Slashdot Mirror


$10 Router, No Firewall Blamed In $80M Bangladesh Bank Hack (reuters.com)

Earlier this year, a spelling mistake in an online bank transfer prevented a nearly $1 billion heist at Bangladesh's central bank and the New York Fed. The hackers, however, still managed to steal about $80 million. The Bangladesh government blamed the New York Fed for not spotting the suspicious transactions earlier. As it turns out, they should also be taking some blame, if not all. An anonymous reader writes: Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said. The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.

21 of 96 comments

  1. Make the 81M come of the VP's bonus by Joe_Dragon · · Score: 4, Informative

    Make the 81M come out of the VP's bonus.

    That $10 switch seems a lot like some cost-reduction yahoo is calling the shots and does not want to pay for the costs needed to do it right.

    1. Re:Make the 81M come of the VP's bonus by anegg · · Score: 5, Interesting

      If I were analyzing their security, I would be much more concerned with the "no firewall" comment than how much they spent on a switch... No firewall, really? Bet they saved a lot of money not having to put that in place and monitor it....

    2. Re:Make the 81M come of the VP's bonus by anegg · · Score: 4, Informative

      Ok - after reading the article, I think they might not have had any security architecture whatsoever. No compartmentalization of data flows. No firewall. Probably no monitoring. And judging from the comments, no traffic accounting/auditing capability.

      It seems like they had no understanding of the IT risks at all.

    3. Re:Make the 81M come of the VP's bonus by GungaDan · · Score: 4, Funny

      Coming soon - this bank outsources IT to neighboring India.

      --
      Eloi are stupid, throw morlocks at them!

    4. Re:Make the 81M come of the VP's bonus by wagnerrp · · Score: 2

      The comment on the cheap switch was that they had the SWIFT servers connected to the same dumb switch as other unprotected computers in the building. More expensive switches would have allowed them to isolate those servers on their own network, as would one extra dumb switch dedicated to those servers, but either would have required them to install a router to link the two networks. It's all ultimately just a "no firewall" issue.

    5. Re:Make the 81M come of the VP's bonus by l0n3s0m3phr34k · · Score: 4, Informative

      That article is crap lol. This article is far more interesting... Like how one of the security researchers was abducted for several days, "malware was specifically designed to hijack access to the Swift network", Bangladesh Finance Minister A.M.A. Muhith saying local banking officials were "100 percent" involved in the scandal, Rizal Commercial Banking Corporation (RCBC) President and CEO Lorenzo Tan ordering people to "move the money", how much of it has already been converted into Chinese casino chips, etc. This would make a great movie, it's so convoluted and messed up lol. It's even got "a man previously linked to illegal drug operations, Kim Wong, as the mastermind" per Philippines Senator Sergio Osmeña.

    6. Re:Make the 81M come of the VP's bonus by rahvin112 · · Score: 5, Funny

      You are apparently unaware of how finances work in states like Bangladesh.

      1. The government apportions the appropriate money for a task assuming market rates.
      2. Department head siphons off 5% of the money and uses it to pay for Hookers and Blow.
      3. The Department manager awards the contract to a friend who then gives them 10% of the money remaining back as cash.
      4. The department representative responsible for ensuring the requirements are met then gets his 5% remaining kickback as well to look the other way as the requirements are not met. There are various other kickbacks as well, the city inspector and others involved.
      5. The company now responsible for the implementation has lost about 25% of the total. They then take their 50% profit and buy $10 off-the-shelf routers to do a job that had originally required commercial-grade products with support contracts and zero-day support.

    7. Re:Make the 81M come of the VP's bonus by magarity · · Score: 2

      That $10 switch seems a lot like some cost-reduction yahoo is calling the shots and does not want to pay for the costs needed to do it right.

      GDP per capita in Bangladesh is US$750/yr. A $10 switch sounds like a wild extravagance.

  2. The answer is obvious by smooth+wombat · · Score: 3, Funny

    More H-1b visas! Send them our way since they're so good at securing their own networks.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower

  3. Confusion? by Anonymous Coward · · Score: 3, Informative

    Headline states $10 router, but story states $10 switches. Who's not paying attention?

  4. Re:Router != Switch by Aighearach · · Score: 2

    Good point, App Guy! If they were running their bank using apps they would have been on wifi, and they'd at least have been behind NAT and had a minimal firewall.

    It would be an improvement!

  5. Re:Router != Switch by Killall+-9+Bash · · Score: 2

    I miss GNAA more every day.

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016

  6. Irrelevant information by AchilleTalon · · Score: 2, Informative

    All the information is totally irrelevant to determine the cause of the breach.

    If you buy a cheap switch/router/hub you get a poor performance switch/router/hub or an unreliable switch/router/hub, not a hackable network. The protocol is totally encrypted end to end and getting access to a switch won't give you the keys to anything. So, the cheap switch/router/hub is totally irrelevant in this picture.

    Next, the lack of a firewall: again, it all depends on how the network is built. Is it a single-computer, single-purpose network and the only port open on the computer is the port required by the SWIFT network? If yes, adding a firewall won't make it more secure either. It is already listening on the port that would have been opened by the firewall anyway. On the other hand, if the computer is listening on multiple ports with pieces of software known to be flawed, it is likely to be vulnerable to an attack and maybe the encryption keys have been stolen, or maybe not. We still don't know how the attack was successfully completed. So far, it is more likely someone just gave the keys and password to the hackers. It could be an inside job.

    BTW, expensive switches/routers/hubs are not necessarily more secure than cheaper ones. They are made to be more reliable in 24/7 operation and have a larger capacity. That's where most of the price difference is justified to the customer.

    --
    Achille Talon
    Hop!

    1. Re:Irrelevant information by ledow · · Score: 3, Informative

      I work in a school.

      Our switches cost 2000 GBP each, and we have a firewall that costs on the same order. They have features you cannot get on anything cheaper (RADIUS, et al are "freebie" features nowadays - we're talking direct MDM on the switch and all kinds of security).

      The question is not "was the $10 switch to blame?" but "why would you ever use a $10 switch anyway?" These people are storing money thousands of times more than anything we ever have to deal with, for thousands more customers than we will ever have, with thousands of times more budgets than I will ever see.

      And their stuff isn't even from the "19-inch rack networking" section of the catalogue. It's from the "bargain buys for home users to 'double up' their network cables" section.

      Additionally, I'm bound by PCI DSS standards which demand things like firewalls and antivirus EVEN IF there's no need for them. I promise you. And IDS and IPS and separated networks and all kinds of security. That's just to TAKE a credit card payment to pass onto the bank. The banks themselves aren't then doing more?

      It's got nothing to do with what could be true at the bank. It's about not even trying to follow industry best practices, let alone actually getting close to them.

  7. I dunno... by Okian+Warrior · · Score: 4, Interesting

    Make the 81M come out of the VP's bonus.

    That $10 switch seems a lot like some cost-reduction yahoo is calling the shots and does not want to pay for the costs needed to do it right.

    I dunno... reading through the Hacking Team break-in (by which I mean, reading the hacker's first-person description), it's unclear to me how *anyone* could be considered responsible for these sorts of things.

    The hacked system should encrypt passwords, use a salt, have offsite backups that are regularly tested... all that "of course" stuff applies.

    But I'm not at all sure how having a modem or router hacked could be the responsibility of the system.

    How can you tell? Is there an exploit for your high-end Juniper firewall?

    The hacking-team narrative suggests that the person who did it replaced the [router?] firmware with a custom one with his own backdoor. A single 0day exploit on an internet-facing appliance.

    Did someone intentionally weaken the PRNG in your Intel CPU at the mask level? Did someone replace the firmware on your hard drive? Is your BIOS compromised?

    I read where someone put malware into the firmware of an intelligent *battery*.

    Welcome to the future: everything has firmware, and all firmware can be reflashed by the factory.

    (The update service installed when you install our product will automatically upgrade the system as needed. Just download and execute! This fixes the rendering issue in the Tagalog language pack, it's a *must have* upgrade!)

    I'm not sure how anyone can guarantee their systems are secure any more.

    If the State department can't secure their computers, what hope is there for regular mortals?

  8. Could be North Korea? by GameboyRMH · · Score: 3, Interesting

    North Korea's been hurting under the new sanctions. The amount of money that was almost stolen is insane for a person to steal but makes sense for a country (or more specifically, a military and ruling party) to steal. It was a well-organized effort involving many people. They were caught because of a mistake that an English-speaker wouldn't make.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  9. Re:no surprise here by Anonymous Coward · · Score: 2, Informative

    No.

    More like: Bob, we don't need a firewall, we just need a switch to get on the network. So what can you do for $10? Get a router/firewall that can't handle the load, or just a basic switch that will work.

    It is so painful reading your posts...

  10. Re:Router != Switch by tom229 · · Score: 2

    I'm sorry, why is Wi-Fi intrinsically using NAT? You are barely more knowledgeable than the OP, and at least he has a humorous, sarcastic point.

    --
    If it ain't broke, don't fix it.

  11. Re:$11 Router by skids · · Score: 2

    From the way the article words it they hadn't even segmented the broadcast domains -- the sensitive servers were in the same VLAN as everything else -- nothing to do with logging capabilities, really -- they were apparently using a dumb switch with no dot1q capabilities whatsoever.

  12. Actually skimmed article... $10 switch = no VLAN by WoTG · · Score: 2

    Near the end of the article is the better info...

    The SWIFT connected computers should have at least been hived off into a separate VLAN. They weren't.
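The two comments above (skids on the flat broadcast domain, WoTG on the missing VLAN) and anegg's earlier remark about the absence of traffic accounting describe the same gap: nothing defined which hosts were allowed to talk to the SWIFT-connected machines, and nothing recorded when that was violated. The following is an added example, not code from the article or from any of the commenters: a small zone-policy audit over constructed flow records. The subnet, the single operator workstation and the application port are all assumptions chosen for illustration.

```python
"""Audit a flat-network flow log for traffic a segmented design would have blocked."""
from ipaddress import ip_address, ip_network

# Hypothetical zone layout (assumed, not taken from the article): the SWIFT-connected
# hosts get their own subnet, and only one operator workstation may reach them.
SWIFT_ZONE = ip_network("10.20.0.0/24")
OPERATOR_HOSTS = {ip_address("10.10.0.5")}
SWIFT_APP_PORTS = {443}  # placeholder application port; the real one is site-specific

# Constructed flow records, "src dst dport proto" (not real bank telemetry).
SAMPLE_FLOWS = """\
10.10.0.5 10.20.0.10 443 tcp
10.10.0.77 10.20.0.10 445 tcp
10.10.0.77 10.20.0.10 443 tcp
10.20.0.10 10.10.0.5 443 tcp
10.10.0.23 10.10.0.40 80 tcp
"""

def parse_flow(line):
    src, dst, dport, proto = line.split()
    return ip_address(src), ip_address(dst), int(dport), proto

def violates_zone_policy(src, dst, dport):
    """Return a reason if this flow should not exist on a segmented network, else None."""
    src_in = src in SWIFT_ZONE
    dst_in = dst in SWIFT_ZONE
    if dst_in and not src_in:
        if src not in OPERATOR_HOSTS:
            return "non-operator host reaching SWIFT zone"
        if dport not in SWIFT_APP_PORTS:
            return "operator using unexpected port into SWIFT zone"
    if src_in and not dst_in and dst not in OPERATOR_HOSTS:
        return "SWIFT-zone host initiating traffic to general LAN"
    return None

def audit(log_text):
    """Return (src, dst, dport, reason) for every flow that breaks the zone policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, _ = parse_flow(line)
        reason = violates_zone_policy(src, dst, dport)
        if reason:
            findings.append((str(src), str(dst), dport, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

On the sample records only the two flows from the non-operator host 10.10.0.77 are flagged; the same check, fed real flow or firewall logs, is the "traffic accounting" anegg noted was missing.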

  13. Re:Router != Switch by JWSmythe · · Score: 2

    Be nice. Slashdot readership is no longer technical. Be happy that he (almost) did better than Hollywood screenwriters.

    --
    Serious? Seriousness is well above my pay grade.