Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security IT Technology

$10 Router, No Firewall Blamed In $80M Bangladesh Bank Hack (reuters.com) 96

Earlier this a year, a spelling mistake in an online bank transfer prevented nearly $1 billion heist at Bangladesh's central bank and the New York Fed. The hackers, however, still had managed to steal about $80 million. Bangladesh government blamed the New York Fed for not spotting the suspicious transactions earlier. As it turns out, they should also be taking some blame, if not all. An anonymous reader writes: Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said. The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.
This discussion has been archived. No new comments can be posted.

$10 Router, No Firewall Blamed In $80M Bangladesh Bank Hack

Comments Filter:
  • by Joe_Dragon ( 2206452 ) on Friday April 22, 2016 @12:26PM (#51965763)

    Make the 81M come of the VP's bonus.

    That $10 switch seems alot of like some cost reduction yahoo is calling the shots and does not want to pay for the needed costs to due it right.

    • by anegg ( 1390659 ) on Friday April 22, 2016 @12:28PM (#51965789)
      If I were analyzing their security, I would be much more concerned with the "no firewall" comment than how much they spent on a switch... No firewall, really? Bet they saved a lot of money not having to put that in place and monitor it....
      • by anegg ( 1390659 ) on Friday April 22, 2016 @12:35PM (#51965849)

        Ok - after reading the article, I think they might not have had any security architecture whatsoever. No compartmentalization of data flows. No firewall. Probably no monitoring. And judging from the comments, no traffic accounting/auditing capability.

        It seems like they had no understanding of the IT risks at all.

        • by GungaDan ( 195739 ) on Friday April 22, 2016 @12:45PM (#51965933) Homepage

          Coming soon - this bank outsources IT to neighboring India.

          • Coming soon - this bank outsources IT to neighboring India.

            They couldn't do that for $10 though. Based on the sophistication( or lack of it), It looks like the teenage son of the bank president set this up based on his experience in setting up a home network..

            • They couldn't do that for $10 though. Based on the sophistication( or lack of it), It looks like the teenage son of the bank president set this up based on his experience in setting up a home network..

              Don't forget to chmod -R 777 / -- makes life easier.

          • There's probably thousands of cases where it's the other way round. Bangladesh is cheaper.

        • I am guessing they lack the know-how in house, and was unwilling to spend real money to keep full time IT staffs on board, so they instead hired some consultant who billing them a few thousand dollars for a ten dollar router...

          • I wouldn't even go that far. I expect a manager was tasked to setup the network. So he just did what he would do for his home network.

        • by Anonymous Coward

          after reading the article, I think they might not have had any security architecture whatsoever

          Something doesn't add up. With those kind of assets, why wasn't this system hacked a long, long time ago?

      • The comment on the cheap switch was that they had the SWIFT servers connected to the same dumb switch as other unprotected computers in the building. More expensive switches would have allowed them to isolate those servers on their own network, as would one extra dumb switch dedicated to those servers, but either would have required them to install a router to link the two networks. It's all ultimately just a "no firewall" issue.
      • by l0n3s0m3phr34k ( 2613107 ) on Friday April 22, 2016 @05:11PM (#51967967)
        That article is crap lol. This article is far more interesting... [voanews.com] Like how one of the security researches was abducted for several days, "malware was specifically designed to hijack access to the Swift network", Bangladesh Finance Minister A.M.A Muhith saying local banking officials were "100 percent" involved in the scandal, Rizal Commercial Banking Corporation (RCBC) President and CEO Lorenzo Tan ordering people to "move the money", how much of it has already been converted into Chinese casino chips, etc. This would make a great movie, it's so convoluted and messed up lol. It's even got "a man previously linked to illegal drug operations, Kim Wong, as the mastermind." per Philippines Senator Sergio Osmeña.
    • I dunno... (Score:5, Interesting)

      by Okian Warrior ( 537106 ) on Friday April 22, 2016 @12:53PM (#51965997) Homepage Journal

      Make the 81M come of the VP's bonus.

