Friday, November 7, 2008

WPA Wireless Now Hacked

Security researchers say they've developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference's organizer.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack. Security experts had known that TKIP could be cracked using what's known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a "mathematical breakthrough," that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

Tews is planning to publish the cryptographic work in an academic journal in the coming months, Ruiu said. Some of the code used in the attack was quietly added to Beck's Aircrack-ng Wi-Fi encryption hacking tool two weeks ago, he added.

WPA is widely used on today's Wi-Fi networks and is considered a better alternative to the original WEP (Wired Equivalent Privacy) standard, which was developed in the late 1990s. Soon after the development of WEP, however, hackers found a way to break its encryption and it is now considered insecure by most security professionals. Store chain T.J. Maxx was in the process of upgrading from WEP to WPA encryption when it experienced one of the most widely publicized data breaches in U.S. history, in which hundreds of millions of credit card numbers were stolen over a two-year period.

A new wireless standard known as WPA2 is considered safe from the attack developed by Tews and Beck, but many WPA2 routers also support WPA.

"Everybody has been saying, 'Go to WPA because WEP is broken,'" Ruiu said. "This is a break in WPA."

If WPA is significantly compromised, it would be a big blow for enterprise customers who have been increasingly adopting it, said Sri Sundaralingam, vice president of product management with wireless network security vendor AirTight Networks. Although customers can adopt Wi-Fi technology such as WPA2 or virtual private network software that will protect them from this attack, there are still many devices that connect to the network using WPA, or even the thoroughly cracked WEP standard, he said.

Ruiu expects a lot more WPA research to follow this work. "It's just the starting point," he said. "Erik and Martin have just opened the box on a whole new hacker playground."

Monday, November 3, 2008

U.S. Army Says Blogging Site 'Twitter' Could Become Terrorist Tool

The U.S. Army is flagging the popular blogging service Twitter as a potential terrorist tool, the Agence France-Presse news agency reported Sunday.

A recently released report by the 304th Military Intelligence Battalion contains a chapter entitled "Potential for Terrorist Use of Twitter," which expresses concern over the increasing use of Twitter by political and religious groups, the AFP reported.

"Twitter has also become a social activism tool for socialists, human rights groups, communists, vegetarians, anarchists, religious communities, atheists, political enthusiasts, hacktivists and others to communicate with each other and to send messages to broader audiences," according to the report.

"Twitter is already used by some members to post and/or support extremist ideologies and perspectives," the Army report said.

The blogging service and social networking site has previously sent out messages known as "tweets" faster than news organizations during such major news events as the July Los Angeles earthquake and the Republican National Convention in Minneapolis.

"Terrorists could theoretically use Twitter social networking in the U.S. as an operation tool," the Army report said.

Monday, October 27, 2008

FTC Shuts Down 'Male Enhancement' Spam Operation

CHICAGO — E-mail inboxes may be clogged with a little less spam — at least for a while.

Authorities said Tuesday they have shut down one of the largest spam operations in the world, a vast network involving countries from New Zealand to China and the United States.

The spammers sent out billions of e-mails in recent years encouraging people to click through to Web sites that allegedly used false claims to peddle prescription drugs, as well as "male enhancement" and weight-loss pills.

The Federal Trade Commission received more than 3 million complaints about the spam and related Web sites, illustrating the scale of the operation, officials said.

The sites, including one called "Canadian Healthcare," were difficult to distinguish from legitimate online pharmacies — making the pitches more persuasive, said Steve Baker, the FTC's Midwest Region director.

"These sites are really professionally constructed," he said. "Some years ago you used to be able to tell the bogus things because they looked cheesy and had misspellings. Anymore, I don't think that's true."

The operation violated the federal CAN-SPAM Act of 2003, meant to restrict commercial spam, by using false header information to hide the origin of messages, not offering an opt-out link and failing to list a postal address, the FTC said.

As part of their inquiry, FTC staff made undercover purchases from the sites. No one asked the clandestine buyers to provide verification of a prescription and the shipped drugs did not include doctors' instructions or dosage information, officials said.

A federal judge in Chicago issued a temporary injunction to halt the operation and also froze its assets. The Federal Bureau of Investigation is investigating and those involved could also face criminal charges, Baker said.

Those spearheading the enterprise, known as "Affking" on the Internet, included a U.S. and a New Zealand citizen, according to court documents.

Servers in China hosted the Web sites and the drugs were shipped from India, while operatives in Cyprus and the former Soviet republic of Georgia processed credit card information, Baker said.

The case should remind consumers to beware of spam, he said.

"If you find your way to these Web sites through spam, you should really be asking yourself if you can trust them at all," Baker said.

