How to foil a bank heist

Newspapers have reported that a “zero-day” vulnerability was used to accomplish the hacking of Bangladesh Bank, which has so far cost the country about $100 million — a colossal amount. This news has surely both outraged and confused the public, most of whom have no idea what a zero-day exploit is.

Quite simply, all complex software (like operating systems and web browsers) inevitably have bugs/defects.

This is because they were written by programmers who are generally concerned with writing software that works, not software that is perfectly bug-free.

Achieving the latter is generally impossible given real-world constraints of time and budget.

This reality of software engineering means that any complex software will sometimes be found to have a security vulnerability, is a bug that can be exploited by malicious software called malware or spyware to either damage or steal valuable data from a computer.

The latter is what seems to have happened at Bangladesh Bank. The question is: What can be done to prevent this?

The likelihood of having a zero-day vulnerability and of it being exploited by hackers is much greater if one is using computers that are using pirated or discontinued operating systems such as Windows XP, for which Microsoft stopped issuing security updates last year.

Essentially, Windows security updates ensure that some zero-day vulnerabilities are fixed as the Microsoft programming team become aware of them and are able to fix them. As a result of Microsoft security updates for Windows XP being discontinued, there is no way for anyone running Windows XP to secure their computer.

So the first thing that organisations such as Bangladesh Bank should do is to eliminate any remaining copies of Windows XP; the same applies to pirated copies of any version of Windows.

Every PC should run an operating system which is supported with security updates, and IT departments should ensure that the latest security updates are applied regularly.

The question is whether or not Bangladesh Bank IT staff did this properly.

The free/open-source Linux operating system also has a system of security updates. This presents the possibility of migrating organisations like Bangladesh Bank to Linux instead of Windows. In fact, migrating from Windows to Linux is a valid strategy to help prevent malware.

The majority of malware is written to exploit Windows rather than Linux, for the simple reason that there are far more PCs running Windows and it yields a larger number of target users/organisations.

As the Linux user base expands, there may well be more malware created to target Linux.

However, a critical point is that IT personnel familiar with Linux are usually accustomed to securing web servers (which usually run Linux, and are exposed to the Internet) from hackers.

This experience normally teaches them the details of security issues such as firewalls and VPN (virtual private vetworks) which are essential when it comes to securing IT networks from hackers.

Training government IT staff in Linux network administration and Internet security would yield obvious benefits. It would also open up the possibility of migrating government departments to Linux to increase security and save money.

Many government organisations around the world use Linux exclusively. For example, the French national police has migrated 65,000 computers to Linux, with savings of tens of millions of dollars per year. The most popular version of Linux for desktop use is Ubuntu Linux (www.ubuntu.com) which is free to download for anyone, including governments.

However, governments can also buy a support contract from Canonical Software UK, which is the company that produces Ubuntu Linux.

The Chinese government currently uses a version of Ubuntu Linux customised for its needs called Ubuntu Kylin, for use on government computers.

The Bangladesh government should also consider migrating to Linux in order to improve IT security and help prevent any further attempts at hacking.

Another point to consider is that IT departments staffed with competent people and proper security monitoring facilities are fundamental to the IT security of any organisation, an essential IT job in critical environments like Bangladesh Bank (and for that matter, any bank or government department) is network/security monitoring.

It is standard practice to have an IT Security Operations Centre (SOC) in any such setting where all network traffic, in and out, is monitored 24 hours a day, 365 days a year.

The Bangladesh Bank hacking occurred on a long weekend — apparently there is no properly manned and managed SOC there, or the weekend wouldn’t make any difference.

Critical IT networks have to be secured all the time, not just weekdays. Any lacking in this department needs to be resolved quickly by Bangladesh Bank.

The working of the SOC has to be subjected to frequent audits by outside experts to provide maximum chance to improve security and prevent hacking.

The question should be asked: How many other banks and government departments are lacking a functioning SOC and regular IT security audits?

Are they all just sitting ducks waiting to be hacked? These issues need to be taken seriously and resolved now, or there will likely be more hacking in the future.