
Bank hacked because of 10$ router without firewall

ParanoidWallet

According to this article from Business Insider, Bangladesh central bank was hacked. As from the title, the issue was a 2nd hand $10 router without any firewall configured... The hackers got away with around $81 million, but the whole hack attempted to transfer $951 million. Most of the payments got automatically blocked. Another $20 million was on its way to Sri Lanka, but a misspelling in the company's name raised a red flag and the transfer got blocked.

Quote

Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said.

I cannot believe that a central bank in any country would lack this quality of equipment. Not sure if this is just an issue in Bangladesh, but I do hope that banks all over the globe take another look into their own systems to detect weak links, after all, everyone uses credit cards and they are connected to the banks...

Link to business insider article: http://uk.businessinsider.com/r-bangladesh-bank-exposed-to-hackers-by-cheap-switches-no-firewall-police-2016-4?utm_content=buffer04ba7&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer?r=US&IR=T


I would laugh if it turned out that this was committed by the paid astroturfers that Hillary Clinton is sending onto the interwebs to fight people that don't like her.

 

Gotta get that bribe money somewhere right?

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


1 minute ago, crystal6tak said:

No, 48 500 gb HDD's in raid 0, gotta use them second hands bro

No, you mean 200 120GB HDDs in raid 0 right? Gotta use even older drives man...

Looking at my signature are we now? Well too bad there's nothing here...

What? As I said, there seriously is nothing here :)

2 minutes ago, Trik'Stari said:

I would laugh if it turned out that this was committed by the paid astroturfers that Hillary Clinton is sending onto the interwebs to fight people that don't like her.

 

Gotta get that bribe money somewhere right?

wait are people defending hillary clinton? 


17 minutes ago, ParanoidWallet said:

 

 

8 minutes ago, imreloadin said:

I bet they store all of their data on RAID 0 arrays too because they don't want to sacrifice speed also.....

Why would the engineers know about RAID 0? They couldn't put up a firewall

Please vote for Donald Trump. I am out of sitcoms to watch.

When lyfe gives you HDDs, make SSDs

 

 

 


3 minutes ago, crystal6tak said:

No, 48 500 gb HDD's in raid 0, gotta use them second hands bro

That's the next upgrade, right now they're at this lol

 

Either way, I'm not even that disappointed in a cheap router, but you can still have decent security with crap routers. This is full on 10 year old son of the manager needed a job xD 

 

 


[i7-7700k@5Ghz | MSI Z270 M7 | 16GB 3000 GEIL EVOX | STRIX ROG 1060 OC 6G | EVGA G2 650W | ROSEWILL B2 SPIRIT | SANDISK 256GB M2 | 4x 1TB Seagate Barracudas RAID 10 ]

[i3-4360 | mini-itx potato | 4gb DDR3-1600 | 8tb wd red | 250gb seagate| Debian 9 ]

[Dell Inspiron 15 5567] 

 

 


3 minutes ago, RedWulf said:

That's the next upgrade, right now they're at this lol

 

Either way, I'm not even that disappointed in a cheap router, but you can still have decent security with crap routers. This is full on 10 year old son of the manager needed a job xD 

 

 

yes, that's where my idea came from :)


4 minutes ago, mikat said:

wait are people defending hillary clinton? 

Yeah, a superpac is spending a couple mil paying people to go on twitter, reddit, news comment sections, to "correct" the alleged "misinformation" being spread about her.

 

Also known as astroturfing, which I was fairly sure is illegal.


3 minutes ago, Trik'Stari said:

Yeah, a superpac is spending a couple mil paying people to go on twitter, reddit, news comment sections, to "correct" the alleged "misinformation" being spread about her.

 

Also known as astroturfing, which I was fairly sure is illegal.

yup lol


Big corporations usually go with the ultra cheapest stuff available, even though the slightly more expensive stuff saves them from a whackton of headaches and is the cheaper option in the end just because it fails less. I mean, look at the Dutch Railways Fyra debacle. NS (the Dutch railways operator) could've gone to anybody with experience in trains. Siemens, Bombardier, Alstom, the whole lot, but nooooo, let's go for the cheapest option: an Italian company that's been around since 2001 with very little experience and what you get is a train that breaks down (like, bottom panels breaking away from the train) on the 1st day of regular service, never driven at its intended speed of 250 km/h, and was in service for a whopping 40 days (yes, days) before it was withdrawn from service because of the technical problems with the damn thing. It cost the NS a lot more than needed because of all the breakdowns, which could've been prevented by going with the slightly more expensive trains that didn't break down all the time. Not one Fyra train ever arrived on schedule during those short 40 days of service. Not one.

Ye ole' train


1 hour ago, Arty said:

I thought I heard about this a month ago?

You did, but it was released today why the hack was possible, so to say.

The ability to google properly is a skill of its own. 


2 hours ago, mikat said:

yes lol,

or 3000 8 gb flash drives in raid 0 (if you can even have that many devices in a raid lol)

That is a lot of USB ports.

Main Rig "Rocinante" - Ryzen 9 5900X, EVGA FTW3 RTX 3080 Ultra Gaming, 32GB 3600MHz DDR4


In Bangladesh, you don't have to hack, you can just take whatever and run.


It always amazes me that large businesses even bother using such low end equipment when millions of customers are at stake. 

 

 


This basically tells me how seriously they don't take their security. 

"It pays to keep an open mind, but not so open your brain falls out." - Carl Sagan.

"I can explain it to you, but I can't understand it for you" - Edward I. Koch


12 minutes ago, Godlygamer23 said:

This basically tells me how seriously they don't take their security. 

They are very serious about not taking it seriously it seems. 


So this sounded really weird to me for a few reasons... Even without a firewall there should be other lines of defense in place. Do 10 dollar routers even exist, and if they do surely the entire infrastructure can't be made up of them (would probably go down several times a day because of the load)?

 

As it turns out, the headline is very clickbaity. The Forbes article says the hackers are suspected to have installed malware on the bank's officials' computers. It was not 10 dollar routers (the report seems to have gotten switches and routers mixed up). The attack might have happened even with managed routers. The article itself states that better routers should have helped track how the attack was done (by having proper logs of all events on the network), but that by itself would not have stopped the attack from actually happening (because the bank didn't have anyone employed to monitor the network). The lack of VLAN seems like a huge security issue though.

 

 

TL;DR: It wasn't because of a 10 dollar router without a firewall the attack happened. A better router (or switch) would not have stopped the attack either. The bank messed up in other ways as well.

 

 

It's pretty funny that the hackers got found out because of a spelling mistake. Not because someone discovered that large sums of money were getting transferred.