      That $10 switch seems alot of like some cost reduction yahoo is calling the shots and does not want to pay for the needed costs to due it right.

      I dunno... reading through the hacking team [schneier.com] break-in (by which I mean, reading the hacker's first-person description [pastebin.com], it's unclear to me how *anyone* could be considered responsible for these sorts of things.

      The hacked system should encrypt passwords, use a salt, have offsite backups that are regularly tested... all that "of course" stuff applies.

      But I'm not at all sure how having a modem or router hacked could be the responsibility of the system.

      How can you tell? Is there an exploit for your high-end Juniper firewall [wired.com]?

      The hacking-team narrative suggests that the person who did it replaced the [router?] firmware with a custom one with his own backdoor. A single 0day exploit on an internet-facing appliance.

      Did someone intentionally weaken the PRNG in your Intel CPU at the mask level? Did someone replace the firmware on your hard drive? Is your BIOS compromised?

      I read where someone put malware into the firmware of an intelligent *battery*.

      Welcome to the future: everything has firmware, and all firmware can be reflashed by the factory.

      (The update service installed when you install our product will automatically upgrade the system as needed. Just download and execute! This fixes the rendering issue in the Tagalog language pack, it's a *must have* upgrade!)

      I'm not sure how anyone can guarantee their systems are secure any more.

      If the State department can't secure their computers [cnn.com], what hope is there for regular mortals?

    • by rahvin112 ( 446269 ) on Friday April 22, 2016 @05:16PM (#51968017)

      You are apparently unaware of how finances work in states like Bangladesh.

      1. The government apportions the appropriate money for a task assuming market. Rates
      2. Department head siphons off 5% of the money and uses it to pay for Hookers and Blow.
      3. The Department manager awards the contract to a friend who then gives them 10% of the money remaining back as cash.
      4. The department representative responsible for ensuring the requirements are met then gets his 5% remaining kickback as well to look the other way as the requirements are not met. There are various other kickbacks as well, the city inspector and other involved.
      5. The company now responsible for the implementation has lost about 25% of the total. They then taken their 50% profit and buy $10 off the shelf routers to do a job that had originally required commercial grade products with support contracts and zero day support.

    • That $10 switch seems alot of like some cost reduction yahoo is calling the shots and does not want to pay for the needed costs to due it right.

      GDP per capita in Bangladesh is 750$US/yr. A $10 switch sounds like a wild extravagance.

  • by smooth wombat ( 796938 ) on Friday April 22, 2016 @12:31PM (#51965823) Journal

    More H-1b visas! Send them our way since they're so good at securing their own networks.

  • Presumably, if money is moved solely though digital means, it would be far easier to track where it ends up?

    • by Qzukk ( 229616 )

      money is moved solely though digital means

      I think you're looking for bitcoin. In this case the money was sent to a bank in the Philippines where almost certainly someone had opened an account with stolen ID, and closed the account out in cash as soon as the transaction cleared.

      • and closed the account out in cash as soon as the transaction cleared.

        I think it unlikely that one would be able to close an account and walk out with the equivalent of millions of dollars. What bank has such large sums of cash available for customers to withdraw?

        • Many countries operate out of suitcases full of cash.

          I used to work for a Bangla guy who'd pay in $100 bills rather than write a check. Perfectly legit, tax-paid business, but he dealt in cash.

          • Many countries operate out of suitcases full of cash.

            I am quite sure that cash is more common in many non-Western countries. But millions of dollars worth? That would be out of the ordinary.

        • I think it unlikely that one would be able to close an account and walk out with the equivalent of millions of dollars.

          Depends how much of it you "accidentally" leave in the manager's office.

          P.S. if he says he needs some extra to cover "fees and expenses", he's not ripping you off. That's for the police chief.

