Risk
10/11/2008
08:32 PM
George V. Hulme
Commentary

World Bank (Allegedly) Hacked

It seems, based on a FoxNews.com report that broke Friday, that the World Bank Group suffered a series of cyberattacks during the past few months. The claims about the level of access gained by the attackers are troubling -- but the real extent of the breach remains in dispute, and unknown.

These days, it's tough for any bank to ask for trust from the public. But that's essentially what the poverty-fighting World Bank Group is asking us right now. Trust us: We haven't put the money you've loaned us at risk. The risk this time doesn't involve overleveraged loans or the failure to mark collateralized loans to fair market value. Instead, the risk comes from whether the World Bank took reasonable steps to secure its infrastructure, to what level it was breached, and whether it's now being straightforward in the (little) public disclosure the organization has provided so far.

Before we take a look at the FoxNews.com report, let's look at what the World Bank said after the news story went public:

"The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

"Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."

To FoxNews.com's credit, they claim to have reached out to World Bank officials before running with the story:

Requests for on-the-record interviews with Zoellick and other top officials were declined.

Perhaps it would have been a better idea for the World Bank to share what little it could, without jeopardizing any current investigations, before the story ran. At least it would have been proactive in its argument against the "falsehoods," "errors," "misinformation," and "leaked e-mails taken out of context." If it had done that, the story would have had a much different tone.

The bigger question on this point is why, and how, the e-mails were accidentally or purposefully leaked in the first place.

Here's how our Kelly Jackson Higgins summed up the breach from FoxNews.com's report:

According to the FoxNews.com report, World Bank employees have been ordered to change their passwords three times in the past three months in the wake of the attacks, which spanned somewhere between 18 and 40 of its servers in multiple hacks, which began last year. The published report says there were six major break-ins in the past year, and that at least five servers containing sensitive data were exposed. FoxNews apparently obtained an internal e-mail message and memos from the World Bank in response to the attacks that illustrate the complicated series of events and the agency's response to them.

The revelation of breaches at the World Bank could not come at a worse time given the global financial crisis, but security experts say the hacks were coincidental and unlikely to be tied to the economic developments. The World Bank provides financial and technical assistance to developing countries, and includes 185 member nations on its board.

The World Bank also didn't respond to Dark Reading's request for interview.

While the nature of this alleged breach is foggy, the public allegations to date include the charge that attackers had access to a wide swath of the World Bank's network for nearly a month; that a July attack may have begun from a compromised system administrator account; and that several Web servers were involved in the attack.

We'll have no idea how this potential attack occurred, and to what depths it reached, unless the World Bank comes out publicly and explains it, or the issue ends up in court. If the allegations that a sys admin's account was compromised and that the attackers had access to network traffic for nearly a month are accurate, the only safe assumption is that any systems that touch these areas of the network are at significant risk of having been breached.

It's also quite possible that, if the Web servers were vulnerable, this situation consists of multiple attackers exploiting vulnerabilities they each discovered independently.

The only takeaway we have so far is this: whether or not you believe that your organization will be attacked and that the press will learn of the attack, you'd better have a plan for how you're going to respond. The worst could happen -- and you don't want to be making decisions at that time in a state of panic.

That plan had better be devised by your risk and security managers, business leaders, legal teams, as well as communications staff. How you respond when the events (or various interpretations of them) go public will set the tone of the news story for a long time.

The people who will be reading those reports are your current customers, suppliers, employees, and business prospects. They all deserve to know and have confidence that no matter what happened, the situation is now under control.

As of the time I published this blog post, I was unable to locate any public statement from the World Bank on its Web site regarding these suspected incidents.
