Bangladesh Bank exposed to hackers by cheap switches, no firewall

78 points by r0h1n 9 years ago | 26 comments
  • dboreham 9 years ago
    This article states that the systems related to SWIFT transfers were supposed to be on an isolated network, but were not. Specifically that cheap unmanaged switches were used rather than expensive managed switches that would have allowed network isolation. Of course anyone who understands network security would point out that to rely on switch-based isolation alone is too risky. Switches can be compromised and mis-configured and sometimes don't provide the expected level of isolation even when correctly configured.
    • antsar 9 years ago
      Not to mention that L2 networking alone should not make or break security. What about host-based restrictions? What about authentication, authorization?

      Security comes in layers, and L2 networking is one of those layers. But blaming this on switches is like blaming a home invasion on your fence because someone jumped over it and walked into your open door.

      • tremon 9 years ago
        Of course, professionals know better than to blame the equipment. But the presence of unmanaged switches in a network for high-volume transactions between banks is a red flag the size of China. I don't think "blame it all on the switches" is the point the article is trying to make. The switches are mentioned to signal the complete lack of network security at the bank.

        We use this kind of signaling a lot: I work in IT, and we regularly perform entry-audits for new SMB customers. We use phrases like in the article to illustrate the competence level of the client: "the desktops are still on XP", "their network is a single /16", "they have Sweex switches", "the main equipment room is shared with the janitor". That doesn't necessarily mean that there's nothing else wrong at the client, and there may even be a good reason for that particular situation -- but between engineers, it still provides a good indication of what the client environment is like.

        More on topic, I have to ask: doesn't SWIFT (which is a global organization specifically for interbank communication) have security baselines for connected banks to meet? Don't they perform physical audits before connecting a new bank to their network, and recurring audits thereafter? How on earth can there be "a handful of central banks in developing countries that [are] equally insecure", yet still connected to SWIFT?

        They're banks FCOL, operational security should be their core business. It's not like they can't afford it, just one less Bentley for the CEO.

        • godzillabrennus 9 years ago
          I worked in infrastructure consulting for a few years and share your point of view. Oftentimes managers and directors of IT are appointed into a position because of who they know, not what they know.

          I witnessed the meltdown of a privately held global business that had us redesign and rebuild their corporate network during an expansion.

          The week I was on site at their HQ they hired 400 new people, so it's safe to say they were expanding quickly. At the time they had a global network of satellite connections that routed back to corporate for Internet access. Before we arrived, each location had access to one another, to every device at corporate, and to their other U.S.-based sites that connected via MPLS. The network had a bunch of residential-grade Linksys routers hooked up as switches and APs throughout their building, and oh so much bad wiring that we were pulling hundreds of pounds out a day... We spent over 100 hours just plugging everything in and removing the residential equipment. We put in VLANs isolated by a firewall and ACLs for important devices, enabled a proxy for some of their global Internet access, and a bunch of other things to increase redundancy.

          We followed up a few times and aided them in configurations, assuming things were going well. A year after our last chat they called us up in a panic! They had a CryptoLocker variant crawling along their global network, locking up all their data. ALL OF THEIR DATA!

          Basically, they told us they couldn't figure out how to manage the network we built and the owners didn't want to pay us to do it. They decided they would rip out all the equipment they had bought and paid for (plus paid us to configure), and they put everything back on one network with residential gear.

          They then decided they would share the important files off each hard drive across the network with everyone because it took too much time to configure security and they thought that since they had McAfee they were safe.

          No backups. No disaster recovery.

          They fired the poor IT director that day. They filed for bankruptcy protection that month. Last I checked the owners formed a new entity and somehow retained one of the products they sold out of the preceding company. They are a much smaller company now.

          Anyway. If you see any Linksys routers in production within a business you know what's up. You should expect this.

      • jlgaddis 9 years ago
        Well sure. Managed switches aren't a panacea, but the features they offer would have been a tremendous help towards mitigating this. At the least, the SWIFT devices (PCs, whatever) could/should have been on their own isolated subnet and VLAN, with all access to them being forced through a separate firewall.

        Even that wouldn't necessarily prevent a compromise but it would have been a helluva lot harder with little (relative) effort.

      • walrus01 9 years ago
        This is totally unsurprising to anyone that has seen in person the state of "enterprise" IT at a large organization in India, Pakistan or Bangladesh.
        • cabbeer 9 years ago
          Can you expand?
          • walrus01 9 years ago
            Without going into detail that violates an NDA or reveals who I am, I've seen the back-end database/billing/network monitoring infrastructure for the three largest mobile network operators in Pakistan. It's scary. The banks in PK are worse. The lack of giving a fuck (or clue) is endemic to the region. People in South Asia build their networks the same way they build their municipal electrical grids, in-premises 230VAC electricity, and municipal gas pipeline networks (in a very scary slapped-together way).

            This may be partially explained by a brain drain effect where everyone who really knows what they're doing on a *nix platform leaves the country to work for $70,000+ USD/year somewhere outside of PK/IN/BD. Those who are left are very far from the best network security, network engineering or sysadmin talents.

            • seesomesense 9 years ago
              "This may be partially explained by a brain drain effect ..."

              Arguably, nobody with a brain would still be living in a failed state that is a sponsor of global terror.

        • nickpsecurity 9 years ago
          I have a feeling, but not evidence, that this bank's security was this bad on purpose to aid the thieves. Someone in the middle or on top might be getting a cut. Has anyone looked into that angle?

          And does anyone have an IP address to another Bangladesh bank with $10 routers and stuff on the SWIFT network? Just so I can try to SMTP a warning to that address to help them avoid being hit, too.

          • koolba 9 years ago
            Short of building/installing your own router how can a highly sensitive business protect themselves from things like this? Obviously you don't want to be running random vulnerable hardware that is never updated. But what else?

            I was thinking about having multiple layers (security loves onions!) with interchangeable components that you roll over at random. That way any given attack vector at one point might be mitigated by a different interface below it. Literally unplugging and plugging things in to shake things up.

            • minaguib 9 years ago
              At least from the networking perspective, it's a solved problem. You assume the network is insecure, and encrypt the traffic.

              This can be done on the protocol level, or wrapping the protocol with a secure shell like SSL/TLS, or wrapping everything with an encrypted VPN tunnel like IPSec.

              • cdevs 9 years ago
                Managed switch or Linksys router, how the hell is it so easy to push that much money around? Even if I work in that "room" and give you access to my computer for an hour, there should have been some software to notice something's going on. The switch could have been a $10,000 switch and it still sounds too easy. I'd say inside job, unless scanning the IP range screamed out the company name and some easy vulnerabilities/old software versions, which could have also been the case.
                • ajonit 9 years ago
                  "Most of the payments were blocked but $81 million was routed to accounts in the Philippines." Given that in most countries "Know Your Customer" (or its variations) is strictly followed, I wonder what makes it so difficult for multinational police (involving Interpol) to reverse-track the hacker: from money-receiving accounts -> account holders -> beating the st out of them to reveal the sender's name.
                  • nols 9 years ago
                    KYC laws are not strictly followed in the Philippines, in fact people accused of laundering the money in the Philippines have routinely cited bank secrecy laws when questioned.
                    • pakled_engineer 9 years ago
                      Even if they are followed these are likely organized international criminals and KYC is just a speed bump for them to cruise over with stolen identities.
                      • nraynaud 9 years ago
                        I don't feel comfortable attacking such a poor country on the price of their networking gear.
                        • AdamN 9 years ago
                          Having lived in Kenya for 2 years, I really don't like these arguments. I'm sure the bank has many pieces of modern equipment (cars, air conditioners, etc...). Good IT equipment really isn't that expensive comparatively and we all need to be on the same page about the value delivered by proper gear.

                          WHO has a list of essential medicines for all countries. Maybe we should have a list of essential technologies for all organizations.

                          http://www.who.int/medicines/publications/essentialmedicines...

                          • fapjacks 9 years ago
                            Yes, agreed completely. Most people have this mental image of the second/third world (or occupied nations) that doesn't match reality. For example, when we bombed the shit out of Iraq and destroyed most of their infrastructure and then occupied the country, there were still flights going in and out of the airport from Lebanon, the banks were still operating normal banking hours, the power was still on (for a few hours a day), people still went to the market, and poor farmers could still get gasoline to drive their crops to those markets. The university in Baghdad still conducted research and most of the country still had internet and cellphone access. I think popular culture has presented this picture of "not first world" places as basically one giant explosion, and that image is what most people see.
                            • walrus01 9 years ago
                              Particularly when basic networking gear that will do the job is NOT that expensive. There are equipment importers in major South Asian cities who bring in used/refurb PCs, servers and network gear. You can get a Cisco 3550-48 for $40. For an organization of this size there is no excuse to build a network with D-Links.
                            • nickpsecurity 9 years ago
                              They could've put OpenBSD on and properly configured a cheap, second-hand router with better results than they got. They owed it to their clients to do something like that to protect tens of millions in assets. So, feel free to [verbally] attack the hell out of them because they have it coming.
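One concrete shape of the setup jlgaddis and nickpsecurity describe above (SWIFT hosts on their own VLAN, every path to them forced through a separate firewall, OpenBSD as that firewall): an added example, not code from any commenter, in which every interface name, VLAN id, address and port number is a constructed placeholder.

```pf
# Added example (not from the thread): OpenBSD pf.conf for a dedicated firewall
# between the SWIFT segment and the rest of the bank. All names, VLAN ids,
# addresses and ports below are constructed placeholders.
ext_if    = "em0"       # uplink toward the SWIFT service provider
swift_if  = "vlan100"   # isolated SWIFT VLAN (SWIFT PCs and gateway only)
office_if = "vlan200"   # general office LAN
mgmt_if   = "vlan300"   # out-of-band management VLAN

swift_net = "10.100.0.0/24"
jump_host = "10.30.0.5"                                 # the only admin source
table <swift_hosts> { 10.100.0.10, 10.100.0.21, 10.100.0.22 }
table <swift_provider> { 192.0.2.10, 192.0.2.11 }      # provider endpoints (TEST-NET placeholder)

set block-policy drop
set skip on lo0

# Normalise traffic and drop packets with forged source addresses on every VLAN
match in all scrub (no-df random-id)
antispoof log quick for { $swift_if $office_if $mgmt_if }

# Default deny in both directions; every drop is written to pflog0 for the SOC
block log all

# The office LAN can never reach the SWIFT segment (own rule so it stands out in the log)
block log quick on $office_if from any to $swift_net

# SWIFT hosts may talk only to the provider endpoints, only on the provider's port
# (443 is a placeholder; take the real ports from the provider's documentation)
pass in quick on $swift_if proto tcp from <swift_hosts> to <swift_provider> \
    port 443 flags S/SA modulate state

# Administration of SWIFT hosts only from the jump host on the management VLAN
pass in quick on $mgmt_if proto tcp from $jump_host to $swift_net \
    port { 22, 3389 } flags S/SA modulate state

# Anything else originating on the SWIFT VLAN (web browsing, file shares, mail)
# falls through to the default block and shows up in pflog0 as an alertable event
```

Drops can be watched live with `tcpdump -n -e -ttt -i pflog0`, and a sustained stream of office-to-SWIFT drops is itself a detection signal worth alerting on.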
                              • walrus01 9 years ago
                                Most of the talent pool of qualified persons who can successfully install OpenBSD and configure it properly as a firewall have probably obtained foreign work visas and are not working for domestic enterprises in Bangladesh, at local Bangladesh salary rates. They are at minimum working for $2000/mo in the UAE as some company's IT guy.
                                • tremon 9 years ago
                                  Regardless of (lack of) local expertise, this is the SWIFT network. It connects over 200 banks worldwide. There should be ample shared knowledge between them to bootstrap the poorest of nations (skill-wise or money-wise).

                                  Then again, I guess I shouldn't be surprised at the lack of shared responsibility. This is banking, after all.

                                  • nickpsecurity 9 years ago
                                    How many people left can read, purchase Absolute OpenBSD, and use Google? I bet more than you're suggesting. If not OpenBSD, they might type in "secure Linux distro" with better results.