Tuesday, October 21, 2008

Experts: Zombie Cell-Phone Hack Attacks May Be Next

Some of the most vicious Internet predators are hackers who infect thousands of PCs with special viruses and lash the machines together into "botnets" to pump out spam or attack other computers.

Now security researchers say cell phones, and not just PCs, are the next likely conscripts into the automated armies.

The mobile phone as zombie computer is one possibility envisioned by security researchers from Georgia Tech in a new report coming out Wednesday.

The report identifies the growing power of cell phones to open a new avenue of attack for hackers.

Of particular concern is that as cell phones get more computing power and better Internet connections, hackers can capitalize on vulnerabilities in mobile-phone operating systems or Web applications.

Botnets, or networks of infected or robot PCs, are the weapons of choice when it comes to spam and so-called "denial of service attacks," in which computer servers are overwhelmed with Internet traffic to shut them down.

Botnets are so troubling because they have massive computing power and a seemingly endless supply of newly infected PCs to replace old ones that are wiped clean or taken offline.

Millions of PCs have fallen victim. The owners typically never know.

The Georgia Tech researchers say that if cell phones become absorbed in botnets, new types of moneymaking scams could be born.

For example, infected phones could be programmed to call pay-per-minute 1-900 numbers or to buy ringtones from companies set up by the criminals.

"The question is, can they do it effectively — make a lot of money without much risk?" said botnet expert Joe Stewart, director of malware research with SecureWorks Inc. "And if they can, then they will do it."

The Georgia Tech researchers say a big appeal of cell phones for hackers is that the devices are generally always on, they're sending and receiving more data, and they typically have poor security.

Antivirus software would suck up massive amounts of battery life, which is a killer on a mobile device.

"This is the perfect platform [for hackers]," said Patrick Traynor, an assistant professor of computer science at Georgia Tech and a contributor to its Emerging Cyber Threats Report.

One big hurdle hackers will face is learning how the cellular networks work and adapting their attacks.

Unlike the wide-open world of Internet providers, cell phone operators have tighter control over their networks, which means they could shut down the lines of communication between infected phones much easier.

Traynor noted that researchers have very little hard evidence that hackers are already targeting cell phones. But successfully attacking cell phones requires that people do a lot of Internet browsing and downloading programs onto their phones, and that is just starting to happen now.

"There are some challenges for the adversaries, but we've seen them overcome the challenges in their way before," Traynor said.

Monday, October 13, 2008

Fake YouTube Sites Carry Virus

SAN FRANCISCO — Savvy Internet users know that downloading unsolicited computer programs is one of the most dangerous things you can do online. It puts you at great risk for a virus or another time bomb from a hacker.

But even some sophisticated surfers could get taken in by a sneaky new attack in which criminals create fake YouTube pages — dead-on replicas of the real site — to push their malicious software and make it look like it's safe stuff coming from a trusted source.

A program circulating online helps hackers build those fake pages. Users who follow an e-mail pointing them to one of the pages would see an error message that claims the video they want won't play without installing new software first.

That error message includes a link the hacker has provided to a malicious program, which delivers a virus.

Even worse: once the computer is infected, it's simple for the hacker to silently redirect the victims to a real YouTube page to see videos they were hoping to see — and hide the crime.

The tactic itself isn't new: There's a constant push by criminals to build more convincing spoofs of legitimate sites to trick people into downloading harmful software. And the latest attacks don't target any vulnerability in the YouTube site.

But it highlights the fact that criminals are getting better at creating bogus sites and developing so-called "social engineering" methods to fool people.

Fortunately, truly alert Internet users can still see the telltale warning signs with the fake YouTube pages.

For one, the Web browser won't show the real YouTube's Internet address. And to even see the malicious page, you have to first follow a link that's sent to you, which is often a tip-off that you should independently verify whether the site is legitimate.

Sunday, October 12, 2008

A laptop thief got caught — after the computer owner tracked him remotely.

WHITE PLAINS, N.Y. — A laptop thief got caught — after the computer owner tracked him remotely.

Jose Caceres said he used a remote access program to log on every day and watch his computer being used, and then tipped off police, leading to the arrest of a 34-year-old male suspect.

The man was charged with grand larceny, said police Lt. Eric Fischer in Wednesday editions of the Journal News.

"I reported the theft to the police and they were investigating, then I decided to sign on and see what the guy was doing with my computer," said Caceres, 27, of White Plains. "Having remote access is such an advantage, because it allows you to do something like this."

The computer was stolen in early September, he said, when he left it on top of his car while carrying things into his home.

When he first tried to figure out who had stolen his computer by logging on remotely, Caceres said he was stymied in his efforts.

"It was kind of frustrating because he was mostly using it to watch porn," he said. "I couldn't get any information on him."

