
10/11/2008
08:32 PM
George V. Hulme
Commentary

World Bank (Allegedly) Hacked

It seems, based on a FoxNews.com report that broke Friday, that the World Bank Group suffered a series of cyberattacks during the past few months. The claims about the level of access gained by the attackers are troubling -- but the real extent of the breach remains in dispute, and unknown.

These days, it's tough for any bank to ask for trust from the public. But that's essentially what the poverty-fighting World Bank Group is asking of us right now. Trust us: We haven't put the money you've loaned us at risk. The risk this time doesn't involve overleveraged loans or the failure to mark collateralized loans to fair market value. Instead, the risk comes down to whether the World Bank took reasonable steps to secure its infrastructure, to what level it was breached, and whether it's now being straightforward in the (little) public disclosure the organization has provided so far.

Before we take a look at the FoxNews.com report, let's look at what the World Bank said after the news story went public:

"The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

"Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."

To FoxNews.com's credit, they claim to have reached out to World Bank officials before running with the story:

Requests for on-the-record interviews with Zoellick and other top officials were declined.

Perhaps it would have been a better idea for the World Bank to share what little it could without jeopardizing any current investigations before the story ran. At least it would have been proactive in its argument against the "falsehoods," "errors," "misinformation," and "leaked e-mails taken out of context." If it had done that, the story would have had a much different tone.

The bigger question on this point is why, and how, the e-mails were accidentally or purposefully leaked in the first place.

Here's how our Kelly Jackson Higgins summed up the breach from FoxNews.com's report:

According to the FoxNews.com report, World Bank employees have been ordered to change their passwords three times in the past three months in the wake of the attacks, which spanned somewhere between 18 and 40 of its servers in multiple hacks, which began last year. The published report says there were six major break-ins in the past year, and that at least five servers containing sensitive data were exposed. FoxNews apparently obtained an internal e-mail message and memos from the World Bank in response to the attacks that illustrate the complicated series of events and the agency's response to them.

The revelation of breaches at the World Bank could not come at a worse time given the global financial crisis, but security experts say the hacks were coincidental and unlikely to be tied to the economic developments. The World Bank provides financial and technical assistance to developing countries, and includes 185 member nations on its board.

The World Bank also didn't respond to Dark Reading's request for interview.

While the nature of this alleged breach is foggy, the public allegations to date include the charges that attackers had access to a wide swath of the World Bank's network for nearly a month; that a July attack may have begun from a compromised system administrator account; and that several Web servers were involved in the attack.

We'll have no idea how this potential attack occurred, and to what depths it reached, unless the World Bank comes out publicly and explains it, or the issue ends up in court. If the allegations that a sys admin's account was compromised and that the attackers had access to network traffic for nearly a month are accurate, the only safe assumption is that any systems that touch these areas of the network are at significant risk of having been breached.

It's also quite possible that, if the Web servers were vulnerable, this situation consists of multiple attackers exploiting vulnerabilities they each discovered independently.

The only takeaway we have so far is this: whether or not you believe that your organization will be attacked and that the press will learn of the attack, you'd better have a plan for how you're going to respond. The worst could happen -- and you don't want to be making decisions at that time in a state of panic.

That plan had better be devised by your risk and security managers, business leaders, and legal teams, as well as communications staff. How you respond when the events (or various interpretations of them) go public will set the tone of the news story for a long time.

The people who will be reading those reports are your current customers, suppliers, employees, and business prospects. They all deserve to know and have confidence that no matter what happened, the situation is now under control.

As of the time I published this blog post, I was unable to locate any public statement from the World Bank on its Web site regarding these suspected incidents.
