World Bank Under Cybersiege In "Unprecedented Crisis"
JagsLive sends in a Fox News report on large-scale and possibly ongoing security breaches at the World Bank. "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an 'unprecedented crisis.' In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public." Update: 10/11 01:15 GMT by T : Massive spyware infestations might be good cause to reevaluate the TCO of non-Windows systems on the desktop.
This was bound to happen. (Score:5, Insightful)
These days financial institutions consider IT (and other) security as something that costs them money, without giving them any benefit.
Will this wake them up?
I hear the question "Can we afford?" when talking about security in IT shops. The question that I am coming back with is "Can we afford not to?"
Just how many more banks' machines are compromised? How about Federal and Local Government's machines and networks?
If you had enough financial data somebody could cause an economic collapse - I wonder what it would look like.
I Hope They Destroy This Monster (Score:1, Insightful)
It is an evil instrument, of human enslavement and degradation.
It is empire, with shackles of dependency and credit.
It kills children by starvation, as it extracts demands for medicines.
It is Satan's rectum, poised over the third-world.
Fox is like the National Enquirer (Score:4, Insightful)
Blaming the Chinese is useless (Score:5, Insightful)
First thing I would do is launch my attack from a compromised host in country X while being in country Y
reputable source? (Score:4, Insightful)
Does anyone have a link to a story on this from a reputable news source?
Ooh... Fox News says the IP address is from China! (Score:2, Insightful)
Does the IP address indicate a Chinese intrusion, or is that just a spin?
Re:Blaming the Chinese is useless (Score:1, Insightful)
First thing I would do is launch my attack from a compromised host in country X while being in country Y
Lastly, I would blame China. With most countries being in a financial crisis, China would take the fall and bail us out.
Re:This was bound to happen. (Score:5, Insightful)
These days financial institutions consider IT (and other) security as something that costs them money, without giving them any benefit.
Will this wake them up?
I hear the question "Can we afford?" when talking about security in IT shops. The question that I am coming back with is "Can we afford not to?"
Just how many more banks' machines are compromised? How about Federal and Local Government's machines and networks?
If you had enough financial data somebody could cause an economic collapse - I wonder what it would look like.
For most financial institutions their primary goal when it comes to information assurance is to pass audits. As you stated, security is usually a cost center and they do whatever they can to keep that cost down. This generally means doing just enough work to make them compliant and, as we all know, compliant != secure. I do not believe these incidents will change anything unless the financial institutions are forced to a higher standard. I will continue to hope that they will see the light.
Security? (Score:5, Insightful)
Face it, no matter how secure a system is, if it is usable by humans it can be breached. Easily.
There are anywhere from 100 to 1000 hackers/crackers/slimeballs out there that are ready and willing to take on each and every system. Ones that claim to be "secure" are just a bigger target. There is no such thing as a completely "secure" system that is usable and accessible by ordinary humans. True security would require controlled physical access, multiple authenticating factors, and so on. None of this is going to happen for an accessible system usable by "ordinary humans".
About all that is realistic is to minimize the damages. Face the fact that if you are a target you are going to lose. Try not to lose too much.
Prosecution of the break-in? Forget it. It's the Internet. It is International. If it looks like it is coming from China, it could be real or it could be a proxy. There are no effective International laws that will assist in any sort of prosecution. There is no supra-national police force that will break down the door of the cracker and haul them away. Nothing is going to happen. Unless the guy is a complete idiot that brags about it.
Re:Fox is like the National Enquirer (Score:1, Insightful)
Let me guess, you would believe it if it were on MoveOn.org, right?
Re:0wn3d (Score:4, Insightful)
Frankly, it doesn't surprise me. As far as I've ever determined, if someone with extremely sophisticated knowledge of computer networks and OSes wants to get into a system, they will find a way. Especially a country with the population of China - can you imagine the size of computer-based espionage departments they could have going no problem? I used to know guys who were insanely skilled with finding exploits by just browsing through source code. I thought it was insane - I'd never know how to figure that out, but they would always find some minor flaw that was exploitable. Imagine a freaking team dedicated to doing that. Or even a team that takes network hardware components that are known to be used by this bank (that information can be easily gained via social engineering, no question). Reverse engineer the network hardware's firmwares etc., or even better, social-engineer the manufacturer to get in-detail system specs. I mean.. seriously, I'm not surprised at all, because someone (or some group of people) who's determined, organized and skilled enough could break into any damn system they wanted. That said, it's still fucking horrible and frustrating that such ultra-sensitive data is basically a "free-for-all" for someone for the past year or however long.