    • by Salgak1 ( 20136 )

      . . . until you move it to payment cards, and buy items with it. . . or any of several thousand OTHER ways of laundering the money. Disposable accounts. Cash Cards. et cetera ad nauseam . . .

  • It is not the $10 router's fault. If you have an international network, you must treat the network itself as hostile. On an international scale you simply cannot have a network that can be trusted as only having known devices and actors connected to it. On that scale you must assume that unapproved devices will be attached. Given this, the failure is in the design of the authentication system, not the network.
  • Confusion? (Score:3, Informative)

    by Anonymous Coward on Friday April 22, 2016 @12:38PM (#51965879)

    Headline states $10 router, but story states $10 switches. Who's not paying attention?

  • Most banks screw their own customers first. A bank screwing itself is something else. Another reason to use a credit union.
    • by geek ( 5680 )

      Most banks screw their own customers first. A bank screwing itself is something else. Another reason to use a credit union.

      Don't be so sure on the credit union. All they do is take the money and then put it in the coffers of another bank. You're still at the mercy of the banks with a credit union, its just that now you have a middle man between you.

      • Sometimes, when liability is concerned, a middleman is what you want.

      • You're still at the mercy of the banks with a credit union, its just that now you have a middle man between you.

        My credit union doesn't charge a fee for having a checking account, making an in person transaction with a teller, or using an out of network ATM. The monthly fees I pay for being a credit union customer is zero.

  • All the information is totally irrelevant to determine the cause of the breach.

    If you buy a cheap switch/router/hub you get a poor performance switch/router/hub or an unreliable switch/router/hub, not a hackable network. The protocol is totally encrypted end to end and getting access to a switch won't give you the keys to anything. So, the cheap switch/router/hub is totally irrelevant in this picture.

    Next, the lack of a firewall, again here, it all depends on how the network is built. Is it a single compute

    • by ledow ( 319597 ) on Friday April 22, 2016 @01:33PM (#51966359) Homepage

      I work in a school.

      Our switches cost 2000 GBP each, and we have a firewall that costs on the same order. They have features you cannot get on anything cheaper (RADIUS, et al are "freebie" features nowadays - we're talking direct MDM on the switch and all kinds of security).

      The question is not "was the $10 switch to blame?" but "why would you ever use a $10 switch anyway?" These people are storing money thousands of times more than anything we ever have to deal with, for thousands more customers than we will ever have, with thousands of times more budgets than I will ever see.

      And their stuff isn't even from the "19" rack networking" section of the catalogue. It's from the "bargain buys for home uses to 'double up' their network cables" section.

      Additionally, I'm bound by PCI DSS standards which demand things like firewalls and antivirus EVEN IF there's no need for them. I promise you. And IDS and IPS and separated networks and all kinds of security. That's just to TAKE a credit card payment to pass onto the bank. The banks themselves aren't then doing more?

      It's got nothing to do with what could be true at the bank. It's about not even trying to follow industry best practices, let alone actually getting close to them.

      • In case you don't know, the SWIFT network is available to single worker companies and I believe the network infrastructure of these is probably not more than a modem-router and a computer.

        Using cheap and crappy hardware at the link layer level of a network protocol doesn't make the protocol insecure, it makes it unreliable. You cannot crack on the protocol crypto because of a cheap, crappy and bad router/switch or whatever. It is simply just not involved at all in the cryptography and this is exactly for th

      • BTW, I am not saying it is a good sounding choice to use a 10$ switch/router or whatever. I am just saying it is not the cause of the hack.
      • by tom229 ( 1640685 )
        So... Industry best practice is buying hardware you don't need simply because it does more things? I must have missed that course. The OP's argument is completely reasoned. We don't have enough information to make judgments here. There's no intrinsic requirement for everything to be behind firewall, or for every switch to cost 2 grand. So, a switch cost $10? I need more information to care.
      • "I work in a school.
        Our switches cost 2000 GBP each, and we have a firewall that costs on the same order."

