Bangladesh Bank exposed to hackers by cheap switches, no
firewall: police
Bangladesh's central bank was vulnerable to hackers
because it did not have a firewall and used second-hand, $10 switches to
network computers connected to the SWIFT global payment network, an
investigator into one of the world's biggest cyber heists said.
The shortcomings made it
easier for hackers to break into the Bangladesh Bank system earlier this year
and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials,
said Mohammad Shah Alam, head of the Forensic Training Institute of the
Bangladesh police's criminal investigation department.
"It could be difficult
to hack if there was a firewall," Alam said in an interview.
The lack of sophisticated switches, which can cost
several hundred dollars or more, also means it is difficult for investigators
to figure out what the hackers did and where they might have been based, he
added.
Experts in bank security
said that the findings described by Alam were disturbing.
"You are talking about an organization that has
access to billions of dollars and they are not taking even the most basic
security precautions," said Jeff Wichman, a consultant with cyber firm
Optiv.
Tom Kellermann, a former
member of the World Bank security team, said that the security shortcomings
described by Alam were "egregious," and that he believed there were "a handful" of central banks in
developing countries that were equally insecure.
… The
police believe that both the bank and SWIFT should take the blame for the
oversight, Alam said in an interview.
"It was their
responsibility to point it out but we haven't found any evidence that they
advised before the heist," he said, referring to SWIFT.
Another update. In
short, someone with legal access to the database screwed up. Interesting read.
Overnight, I received a response from the INE with answers
to some questions I had posed to them about a massive
database leak of Mexican voter data. The leak had been discovered by MacKeeper
researcher Chris Vickery.
Another interesting article for my Computer Security students. Phishing works!
After 24 days of updating my scratch
list of incidents involving phishing for W-2 information (business email
compromise), I decided to take stock and try to organize what we have so far. I was surprised to see that there were already
90 incidents. Most of
these entries were found via media reports and reports to state attorneys
general. Some were found via
KrebsOnSecurity. In a few cases, it’s
not totally clear whether an incident was a phishing attack or some other type
of breach that compromised employee information.
[Full list
follows…
Reminds me of my childhood vacations at the Jersey shore. Something smells fishy. Is the FBI still trustworthy?
Federal Prosecutors Drop Court Case to Force Apple to Unlock
iPhone
The Justice Department on Friday night dropped a
court case trying to force Apple Inc. to
help authorities open a locked iPhone, adding new uncertainty to the
government’s standoff with the technology company over encryption.
In a one-page letter filed with a Brooklyn federal
court Friday night, the government said an individual had recently come
forward to offer the passcode to the long-locked phone. The filing means that in both of the
high-profile cases pitting the Justice Department against Apple, the government
first said it couldn’t open the phone, only
to suddenly announce it had found a way into the device as the case
proceeded in court.
… The sudden
withdrawal from the case is a setback in more ways than one for the Justice
Department. It leaves unchallenged a
50-page ruling by a magistrate judge concluding the government doesn’t have
legal authority to force companies like Apple to help investigators open
devices. It is also likely to spark
further criticism from privacy advocates that government officials shouldn’t be
believed when they say the only way they can open a device is with help from
the manufacturer.
… The government’s move
to drop the case means there is no public legal case to fight with Apple,
though a February court filing indicated there were a dozen similar such cases,
most of them under seal, around the country.
(Related) Erosion of trust?
Seems a bit like old news by now, but Brad Heath reports:
The FBI guards its high-tech
secrets so carefully that officials once warned agents not to share details
even with federal prosecutors for fear
they might eventually go on to work as defense attorneys, newly
disclosed records show.
A supervisor also cautioned the
bureau’s “technically trained agents” in a 2003 memo not to
reveal techniques for secretly entering and bugging a suspect’s home to
other agents who might be forced to reveal them in court. “We need to protect how our equipment is
concealed,” the unnamed supervisor wrote.
Read more on USA
Today.
(Related)
Scott Greenfield writes:
When the existence and capacity
of Stingrays came to light, you might have thought all hell would break
loose. After all, it wasn’t just the public that was kept in the dark by
this monumental breach of privacy. It
was judges too.
The concealment of the use of
Stingray is one thing. The deceptive
claim that Stingray is little more than a trap and trace device is
another. But these
emails go to a different place. It’s not just the government concealing their
cool, secret devices from the public. Not even from criminal defense
lawyers. They are lying to the courts about using them.
Read more on Simple
Justice.
Not just the FBI? Does every
government agency have “double secret” technology to spy?
Derrick Broze reports:
Phoenix resident Brian Clegg was
concerned about a box
he witnessed being installed on a power pole. Clegg said the box was facing his house and he
believed it may have had cameras inside. The pole was owned by Arizona’s largest power
provider, SRP, who claimed no one had permission to put the box on their pole. Brian Clegg says shortly afterwards SRP sent a
crew to remove the box.
Shortly after ABC15 investigated
the matter, the bureau of Alcohol, Tobacco and Firearms and Explosives(ATF), a
branch of the U.S. Department of Justice, acknowledged
installing the box as part of an ongoing investigation. Officials with the ATF would not provide
details about their alleged investigation and would not confirm if they were
conducting surveillance in the area.
Read more on Activist
Post.
The “Founding Fathers” of e-government?
Looks like those campaign donations do buy access. (“What’s good for General Bullmoose is good
for the country!” Lil Abner)
Report finds hundreds of meetings between White House and
Google
Google and its affiliates have had at least 427 meetings
at the White House during President Obama’s tenure, according data from the
Campaign for Accountability and The Intercept.
The data,
gleaned from White House meeting logs, showed that in all, 169 Google employees
have met in the White House with 182 government officials. Not surprisingly,
Google’s head of public policy, Johanna Shelton, had the most White House
meetings of any Google employee, with 128.
The report highlights the access enjoyed by Google, which
has a expansive lobbying operation in Washington and consistently ranks among
the highest spenders. In just the first quarter of this year, Google spent $3.8
million to lobby the government.
… The
numbers also show 55 times in which Google employees took jobs in the federal
government, and 197 times when government employees went to work for
Google.
I just stumbled across this and had to record it for use later. Remember the Ferengi?
Rules of Acquisition
Da bidness of smartifying.
Hack Education Weekly News
… “A federal
judge has ruled that the Consumer Financial Protection Bureau
doesn’t have the legal authority to investigate the accreditation
of for-profit colleges,” The
Chronicle of Higher Education reports.
… The latest in
the ongoing battles over teacher tenure: “The North
Carolina Supreme Court on Friday ruled unconstitutional a state law
that phased out job protections for teachers who had already earned them,” The
News & Observer reports.
… Via
Reuters: “At least five times in the past three years, U.S. high school
students were administered SAT tests that included questions
and answers widely available online more than a year before they took the
exam.”
… “Richard Payne, director of Douglas County School
District security, spent $12,000 on 10 Bushmaster semi-automatic long
rifles that will be given to the district’s in-school security
guards,” Boing
Boing reports.
… “Businesses, nonprofits and
communities are turning to private dollars for help in establishing free
community college programs,” Inside
Higher Ed reports. Meanwhile, San
Francisco Board of Supervisor member Jane Kim has proposed
eliminating tuition at the City College of San Francisco for the city’s
residents; and Kentucky’s
newly approved budget would also offer “last dollar aid” for community
college.
… War is Peace. Freedom is
Slavery. And tracking
biometrics and keystrokes will
make education technology more secure.
… Note-taking by hand > note-taking by
computer, according to research published in Psychological Science.