Re:Before anyone mods the parent down.... (Score:5, Insightful)
Actually, I never assumed for a moment that the parent was a left wing nut. I assumed he was a right wing nut. There is a certain section of conservative opinion that believes any international multilateral body (I'm looking at you, U.N) is the spawn of satan.
Sensitive data? (Score:4, Insightful)
sensitive data about the economies of every nation
What's so sensitive about the economy of a nation that it must be kept secret, thereby not even allowing the nation itself (the people) to know about it?
Re:First post??? (Score:4, Insightful)
I hope you were being sarcastic because Russia is nowhere near immune from what is going on. In fact, they keep closing [forbes.com] their stock market [usatoday.com] because of what's going on.
Re:This was bound to happen. (Score:3, Insightful)
"Will this wake them up?"
Highly doubt it. The problem with IT security breaches is that they're like earthquakes, flooding, or stock market crashes. They're too rare, too big, and too uniformly disastrous -- there generally won't be enough people left who remember it next time to do anything about it.
Urgent message to mods re: Satan's rectum (Score:5, Insightful)
Please, please, please mod parent comment down. The last thing we need is for the phrase "It is Satan's rectum, poised over ..." to become a new Slashdot meme.
I mean can you imagine:
- an item about Linux and posts like "It is Satan's rectum, poised over capitalism";
- an item about fascism and posts like "It is Satan's rectum, poised over our freedoms";
- an item about the Cheney/Bush government and posts like "It is Satan's rectum, poised over privacy and the U.S. Constitution"
- an item about a new Windows version and posts like "It is Satan's rectum, poised over the computer world";
Yech! Please stop it before it starts!
Re:This was bound to happen. (Score:3, Insightful)
These days financial institutions consider IT (and other) security as something that costs them money, without giving them any benefit.
Will this wake them up?
I hear the question "Can we afford?" when talking about security in IT shops. The question that I am coming back with is "Can we afford not to?"
Just how many more banks' machines are compromised? How about Federal and Local Government's machines and networks?
If you had enough financial data somebody could cause an economic collapse - I wonder what it would look like.
For most financial institutions their primary goal when it comes to information assurance is to pass audits. As you stated, security is usually a cost center and they do whatever they can to keep that cost down. This generally means doing just enough work to make them compliant and, as we all know, compliant != secure. I do not believe these incidents will change anything unless the financial institutions are forced to a higher standard. I will continue to hope that they will see the light.
Under ordinary economic circumstances you would be absolutely correct, i.e., why should they care about security, leaks don't cost them anything. Right now, though, they're being hit in the parts of their anatomy they love best ... their wallets. Furthermore, as many people have pointed out the survival of banking institutions is as much a matter of perception as it is liquidity, and I know how I perceive the World Bank Group right about now. It doesn't take much for already-skittish investors and bank customers to start shifting their money elsewhere. In this case, WBG has taken a big hit in the trust department, and the only way out of this is to invest big in security, and hope people believe them when they say they've fixed the problem.
Re:reputable source? (Score:1, Insightful)
I believe GP said a reputable source.
Re:Before anyone mods the parent down.... (Score:3, Insightful)
But, but...it's more fun to blame it on capitalism. Oh, and Bush.
Possibly. (Score:4, Insightful)
It is interesting, though, that it has been about a year since the current run on the stock markets and world finances began. (The current credit crunch, if you look at the graphs, is simply a continuation of a trend that began probably about April last year.)
Now, to use the oft-quoted "correlation does not prove causation", it would be totally absurd to say that the coincidence of dates proves the current problem is related to the cyber-attacks. Lots of things probably happened in April of last year. To pick one out, just for the sake of picking something, would be stupid. However, if I were in charge of IT security at the World Bank, I would be wanting to know if sensitive or classified information was continually exposed over that period that would permit someone to destabilize things.
