
World Bank Under Cybersiege In "Unprecedented Crisis"

Posted by kdawson
from the wolf-really dept.
JagsLive sends in a Fox News report on large-scale and possibly ongoing security breaches at the World Bank. "The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned. It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an 'unprecedented crisis.' In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public." Update: 10/11 01:15 GMT by T : Massive spyware infestations might be good cause to reevaluate the TCO of non-Windows systems on the desktop.
  • by Anonymous Coward on Friday October 10, 2008 @12:35PM (#25329025)

    These days financial institutions consider IT (and other) security as something that costs them money, without giving them any benefit.

    Will this wake them up?

    I hear the question "Can we afford"? when talking about security in IT shops. The question that I am coming back with is "Can we afford not to"?

    Just how many more banks machines are compromised? How about Federal and Local Government's machines and networks.

    If you had enough financial data somebody could cause an economic collapse - I wonder what it would look like.

    • by g0es (614709) on Friday October 10, 2008 @12:52PM (#25329291)

      These days financial institutions consider IT (and other) security as something that costs them money, without giving them any benefit.

      Will this wake them up?

      I hear the question "Can we afford"? when talking about security in IT shops. The question that I am coming back with is "Can we afford not to"?

      Just how many more banks machines are compromised? How about Federal and Local Government's machines and networks.

      If you had enough financial data somebody could cause an economic collapse - I wonder what it would look like.

      For most financial institutions their primary goal when it comes to information assurance is to pass audits. As you stated security is usually a cost center and they do whatever they can to keep that cost down. This generally means doing just enough work to make them compliant and as we all know, compliant != secure. I do not believe these incidents will change anything unless the financial institutions are forced to a higher standard. I will continue to hope that they will see the light.

      • by wkk2 (808881) on Friday October 10, 2008 @01:08PM (#25329499)
        Why wasn't all traffic limited to white listed addresses and that traffic limited to VPN connections using tamper resistant encryption hardware?
        • by ScrewMaster (602015) * on Friday October 10, 2008 @01:31PM (#25329809)
          Because bankers are traditionally among the cheapest bastards on the planet. Rich people frequently are ... it's part of why they got to be rich in the first place. Furthermore, in the modern world the contents of a bank's hard drives are much more valuable than what's in their steel-lined vaults. I don't think they've fully come to grips with that, or they'd have spent more money on information security.
          • by upside (574799)

            I'm sure you're right. The World Bank, however, is not a bank per se, more a non-profit organisation. Not saying they'd be any better in terms of investing in IT security.

          • by TubeSteak (669689) on Friday October 10, 2008 @02:13PM (#25330387) Journal

            Furthermore, in the modern world the contents of a bank's hard drives are much more valuable than what's in their steel-lined vaults. I don't think they've fully come to grips with that, or they'd have spent more money on information security.

            Insurance companies act as private regulators in a 'free' market.

            Banks buy insurance for the contents of their vault, meaning their insurance company effectively dictates the minimum requirements for the bank's physical security. Higher cost security is balanced against lower insurance rates.

            Physical security is a mature field.
            Internet security is not and probably will not be for some time.

            • Re: (Score:3, Insightful)

              by blair1q (305137)

              Physical security is a mature field.
              Internet security is not and probably will not be for some time.

              Sure it is. I've had this printed out and posted on the bulletin board behind my head for about 24 years now:

              THE INTERNET IS NOT SECURE

              That's all the maturity any Internet Security personnel need.

          • by jvkjvk (102057) on Friday October 10, 2008 @02:50PM (#25330883)

            Furthermore, in the modern world the contents of a bank's hard drives are much more valuable than what's in their steel-lined vaults.

            Yes, but valuable to who? Do the banks lose any money if the info is hacked? If there is no financial cost to these break ins at the institutions where they happen why in the world would such a profit oriented institution spend any money beyond the bare minimum to ensure they aren't jailed for malfeasance (although I would argue that doing so in itself is malfeasance)?

            I don't think they've fully come to grips with that, or they'd have spent more money on information security.

