World Bank Under Cybersiege In "Unprecedented Crisis" 377

JagsLive sends in a Fox News report on large-scale and possibly ongoing security breaches at the World Bank. "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an 'unprecedented crisis.' In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public." Update: 10/11 01:15 GMT by T : Massive spyware infestations might be good cause to reevaluate the TCO of non-Windows systems on the desktop.
  • by Anonymous Coward on Friday October 10, 2008 @12:47PM (#25329193)

    Jim Rogers [wikipedia.org], Adventure Capitalist and Fox News business commentator, has said the same thing. What I'm trying to say is that the parent is not some leftist nut.

  • First post??? (Score:2, Interesting)

    by hesaigo999ca ( 786966 ) on Friday October 10, 2008 @12:50PM (#25329249) Homepage Journal

    As the possible first post, I want to make sure no one thinks this is in any way related to the markets crashing. As it stands, if China did originate the attack, they are losing as much as the USA right now, and are still losing dealing with their own problems (with the food illnesses).
    I was one to believe that the Chinese were doing a lot of hacking on purpose to advance in cyber tactics; however, this move, if it was caused by them, ended up costing them more than it returned.

    It may more have been a Russian hacker rerouting through China using Tor or something.

  • by ScrewMaster ( 602015 ) * on Friday October 10, 2008 @01:14PM (#25329571)

    If you had enough financial data somebody could cause an economic collapse - I wonder what it would look like.

    Probably something like this [msn.com].

  • Re:Dr. Evil? (Score:2, Interesting)

    by PolygamousRanchKid ( 1290638 ) on Friday October 10, 2008 @01:36PM (#25329879)

    Is there some scarred super-villain out there somewhere petting a hairless cat laughing like a maniac as the world falls into economic ruin?

    No, is he a good-looking WASP, attended St. Paul's School and Yale (or maybe Lawrenceville and Princeton), and he made a shit-load of money while his bank was going to Hell in a hand-basket.

    And he is petting a pure bred golden retriever.

    He is not laughing, but chuckling, because you get to pay the tab.

  • by Skal Tura ( 595728 ) on Friday October 10, 2008 @01:56PM (#25330109) Homepage

    Doesn't help if a whitelisted host is infected as well. No single technique or category of security is enough; it needs multi-tiered, multi-level security in cases such as this. All task specific.

    Furthermore, there shouldn't be a single "full access" account, except for "root", and anyone working on root access would need to be required to work as a team of 2 or 3 persons, all coming from separate divisions/offices/departments, no prior contact, randomly chosen. Why?

    Humans are always the weakest link in security, and if someone is being watched when working on server maintenance, the second fellow could report such an incident. Offer a prize for bringing it up if there's a suspicion, immediately bringing that server down, and even if it was a failed suspicion, there should be some kind of reward for just being suspicious.

    This data is too critical to let any single person have access in privacy. Every action taken on the server should be logged, and automatic heuristic analysis done on it. As well, for all data in and out, network or removable media. It is all doable, given the right persons to do it; it's even cost-effective.

    Automation is the key to cut costs.

    There's plenty of methods to do something with high security, given creative, sane, suspicious people planning for all of it.

    My 2 cents.
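    The two-person rule and the "log every action and review it automatically" idea from the comment above, turned into a small audit-log check. This is an added example, not code from the thread or from any commenter; the record format, session ids, user names and department names are constructed for the illustration.

```python
"""Two-person-rule check over privileged-session audit records.

Added example (not from the Slashdot thread or any commenter). It models the
proposal that root work be done by a team drawn from separate departments,
with every action logged and reviewed automatically. The log format,
department names and session ids below are constructed for illustration.
"""
from collections import defaultdict

# Constructed audit records: (session_id, event, user, department)
AUDIT_LOG = [
    ("s1", "open",    "alice", "treasury-ops"),
    ("s1", "witness", "bob",   "internal-audit"),  # second person, other department
    ("s1", "cmd",     "alice", "treasury-ops"),
    ("s1", "close",   "alice", "treasury-ops"),
    ("s2", "open",    "carol", "treasury-ops"),
    ("s2", "witness", "dave",  "treasury-ops"),    # same department: not independent
    ("s2", "cmd",     "carol", "treasury-ops"),
    ("s3", "cmd",     "erin",  "infra"),           # command with no opened session
]

MIN_DEPARTMENTS = 2  # at least two distinct departments must be present


def review_sessions(records, min_departments=MIN_DEPARTMENTS):
    """Return {session_id: [findings]}; an empty list means the session passes."""
    sessions = defaultdict(lambda: {"opened": False, "depts": set(), "cmds": 0})
    for sid, event, user, dept in records:
        s = sessions[sid]
        if event == "open":
            s["opened"] = True
            s["depts"].add(dept)
        elif event == "witness":
            s["depts"].add(dept)
        elif event == "cmd":
            s["cmds"] += 1
    findings = {}
    for sid, s in sessions.items():
        problems = []
        if not s["opened"]:
            problems.append("commands recorded without an opened session")
        if len(s["depts"]) < min_departments:
            problems.append(f"only {len(s['depts'])} independent department(s) present")
        findings[sid] = problems
    return findings


if __name__ == "__main__":
    for sid, problems in review_sessions(AUDIT_LOG).items():
        print(sid, "OK" if not problems else "; ".join(problems))
```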

  • by teacher_dude ( 959208 ) on Friday October 10, 2008 @02:05PM (#25330269)

    I've always thought the next world war would be fought with I.T. tools, acquiring data, corrupting data, putting economies into turmoil. Is this what is happening? China and others (recall cybertraffic around the Olympics when Georgia-Russia got into it), are they secretly waging war or deceptively setting up the next war? And what response, if any, is the U.S. countering with? Is this something hidden from citizens or is it just not happening?

  • by R2.0 ( 532027 ) on Friday October 10, 2008 @02:12PM (#25330375)

    No, there's a fundamental difference.

    Right wingers have an objection to throwing money into third world shitholes with no possibility of its return and no possibility of it doing any good for the people of the countries.

    Left wingers have an objection to throwing money at developing countries with strings attached, because it is inherently paternalistic and materialistic. The money should be granted as aid with no strings, not loans.

    Either way, both the World Bank and the IMF have failed at whatever charter they ever had, and need to be dissolved.

  • by TheMooose ( 1332077 ) on Friday October 10, 2008 @02:13PM (#25330391)

    ...their primary goal when it comes to information assurance is to pass audits.

    This is exactly what I saw throughout the banking industry for 5 years. Most institutions hire out to a firm like Icons, Inc yearly for an automated scan that returns what amounts to a report card for the corporate officers to first overreact to and then utterly ignore. They turn it over to their developers who assure them the holes are closed and they forget about it until next year; when they undoubtedly receive a very similar report.

    I have not seen many organizations who were willing to do more than what the FDIC or NCUA minimally require.

    I fear it will take a *very* destructive event for them to get the message on their. Unfortunately it will be their customers or members who take the bigger beating in the long run as it's commonplace for them to simply pass on costs instead of taking responsibility for their actions or inaction. I'd suggest the FDIC and NCUA stop playing politics and take security seriously instead of pandering to the lowest common denominator. They seem to be the only real motivator that the institutions listen to.

    My $0.02

  • by bertok ( 226922 ) on Friday October 10, 2008 @07:08PM (#25333767)

    When I was studying computer science at university, I had read about all these fancy cryptographic techniques, and I imagined that banks were these encrypted, firewalled fortresses of IT security, monitored by the most competent, most vigilant administrators.

    I was very wrong.

    Let me tell you about my experience of IT security in banks.

    A couple of years ago, I was sent to one of Australia's largest banks. I was there for a 1-week engagement to install the latest virus scanner software on some servers. It sounded like a great opportunity to have a look at some high-end systems and see how they were managed. So I turn up in the morning, and start unpacking my laptop, when the project manager warns me:

    "Don't plug your laptop into the network. We have to make sure you have the latest patches and AV first."

    I fully understood his position, of course; they couldn't just let some random guy plug a laptop into the network. It was a bank after all, security matters. I was wrong. He corrected me:

    "Oh no.. that's for your own protection! There's hundreds of viruses on this network, if you plug an unpatched machine into it, it'll be infected in seconds."

    I was stunned. He wasn't even joking. I did plug my laptop in (which was well patched), and ran Ethereal for a few minutes, during which time I saw several viruses attempting to hack my machine. It was incredible. I've never seen that kind of attack rate anywhere, and I've been to large, unfirewalled university networks and school networks.

    In fact, I didn't even really need to plug myself in. There was a WiFi connection available, with an easily recognisable SSID (the name of the bank). Of course, it was unencrypted, unsecured, and plugged directly into the desktop LAN.

    Next, I got a tour of the data center, which was an eye-popping experience in itself. The bank had recently invested in fancy new retina-scanning door locks. It looked like it was straight out of a James Bond movie. However, it was taking too long to program in every person who needed access into the system, so they had simply propped the door open with a bucket. The inside of the room was just as scary. I walked past DOS machines, Windows 95 "servers", and I saw at least one NT 3.x machine. This was in 2005.

    Eventually, I got around to planning the AV software upgrade. Except it wasn't. It was a first-time install, because the majority of their servers had no AV. The amount of work required to verify compatibility for the rollout was deemed too expensive, and I never did get to install the AV software. They did buy the licenses though, so it's entirely possible they installed it themselves. It's possible, but I wouldn't bet on it.

  • by lysergic.acid ( 845423 ) on Friday October 10, 2008 @08:18PM (#25334623) Homepage

    it's interesting that this is called the "World Bank" as if it's some kind of intergovernmental financial organization and has been given the power to dictate the domestic policies of entire nations. however, the World Bank operates without transparency, is not subject to public oversight, and its executive directors are not elected nor government appointed. it's technically a "non-profit" organization, but the reins of power are held by industry heads who use it to advance their own financial interests, often at the cost of developing nations who have pretty much no say in the World Bank's decisions.

    it's scary how much power and influence the neo-cons have been able to acquire while completely bypassing the democratic process. it's no wonder more and more people are questioning the legitimacy of the World Bank as well as the IMF.
