When I first caught wind in March of how a bank heist failed to net $1 billion due to typos, I was hooked.
It wasn’t the typos; it was that attackers had been able to bypass one of the most supposedly secure systems in place: SWIFT, the trusted bank messaging network. We assume that banks take better care of our money than anyone. The service fees alone tell us that. So we assume that these institutions understand security at a higher level than almost anyone because of all that money. We are given to expect that there are effective security processes in place to safeguard our assets, because after all, if anyone should know how to do security right, it’s a bank. Right?
A lot of banks believed they were inherently protected by virtue of being connected within this quasi-holy financial network. Except, they were wrong. And the loss of hundreds of millions of dollars has revealed some ugly truths and dangerous assumptions.
- We assume that air-gapped is absolute. It isn’t.
- We assume that a private network ensures safety. It doesn’t.
- We assume that special systems operating in their own secure enclaves, with their own proprietary setups, will remain impenetrable. They won’t.
We assume that what we know is enough. That we have adequately provided for our own security. The problem is we haven’t factored in what everyone else connected to the network has failed to do.
At BSidesLV this August, I will present “A Tale of Two Servers” to lead the discussion. To the tune of $100 million, the Bangladesh heist illustrates how costly our security blinders are. Only time revealed this wasn’t a stand-alone event. Other banks came forward to report they, too, had been similarly hacked. The reality is that in these bank heists, the wolves were in the hen house long before anyone knew. And the fact is that we’re not actively looking for evil. Heck, we’re barely watching over things. When BAE Systems released their analysis and breakdown of events, it was clear that the skill required, the depth of knowledge needed to write targeted malware against SWIFT, proved the attackers had more than insider help.
In my talk, away from cameras, recording devices, and safely out of earshot of my employer and clientele, we’ll talk about what’s inherently wrong with the banking system that hackers can manipulate and access. We’ll review some recent exploits and see where else they might lead because attackers are already down those trails. And we’ll have some fun playing a bit of the ‘Attribution Blame Game.’ I already called it: It was the Lazarus Group, in North Korea, with the socket wrench.
If you are interested in finding out more, I will be giving a talk at BSidesLV entitled “How to Rob a Bank or The SWIFT and Easy Way to Grow Your Online Savings,” on Wednesday, August 3, at 14:00.
I hope to see you there!
About the Author: Cheryl Biswas is a Cybersecurity Consultant, Threat Intel, with KPMG in Toronto, Canada. She is fascinated by APTs, mainframes and ICS/SCADA, and is passionate about creating security awareness. She has a specialized honours degree in Political Science, has held a variety of roles in IT, and is ITIL designated. You’ll find her on Twitter as @3ncr1pt3d; she writes a security blog and guest blogs, and has spoken at BSidesLV, Circle City and BSidesTO. The views expressed here are solely her own, not those of her employer.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.