            They will only spend more money on information security when it becomes DIRECTLY more costly or DIRECTLY more risky (e.g. probability of COST) to hold off. This news does nothing to counter my viewpoint - no actual loss occurred (no fines, no assets moved, no nothing) to the Bank itself. All actual loss occurred to the groups that had their data stolen. As long as institutions can say "Whoops!" and everything goes along its merry way nothing will change.

            • by TubeSteak (669689) on Friday October 10, 2008 @04:22PM (#25332013) Journal

              This news does nothing to counter my viewpoint - no actual loss occurred (no fines, no assets moved, no nothing) to the Bank itself. All actual loss occurred to the groups that had their data stolen. As long as institutions can say "Whoops!" and everything goes along its merry way nothing will change.

              Reputation is an asset, especially in banking.
              Banks and Corporations spend millions on advertising to build up their brand.

              The World Bank has been having some rough times recently, Wolfowitz last year and now this.
              When they get publicly embarrassed/humiliated/[adjective] it damages their reputation.
              Though their reputation is intangible, the cost to repair the damage is not.

        • by Skal Tura (595728) on Friday October 10, 2008 @01:56PM (#25330109) Homepage

          Doesn't help if a whitelisted host is infected as well. No single technique, or category of security is enough, it needs multi-tiered, multi-level security in cases such as this. All task specific.

          Furthermore, there shouldn't be a single "full access" account, except for "root", and anyone working on root access would need to be required to work as a team of 2 or 3 persons, all coming from separate divisions/offices/departments, no prior contact, randomly chosen. Why?

          Humans are always the weakest link in security, and if someone is being watched when working on a server maintenance, the second fellow could report such an incident. Offer a prize for bringing up if there's a suspicion, immediately bringing that server down, and even if it was a failed suspicion, there should be some kind of reward for just being suspicious.

          This data is too critical to let any single person have access in privacy. Every action taken on the server should be logged, and automatic heuristic analysis done on it. As well, for all data in and out, network or removable media. It is all doable, given the right persons to do it; it's even cost-effective.

          Automation is the key to cut costs.

          There's plenty of methods to do something with high security, given creative, sane, suspicious people planning for all of it.

          My 2 cents.

        • by bertok (226922) on Friday October 10, 2008 @07:08PM (#25333767)

          When I was studying computer science at university, I had read about all these fancy cryptographic techniques, and I imagined that banks were these encrypted, firewalled fortresses of IT security, monitored by the most competent, most vigilant administrators.

          I was very wrong.

          Let me tell you about my experience of IT security in banks.

          A couple of years ago, I was sent to one of Australia's largest banks. I was there for a 1 week engagement to install the latest virus scanner software on some servers. It sounded like a great opportunity to have a look at some high-end systems and see how they were managed. So I turn up in the morning, and start unpacking my laptop, when the project manager warns me:

          "Don't plug your laptop into the network. We have to make sure you have the latest patches and AV first."

          I fully understood his position, of course, they couldn't just let some random guy plug a laptop into the network. It was a bank after all, security matters. I was wrong. He corrected me:

          "Oh no.. that's for your own protection! There's hundreds of viruses on this network, if you plug an unpatched machine into it, it'll be infected in seconds."

          I was stunned. He wasn't even joking. I did plug my laptop in (which was well patched), and ran Ethereal for a few minutes, during which time I saw several viruses attempting to hack my machine. It was incredible. I've never seen that kind of attack rate anywhere, and I've been to large, unfirewalled university networks and school networks.

          In fact, I didn't even really need to plug myself in. There was a WiFi connection available, with an easily recognisable SSID (the name of the bank). Of course, it was unencrypted, unsecured, and plugged directly into the desktop LAN.

          Next, I got a tour of the data center, which was an eye-popping experience in itself. The bank had recently invested in fancy new retina-scanning door locks. It looked like it was straight out of a James Bond movie. However, it was taking too long to program in every person who needed access into the system, so they had simply propped the door open with a bucket. The inside of the room was just as scary. I walked past DOS machines, Windows 95 "servers", and I saw at least one NT 3.x machine. This was in 2005.

