
Bangladesh Bank exposed to hackers by cheap switches, no firewall - r0h1n
http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO
======
dboreham
This article states that the systems related to SWIFT transfers were supposed
to be on an isolated network, but were not. Specifically, that cheap unmanaged
switches were used rather than expensive managed switches that would have
allowed network isolation. Of course anyone who understands network security
would point out that to rely on switch-based isolation alone is too risky.
Switches can be compromised and misconfigured and sometimes don't provide the
expected level of isolation even when correctly configured.

~~~
antsar
Not to mention that L2 networking alone should not make or break security.
What about host-based restrictions? What about authentication, authorization?

Security comes in layers, and L2 networking is one of those layers. But
blaming this on switches is like blaming a home invasion on your fence because
someone jumped over it and walked into your open door.

~~~
tremon
Of course, professionals know better than to blame the equipment. But the
presence of unmanaged switches in a network for high-volume transactions
between banks is a red flag the size of China. I don't think "blame it all on
the switches" is the point the article is trying to make. The switches are
mentioned to signal the complete lack of network security at the bank.

We use this kind of signaling a lot: I work in IT, and we regularly perform
entry-audits for new SMB customers. We use phrases like in the article to
illustrate the competence level of the client: "the desktops are still on XP",
"their network is a single /16", "they have Sweex switches", "the main
equipment room is shared with the janitor". That doesn't necessarily mean that
there's nothing else wrong at the client, and there may even be a good reason
for that particular situation -- but between engineers, it still provides a
good indication of what the client environment is like.

More on topic, I have to ask: doesn't SWIFT (which is a global organization
specifically for interbank communication) have security baselines for
connected banks to meet? Don't they perform physical audits before connecting
a new bank to their network, and recurring audits thereafter? How on earth can
there be "a handful of central banks in developing countries that [are]
equally insecure", yet still connected to SWIFT?

They're banks FCOL, operational security should be their core business. It's
not like they can't afford it, just one less Bentley for the CEO.

~~~
godzillabrennus
I worked in infrastructure consulting for a few years and share your point of
view. Oftentimes managers and directors of IT are appointed into a position
because of who they know, not what they know.

I witnessed the meltdown of a privately held global business that had us
redesign and rebuild their corporate network during an expansion.

The week I was on site at their HQ they hired 400 new people, so it's safe to
say they were expanding quickly. At the time they had a global network of
satellite connections that routed back to corporate for Internet access.
Before we arrived, each location had access to one another, to every device at
corporate, and to their other U.S.-based sites that connected via MPLS. The
network had a bunch of residential-grade Linksys routers hooked up as switches
and APs throughout their building, and oh so much bad wiring that we were
pulling hundreds of pounds out a day... We spent over 100 hours just plugging
everything in and removing the residential equipment. We put in VLANs
isolated by a firewall and ACLs for important devices, enabled a proxy for
some of their global Internet access, and a bunch of other things to increase
redundancy.

We followed up a few times and aided them in configurations, assuming things
were going well. A year after our last chat they called us up in a panic! They
had a CryptoLocker variant crawling along their global network locking up all
their data. ALL OF THEIR DATA!

Basically, they told us they couldn't figure out how to manage the network we
built and the owners didn't want to pay us to do it. They decided they would
rip out all the equipment they had bought and paid for (plus paid us to
configure), and they put everything back on one network with residential gear.

They then decided they would share the important files off each hard drive
across the network with everyone because it took too much time to configure
security and they thought that since they had McAfee they were safe.

No backups. No disaster recovery.

They fired the poor IT director that day. They filed for bankruptcy
protection that month. Last I checked the owners formed a new entity and
somehow retained one of the products they sold out of the preceding company.
They are a much smaller company now.

Anyway. If you see any Linksys routers in production within a business you
know what's up. You should expect this.

------
walrus01
This is totally unsurprising to anyone that has seen in person the state of
"enterprise" IT at a large organization in India, Pakistan or Bangladesh.

~~~
cabbeer
Can you expand?

~~~
walrus01
Without going into detail that violates an NDA or reveals who I am, I've seen
the back-end database/billing/network monitoring infrastructure for the three
largest mobile network operators in Pakistan. It's scary. The banks in PK are
worse. The lack of giving a fuck (or clue) is endemic to the region. People in
South Asia build their networks the same way they build their municipal
electrical grids, in-premises 230VAC electricity, and municipal gas pipeline
networks (in a very scary slapped-together way).

This may be partially explained by a brain drain effect where everyone who
really knows what they're doing on a *nix platform leaves the country to work
for $70,000+ USD/year somewhere outside of PK/IN/BD. Those who are left are
very far from the best network security, network engineering or sysadmin
talents.

~~~
seesomesense
"This may be partially explained by a brain drain effect ..."

Arguably, nobody with a brain would still be living in a failed state that is
a sponsor of global terror.

~~~
walrus01
Now that's just xenophobic and ignorant, you expect all 175 million people to
go where? It's like blaming every single person in Maricopa County, AZ for the
actions of Joe Arpaio.

[https://en.wikipedia.org/wiki/Joe_Arpaio](https://en.wikipedia.org/wiki/Joe_Arpaio)

------
nickpsecurity
I have a feeling, but not evidence, that this bank's security was this bad on
purpose to aid the thieves. Someone in the middle or on top might be getting a
cut. Has anyone looked into that angle?

And does anyone have an IP address to another Bangladesh bank with $10
routers and stuff on the SWIFT network? Just so I can try to SMTP a warning to
that address to help them avoid being hit, too.

------
koolba
Short of building/installing your own router how can a highly sensitive
business protect themselves from things like this? Obviously you don't want to
be running random vulnerable hardware that is never updated. But what else?

I was thinking about having multiple layers ( _security loves onions!_ ) with
interchangeable components that you roll over at random. That way any given
attack vector at one point might be mitigated by a different interface below
it. Literally unplugging and plugging things in to shake things up.

~~~
minaguib
At least from the networking perspective, it's a solved problem. You assume
the network is insecure, and encrypt the traffic.

This can be done on the protocol level, or wrapping the protocol with a secure
shell like SSL/TLS, or wrapping everything with an encrypted VPN tunnel like
IPSec.
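
A concrete illustration of the "assume the network is insecure" stance in the comment above, added here as an example and not code from the original thread: a hardened TLS client context beside the commonly weakened one, with a small audit function that reports which protections are missing. Everything is Python standard library; the baseline it checks (certificate verification, hostname check, minimum TLS 1.2) is my assumed baseline, not anything the thread or SWIFT specifies.

```python
import ssl

# Baseline assumed for this example: verify the server certificate, check the
# hostname against it, and refuse protocol versions below TLS 1.2.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context(cafile=None):
    """Client context that verifies the peer. cafile=None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = MIN_TLS          # no TLS 1.0/1.1 fallback
    ctx.check_hostname = True              # bind the certificate to the expected name
    ctx.verify_mode = ssl.CERT_REQUIRED    # an unverifiable peer aborts the handshake
    return ctx


def weakened_client_context():
    """The 'make the certificate error go away' pattern: encrypted, but to anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE        # any certificate, including a forged one, is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library still speaks
    return ctx


def audit_context(ctx):
    """Return a list of findings describing which protections the context lacks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < MIN_TLS:
        findings.append("legacy TLS versions are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weakened", weakened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The weakened context still encrypts, which is why it passes casual inspection; without peer verification the encryption is to whoever answers, so an intermediary on an untrusted segment can terminate the session and relay it. In practice the hardened context is applied with `ctx.wrap_socket(sock, server_hostname=...)`, and the same three checks are what an IPsec or VPN tunnel has to provide at its own layer (authenticated peers, no legacy suites) before it can stand in for application-level TLS.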

------
cdevs
Managed switch or Linksys router, how the hell is it so easy to push that much
money around? Even if I work in that "room" and give you access to my computer
for an hour, there should have been some software to notice something's going
on. The switch could have been a $10,000 switch and it still sounds too easy.
I'd say inside job, unless scanning the IP range screamed out the company name
and some easy vulnerabilities/old software versions, which could have also been
the case.

------
ajonit
"Most of the payments were blocked but $81 million was routed to accounts in
the Philippines." Given that in most of the countries "Know Your Customer" (or
its variations) is strictly followed, I wonder what makes it so difficult for
multinational police (involving Interpol) to reverse-track the hacker: from
money-receiving accounts -> account holders -> beating the s__t out of them
to reveal the sender's name.

~~~
nols
KYC laws are not strictly followed in the Philippines, in fact people accused
of laundering the money in the Philippines have routinely cited bank secrecy
laws when questioned.

~~~
pakled_engineer
Even if they are followed these are likely organized international criminals
and KYC is just a speed bump for them to cruise over with stolen identities.

------
nraynaud
I don't feel comfortable attacking such a poor country on the price of their
networking gear.

~~~
AdamN
Having lived in Kenya for 2 years, I really don't like these arguments. I'm
sure the bank has many pieces of modern equipment (cars, air conditioners,
etc...). Good IT equipment really isn't that expensive comparatively and we
all need to be on the same page about the value delivered by proper gear.

WHO has a list of essential medicines for all countries. Maybe we should have
a list of essential technologies for all organizations.

[http://www.who.int/medicines/publications/essentialmedicines...](http://www.who.int/medicines/publications/essentialmedicines/en/)

~~~
fapjacks
Yes, agreed completely. Most people have this mental image of the second/third
world (or occupied nations) that doesn't match reality. For example, when we
bombed the shit out of Iraq and destroyed most of their infrastructure and
then occupied the country, there were still flights going in and out of the
airport from Lebanon, the banks were still operating normal banking hours, the
power was still on (for a few hours a day), people still went to the market,
and poor farmers could still get gasoline to drive their crops to those
markets. The university in Baghdad still conducted research and most of the
country still had internet and cellphone access. I think popular culture has
presented this picture of "not first world" places as basically one giant
explosion, and that image is what most people see.

