall won't make it more secure either. It is already listening on the port that would have been opened by the firewall anyway. On the other hand, if the computer is listening on multiple ports with pieces of software known to be flawed, it is likely to be vulnerable to an attack and maybe the encryption keys have been stolen or maybe not. We still don't know how the attack was successfully completed. So far, it is more likely someone just gave the keys and password to the hackers. It could be an inside job.
BTW, expensive switches/routers/hubs are not necessarily more secure than cheaper ones. They are made to be more reliable in 24/7 operations and have a larger capacity. That's where most of the price difference is justified to the customer.
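The "only one port open" argument above is only as good as the evidence for it, so here is a small audit that checks a host's listening sockets against an explicit allowlist. This is an added example, not code from the thread or from any bank or SWIFT system; the `ss -lntup` output is constructed sample data, the process names are invented, and the allowed port 8443 for the hypothetical "swiftgw" process is an assumption standing in for whatever port a single-purpose host actually needs.

```python
"""Audit a host's listening sockets against an allowlist (added example).

The sample output below is constructed to look like `ss -lntup` on Linux;
the process names and the allowed port are assumptions for the demo.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str      # "tcp" or "udp"
    addr: str       # local bind address
    port: int
    process: str    # owning process name, or "" if the line carried none


# Constructed sample, shaped like `ss -lntup` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=901,fd=4))
tcp   LISTEN 0      64         127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=1200,fd=5))
tcp   LISTEN 0      128          0.0.0.0:8443      0.0.0.0:*     users:(("swiftgw",pid=1402,fd=7))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*     users:(("snmpd",pid=700,fd=6))
"""

# Assumed allowlist: the one (proto, port) pair the single-purpose host needs.
ALLOWED_LISTENERS = {("tcp", 8443)}

_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(text: str) -> list[Listener]:
    """Turn `ss`-style output into Listener records, skipping the header."""
    listeners: list[Listener] = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:22" too
        match = _PROC_RE.search(line)
        listeners.append(Listener(proto, addr, int(port), match.group(1) if match else ""))
    return listeners


def audit(listeners: list[Listener], allowed: set[tuple[str, int]],
          loopback_ok: bool = True) -> list[Listener]:
    """Return every listener that is not on the allowlist.

    Sockets bound only to loopback are tolerated by default because they are
    not reachable from the network; set loopback_ok=False to report them too.
    """
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port) in allowed:
            continue
        if loopback_ok and lst.addr in ("127.0.0.1", "[::1]"):
            continue
        findings.append(lst)
    return findings


def audit_sample() -> list[Listener]:
    """Run the audit over the constructed sample."""
    return audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED_LISTENERS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"unexpected listener: {finding.proto}/{finding.port} "
              f"on {finding.addr} ({finding.process or 'unknown process'})")
```

On the sample this flags sshd, the web server and SNMP as listeners the host was not supposed to have, and leaves the loopback-only database alone; on a real host you would feed it live `ss` output and treat any finding as something to remove or justify, which is exactly the condition under which the comment's "a firewall adds nothing" claim stops holding.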
Achille Talon
Hop!
I dunno... reading through the hacking team break-in (by which I mean, reading the hacker's first-person description), it's unclear to me how *anyone* could be considered responsible for these sorts of things.
The hacked system should encrypt passwords, use a salt, have offsite backups that are regularly tested... all that "of course" stuff applies.
But I'm not at all sure how having a modem or router hacked could be the responsibility of the system.
How can you tell? Is there an exploit for your high-end Juniper firewall?
The hacking-team narrative suggests that the person who did it replaced the [router?] firmware with a custom one with his own backdoor. A single 0day exploit on an internet-facing appliance.
Did someone intentionally weaken the PRNG in your Intel CPU at the mask level? Did someone replace the firmware on your hard drive? Is your BIOS compromised?
I read where someone put malware into the firmware of an intelligent *battery*.
Welcome to the future: everything has firmware, and all firmware can be reflashed by the factory.
(The update service installed when you install our product will automatically upgrade the system as needed. Just download and execute! This fixes the rendering issue in the Tagalog language pack, it's a *must have* upgrade!)
I'm not sure how anyone can guarantee their systems are secure any more.
If the State department can't secure their computers, what hope is there for regular mortals?
It's a bank, the first thing they'll do is cry like bitches to the government and demand bailouts like a bunch of takers.
The important thing is that they didn't buy the $15 router.
Even if you decide to turn to a life of crime.
North Korea's been hurting under the new sanctions. The amount of money that was almost stolen is insane for a person to steal but makes sense for a country (or more specifically, a military and ruling party) to steal. It was a well-organized effort involving many people. They were caught because of a mistake that an English-speaker wouldn't make.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Hahahaha!
And I never troll.
I'm here for the experience, not the Hyperbole.
Don't bother with LUDDITE tapas, smart app appers know that Applebee's has half price Apps after 10! That way you can buy twice the beer and make your apps more appy!
They're still blaming "hackers with hacks", and apparently whoever matters to them does not buy it any longer.
So it's not "wrong trust boundary" but "a new twist on talking crap". There's no information to be had from derping derps other than they are derping. And anybody talking about the cyber bogeyman with untold powah to "hack", most certainly is talking crap. This is not less true for most of the computer security industry having established "talking crap" as the industry best practice. These shmucks are derping, and so they are derps, and so they are talking crap. Q.E.D.
I would lay the blame for all of that at the feet of the security officer for the bank. Seems to me all the blame is at the feet of the executive officers of the bank who gave it an electronic presence without sufficient security. Financial institutions are supposed to have responsibility and oversight in place, not have worse security than my parents' home.
There is no difference.
Consumer grade routers have a HUGE failing point (I haven't verified yet if it can be worked around by making/reflashing the bootloader to 'boot closed' or not.) In the event of a power outage, reinitialization of the router/switch bridges all ports. In the event the router/switch operating system doesn't come up, the switch is left in 'dumb switch' mode, store-and-forwarding all packets via all ports (unless the ethernet address is already in the 'dumb switch' cache.) The router/switch does not return to 'all ports closed' or 'configured settings' modes until the OS (in my experiments, linux) has initialized and booted all the way to userspace. In the event the OS is corrupted and never boots, or voltages were low enough during initialization to fail it into an unknown state, it also fails open.
While this might not seem like a big deal for the average consumer, this is a huge potential privacy breach as well as security breach, since intentionally 'blipping' the power grid where a desired consumer router is located (and not on a UPS) can allow you to kill firewalling between the router/switch and the network, resulting in layer 2 access to a target network and thus the ability to map out target network topology, or provide false DHCP settings to computers on the network that automatically request network configuration when ethernet comes back up, also allowing you to gather suspected internal IPs by the DHCP renewal requests.
While this is a good example of the dangers of using some of this equipment at that level, it should really be broadened to a discussion of the perils of consumer grade equipment as a whole, and whether these issues are due to dangerous defaults in hardware or simply software level misconfiguration (opening all ports by default in the bootloader.)
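One of the consequences the comment names, false DHCP settings handed out while a consumer router sits in fail-open mode, is something a defender can watch for on the wire: any DHCPOFFER or DHCPACK whose server identifier is not one of the known DHCP servers is a rogue reply. The following is an added example, not code from the thread or from any router vendor; it builds a few DHCP reply packets from scratch (constructed, with made-up addresses) so it runs offline, and then runs the check over them. The trusted server address 10.0.0.1 is an assumption.

```python
"""Flag DHCP replies from servers not on a trusted list (added example).

Packets are built here with constructed addresses so the demo runs offline;
on a real network you would feed captured UDP/67->68 payloads to
find_rogue_replies() instead.
"""
from __future__ import annotations

import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 options magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_OFFER, MSG_ACK = 2, 5


def build_dhcp_reply(msg_type: int, server_ip: str, yiaddr: str, xid: int) -> bytes:
    """Constructed DHCP reply: 236-byte BOOTP header + magic + options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                 # op=BOOTREPLY, htype=ethernet, hlen=6, hops=0
        xid, 0, 0,                  # transaction id, secs, flags
        b"\0" * 4,                  # ciaddr
        socket.inet_aton(yiaddr),   # yiaddr: address being offered
        socket.inet_aton(server_ip),  # siaddr
        b"\0" * 4,                  # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = (bytes([OPT_MSG_TYPE, 1, msg_type,
                      OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_options(packet: bytes) -> dict[int, bytes]:
    """Return the DHCP option map, or raise if this is not a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options: dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def find_rogue_replies(packets: list[bytes], trusted_servers: set[str]) -> list[tuple[str, str]]:
    """Return (server_id, message_kind) for every OFFER/ACK from an untrusted server."""
    rogue = []
    for pkt in packets:
        opts = parse_options(pkt)
        mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
        if mtype not in (MSG_OFFER, MSG_ACK):
            continue                      # client-side messages are not of interest
        server_id = (socket.inet_ntoa(opts[OPT_SERVER_ID])
                     if OPT_SERVER_ID in opts else "missing-server-id")
        if server_id not in trusted_servers:
            rogue.append((server_id, "OFFER" if mtype == MSG_OFFER else "ACK"))
    return rogue


# Assumption for the demo: the only legitimate DHCP server is 10.0.0.1.
TRUSTED_DHCP_SERVERS = {"10.0.0.1"}

# Constructed traffic: two replies from the real server, two from an impostor.
SAMPLE_PACKETS = [
    build_dhcp_reply(MSG_OFFER, "10.0.0.1", "10.0.0.50", 0x1111),
    build_dhcp_reply(MSG_OFFER, "10.0.0.254", "10.0.0.50", 0x1111),
    build_dhcp_reply(MSG_ACK, "10.0.0.1", "10.0.0.50", 0x1111),
    build_dhcp_reply(MSG_ACK, "10.0.0.254", "10.0.0.51", 0x2222),
]

if __name__ == "__main__":
    for server, kind in find_rogue_replies(SAMPLE_PACKETS, TRUSTED_DHCP_SERVERS):
        print(f"rogue DHCP {kind} from {server}")
```

Seeing a single untrusted server identifier is enough to alert on; the same check is what managed switches implement in hardware as "DHCP snooping", where only designated uplink ports may carry server replies, and that feature, not price alone, is the substantive difference between the consumer gear described here and something fit for a bank's SWIFT segment.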
Most of my apple laptop batteries died in perfect condition but with corrosion on the internal connectors between cells. Probably because they used politically correct solder instead of lead.
I'm sorry, why is Wi-Fi intrinsically using NAT? You are barely more knowledgeable than the OP, and at least he has a humorous, sarcastic point.
If it ain't broke, don't fix it.
My old workplace had an IT worker apply for a job who prided himself on finding the CHEAPEST possible solution to any problem. For example, he would grab any discarded printers or computers he could find on the side of the road or in dumpsters. The used appliance shelves at thrift stores were his source for cable modems and such. He bragged about how his last employer hadn't needed to spend much on IT because he cobbled together whatever was needed for cheap.
Now, he was applying for a job with a company who routinely spent more on office food catering for the fun of it than his prior company's entire budget, so we were not overly concerned with acquiring network hardware from somebody's trash can. He didn't get the job.
But I can see where someone with that kind of skill at finding a cheap way to do something might be considered a huge asset. And banks, being penny-pinchers, I can imagine he would have fit in well in such an operation and felt great about using used hardware.
Sig for hire.
Not that I'm against firewalls or managed switches or anything like that, but shouldn't the primary security control really be end-to-end encryption and strong auth at the OS level? I understand that in less secure environments we can rely on IP addresses and stuff like that for part of our protection. But at a bank I would hope that things would be secure even if your switch and firewall are both compromised.
Of course, if you can't even get the simple things like a switch and firewall right, you have no hope of properly securing the OS. (why yes, that was a shot at the network guys! Feel free to fire back, as flamewars are fun for all here on /.!)
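To make the "secure even if your switch and firewall are both compromised" goal concrete, here is an added example (not code from the thread, from SWIFT or from any bank) of end-to-end message authentication at the application layer: each transfer message carries an HMAC over its canonical form plus a per-sender sequence number and a timestamp, so a party who can read or rewrite frames on the wire can neither alter an amount, replay an old instruction, nor pass off a stale one. The shared key, sender name and message fields are constructed for the demo.

```python
"""Application-layer message authentication with replay protection (added example).

Assumes a pre-shared symmetric key per sender; in a real deployment the key
would live in an HSM or be replaced by per-peer signatures, but the checks
(integrity, freshness, monotonic sequence) are the same.
"""
from __future__ import annotations

import hashlib
import hmac
import json


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so sender and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, sender: str, seq: int, ts: int, payload: dict) -> dict:
    """Build a message whose MAC covers sender, sequence, timestamp and payload."""
    body = {"sender": sender, "seq": seq, "ts": ts, "payload": payload}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class MessageVerifier:
    """Receiver side: rejects forged, stale and replayed messages."""

    def __init__(self, key: bytes, max_skew: int = 300) -> None:
        self.key = key
        self.max_skew = max_skew          # seconds of clock drift tolerated
        self.last_seq: dict[str, int] = {}  # highest accepted seq per sender

    def verify(self, msg: dict, now: int) -> tuple[bool, str]:
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare first: nothing else is trusted until the MAC holds.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        if abs(now - int(msg["ts"])) > self.max_skew:
            return False, "stale"
        if int(msg["seq"]) <= self.last_seq.get(msg["sender"], 0):
            return False, "replay"
        self.last_seq[msg["sender"]] = int(msg["seq"])
        return True, "ok"


def demo() -> dict[str, str]:
    """Exercise the verifier with constructed messages; returns each outcome."""
    key = b"constructed-demo-key-not-for-real-use"
    verifier = MessageVerifier(key)
    now = 1_700_000_000
    good = sign(key, "branch-A", 1, now, {"amount": "1000.00", "to": "ACCT-1"})
    results = {"legit": verifier.verify(good, now)[1]}

    # Wire-level tampering: the MAC no longer matches the altered payload.
    tampered = dict(good)
    tampered["payload"] = {"amount": "9000000.00", "to": "ACCT-1"}
    results["tampered"] = verifier.verify(tampered, now)[1]

    # Replay of the already-accepted message a few seconds later.
    results["replay"] = verifier.verify(good, now + 5)[1]

    # Valid MAC but an hour-old timestamp.
    stale = sign(key, "branch-A", 2, now - 3600, {"amount": "5.00", "to": "ACCT-2"})
    results["stale"] = verifier.verify(stale, now)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The ordering of the checks matters: the MAC is verified before any field is interpreted, so an attacker on the path cannot use the timestamp or sequence logic to probe the receiver, and `compare_digest` keeps the comparison constant-time. None of this depends on the switch, the firewall or the IP address the message arrived from, which is the point the comment makes.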
Those mudders on Higgins' Moon better be careful.
Being some huge banking system, SWIFT should have requirements for anyone connecting to their network. The US's regulatory compliance means little if we allow non-compliant systems to connect via links like this. Their website even has white papers talking about cybersecurity, IT risk management, etc. But their site also preaches quite a bit about "speed" and "ease of use", so to me it feels like SWIFT itself set up an atmosphere for their members to play fast-and-loose. There are security products that are actually FREE that they didn't even bother to use? There are numerous free applications for log analyzing, firewalls, intrusion detection, etc. Yet all these also require employees that know how to set these up and use them. Reading around the web, they've identified two Chinese nationals, and the casinos are also Chinese owned. SWIFT themselves are claiming their systems were never breached, ignoring their own reports of "sophisticated malware was deployed by the attackers on the SWIFT servers to process and authorise SWIFT transactions."
On top of this all, there seems to be an indication that plain-old corruption had something to do with this, and that "Atiur Rahman...had kept details of the grand theft secret for weeks, seemingly even from senior government officials". So, they knew about a breach, chose to do nothing, then someone actually finally used the breach to commit the heist. If Atiur had reported the breach perhaps it could have been resolved before the money was actually stolen?
Sounds like it was set up to be hacked... No firewall...
There is so much cheating in Indian "computer science" courses that it is no wonder that they have no competence. A lesson for those who would outsource to India to save money. Cheap engineers are too expensive.
Near the end of the article is the better info...
The SWIFT connected computers should have at least been hived off into a separate VLAN. They weren't.
The loss is not as bad as it seems. Sure $80M was stolen, but they made savings on those $10 routers, so that's maybe only $79,999,500 lost... not so bad as we first thought.
Be nice. Slashdot readership is no longer technical. Be happy that he (almost) did better than Hollywood screenwriters.
Serious? Seriousness is well above my pay grade.
Wi-fi isn't intrinsically using NAT. However, the very cheapest consumer access points are all using it by default.
I wasn't presuming that a company that used second-hand switches would buy an enterprise-grade access point, which of course wouldn't come with any of that "router" stuff, because the router wants to do that. I'm assuming they would use a second-hand consumer "soho" model. Customers would return it as broken if it didn't do NAT out of the box!