          Eventually, I got around to planning the AV software upgrade. Except it wasn't. It was first-time-install, because the majority of their servers had no AV. The amount of work required to verify compatibility for the rollout was deemed too expensive, and I never did get to install the AV software. They did buy the licenses though, so it's entirely possible they installed it themselves. It's possible, but I wouldn't bet on it.

      • Re: (Score:3, Insightful)

        by ScrewMaster (602015) *

        These days financial institutions consider IT (and other) security as something that costs them money, without giving them any benefit.

        Will this wake them up?

        I hear the question "Can we afford"? when talking about security in IT shops. The question that I am coming back with is "Can we afford not to"?

        Just how many more banks machines are compromised? How about Federal and Local Government's machines and networks.

        If you had enough financial data somebody could cause an economic collapse - I wonder what it would look like.

        For most financial institutions their primary goal when it comes to information assurance is to pass audits. As you stated security is usually a cost center and they do whatever they can to keep that cost down. This generally means doing just enough work to make them compliant and as we all know, compliant != secure. I do not believe these incidents will change anything unless the financial institutions are forced to a higher standard. I will continue to hope that they will see the light.

        Under ordinary economic circumstances you would be absolutely correct, i.e., why should they care about security, leaks don't cost them anything. Right now, though, they're being hit in the parts of their anatomy they love best ... their wallets. Furthermore, as many people have pointed out the survival of banking institutions is as much a matter of perception as it is liquidity, and I know how I perceive the World Bank Group right about now. It doesn't take much for already-skittish investors and bank cust

    • by ScrewMaster (602015) * on Friday October 10, 2008 @01:14PM (#25329571)

      If you had enough financial data somebody could cause an economic collapse - I wonder what it would look like.

      Probably something like this [msn.com].

    • Re: (Score:3, Insightful)

      by dcollins (135727)

      "Will this wake them up?"

      Highly doubt it. The problem with IT security breaches is that they're like earthquakes, flooding, or stock market crashes. They're too rare, too big, and too uniformly disastrous -- there generally won't be enough people left who remember it next time to do anything about it.

    • by conlaw (983784)
      It's not just financial institutions; every company I or a friend has worked for, has considered legal, accounting and IT "as something that costs them money, without giving them any benefit."

      Obviously, we workers in those areas aren't making money for the company and it's virtually impossible to get them to understand how much money we have saved them by refusing to assent to a bad contract or by preventing the spread of malware by requiring strict adherence to the rules about what programs may be used o

    • by Venik (915777)
      Banks and insurance industry treat IT as overhead and so they get what they pay for. Not to mention that most of these companies outsource IT support to the lowest bidder, which, in turn is either based in India, China, etc. or has subcontractors in these countries. The impact on security is not unexpected. I work with some of these guys on a regular basis and I am not particularly impressed with their technical skills or their adherence to security procedures. Not to say they don't have competent people, i
  • Sounds good. Hope it ends up on Wikileaks. I predict there will be some highly deserving people burnt at the stake if that information gets out to the public.

    • Re: (Score:3, Funny)

      by iplayfast (166447)

      I expect the slashdotting will have an effect :)

  • Well . . . (Score:5, Funny)

    by arizwebfoot (1228544) * on Friday October 10, 2008 @12:38PM (#25329069)

    while also trying to keep the news from leaking to the public

    Oops

    --
    Oh Well, Bad Karma and all . . .

  • previously, i thought the markets were melting down due to gay marriage

    perhaps this is the obvious run up to 2012 and the end of the mayan calendar

    paranoid schizophrenics, want to help me out here?

    • Re: (Score:3, Informative)

      Psychologically, you don't need schizophrenics, and their paranoid delusions are probably too far out there to be what you're looking for. Just stop with someone with delusional disorder.

      • Re: (Score:2, Flamebait)

        by megamerican (1073936)

        The people who are delusional are the ones who think you can fix the problem of inflation with more inflation.

        There has been talk about closing down the international markets and starting a new Bretton Woods [bloomberg.com] type agreement. Of course this new agreement has probably been written and just waiting for this crisis, just like the PATRIOT ACT was written before 9/11 and the current bailout bill was written back in March.

