Tuesday, March 8, 2016

$10 switches and No Firewalls

Bangladesh Bank exposed to hackers by cheap switches, no firewall.
Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists revealed.

The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials.

The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based.

Experts in bank security described the findings as disturbing. "You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions," said Jeff Wichman, a consultant with cyber firm Optiv. Most of the banks in developing countries fail to adequately protect their networks because they focus security budgets on physically defending their facilities.

Cyber criminals broke into Bangladesh Bank's system and in early February tried to make fraudulent transfers totaling $951 million from its account at the Federal Reserve Bank of New York. Most of the payments were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing. Forensic experts investigating the issue from SWIFT advised the bank to upgrade the switches only when they visited after the heist. There was a deficiency in the IT system, said the spokesman, Subhankar Saha, confirming that the switch was old and needed to be upgraded. The heist's masterminds have yet to be identified.

Bangladesh Bank has about 5,000 computers used by officials in different departments. The bank facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, "managed" switches, which allow engineers to create separate networks and install firewalls at different levels to protect the network from attackers. Moreover, considering the importance of the network services, the bank should have deployed staff to monitor activity round the clock, including weekends and holidays.

Many public sector organizations hosting critical national data suffer from similar issues: poorly designed infrastructure and a lack of investment in upgrading IT security make them extremely vulnerable to similar attacks on an even larger scale.