But then the suspect typed in a name and address to register on a Web site, he said. A few hours later, police caught the suspect.

It wasn't the first time in Westchester County in recent months that tech-savvy victims have supplied police with information leading to arrests.

In May, a White Plains woman whose laptop was stolen from her apartment also used remote access technology to sign on, then activated the stolen computer's camera and snapped pictures of the man using it.

Police arrested two suspects in their 20s on charges of burglary and possession of stolen property. Authorities said both men had attended a party at their victim's apartment.

And earlier this month, police arrested a 17-year-old suspect. He was accused of trying to sell a mountain bike worth almost $3,000.

Its 13-year-old owner saw his bike for sale on eBay and contacted police. An undercover officer posing as a potential buyer set up a meeting with the 17-year-old, who was charged with possession of stolen property.

"This is what happens when you have victims who get involved and use the available technology to their advantage," said Fischer, commander of the White Plains police detective division.

Friday, October 10, 2008

World Bank Under Cyber Siege in 'Unprecedented Crisis'

The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

In a frantic midnight e-mail to colleagues, the bank's senior technology manager referred to the situation as an "unprecedented crisis." In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.

The crisis comes at an awkward moment for World Bank president Robert Zoellick, who runs the world's largest and most influential anti-poverty agency, which doles out $25 billion a year, and whose board represents 185 member nations. This weekend, the bank holds its annual series of meetings in Washington — and just in advance of those sessions, Zoellick called for a radical revamping of multilateral organizations in light of the global economic meltdown.

Zoellick is positioning himself and the bank as an institution that can help chart a new path toward global financial stability. But that reputation, more than ever, depends on the bank's stable information infrastructure.

The fact that the information vaults of the World Bank have been repeatedly pried open won't help Zoellick's case.

While it remains unclear how much data has been pilfered from the bank, it's a lot. According to internal memos, "a minimum of 18 servers have been compromised," including some of the bank's most sensitive systems — ranging from the bank's security and password server to a Human Resources server "that contains scanned images of staff documents."

One World Bank director tells FOX News that as many as 40 servers have been penetrated, including one that held contract-procurement data.

Despite the gravity of the break-ins, the bank is trying hard to pretend to outsiders it didn't happen. "There were attempts to hack the bank's computer systems last summer," says a World Bank spokesman. "However, there was no compromise of confidential information." Requests for on-the-record interviews with Zoellick and other top officials were declined.

Meanwhile, the bank's treasurer, Kenneth G. Lay, has been briefing Zoellick's senior management team regularly on the situation since April.

Other bank officials are also sleuthing. The bank's chief information officer, Guy De Poerck, has engaged Price Waterhouse Coopers to do a confidential million-dollar assessment that is expected to tell him what's going on in his own department. And a 22-page internal report by a computer security company named MANDIANT, dated August 18, fleshes out many details of the June-July breaches. But very few people have ever seen the report, and nobody has been permitted to retain a paper copy.

At the same time, De Poerck has been downplaying the problem to the bank's 10,000 rank-and-file staffers as mere intrusion "attempts" in his e-mails. Yet most of those staffers have been asked to change their password three times in the past three months.

"As previously reported in mid-July," CIO De Poerck and a senior bank treasury official wrote in an August announcement to employees, "we would like to reassure you that there is no evidence that Bank staff personal information is at risk from the recent external attempts."

It's unclear how that statement squares with an internal memo to De Poerck a month earlier revealing that a sensitive Human Resources server "that contains scanned images of staff documents" had been successfully breached. De Poerck declined to comment to FOX News about any of these details.

In reality, the situation is serious enough that federal investigators have been called in. "We're not talking about hackers playing games or messing up our website," insists a senior member of the bank's IT department at its Washington headquarters. "It's about the FBI coming last summer and saying, 'You should take a look at your systems because we think something weird is going on.' It's about the intruders knowing what information they wanted — and getting to it whenever they wanted to. They took our existing data stores and organized them in a way that they could be easily accessed at will."

In plainspeak: "They had access to everything," says the source. "They had the keys to every room at the bank. And we can't say whether they still do or don't until we fully and openly address what's happening here."

The data raids are not a matter of stealing inconsequential bits and bytes. The World Bank's data center is literally a treasure trove of vital financial information from around the globe. As a clearinghouse for financial data from both governments and companies, the bank's computers could provide intruders with both a financial and intelligence gold mine — from inside information on bids and contracts to the minutes of confidential board meetings.

If the bank takes a position in a currency, for example, that currency usually moves in response to the bank's actions. Stocks and bonds can also swing up and down based on World Bank announcements. "If you know beforehand that the bank is going to put an order in for oil pipelines in Chad or healthcare systems in India, you can actually make a good amount of money," says one insider.