        You are expending too much.

        "They have features you cannot get on anything cheaper (RADIUS, et al are "freebie" features nowadays - we're talking direct MDM on the switch and all kinds of security)."

        See? You don't need to expend so much.

        I know, I know... paying that kind of money (maybe even public money to make things even worse) gives you a sense of accomplishment: "Mum, look at me! I'm using expensiv

        • by ledow ( 319597 )

          It's not public money.
          It's a private school.
          With 1:1 BYOD's.
          With site-wide wireless.
          With site-wide PoE for CCTV, VoIP, access control and bell/speaker systems, all QoS'd.
          With need for multi-gigabit backbone.
          With device MDM so that when we block an BYOD (because it's not up to date, say, or is missing AV), it blocks it site-wide on the wireless and Ethernet, alerts, stops sending down paid-apps, etc. etc.
          And the network sockets are opened on the basis of device owner (set from VPP from Apple, Google, etc.),

    • by tom229 ( 1640685 )
      Oh no, someone that knows what they're talking about using evidence based reasoning? Try using hyperbole and you'll get more attention and karma on this generation's slashdot and larger public consciousness.
  • Even if you decide to turn to a life of crime.

  • by GameboyRMH ( 1153867 ) <gameboyrmh@@@gmail...com> on Friday April 22, 2016 @01:20PM (#51966237) Journal

    North Korea's been hurting under the new sanctions. The amount of money that was almost stolen is insane for a person to steal but makes sense for a country (or more specifically, a military and ruling party) to steal. It was a well-organized effort involving many people. They were caught because of a mistake that an English-speaker wouldn't make.

  • Hahahaha!

    And i never troll.

  • My old workplace had an IT worker apply for a job who prided himself on finding the CHEAPEST possible solution to any problem. For example, he would grab any discarded printers or computers he could find on the side of the road or in dumpsters. The used appliance shelves at thrift stores were his source for cable modems and such. He bragged about how his last employer hadn't needed to spend much on IT because he cobbled together whatever was needed for cheap.

    Now, he was applying for a job with a compa

    • Such skills are only valued by someone that thinks the ridiculously small cost of hardware is even relevant in the scheme of things. Such as a company that sees it's IT budget as an expense and not an investment in productivity. The TCO on the recycled hardware would be massive because the labor costs would dwarf any savings on hardware. And only a short sided penny pincher wouldn't see that.

      In business IT costs you need to weigh three intangibles.

      1. What's the cost of failure (in this case bankrupting the

  • Not that I'm against firewalls or managed switches or anything like that, but shouldn't the primary security control really be end-to-end encryption and strong auth at the OS level? I understand that in less secure environments we can rely on IP addresses and stuff like that for part of our protection. But at a bank I would hope that things would be secure even if your switch and firewall are both compromised.

    Of course, if you can't even get the simple things like a switch and firewall right, you have no ho

  • Being some huge banking system, SWIFT should have requirements for anyone connecting to their network. The US's regulatory compliance means little if we allow non-compliant systems to connect via links like this. Their website even has white papers talking about cybersecurity, IT risk management, etc. But their site also preaches quite a bit about "speed" and "ease of use", so to me it feels like SWIFT itself set up an atmosphere for their members to play fast-and-loose. There are security products that ar
    • SWIFT can only send money, not deduct money, so why should SWIFT require any security? Don't have it, well you pay for it.

  • Sounds like it was setup to be hacked... No firewall...
  • Near the end of the article is the better info...

    The SWIFT connected computers should have at least been hived off into a separate VLAN. They weren't.

  • The loss is not as bad as it seems. Sure $80M was stolen, but they made savings on those $10 routers, so that's maybe only $79,999,500 lost... not so bad as we first thought.

"Someone's been mean to you! Tell me who it is, so I can punch him tastefully." -- Ralph Bakshi's Mighty Mouse

Working...