Accident waiting to happen

{{This article was originally posted on December 24, 2016. Lost and found, it is posted again. }}

The Central Bank of Bangladesh was broken into a while ago and over 81 million dollars was stolen. Though there were traces of an attempt to take over a billion dollars, a minor error on the part of the hackers led to the heist being uncovered and duly blocked. Two months on, the case has completely gone from our minds as we move on with our everyday lives, knowing that such disasters might never strike again.

When people built the Titanic they claimed it was unbreakable, yet it was broken on its maiden voyage. The feeling or sense of security may not, in actuality, be the realization of security, as was the case with the Central Bank of Bangladesh.

I had been following this case as much as I could due to my varied interest in communications and communications security. This case was interesting for me from the communications point of view, mainly in how the communications infrastructure was utilized for the heist.

Due to the sensitivity of the case, a lot of forensic analysis is being carried out around the world to try and figure out what happened, how it happened, and which weak links were exploited and how. Recently an article on Reuters about a forensic report (http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO) caught my eye. At first I just read through it as I would any other article on forensic analysis and accepted the findings, thinking it would happen to others too. Scrolling back up to the heading, some words stood out with prominence: cheap switches and no firewall. Then I read the article again, but this time trying to put Nepal and Nepali organizations in the places where the Central Bank of Bangladesh was mentioned.

Since I am an “IT” guy, during most of my visits to organizations I am shown either all or parts of their IT infrastructure. If I am doing work on system design or development then 100% of the time I am shown the entire IT infrastructure. In most cases I have seen cheap switches, of the kind we normally tend to use at home, being used even in very large organizations and even in financial institutions. I don’t know much about the firewalls as I am not a working computer security professional, but I see the hardware.

I remember a time when I was talking to a security professional and he told me that the Government of Nepal should not give licenses to people to use certain frequencies because security professionals and institutions used them. I disagreed with him on the grounds that at least one knows that these licensees could be using the frequency. What happens if a malicious user uses them without a license? These days a Software Defined Radio costs less than 20 dollars, is easily passable as a USB dongle and can be used to scan and read frequencies in the range from 100 MHz to 3.7 GHz. This means the device can scan the GSM bands and Wi-Fi bands besides the VHF and UHF bands that are most commonly used for all communications in Nepal. Wi-Fi scanners on mobiles can break into Wi-Fi networks within minutes if security features are not activated properly.

The advantages of IT far outweigh the disadvantages and threats from it. So avoiding IT is not a solution; being prudent and living up to the challenges is a better way ahead. Understanding that the weakest link controls the strongest of security is crucial here and should be given priority. The usual notion that “it has worked and will continue to work” should not be accepted. Openly available statistics on security breaches in Nepal, at http://bhutabe.blogspot.com/2015/04/nepal-web-security-status.html, look pretty dismal.

This brings me back to the Reuters article and the usage of cheap switches and lack of a firewall. I feel we can agree that most organizations do use cheap switches. Also that most organizations do not run any firewalls. Also most organizations run software where quality is compromised for cost.
This I call the “Cheap Chinese” syndrome.

Since our markets have been flooded with low quality Chinese products (disclaimer: I am not saying all Chinese products are low quality) at extremely reduced prices we have flocked onto them for all of our needs,

The biggest problem in Nepal is that most human resources in organizations do not really have sufficient knowledge regarding the usage of IT. Therefore the hardware and software are chosen for price rather than quality. Most organizations lack policies or practices that help them make better use of the boon of IT and communications technology. Most organizations do not have or do not commit enough budget to enhance their IT infrastructure.

All this helps me frame a dire question in my mind: are we on the path to become the next big victim?