        It is great to know that the institutions that helped create this mess are now the ones who wi

  • by phantomcircuit (938963) on Friday October 10, 2008 @12:41PM (#25329091) Homepage

    Well of course I can't be certain but this appears to be nothing more than a breach of their email system (encrypt your damn email people).

    From the leaked memo "MD and CIO has directed that all external Webmail accounts be disabled immediately for all staff who have not changed their passwords yet"

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Uhh you fail at reading, from TFA:
      "In plainspeak: "They had access to everything," says the source. "They had the keys to every room at the bank. And we can't say whether they still do or don't until we fully and openly address what's happening here."

    • Possibly. (Score:4, Insightful)

      by jd (1658) <imipak@yaCOLAhoo.com minus caffeine> on Friday October 10, 2008 @01:58PM (#25330141) Homepage Journal

      It is interesting, though, that it has been about a year since the current run on the stock markets and world finances began. (The current credit crunch, if you look at the graphs, is simply a continuation of a trend that began probably about April last year.)

      Now, to use the oft-quoted "correlation does not prove causation", it would be totally absurd to say that the coincidence of dates proves the current problem is related to the cyber-attacks. Lots of things probably happened in April of last year. To pick one out, just for the sake of picking something, would be stupid. However, if I were in charge of IT security at the World Bank, I would be wanting to know if sensitive or classified information was continually exposed over that period that would permit someone to destabilize things.

      It's almost certain that unencrypted sensitive information would be present on e-mail servers, which is stupid and naive, and members of the World Bank who don't make use of secure methods of communication for sensitive material should be made to walk the plank regardless of whether any harm was done. The IT managers who allowed unencrypted data to be present and who did not properly install suitable intrusion countermeasures should follow shortly thereafter. In the (extremely dubious and unlikely, but arguably possible) circumstance that the crisis is related to the infiltration, then the game changes from a mere fix-things-up and discipline-the-bastards scenario to a more severe lockdown-the-damn-network-now-defcon-1 type of situation.

      The former simply means you need to apply suitable patches and/or servers, and maybe hire a pirate ship to escort the former employees to shark-infested waters. Since this is the most likely situation by far, that's all they need to do. But concealing it hasn't helped them apply the measures they needed, or the attacks could not have continued the moment it tripped the first intrusion detector. In this case, the secrecy has caused severe harm to the World Bank, but probably nobody else. Like I said, this is the most likely.

      The worst-case is that we're seeing a positive feedback loop. Sensitive/classified information on volatile situations that could cause those situations to get considerably worse being posted, then lifted and used to do exactly that, causing people to post even more such information, and so on. Positive feedback loops are not simply a technological problem but an entire attitude problem and social engineering problem. That requires more than IT security, because IT security can't debug or firewall the brain. Yet. Such a loop might easily require a complete organizational shutdown, because no amount of patching will help. It needs a major attitude shift - not just on the part of internal employees but also on the part of all countries involved - and that takes time. If it's the mind that's the vulnerability -AND- it is causing massive devastation, the World Bank would have to shut down all operations completely. Otherwise, you can't guarantee killing the loop. The chances this would need to happen are extremely slim, but as I said, it is technically possible, and you can't afford to be piecemeal when it comes to such scenarios.

      If it's so unlikely, why mention it at all? Because the timing -is- interesting (a crisis is uncommon, so two parallel financial crises should raise eyebrows), along with the fact they even see it is as a crisis is exceptionally interesting, the fact that their response has been one of paralysis (suggesting a non-trivial people problem, rather than an idiotic individual or an unpatched machine), and the fact that everyone else's management of their perceived problem isn't managing it in the least, is suggestive that (a) the wrong problems are being fixed, and (b) that there is a lot of pressure to avoid fixing - or even seeing - the right problems. Suggestive isn't proof, of course, which is why I'm more interested in whether they're even looking to see if this is a possibility.

    • Re: (Score:3, Funny)

      by nmos (25822)

      From the leaked memo "MD and CIO has directed that all external Webmail accounts be disabled immediately for all staff who have not changed their passwords yet"

      Not to worry, I've already emailed them with a handy link to click on to log in and confirm their identities. They'll all be secured shortly.