It's almost certain that unencrypted sensitive information would be present on e-mail servers, which is stupid and naive, and members of the World Bank who don't make use of secure methods of communication for sensitive material should be made to walk the plank regardless of whether any harm was done. The IT managers who allowed unencrypted data to be present and who did not properly install suitable intrusion countermeasures should follow shortly thereafter. In the (extremely dubious and unlikely, but arguably possible) circumstance that the crisis is related to the infiltration, then the game changes from a mere fix-things-up and discipline-the-bastards scenario to a more severe lockdown-the-damn-network-now-defcon-1 type of situation.
The former simply means you need to apply suitable patches and/or servers, and maybe hire a pirate ship to escort the former employees to shark-infested waters. Since this is the most likely situation by far, that's all they need to do. But concealing it hasn't helped them apply the measures they needed, or the attacks could not have continued the moment it tripped the first intrusion detector. In this case, the secrecy has caused severe harm to the World Bank, but probably nobody else. Like I said, this is the most likely.
The worst-case is that we're seeing a positive feedback loop. Sensitive/classified information on volatile situations that could cause those situations to get considerably worse being posted, then lifted and used to do exactly that, causing people to post even more such information, and so on. Positive feedback loops are not simply a technological problem but an entire attitude problem and social engineering problem. That requires more than IT security, because IT security can't debug or firewall the brain. Yet. Such a loop might easily require a complete organizational shutdown, because no amount of patching will help. It needs a major attitude shift - not just on the part of internal employees but also on the part of all countries involved - and that takes time. If it's the mind that's the vulnerability -AND- it is causing massive devastation, the World Bank would have to shut down all operations completely. Otherwise, you can't guarantee killing the loop. The chances this would need to happen are extremely slim, but as I said, it is technically possible, and you can't afford to be piecemeal when it comes to such scenarios.
If it's so unlikely, why mention it at all? Because the timing -is- interesting (a crisis is uncommon, so two parallel financial crises should raise eyebrows), along with the fact they even see it as a crisis is exceptionally interesting, the fact that their response has been one of paralysis (suggesting a non-trivial people problem, rather than an idiotic individual or an unpatched machine), and the fact that everyone else's management of their perceived problem isn't managing it in the least, is suggestive that (a) the wrong problems are being fixed, and (b) that there is a lot of pressure to avoid fixing - or even seeing - the right problems. Suggestive isn't proof, of course, which is why I'm more interested in whether they're even looking to see if this is a possibility.
You must be new around here (Score:3, Insightful)
Secrecy is the hallmark of your government. There are good reasons for this. Bush-Cheney would be dangling by piano wire at this moment if the American public could freely see into what they've done and how they did it. (Actually there's more than enough of what we know they've done.)
It's one reason why a Democrat isn't permitted to be elected; Obama-Biden have threatened to prosecute criminal acts under Bush-Cheney. You can bet that puts the fear of god into them. Too many powerful people have too much to lose.
Re:This was bound to happen. (Score:5, Insightful)
Furthermore, in the modern world the contents of a bank's hard drives are much more valuable than what's in their steel-lined vaults. I don't think they've fully come to grips with that, or they'd have spent more money on information security.
Insurance companies act as private regulators in a 'free' market.
Banks buy insurance for the contents of their vault, meaning their insurance company effectively dictates the minimum requirements for the bank's physical security. Higher cost security is balanced against lower insurance rates.
Physical security is a mature field.
Internet security is not and probably will not be for some time.
What??? Where do you get that? (Score:4, Insightful)
The world bank makes HUGE loans to entire nations and imposes draconian reform rules and regulations, requires real assets as collateral, usually the target nation's most valuable raw resources, and charges interest. If that ain't a bank of sorts, what is?
Re:This was bound to happen. (Score:4, Insightful)
Furthermore, in the modern world the contents of a bank's hard drives are much more valuable than what's in their steel-lined vaults.
Yes, but valuable to who? Do the banks lose any money if the info is hacked? If there is no financial cost to these break ins at the institutions where they happen why in the world would such a profit oriented institution spend any money beyond the bare minimum to ensure they aren't jailed for malfeasance (although I would argue that doing so in itself is malfeasance)?
