Hackers take $81M from Bangladesh's central bank by pwning its $10 second-hand routers


#21

Bangladesh is not in India.


#22

The implication is that the bank bought its routers from such a vendor.


#23

What’s written to disk, to manage your risk,
And monitors all you do.

What’s keeps a good track
And Covers your back,
It’s log, Log, LOG

It’s Log, Log,
It’s dense, it’s wordy, you schlep
It’s log, log
You’d better get good with grep.

Everyone wants a log.
Go out and find a log
Hope you are writing logs
Go on and get your log, log, log ,log, log.

From BLAMMO


#24

I would, but that would make me disappointed with discorse which powers these forums, not boing boing’s blog…and really discorse is fantastic software. either way this wouldn’t qualify me for the list.

i’ve been disappointed about not being on the list, but rob has made a clear rule that meta-disappointment doesn’t qualify you for the list either.


#25

that is awesome!


#26

Does that mean 1/5 is not much?


#27

Assuming everyone is assuming? Yikes!


#28

WHY. CANT. I JOIN. THAT CLUB!?

So disappointed.


#29

And I gotta say @beschizza, that’s mighty disappointing.


#30

Bangladesh != India, that’s probably the problem.


#31

is pwning a real word yet? otherwise I will just decide to read it as ‘pawning’ in this headline.


#32

We run our soon-to-be-made-obsolete wide-area network (WAN) on plenty of secondhand, slightly melted, slightly fried hardware or cheap/used hardware. Secondhand hardware is the least of one’s problems typically, as long as sensible precautions like strong passwords, locked WiFi, closed ports, updates run 24/7, adequate firewalling, and lots of monitoring of logs (things already mentioned in this thread, basically) have already been put in place.

Our friends, acquaintances and even some of our own clients chuckle at our obsessive, incessant updating and patching, laugh at our perceived paranoia. A year ago, we started a secondary business de-hacking hacked web sites that were under the so-called supervision of those who are evidently a lot less paranoid that my partner and me. Plenty of looooooong work-nights over here, but our hosted sites are robust and security’s been solid, year after year. Even when our logs show >40,000 rejected hack attempts per hour and I have had to unplug our Cisco routers for a few seconds to keep the wires connecting us to The Rest of The World from melting. And we only have one rack of servers. I don’t even understand how we could count as worth the bother.

Any bank but by Jah especially a central bank on which an entire nation’s monetary system depends has a responsibility to hire the best, cut no corners, and be insanely vigilant re staffing the right kind of extra smart humans to run the joint successfully, competently. Banks are natural targets for thieves (hackers or IRL robbers) the same way fat ungulates will draw hungry lions, every time.

It’s humans who are in charge of buying the bank’s hardware and running it anyway.

If this bank is like all other banks run for profit, I am going to assume that the predominant corporate mindset prevailed there: fat profit margins are sacrosanct. If that bank’s BoD or operators gave a serious damn about security, Bangladeshi human capital is readily available. My partner works various contractor IT gigs, and his Bangladeshi colleagues here on H-1B visas are seriously smart. Bangladesh in all likelihood doesn’t lack local talent. Stinting on hiring, or stinting on pay for good hires is going to end particularly badly at a bank. A central bank.

Ye gods.

Or maybe it’s all a fluke. Maybe this was just a brand new exploit on some level, and it caught the adequately compensated, market-rate-paid sysadmins et al unawares.


#33

Je-ZUSS. What are the odds? Seriously. It’s… almost… like someone could have made sure there were no firewalls…

Industry standards. Standard OP SEC. Fer christssakes they should just have talked to @japhroaig for 10 minutes and he’d have given them more than enough reasons to do the basics correctly.

(and always glad to see a Picard pic, thanks for that!)


#34

Thank you for sharing your story. Interesting.

Why is your WAN turning obsolete? And what does the network serve now? Is it for web hosting?


#35

Our WAN is part of our ISP service for our community. Once Time-Warner finally gets installed out here (which is soon), I fully expect that our clients will switch from the bonded T-1 line they (and our servers) share to more bandwidth at a much lower price. There’s no way we can compete with Time-Warner on price. The revenue we earn from that part of our business is barely a break-even these days, so it will all come as something of a relief.

Web hosting will proceed, but we will likely move our rack to a co-working hub that is served by Google Fiber, which started installing in Austin-proper last month, in the trendiest/most expensive zip codes first. I am guessing that, based on how cool my community is, Google Fiber will reach our section of the ATX-megaplex by 2030 if it bothers to do so at all. Many of my friends will, as I, count that as a very very mixed blessing and an indicator of something precious [and desirably livable] having fled our area for good.


#36

This topic was automatically closed after 5 days. New replies are no longer allowed.