  • by NobleSavage (582615) on Friday October 10, 2008 @12:42PM (#25329101)
    I'd really like to read about this from a source other than Fox news.
  • by Progman3K (515744) on Friday October 10, 2008 @12:42PM (#25329111)

    First thing I would do is launch my attack from a compromised host in country X while being in country Y

  • reputable source? (Score:4, Insightful)

    by Bearpaw (13080) on Friday October 10, 2008 @12:43PM (#25329115)

    Does anyone have a link to a story on this from a reputable news source?

  • Does the IP address indicate a Chinese intrusion, or is that just a spin?

    • by djupedal (584558)
      > Does the IP address indicate a Chinese intrusion, or is that just a spin?

      Just a spin. Look for WB information to be sold soon on Craigslist Seoul.
  • 0wn3d (Score:5, Informative)

    by modemboy (233342) on Friday October 10, 2008 @12:44PM (#25329137)

    Damn, they got owned completely, 3 different times. Someone in their security department needs to get a clue. Somehow their offsite data store got accessed, then an IT consultant worker key logged them, and finally they got in again through a third party and escalated to admin rights.

    3 different attack vectors, all completely successful. That is just kinda pathetic...

    • Re:0wn3d (Score:4, Insightful)

      by necro2607 (771790) on Friday October 10, 2008 @12:57PM (#25329355)

      Frankly, it doesn't surprise me. As far as I've ever determined, if someone with extremely sophisticated knowledge of computer networks and OSes wants to get into a system, they will find a way. Especially a country with the population of China - can you imagine the size of computer-based espionage departments they could have going no problem? I used to know guys who were insanely skilled with finding exploits by just browsing through source code. I thought it was insane - I'd never know how to figure that out, but they would always find some minor flaw that was exploitable. Imagine a freaking team dedicated to doing that. Or even a team that takes network hardware components that are known to be used by this bank (that information can be easily gained via social engineering, no question). Reverse engineer the network hardware's firmwares etc., or even better, social-engineer the manufacturer to get in-detail system specs. I mean.. seriously, I'm not surprised at all, because someone (or some group of people) who's determined, organized and skilled enough could break into any damn system they wanted. That said, it's still fucking horrible and frustrating that such ultra-sensitive data is basically a "free-for-all" for someone for the past year or however long.

      • Or even a team that takes network hardware components that are known to be used by this bank (that information can be easily gained via social engineering, no question). Reverse engineer the network hardware's firmwares etc., or even better, social-engineer the manufacturer to get in-detail system specs.

        They don't need to reverse engineer OR social engineer, They just need to make an outright demand.

        http://www.yomiuri.co.jp/dy/business/20080919TDY01306.htm [yomiuri.co.jp]

        Of course this hasn't happened quite yet?

      • can you imagine the size of computer-based espionage departments they could have going no problem?

        Yes well, maybe it turns out that this newfangled Internet-thingy wasn't such a good idea after all. History will be the judge.
      • Re:0wn3d (Score:4, Insightful)

        by IchNiSan (526249) on Friday October 10, 2008 @01:45PM (#25329989)
        OR, maybe the world bank just bought some "cisco" security devices. You know, the ones made in china?
  • Do they realize yet why painting a giant target on the ground is a bad idea?
  • by Anonymous Coward on Friday October 10, 2008 @12:49PM (#25329205)

    I hear you have an opening for a security expert...

  • So this story coming out at the same time as a world-wide financial crisis.

    Has hollywood finally become reality? Is there some scarred super-villain out there somewhere petting a hairless cat laughing like a maniac as the world falls into economic ruin?
    • Re: (Score:2, Interesting)

      Is there some scarred super-villain out there somewhere petting a hairless cat laughing like a maniac as the world falls into economic ruin?

      No, he is a good-looking WASP, attended St. Paul's School and Yale (or maybe Lawrenceville and Princeton), and he made a shit-load of money while his bank was going to Hell in a hand-basket.

      And he is petting a pure bred golden retriever.

