
Bank Hackers Steal Millions via Malware

212 points | youlweb | 11 years ago | nytimes.com

76 comments

[+] topkai22|11 years ago|reply
While this is an astonishingly large criminal heist, we should look at this from a business perspective. The largest take from a single bank sounds to be around $10M. The first Russian bank I could find in Wikipedia, Alfa-Bank, had a net income in 2010 of $550M, meaning that if they were the ones hacked they would have lost about 2% of their annual PROFIT. What would the capital, operational, and efficiency cost of a major security overhaul be? Probably more than $10M. Moving to a new system like Qubes or even a more standard desktop Linux variant could very well terrorize me more than the losses from hacking.

Lots of industries just live with a certain degree of loss: retail in particular sees about 1.8% of inventory lost due to "shrinkage", the polite term for shoplifting and employee theft. While stores will take steps to reduce their loss, they can't be extravagant or they will lose customers (I stopped shopping at a drug store that put deodorant behind plexiglass) or cost more than the problem (RFID trackers on every candy bar).

Given that perspective I think we as technical professionals need to be a little more restrained in our recommendations. Enterprise decision makers are very receptive right now to projects involving security due to hacks like this and Sony, but we as technical professionals still have to speak to the whole of their concerns.

[+] tracker1|11 years ago|reply
Doing nothing is always a valid business option... not usually a wise one, but always a valid one.
[+] chubot|11 years ago|reply
So what defenses should an organization employ to prevent these types of attacks?

From this non-technical article, it looks like they penetrated employees' computers and used their credentials, which makes sense because it's probably the weakest link.

It reminds me of the philosophy/motivation behind Qubes OS [1]: there is no server security without client security.

What are banks running on employee computers these days? I'm guessing Windows. Do they have anything beyond what typical corporate IT does to Windows machines (install virus checkers, auto updates, most users don't have root)?

Clearly that's not sufficient. It sounds like you want some kind of strict compartmentalization like Qubes. There's probably no reason that an e-mail client like Outlook needs to share any state with whatever app they used to manage accounts. Besides perhaps sharing a clipboard for cutting and pasting a tiny amount of info.

The machines probably need secure boot and attestation of the root file system state too. It's pretty bad that in this attack and I think in the Anthem case that attackers were inside their network for such a long period without detection.

I also remember a DEFCON talk where a penetration tester said the hardest site he ever worked on was where they had a strict "star" network topology. None of the computers in the enterprise could talk to each other or even see each other. All communication had to be proxied through a central hub, which would audit all the connections.

Do any banks do that now? Is there any reason they couldn't in practice? I imagine that there isn't really a need for two tellers in the same office to be sharing files directly with each other. Let alone tellers in different offices. I've never worked at a bank so I have no idea what their networks are like. Possibly there would be some uptime concerns with a centralized system like that.

I'm just brainstorming and wondering if anyone has direct work-related experience.

[1] https://qubes-os.org/

[+] aidos|11 years ago|reply
It's just staggering.

I know it's silly to think that banks would be better than anyone else, but good lord, malware running on machines capable of transferring millions of dollars that's able to send out video feeds from the network without anyone noticing?! Your various IT/Security teams should be absolutely ashamed. And then the banks don't even have to stand up and admit their incompetence publicly; that's a total disgrace.

That's the state of corporate security I guess. I've dealt with corporate IT departments over the years where they put these "processes" in place to mitigate these security issues but it's all a load of rubbish. Filling in forms to tick boxes so that everyone can go home happy pretending there's security going on, when really their network is a leaky sieve.

At one point I saw a release by a 3rd party supplier to a large corporate system that included privilege escalation, blatantly, at the start of a T-SQL script. It was done because the IT department refused to carry out the action on request via the official channel but it was work that needed to be done to complete a project. The 3rd party knew the admins would just be running scripts as SA so they escalated their own account to do what they needed to do later.

I know it's silly to be so frustrated about it, but we've all dealt with crappy banking systems for years, with totally insane security measures; meanwhile hackers can just walk away with millions using a bit of malware.

[+] burneraccount|11 years ago|reply
Six years ago I was an intern at a Wall Street firm for a year. The firm that I worked for used an account system that was built in the early 90s and relied on all employees learning special terminal commands to access anything. I can't really go into detail for fear of being sued, but suffice to say the system was archaic. I was amazed that a multi-billion-dollar company relied so heavily on and invested so little in something essential to the business.

The IT department seemed to use the following logic to justify it: the system served its purpose, the legacy employees already knew how to use it and the developers who made it were long gone thus it was cheaper and easier to just leave it be. While my firm had plenty of developers that could rewrite the system from scratch, their attention was devoted solely to money making endeavors like trading platforms and client facing projects.

As for the "Enterprise Architecture Group" (i.e. the developer department) that I interned in, the big problem was the heavy reliance on third party development companies. While the firm wanted to hire more developers, simply put, very few developers want to work for banks (it's funny though that people in finance would have killed to work at the firm). It would take 6 months to a year on average to fill a developer position and they would have to pay a big premium over the average dev salary with a large yearly bonus.

In order to keep up with all the various projects, they would pay third party development/consulting companies millions to come in and create apps. While this allowed the firm to get the necessary apps "done", it created the most crazy spaghetti architecture you could ever imagine. All these different apps were built using different companies/languages/platforms/technologies then thrown together in a big mish mash of iframes and duct tape. The fact that any of them were able to communicate with each other at all was a miracle. I don't actually blame the developers themselves for this, they would constantly voice their concerns while the completely clueless department head/"architects"/project managers/business analysts would shoot them down. They would say things like "I understand your concerns but Super Consultancy X says that they would do it and it will only take 12 to 18 months!! They are even available to help support the app once it's finished!!". Security and user experience were not even on the company's radar, only making money.

[+] contingencies|11 years ago|reply
So what defenses should an organization employ to prevent these types of attacks?

Infrastructure architect at a major Bitcoin exchange here.

It's about defense in depth. Processes. An architecture level stance like "do not trust the client, the server, the network, the data center, the hardware provider, or any particular stage within those three elements". Each element validates the other. An alarm raised by inappropriate behavior at any point will shut down an entire instance, cell, or data center before allowing an attacker a foothold.

The only way to realistically take such a stance without going broke or becoming functionally paralyzed is infrastructure level automation beyond what is common in the industry. Hence, cue for meaningful cloud infrastructure management systems spanning private and arbitrary third party infrastructure. Docker-level stuff is about 1/2 way, what we really need is a few degrees of abstraction beyond that.

[+] belorn|11 years ago|reply
The best defense an organization can employ is to make departments/managers/people economically liable. This results in insurance being bought, budgets assigned to risk management, and practical prevention mechanisms being implemented.

No organization likes being attacked, but any defensive measure that costs money will always be balanced against the potential loss, risk, and convenience of employees. If the risk feels low, the potential loss minimal (worst case, government will intervene), and employee inconvenience high from employing effective security schemes, then no such efforts tend to be used.

[+] dguido|11 years ago|reply
The weakest link was that the computer with access to $10 million+ had access to the general web and was running a general purpose operating system at all.

You don't need Qubes to secure this situation. You could use an iPad/Chromebook or a filtering proxy (whitelisted websites) and either would be sufficient.

[+] xorcist|11 years ago|reply
You are never safe from targeted attacks but that doesn't mean you should run exotic architectures or give up. There's no reason not to stop carpet bomb attacks. Most of the big known breaches have resulted from those.

Don't run Outlook and don't autorun USB. That should stop most automated attacks, including all the big known ones that breached large companies such as RSA and Google.

To stop the rest, don't surf from sensitive machines, and require two factor auth such as Yubikeys or RSA dongles to log in to them.

Compartmentalize sensitive information on separate machines and networks, and externalise sanity checks of data transactions where possible.

[+] ryanlol|11 years ago|reply
PLEASE do not link to qubes in any security related discussion, the devs are known for their incompetence and making some rather hilarious public claims[1].

Not only that, Qubes uses a vulnerable git version from several years ago so practically anyone could go backdoor it if they cared.

[1] http://en.wikipedia.org/wiki/Blue_Pill_%28software%29

[+] aceperry|11 years ago|reply
I laugh whenever someone tells me that they never buy anything over the internet. Their reasoning is that they're afraid of hackers going after online transactions. It seems to me that most of the serious security problems reside in the places that keep your money or access to your money, such as banks, credit cards, or even businesses such as Anthem, etc.

Another problem that I've seen from banks is that they all use Microsoft Windows for most of their employees. That's got to be the worst OS in terms of security. Not saying that you can't break into other systems, but it is so much easier under Windows.

[+] niels_olson|11 years ago|reply
> they all use Microsoft Windows for most of their employees. That's got to be the worst OS in terms of security.

Well, it's good enough for the Department of Defense, so it must be good enough for us, right?

No one ever got fired for buying Microsoft.

[+] ams6110|11 years ago|reply
Bank tellers used to have "dumb" terminals, VT100s or 3270s or similar. Maybe that's a better idea after all?
[+] ChuckMcM|11 years ago|reply
The scope of this is pretty stunning, but if you're going to make a billion dollars you can probably invest 100M or so in developing an organization that can pull it off.

I wonder when we'll see the equivalent of VC money in these sorts of enterprises.

[+] navait|11 years ago|reply
It really only makes sense for organized crime to manage this within their own ranks. You already have trustworthy people, and people with the relevant skills and connections. How would you know if the "startup" you're funding isn't undercover police? If an upstart appears, just "convince" them to share in the profits.
[+] supster|11 years ago|reply
So who ends up footing the bill? Does the bank just write it off as a cost of doing business? Also aren't financial transactions reversible among banks?
[+] vitd|11 years ago|reply
> Also aren't financial transactions reversible among banks?

Maybe, but when they steal from ATMs, there's no other bank involved in that transaction.

[+] sumedh|11 years ago|reply
This looks like the money was stolen from the bank's own account, not their customers'.

Pretty sure that they just write it off and call it a day.

[+] walterbell|11 years ago|reply
Why were internal banking admin systems connected to the public Internet? Two isolated networks should be the minimum.
[+] linuxydave|11 years ago|reply
While I've never worked in banking/financial environments I do know of people who have; they often had two workstations (one for the 'public' network, the other for the systems) and weren't allowed to use software like Synergy to share the keyboard and mouse. I guess not every company does stuff like that, though.
[+] 001sky|11 years ago|reply
relatedly, why do they have webcams? WTF
[+] ukigumo|11 years ago|reply
Well, at least this one was technically challenging. My favourite bank robbery happened in London a couple of years ago and it used social engineering, 3G modems and KVMs. More info here: http://arstechnica.com/tech-policy/2014/04/bank-robbers-use-...

Now, I feel a discussion like this one would be the perfect place for me to introduce myself and... try to sell my services but I think I'm too late to the party so I'll keep it short.

Banks are the archetype of the company that suffers through technology. They make huge investments in IT year on year, but often they end up buying overly complex solutions from 1MM consultancy companies that never get fully implemented and, worse, cause high levels of frustration that then backfire onto projects that could actually make a difference.

With every department (or vertical or region) running their own IT, many of the core functions being outsourced offshore, and innovation (i.e. BYOD, shadow IT) being ignored, some pretty serious gaps are opened in the way security is handled. Despite best intentions, processes or even regulatory compliance, we end up with local desktop machines having direct and unrestricted access to sensitive systems _and_ the internet.

Of course, all this is very nice but at the end of the day if someone can just walk in to your office to "fix your computer" and no one bothers to check their credentials... there's only so much one can do for you.

[+] jokoon|11 years ago|reply
> But the largest sums were stolen by hacking into a bank’s accounting systems and briefly manipulating account balances. Using the access gained by impersonating the banking officers, the criminals first would inflate a balance — for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened.

Sounds like a badly designed system. Usually a bookkeeping system should only accept additions and subtractions, not have direct access to the amount number. Those additions and subtractions should be versioned. It might take a lot of resources and computing power to track that many accounts, but in my opinion, if Google, the NSA and Amazon have big datacenters, banks should too. I don't think they really have the proper infrastructure to secure something as important as account balances. I even think the government should invest money in securing those systems and places, since it's a nerve of the economy.

So either use up-to-date computing methods, or hire more accountants and use paper instead.
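
The append-only design jokoon describes, as an added example that is not part of the thread and not any bank's system: a mutable balance column (the design the article's balance manipulation relies on) beside a journal that only accepts balanced, versioned postings and hash-chains each entry to the previous one. Account names (`cust-1`, `bank-suspense`, `external`), actor names and amounts are made up for illustration.

```python
"""Added example: a writable balance column vs. an append-only, hash-chained,
double-entry journal. Account and actor names are hypothetical."""
import hashlib
import json
from decimal import Decimal


class MutableBalanceStore:
    """The design the comment warns about: the balance is a writable number."""

    def __init__(self):
        self.balances = {}

    def set_balance(self, account, amount):
        # Anyone holding officer credentials can overwrite the figure directly;
        # nothing records the previous value, the delta, or who changed it.
        self.balances[account] = Decimal(amount)

    def balance(self, account):
        return self.balances.get(account, Decimal(0))


class AppendOnlyLedger:
    """Balances are never stored, only derived from an append-only journal of
    postings. Each posting must net to zero (double entry) and carries the
    SHA-256 of its predecessor, so an in-place edit breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.journal = []  # append-only; there is deliberately no set_balance()

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys) so the hash does not depend on dict order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def post(self, legs, memo, actor):
        """legs: [(account, signed_delta), ...] that must sum to zero."""
        legs = [(acct, Decimal(delta)) for acct, delta in legs]
        if sum(delta for _, delta in legs) != 0:
            raise ValueError("unbalanced posting: money cannot appear from nowhere")
        entry = {
            "seq": len(self.journal),
            "legs": [(acct, str(delta)) for acct, delta in legs],
            "memo": memo,
            "actor": actor,
            "prev": self.journal[-1]["hash"] if self.journal else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.journal.append(entry)
        return entry["seq"]

    def balance(self, account):
        return sum((Decimal(delta) for entry in self.journal
                    for acct, delta in entry["legs"] if acct == account), Decimal(0))

    def verify_chain(self):
        """Return the seq of the first tampered entry, or None if intact."""
        prev = self.GENESIS
        for entry in self.journal:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return entry["seq"]
            prev = entry["hash"]
        return None


def heist_against_mutable_store():
    """Inflate $1,000 to $10,000, move $9,000 out, leave the balance looking untouched."""
    store = MutableBalanceStore()
    store.set_balance("cust-1", "1000")
    store.set_balance("cust-1", "10000")                         # stolen officer login
    store.set_balance("cust-1", store.balance("cust-1") - 9000)  # wire out
    return store.balance("cust-1")                               # back to 1000; no trail


def heist_against_ledger():
    """The same play against the journal: the only way to raise cust-1 is a
    posting, and a balanced posting has to take the $9,000 from a bank account."""
    ledger = AppendOnlyLedger()
    ledger.post([("external", "-1000"), ("cust-1", "1000")], "cash deposit", "teller-7")
    ledger.post([("bank-suspense", "-9000"), ("cust-1", "9000")], "adjustment", "officer-3")
    ledger.post([("cust-1", "-9000"), ("external", "9000")], "outbound wire", "officer-3")
    return ledger


def cover_tracks_and_detect():
    """Attacker edits the stored adjustment entry in place to hide the credit;
    verify_chain() names the altered entry."""
    ledger = heist_against_ledger()
    ledger.journal[1]["legs"] = [("bank-suspense", "0"), ("cust-1", "0")]
    return ledger.verify_chain()


def rejects_unbalanced():
    """A posting that credits an account with no matching debit is refused."""
    try:
        AppendOnlyLedger().post([("cust-1", "9000")], "free money", "officer-3")
    except ValueError:
        return True
    return False
```

Against the journal the customer balance ends where it started, but `bank-suspense` now reads -9000 under `officer-3`, which is exactly the "it was the bank's money" observation further down the thread, and any attempt to rewrite that entry changes its digest and is reported by `verify_chain()`. In a real deployment the journal would live on write-once storage with the head hash published out of band, so that an attacker who can reach the database still cannot silently rewrite history.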

[+] ukigumo|11 years ago|reply
This is actually a very good point. If only there was a system of public ledger for fiat currency :-)
[+] kirvyteo|11 years ago|reply
"But the largest sums were stolen by hacking into a bank’s accounting systems and briefly manipulating account balances. Using the access gained by impersonating the banking officers, the criminals first would inflate a balance — for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened."

A naive thought...if they leave with the exact amount of money (left) in the bank, should it be seen as just "illegal inflation", rather than seeing it as a theft. Someone made a gain but nobody made a loss in any case. Banks have always created more liquidity officially through loans, except that it is legal.

[+] joemi|11 years ago|reply
As far as I understand it, the money that was transferred out did not come from nowhere... Ultimately it was the bank's money.

Edit: Meant to also mention that the whole making-it-look-like-an-account-had-more-money concept was about making the fact that they were taking the bank's money harder to notice. It was not actually creating money that did not exist before.

[+] DangerousPie|11 years ago|reply
Private banks can't "create money". Are you maybe confusing them with central banks?
[+] niels_olson|11 years ago|reply
Imagine the black market value of the corporate knowledge these hackers now possess. "Just get me in, I'll take care of the rest."
[+] niels_olson|11 years ago|reply
So, we should definitely continue encouraging a Windows* monoculture in corporate IT, right?

(the point is "monoculture", not Windows, per se. Though it is sort of the icing on the cake.)

[+] TwoBit|11 years ago|reply
Given the amount of money stolen, I wonder if bribing an insider was involved. That wouldn't be surprising to me, given that most of this was in Russia.
[+] zschleien|11 years ago|reply
The way of the future right here.
[+] taivare|11 years ago|reply
I don't see how Jamie Dimon's presidential POTUS cufflinks didn't scare the hackers away.