I don't think they've fully come to grips with that, or they'd have spent more money on information security.
They will only spend more money on information security when it becomes DIRECTLY more costly or DIRECTLY more risky (e.g. probability of COST) to hold off. This news does nothing to counter my viewpoint - no actual loss occurred (no fines, no assets moved, no nothing) to the Bank itself. All actual loss occurred to the groups that had their data stolen. As long as institutions can say "Whoops!" and everything goes along its merry way nothing will change.
Opportunistic conmen (Score:4, Insightful)
Well keep in mind in the 1997 Asian Financial Crisis the IMF recommended the Asian Governments to do about the opposite of what the USA is doing now.
http://en.wikipedia.org/wiki/Asian_financial_crisis [wikipedia.org]
"The IMF's support was conditional on a series of drastic economic reforms influenced by neoliberal economic principles called a "structural adjustment package" (SAP). The SAPs called on crisis-struck nations to cut back on government spending to reduce deficits, allow insolvent banks and financial institutions to fail, and aggressively raise interest rates."
Raise interest rates, allow insolvent banks and institutions to fail (even if they are "too big to let fail"). And allow them to be bought up by foreigners. How'd the USA like it if AIG got bought up by China/Japan (they do have enough money, it's just that they know it'll annoy their number 1 customer).
Go compare what the USA is doing now to the IMF's recommendations in 1997.
So, forgive me if I see the IMF as evil. The World Bank? Probably the other arm ;).
They're both just tools for the US to increase its power over the rest of the world.
Re:Sensitive data? (Score:2, Insightful)
What's so sensitive about the economy of a nation that it must be kept secret, thereby not even allowing the nation itself (the people) to know about it?
Uh, passwords, bank account numbers, and all sorts of info that would let people walk away with money that wasn't theirs?
Riiiight (Score:1, Insightful)
It's one reason why a Democrat isn't permitted to be elected
Riiiiight . . so when Obama gets elected what happens to your conspiracy theory then? I'm guessing I won't hear about it then, so I want to get your reaction now.
Re:This was bound to happen. (Score:4, Insightful)
This news does nothing to counter my viewpoint - no actual loss occurred (no fines, no assets moved, no nothing) to the Bank itself. All actual loss occurred to the groups that had their data stolen. As long as institutions can say "Whoops!" and everything goes along its merry way nothing will change.
Reputation is an asset, especially in banking.
Banks and Corporations spend millions on advertising to build up their brand.
The World Bank has been having some rough times recently, Wolfowitz last year and now this.
When they get publicly embarrassed/humiliated/[adjective] it damages their reputation.
Though their reputation is intangible, the cost to repair the damage is not.
I don't believe it. (Score:1, Insightful)
We all know what's going down in the so-called 'financial world' right now. Somewhere somebody wants to sink some 9-to-12-digit money-loss to the bottom of the ocean with a block of concrete tied to its feet without others noticing it - thus this shady cover-up story. I don't trust it a bit.
Believe me, people, the stuff we're hearing on the news and in every official channel, in Europe but in the USA especially, it's 80% total and utter bullshit. You don't seriously believe that people who don't care squat about whose money they're burning think twice about oomphing the next inflation and deficit spree on top of the old one that just blew up sky high on the tab of current market values still in play in the real economy? I thought so. I trust these people who do even more than fake a break-in to get back to business as usual.
I think this story couldn't be farther from what it is presented as. Especially if it comes from the US Reichspropaganda Ministry 'Fox News'.
Posted anonymously from somebody with a few-digit sum of slashdot comments. Yeah, I'm starting to get that paranoid. And for good reasons too.
Re:Before anyone mods the parent down.... (Score:3, Insightful)
"You never said exactly what forces this country to accept the loan."
Just a guess... if the politicians accepting the loan are thoroughly corrupt, which most politicians are, their plan is to siphon off a large percentage of the loan, as it comes in to their country, and store the proceeds in Swiss bank accounts. After that they don't care if their home country can't pay off the loan; they are rich globe trotters, gambling in the best casinos and serviced by world class hookers. They never go back to the bankrupt third world shit hole they destroyed to get rich. One of Wolfowitz's big themes when he was running the World Bank was corruption and that corruption had to be rooted out before money flowed to a country. I don't think he was very successful at that since it turned out he had his own problem with corruption, giving a high paying job and raises to his mistress. And of course the Bush administration in which Wolfowitz served has proved to be one of the more corrupt administrations in U.S. history. Corruption is hard to fix when everyone is doing it.
