World Bank Under Cybersiege In "Unprecedented Crisis"
JagsLive sends in a Fox News report on large-scale and possibly ongoing security breaches at the World Bank. "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an 'unprecedented crisis.' In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public." Update: 10/11 01:15 GMT by T : Massive spyware infestations might be good cause to reevaluate the TCO of non-Windows systems on the desktop.
Funny the Email is referencing External webmail (Score:5, Informative)
Well of course I can't be certain, but this appears to be nothing more than a breach of their email system (encrypt your damn email, people).
From the leaked memo: "MD and CIO has directed that all external Webmail accounts be disabled immediately for all staff who have not changed their passwords yet"
Re:so the chinese orchestrated the market meltdown (Score:3, Informative)
Psychologically, you don't need schizophrenics, and their paranoid delusions are probably too far out there to be what you're looking for. Just stop with someone with delusional disorder.
0wn3d (Score:5, Informative)
Damn, they got owned completely, 3 different times. Someone in their security department needs to get a clue. Somehow their offsite data store got accessed, then an IT consultant worker keylogged them, and finally they got in again through a third party and escalated to admin rights.
3 different attack vectors, all completely successful. That is just kinda pathetic...
Re:Fox is like the National Enquirer (Score:3, Informative)
You are, it's called /. -- It's about the furthest thing from Fox you can find.
And if you wait a few moments until the global news oligopoly passes the story to all the other rags it owns, you can read the exact same text elsewhere too: http://news.google.com/news?hl=en&q=world+bank+computer+intrusion [google.com]
Oh, I'll one-up you on the Troll... at least it's not the New York Times; there's a chance that this story is not made-up fiction.
Re:Funny the Email is referencing External webmail (Score:3, Informative)
Uhh you fail at reading, from TFA:
"In plainspeak: 'They had access to everything,' says the source. 'They had the keys to every room at the bank. And we can't say whether they still do or don't until we fully and openly address what's happening here.'"
Re:Before anyone mods the parent down.... (Score:5, Informative)
That's not at all what actually happens. You should read John Perkins' book Confessions of an Economic Hit Man [amazon.com].
You can find interviews of him explaining it all over the internet. It has nothing to do with "laissez-faire" capitalism.
The IMF/World Bank gives a country (normally with a valuable natural resource) a loan it knows it can't pay off to build infrastructure that benefits only a few big corporations, normally foreign. Once the country defaults, the banks get the country to sign over its infrastructure and natural resources to them and other corporations.
That isn't capitalism of any form. It is legalized theft.
As an employee (aka What Happened) (Score:1, Informative)
As an employee, let me explain something which may not be clear: we are not a "Bank" in the sense of your neighbourhood lender, holder of money and such. We are a development agency, not much different from USAID. As such, we don't deal with personal financial data like you're accusing us of doing.
Now, with that clarification out of the way... I agree, the way this has been handled internally is disastrous. Our largely incompetent IT team has kept us in the dark about what has been stolen and from where. There is no clear understanding of what passwords were compromised or what data was stolen, and an email sent to all hands basically says "we will never know". This is infuriating to staff because it's possible that our banking details (personal bank accounts, like your neighbourhood bank) were stolen, along with tax info, personal ID numbers, and so on.
My understanding of what happened is this: internally, we used to use a single password system, deployed at ridiculous expense two years ago, after years of development. (Any one chapter of the development of the single password system would qualify as a story at TheDailyWTF.) Said system would change passwords by going to every system (Active Directory, SAP, internal applications, etc.) one by one and changing the password. Said system was also developed in house, with no code review, and inevitably someone discovered a flaw in it and broke in. Since all other systems were set up to trust this password broker system, you could change an administrator password by simply telling the broker to negotiate the change.
What is most aggravating of all, however, is that the breach was detected initially in July 2007, nothing was done for OVER a year, and when they did decide to start cleaning up the mess, it was when a huge portion of staff were on leave or away working in the field. So naturally, they were cut off from access, without any contact information, or even an understanding of what had happened.
We're still waiting to have the CIO and most of the IT staff fired. A bug can happen. Not correcting said bug for over a year once means their heads should roll. Don't count on it, though.
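The design flaw the employee describes, a password broker that every downstream system trusts unconditionally, is easy to model. The following is an added, constructed example and not code from the World Bank or any vendor: the account names, the HMAC session token, the `helpdesk` role and the three directory names are all assumptions made for illustration. `TrustingBroker` fans any change out to every system without checking who asked, so whoever can drive the broker can reset an administrator; `CheckedBroker` authenticates the requester, applies an authorization rule, keeps an audit trail, and refuses to manage admin accounts at all, so a broker compromise cannot escalate to admin rights.

```python
"""Toy model of a password-sync broker: the 'trust the broker' design beside a
version that authenticates and authorizes each request before fanning it out.

Hypothetical, constructed example (not the institution's actual code).
"""
import hashlib
import hmac


def make_directories():
    """Constructed sample of the downstream systems the broker writes to.
    Each maps account -> [password, is_admin]; lists are copied per directory
    so the systems hold independent state, as real ones would."""
    users = {
        "alice": ["alice-old", False],
        "bob": ["bob-old", False],
        "svc-admin": ["admin-old", True],
    }
    return {name: {u: list(v) for u, v in users.items()}
            for name in ("ActiveDirectory", "SAP", "internal-app")}


class TrustingBroker:
    """Weak design: downstream systems accept anything the broker relays, and
    the broker itself never verifies the requester. Anyone who can reach the
    broker (or exploit a flaw in it) can reset any account, admins included."""

    def __init__(self, directories):
        self.directories = directories

    def change_password(self, requester, target, new_password):
        # No authentication of `requester`, no check that they may touch `target`.
        for directory in self.directories.values():
            directory[target][0] = new_password
        return True


class CheckedBroker:
    """Hardened design. Assumptions (constructed for this example): a session
    is an HMAC over the user name keyed with a broker secret; users holding the
    'helpdesk' role may reset ordinary users; admin accounts are out of scope
    entirely, so compromising the broker does not yield administrator access."""

    def __init__(self, directories, secret, roles):
        self.directories = directories
        self._secret = secret
        self.roles = roles            # user -> set of role names
        self.audit = []               # (requester, target, outcome) per request

    def issue_token(self, user):
        """Stand-in for a real session credential the broker can later verify."""
        return hmac.new(self._secret, user.encode(), hashlib.sha256).hexdigest()

    def _authorize(self, requester, token, target):
        if not hmac.compare_digest(self.issue_token(requester), token):
            return "invalid session token"
        if target not in self.directories["ActiveDirectory"]:
            return "unknown account"
        if self.directories["ActiveDirectory"][target][1]:
            return "admin accounts are not managed through the broker"
        if requester != target and "helpdesk" not in self.roles.get(requester, set()):
            return "requester may only change their own password"
        return "ok"

    def change_password(self, requester, token, target, new_password):
        outcome = self._authorize(requester, token, target)
        self.audit.append((requester, target, outcome))   # every attempt is logged
        if outcome != "ok":
            raise PermissionError(outcome)
        for directory in self.directories.values():
            directory[target][0] = new_password
        return True


if __name__ == "__main__":
    dirs = make_directories()
    broker = CheckedBroker(dirs, b"constructed-secret", {"helpdesk1": {"helpdesk"}})
    try:
        broker.change_password("alice", broker.issue_token("alice"), "svc-admin", "x")
    except PermissionError as err:
        print("refused:", err)
    print(broker.audit)
```

The point of the hardened version is not the token scheme, which any real deployment would replace with its directory's own authentication, but that the broker enforces a policy instead of acting as a universal trusted relay: the audit list is what the employee's IT team lacked when they could not say which passwords had been touched.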