Risk
10/11/2008 08:32 PM
George V. Hulme
Commentary

World Bank (Allegedly) Hacked

It seems, based on a FoxNews.com report that broke Friday, that the World Bank Group suffered a series of cyberattacks during the past few months. The claims about the level of access gained by the attackers are troubling -- but the real extent of the breach remains in dispute, and unknown.

These days, it's tough for any bank to ask for trust from the public. But that's essentially what the poverty-fighting World Bank Group is asking us right now. Trust us: We haven't put the money you've loaned us at risk. The risk this time doesn't involve overleveraged loans or the failure to mark collateralized loans to fair market value. Instead, the risk comes from whether the World Bank took reasonable steps to secure its infrastructure, to what level it was breached, and whether it's now being straightforward in the (little) public disclosure the organization has provided so far.

Before we take a look at the FoxNews.com report, let's look at what the World Bank said after the news story went public:

"The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

"Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."

To FoxNews.com's credit, they claim to have reached out to World Bank officials before running with the story:

Requests for on-the-record interviews with Zoellick and other top officials were declined.

Perhaps it would have been a better idea for the World Bank to share what little it could, without jeopardizing any current investigations, before the story ran. At least it would have been proactive in its argument against the "falsehoods," "errors," "misinformation," and "leaked e-mails taken out of context." If it had done that, the story would have had a much different tone.

The bigger question on this point is why, and how, the e-mails were accidentally or purposefully leaked in the first place.

Here's how our Kelly Jackson Higgins summed up the breach from FoxNews.com's report:

According to the FoxNews.com report, World Bank employees have been ordered to change their passwords three times in the past three months in the wake of the attacks, which spanned somewhere between 18 and 40 of its servers in multiple hacks, which began last year. The published report says there were six major break-ins in the past year, and that at least five servers containing sensitive data were exposed. FoxNews apparently obtained an internal e-mail message and memos from the World Bank in response to the attacks that illustrate the complicated series of events and the agency's response to them.

The revelation of breaches at the World Bank could not come at a worse time given the global financial crisis, but security experts say the hacks were coincidental and unlikely to be tied to the economic developments. The World Bank provides financial and technical assistance to developing countries, and includes 185 member nations on its board.

The World Bank also didn't respond to Dark Reading's request for an interview.

While the nature of this alleged breach is foggy, the public allegations to date include the charge that attackers had access to a wide swath of the World Bank's network for nearly a month; that a July attack may have begun from a compromised SYSTEM ADMINISTRATOR account; and that several Web servers were involved in the attack.

We'll have no idea how this potential attack occurred, and to what depths it reached, unless the World Bank comes out publicly and explains it, or the issue ends up in court. If the allegations that a sys admin's account was compromised and that the attackers had access to network traffic for nearly a month are accurate, the only safe assumption is that any systems that touch these areas of the network are at significant risk of having been breached.

It's also quite possible, if the Web servers were vulnerable, that this situation involved multiple attackers independently discovering and exploiting separate vulnerabilities.

The only takeaway we have so far is this: whether or not you believe that your organization will be attacked and that the press will learn of the attack, you'd better have a plan for how you're going to respond. The worst could happen -- and you don't want to be making decisions at that time in a state of panic.

That plan had better be devised by your risk and security managers, business leaders, legal teams, as well as communications staff. How you respond when the events (or various interpretations of them) go public will set the tone of the news story for a long time.

The people who will be reading those reports are your current customers, suppliers, employees, and business prospects. They all deserve to know and have confidence that no matter what happened, the situation is now under control.

As of the time I published this blog post, I was unable to locate any public statement from the World Bank on its Web site regarding these suspected incidents.