I'm quite curious what the IMF and World Bank would say about the U.S. economy in recent weeks. The massive nationalization of the U.S. economy would seem to be totally contradictory to the rhetoric the U.S., through the World Bank, has spewed at the third world for decades. The U.S., U.K. and many first world countries seem to have rushed to state capitalism (a.k.a. Fascism) or Socialism almost overnight in seizing control of major banks, massive attempts at market manipulation, etc. It appears free market reforms are only appropriate for economic crisis in the third world. As soon as there was a real crisis in the first world they rushed to the nationalization to solve it, something they have railed against elsewhere forever.
As an aside I learned just the other day one of the top executives at Lehman Brothers whose collapse triggered the current panic is George H. Walker IV. He is George W. Bush's cousin. His namesake, George Herbert "Bert" Walker, is one of the patriarchs of the Bush clan and rumored to have been a first class schemer. The Bushes are all named George Herbert and George Walker in tribute to him because he started them on their rise to power and riches. There is irony that one of George W's cousins is central to the economic collapse that he is using to turn the U.S. into a Fascist/Socialist economy (Fascist if the Republicans are in power, Socialist if it's the Democrats that take the reins).
Re:This was bound to happen. (Score:3, Insightful)
Physical security is a mature field.
Internet security is not and probably will not be for some time.
Sure it is. I've had this printed out and posted on the bulletin board behind my head for about 24 years now:
THE INTERNET IS NOT SECURE
That's all the maturity any Internet Security personnel need.
Re:This could be a ruse for clamping down on Inter (Score:3, Insightful)
The US government has a long history of conjuring up fictitious demons in order to justify bringing in more police state measures.
I bet we're about to hear of a clampdown on the Internet, "to safeguard freedom and the effective operation of world markets".
Of course, the reason our government does that is because it is a government By, Of and For The People. That means our leaders are (to a limited degree) accountable to us, and have to sell us on any such nonsense they wish to implement. That they're able to do that speaks more to the caliber of the American citizen than anything else. We should be a harder sell than we are, that's for sure. As it is, just mention children or terrorists and we'll bend right over.
Put it this way: the reason that national governments of countries such as China, or Russia, or North Korea don't have to run a con on their citizens is because those people are nothing more than subjects, serfs in fact. They have no say in what their governments do, so their governments do whatever the hell they want.
Re:What??? Where do you get that? (Score:4, Insightful)
Mafia?
Read the update as well (Score:2, Insightful)
UPDATE: After FOX News published its story, a World Bank spokesman issued the following statement: "The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.
"Taken out of context" by definition means "it happened and we can't deny it, but we're not crazy to confirm it".
I don't know why Skype would be installed, but you should read the memo a bit more thoroughly before making "bogus" claims.
Nowhere does it say that a Lotus Notes Admin account has been compromised. It says that the Notes Server sent a notification triggered by an attempt to access the mail inbox for a (compromised) sysadm account of some guy who was on vacation.
And nowhere does it say that Microsoft was doing the forensics, it says that "Microsoft forencsics is being worked on by Charles team". Since the server they mention is a Domain controller, it would make sense that they're running some M$ software on it, wouldn't it?
I'm not saying the memo is for real, but you need to work a bit harder than that to discredit it.
Re:What??? Where do you get that? (Score:5, Insightful)
1. An agency mandated to have a US citizen leading it, its purpose is to hide the identity of predatory lenders who blackmail impoverished governments via their treasuries. Largely financed by the industrial/military complex to keep the oil flowing to the military/industrial complex. [sourcewatch.org]
2. An agency that used the Bretton Woods system [wikipedia.org] to rebuild western Europe, and has gone on to bring democracy, wealth and good governance to much of S.America, S.E Asia, and Eastern Europe.
I have heard "the road to hell is paved with good intentions" and suspect both definitions are correct at one time or another.