      He is not laughing, but chuckling, because you get to pay the tab.

  • First post??? (Score:2, Interesting)

    by hesaigo999ca (786966)

    As the possible first post, I want to make sure no one thinks this is in any way related to the markets crashing, as it stands if China did originate the attack, they are losing as much as the USA right now, and are still losing dealing with their own problems (with the food illnesses).
    I was one to believe that Chinese were doing a lot of hacking on purpose to advance in cyber tactics, however this move, if it were caused by them, ended up costing them more than it returned.

    It may more have been a Russian hacker rer

  • Security? (Score:5, Insightful)

    by cdrguru (88047) on Friday October 10, 2008 @12:54PM (#25329321) Homepage

    Face it, no matter how secure a system is, if it is usable by humans it can be breached. Easily.

    There is anywhere from a 100 to 1000 hackers/crackers/slimeballs out there that are ready and willing to take on each and every system. Ones that claim to be "secure" are just a bigger target. There is no such thing as a completely "secure" system that is usable and accessible by ordinary humans. True security would require controlled physical access, multiple authenticating factors, and so on. None of this is going to happen for an accessible system usable by "ordinary humans".

    About all that is realistic is to minimize the damages. Face the fact that if you are a target you are going to lose. Try not to lose too much.

    Prosecution of the break-in? Forget it. It's the Internet. It is International. If it looks like it is coming from China, it could be real or it could be a proxy. There are no effective International laws that will assist in any sort of prosecution. There is no supra-national police force that will break down the door of the cracker and haul them away. Nothing is going to happen. Unless the guy is a complete idiot that brags about it.

  • Sensitive data? (Score:4, Insightful)

    by Bromskloss (750445) <auxiliary.addres ... NosPAm.gmail.com> on Friday October 10, 2008 @01:06PM (#25329473)

    sensitive data about the economies of every nation

    What's so sensitive about the economy of a nation that it must be kept secret, thereby not even allowing the nation itself (the people) to know about it?

    • by toby (759) *

      Secrecy is the hallmark of your government. There are good reasons for this. Bush-Cheney would be dangling by piano wire at this moment if the American public could freely see into what they've done and how they did it. (Actually there's more than enough of what we know they've done.)

      It's one reason why a Democrat isn't permitted to be elected; Obama-Biden have threatened to prosecute criminal acts under Bush-Cheney. You can bet that puts the fear of god into them. Too many powerful people have too much t

  • bank officials [...] trying to keep the news from leaking to the public.

    They should be slammed for that! Trying to cover up their mistakes. Shameful.

  • I'm really not surprised to hear this. According to Verizon Business' 2008 Data Breach Report, 46% of reported attacks, while somewhat opportunistic, are directed towards a specific victim with knowledge of how to exploit a specific weakness. While only 15% of the reported attacks were fully targeted, I strongly believe that this number will rise. With usage of social networking sites on the rise (think Linkedin.com), it really isn't difficult to identify well-placed targets within an organization. Find en
  • Does anyone intelligent actually believe anything on FOX News anyway? There's an elect-the-Republican angle in here somewhere.

    Hmm... Fear? Check. Blame China? Check. I'm sure they'll work Terrorists and Mexicans and the French into this somehow. Blah.

  • I've always thought the next world war would be fought with I.T. tools, acquiring data, corrupting data, putting economies into turmoil. Is this what is happening? China and others(recall cybertraffic around the olympics when Georgia-Russia got into it), are they secretly waging war or deceptively setting up the next war? And what, if any response is the U.S. countering with? Is this something hidden from citizens or is it just not happening?
    • Re: (Score:3, Funny)

      >>I've always thought the next world war would be fought with I.T. tools, acquiring data, corrupting data, putting economies into turmoil.

      I hope you're right. I'd rather have my flights redirected and my credit cards canceled than be gut-shot by a 17-year-old conscript.

      After all, I'm a 2 hour drive from Canada as it is... I can just see the Tim Horton's signs going up as they politely herd us into 're-education' camps to watch hour after hour of the Red Green show.

      Yes, I've thought about this a lot.

      -b