Although the bank typically provides only a fraction of the financing for a project, its influence on those projects is immense. Private corporations see the bank's stamp of approval as a guarantee that their own larger investments will be safe — and profitable. Knowing in advance what projects the bank's board will reject could be just as profitable.

Some insiders fear that contractors — perhaps even governments — might be seeking advance knowledge on the status of the bank's anti-corruption probes. "The bank knows the books of countries almost as well as the countries do — including the corruption at times," says one insider.

The first breach of the bank's secrets was discovered in September, 2007, after the FBI — while at work on a different cybercrime case — notified the bank that something was wrong. The feds pointed to a part of the bank's network that led out of the Johannesburg hub of the International Finance Corp. (IFC), a bank arm that lends to the private sector.

Within a week of the tip, teams of bank investigators sent to Johannesburg discovered that intruders had gained full and total access to all of IFC's worldwide information — including all incoming and outgoing e-mail — for at least six months. "They were downloading everything and anything," says one insider, who says that IFC's monitoring systems were extremely weak. "They [intruders] had full access."

Investigators discovered that the intruders were using a so-called "cluster" of IP addresses from Macao, China. But since those addresses can be spoofed (i.e., disguised) the discovery doesn't prove that the breaches actually originated in China. Nonetheless, bank officials and its executive director for China clashed behind closed doors over whether or not China's government is involved in the break-ins.

Bank sources tell FOX News that Johannesburg is one of several secret "hubs" containing a "common data store" (or CDS) that the World Bank Group has established around the globe. In layman's terms, a CDS is the cyber-world's version of a bomb shelter where every piece of an organization's data is replicated and backed up in case of a data-wipeout at headquarters in Washington. While it's known that IFC data was accessible at the hub, it remains unclear if all World Bank Group data was compromised there.

The second major breach — of the bank's treasury network in Washington — was discovered in April 2008. The World Bank's Treasury manages $70 billion in assets for 25 clients — including the central banks of some countries. It carries out substantial collaborations with the world's finance ministers on public wealth and debt management, runs an active bond-trading desk in Washington, and does everything from currency trading to capital markets financings.

After a forensic analysis of the treasury breach, bank investigators discovered that spy software was covertly installed on workstations inside the bank's Washington headquarters — allegedly by one or more contractors from Satyam Computer Services, one of India's largest IT companies.

The software — which operates through a method known as keystroke logging — enabled every character typed on a keyboard to be transmitted to a still-unknown location via the Internet.

Upon its discovery, insiders report, bank officials shut off the data link between Washington and Chennai, India, where Satyam has long operated the bank's sole offshore computer center responsible for all of the bank's financial and human resources information.

Satyam was also banned from any future work with the bank. "I want them off the premises now," Zoellick reportedly told his deputies. But at the urging of CIO De Poerck, Satyam employees remained at the bank as recently as Oct. 1 while it engaged in "knowledge transfer" with two new India-based contractors.

Satyam — one of the largest and most prestigious IT companies in India — is publicly listed on the NYSE and boasts having $2 billion in sales and more than 150 Fortune 500 companies as clients. In 2003, Satyam — it means "truth" in Sanskrit — won a much-heralded and lucrative five-year "sole source" contract to design, write and maintain all of the World Bank's information systems.

The contract — which began at $10 million and grew to more than $100 million by 2007 — was suddenly not renewed this year. Satyam so far declines to comment.

Then came the June-July breaches in Washington. They were similar to the Johannesburg attack, as the same group of IP addresses from Macao were used.

This time, however, the cyber-burglars used a different spyware. They broke into an external server run by the bank's private sector development unit. They were able to acquire passwords — including the password for the systems administrator.

That enabled them to jump into the servers at MIGA, the bank's giant insurance arm. It was there that they captured the security administrator's password as he was logging on to his computer.

It took ten days for bank officials to detect that they'd been invaded. Once they did, they shut down all external servers, except for e-mail — which it turns out the invaders were already using as their entrance point. By the end of July the invaders "had completely mapped out the topography of the bank's information systems," says one expert — "where everything was, the types of servers, and the types of files on the servers."

What the intruders did with all that information is the World Bank's most sensitive and painful mystery. It has clearly left the institution in a highly vulnerable position.

And the same may go for bank president Zoellick. Bank insiders say that he needs desperately to get the security of his own house in order. Despite the vast sums that the Bank spends on data and data storage, its information systems are deeply in disarray.

Today the total cost to maintain the bank's information infrastructure is at least $280 million per year. But according to one disgruntled bank staffer, "We don't even have an internal search engine that works."

The truly alarming fact, however, is that someone — or many people — seem to know their way around the bank's most valuable resource very well, even though they aren't supposed to be there at all.