Son of Stuxnet: "invisible," memory-resident malware stalks the world's banks

Originally published at: http://boingboing.net/2017/02/08/son-of-stuxnet-invisible.html

…

Hard to feel sorry for the banks at this point. If they don’t understand cyber security by now, then fuck 'em.

…and their customers too!

Calling…

As long as the banks’ losses would come out of the executives’ quarterly bonuses, then yeah…

But I don’t expect it’ll work that way

One thing I understand about cyber security is that there’s always some new exploit. Security isn’t something you set up and forget about.

Banks can’t just air gap their servers and call it a day. Customers expect to do their banking on-line. Bank-to-bank data transfers need to happen, as well as data transfers with companies the bank does business with. The price of being connected is security vigilance.

Unless you want to go back to couriers in armoured trucks and a 5-10 day wait for all transactions to go through. Oh, and only updating your passbook in person, at your home branch, with the teller writing in the information by hand. Basically roll everything back to the late 1940s.

No? Then stop this “fuck the banks” BS.

Which is something they don’t get. They think they can just buy an off the shelf solution (Nortons, McAfee, etc), install it on the computers and leave it at that. So something like this happens and they are surprised.

It also doesn’t help that execs usually view the IT group as a money sink and don’t understand why they can’t get rid of it and just outsource.

And not using fucking Windows for critical infrastructure…

They didn’t just stick with off the shelf solutions. They contacted a high end computer security service like Kaspersky labs to evaluate their systems. It is through the course of due diligence that a highly sophisticated computer security research team found this impressively stealthy exploit.

A less competent computer security firm would not have found this Mal ware.

This isn’t a case of password = “password”

Bollocks. I’ve talked to enough IT bank people to earn the right to say that.

Oh, I’m sure there’s some, but on an international level – bollocks.

Besides, on a bleeding obvious level: McAfee and Norton don’t run on the mainframes used to track account histories.

That might not be a bad idea. Has accelerating the financial system provided any benefit to anybody besides the owners? I suppose people who live paycheck-to-paycheck might need their funds immediately, but I don’t mind if my creditors take a while to cash my check.

The thing about going back to the 1940s is, it worked fine in the 1940s. And it creates jobs for quill pen manufacturers!

I’m rather fond of the tech level of the 1940s (except for medical tech, and energy sources. But most other things.). Paper-based banking would absolutely destroy the commercial internet, though.

Ugh. I’d have to suck up to shoe store managers and beg them to order flats in my size again.

Yup, yup, yup. I have signed so many NDAs that I can’t talk any specifics. And as you say, financial institutions don’t just go down to Best Buy and install AV on their domain controllers and call it a day.

Jesus Christ, while that isn’t criminally illegal, you will get your [REDACTED] licenses pulled so fast your head would spin.

There are still many foreign banks that really don’t understand cyber security well. That creates a “weakest link” problem where $10 routers can lead to international multi-million dollar hacks.

Even though I’ve never heard of a direct mainframe attack from the outside, business models are changing so fast inside most banks these days that consumer-facing ancillary systems that are not very well secured are being connected to the core banking systems which create security holes that are almost impossible to plan for and detect.

Microsoft does love to tell bank execs that they don’t need the mainframes anymore and that Windows is more than good enough to handle that level of data.

Must! Not! Tell! Stories!!

(In general it is much, much better than perhaps you suppose. Not what I would call outstanding, but in general pretty good)

In that case, I stand corrected.

see my statement above. Not saying it to be an ass, just that my mind is now changed on this issue.

I have the dubious distinction of crashing a mainframe at [REDACTED] facility in [REDACTED]. Yes, windows can be as stable as a mainframe.

Indeed it is much better than say, 5-10 years ago…most banks have plugged the worst of the holes but they are still discovering new gaps every day. It’s the unintended consequences of hooking together systems that were never meant to talk to each other.

Having worked in the industry for many years myself, I make it a point to avoid certain institutions where I have direct knowledge of their internal IT practices.

Can’t name any names either but let’s just say I’ll never do business with…(rhymes with: Belles Largo).

HAHAHAHAHAHAHAHA!!!

That’s something I can’t talk about either, but (looks around suspiciously) they obviously have their customers best interests at heart… Right? Hey Jeff[at]********, right?