Archive for November 14th, 2008
World Bank Hacked
Earlier this year, the World Bank suffered a server security breach in which hackers were able to compromise critical servers.
In what Fox News characterized as an “unprecedented crisis”, one of the largest repositories of sensitive data about the economies of every nation had been raided repeatedly for more than a year.
It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.
In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.
In a frantic midnight e-mail to colleagues, the bank’s senior technology manager referred to the situation as an “unprecedented crisis.” In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.
The crisis comes at an awkward moment for World Bank president Robert Zoellick, who runs the world’s largest and most influential anti-poverty agency, which doles out $25 billion a year, and whose board represents 185 member nations. This weekend, the bank holds its annual series of meetings in Washington — and just in advance of those sessions, Zoellick called for a radical revamping of multilateral organizations in light of the global economic meltdown.
The bank’s chief information officer, Guy De Poerck, has engaged Price Waterhouse Coopers to do a confidential million-dollar assessment that is expected to tell him what’s going on in his own department.
What is very peculiar about this story is that no other news agency has reported the event and that Fox News was able to acquire internal e-mails and memos regarding the attack.
Jack Conde, Senior Enterprise Risk Management Officer at the World Bank, shared the extent of the breach with executives in a memo on July 10. According to the memo, at least 17 servers were breached and were slowly being taken offline to perform forensics.
The memo goes on to say what steps they will take in the future to prevent information leaving the network, like implementing an outgoing firewall rule preventing communications being initiated from within the network.
A major effort is underway to implement a firewall rule that will bar all outbound traffic from server networks to the internet with exceptions made for servers with a legitimate reason to make such connections. To this end, ISG staff is creating a daily report of traffic which will be vetted by ISG service managers and OIS to insure that all exceptions are explained and justified. The rule will be implemented on Friday. This effort will curtail any data lost from production servers in the future.
This is a normal reaction to a breach, where measures that should have been in place were not, but any such action should always be considered carefully to determine whether it will actually prevent data loss or merely provide a false sense of security.
In the age of spyware, malware, keyloggers and Hamachi, the biggest threat to corporate data comes from within.
What would be achieved by a firewall rule restricting Internet access from the server networks? Absolutely nothing when the servers have access to every PC on the internal network and those PCs, in turn, have inherent access to the Internet: the data can leave by way of a workstation rather than directly from the server.
This particular situation, where the attacker was able to compromise in excess of 17 servers and go undetected for so long, can only lead to two conclusions: either the security guys are clueless or the attacker or attackers knew what they were doing.
In plainspeak: “They had access to everything,” says the source. “They had the keys to every room at the bank. And we can’t say whether they still do or don’t until we fully and openly address what’s happening here.”
Now this is not a small business, a law firm, or a retail chain. This is the World Bank, so I am inclined to believe that the keepers of the data are professionals, and consequently it would be wise to assume that the attacker is not stupid.
Having access to the compromised servers and knowing that sooner or later someone was going to discover the breach, it would not be far-fetched for the attacker to create false accounts, with personnel records to back them up, in the SAP (ERP), HR and SecurID systems of this 10,000-plus employee organization.
This would give the attacker the capability to restore access once the breach was discovered and the containment plan triggered. Additionally, the attacker had gained system administrator access throughout the corporation, with the potential of creating backdoors into virtually any desktop computer on the network.
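One containment check that follows from this reasoning is to reconcile every account across the directory and HR systems against the intrusion window, rather than trusting that an account with a matching personnel record is genuine. The following is an added example (not the bank's process and not code from this post): it assumes CSV exports from a directory service and an HR system, an intrusion window taken from the post's own timeline, and a set of privileged group names; every record, user, group and date in it is constructed.

```python
"""Post-breach account reconciliation across directory and HR exports.

Added example; it is not the bank's process or code from this post. It assumes
CSV exports from the directory and the HR system, an intrusion window taken from
the post's timeline, and a set of privileged group names; every record, name,
group and date below is constructed for the example.
"""
import csv
import io
from datetime import date

# Assumed intrusion window (April through the 10 July memo in the post).
BREACH_WINDOW = (date(2008, 4, 1), date(2008, 7, 10))
# Constructed names of groups that grant administrative reach.
PRIVILEGED_GROUPS = {"Domain Admins", "SAP_BASIS", "SecurID_Admins"}

# Constructed directory export: svc_backup appeared during the window with no
# HR record; mwhite appeared during the window with an HR record that was
# created in the same period (the "false personnel record" case).
DIRECTORY_CSV = """\
username,created,groups,last_logon
jdoe,2006-03-14,Staff,2008-07-09
svc_backup,2008-05-02,Domain Admins,2008-07-08
mwhite,2008-06-20,Staff;SAP_BASIS,2008-07-09
akhan,2007-11-01,Staff,2008-07-01
"""

# Constructed HR export.
HR_CSV = """\
username,employee_id,hired,record_created
jdoe,100231,2006-03-10,2006-03-10
mwhite,100987,2008-06-16,2008-06-18
akhan,100455,2007-10-28,2007-10-28
"""


def _in_window(day, window):
    start, end = window
    return start <= day <= end


def flag_accounts(directory_csv, hr_csv, window=BREACH_WINDOW):
    """Return {username: [reasons]} for accounts needing out-of-band verification.

    An account is listed if it was created inside the window, sits in a
    privileged group, has no HR record, or is backed by an HR record that
    itself appeared inside the window. Privileged accounts are always listed
    because the attacker held administrator access.
    """
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    flagged = {}
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        reasons = []
        if _in_window(date.fromisoformat(acct["created"]), window):
            reasons.append("account created in intrusion window")
        for group in sorted(set(acct["groups"].split(";")) & PRIVILEGED_GROUPS):
            reasons.append(f"privileged group: {group}")
        record = hr.get(acct["username"])
        if record is None:
            reasons.append("no HR record")
        elif _in_window(date.fromisoformat(record["record_created"]), window):
            reasons.append("HR record created in intrusion window")
        if reasons:
            flagged[acct["username"]] = reasons
    return flagged


def verification_list(directory_csv, hr_csv, window=BREACH_WINDOW):
    """Plain-text worklist, one account per line, for manager verification."""
    flagged = flag_accounts(directory_csv, hr_csv, window)
    return "\n".join(f"{user}: {'; '.join(reasons)}"
                     for user, reasons in sorted(flagged.items()))


if __name__ == "__main__":
    print(verification_list(DIRECTORY_CSV, HR_CSV))
```

The worklist is meant to be confirmed by a person outside the systems being reconciled (a manager, by phone), since an attacker with administrator access could have forged both sides of the comparison; the cross-system timing check is what makes a forged HR record stand out rather than pass.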
After FOX News published its story, a World Bank spokesman issued the following statement:
“The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.
“Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank’s Treasury, procurement, anti-corruption or human resources departments.”
In the security field, you have to be paranoid and level-headed, especially if you are working in an outfit like this.
Hey World Bank… if you need a hand, drop me a line.
Asterisk Success Story
Just had to pass on what transpired today. I started a Tech Support call to Microsoft Partner Support at 9:05 this morning. The call was initially answered in Redmond by the Partner Group. It was then transferred (via IP) to India for First Level Support – this lasted for two hours, when it was kicked up to another level in tech support, and transferred (Again, via IP) to Montreal, CA. After another half hour, I had to attend a meeting, so the call was transferred (in house) to one of my Techs. He stayed on the line for another 1.5 hours, and then transferred the call back to me.
So at this point, I have had a live call that has been bounced over two continents, and in house over three extensions – this is at the 4-Hour point in the call.
The tech from M$FT then says that he needs a disk placed in the server – I place him on hold and call my contact, who is not there, so I transfer the call to my cell phone, and jump in the car and drive 15 minutes to the customer site. Stick the disk in, and resume troubleshooting on site and on the cell, which has the call bridged through our Trixbox and out to my cell phone.
Two hours and 48 minutes later, and the M$FT guy is still not done, and my cell phone is going dead. Remote over to my desk at the office, call one of the people at my office and tell them I am giving them the call back, and to transfer it to a desk phone back where I am. I then bring up Flash Operator Panel, and put the call on his desk.
He then does a screened transfer to me, hits the receptionist at the school I am working at, asks for the server room, and when the phone rings and I answer, releases the call back to me!!!
Now, I am back talking to the M$FT guy, with no interruption WHATSOEVER and the call goes on for another 2 hours and 20 minutes!!!! He finally finishes what he was doing, and I sat back and looked at the statistics for the call:
9 Hours, 10 Minutes and 56 Seconds (I looked in the Log)
Three Locations and Two Continents (On the M$FT side)
Three internal Transfers, Two Offsite Transfers, and one Flash Operator Panel Call retrieval from an offsite location!!!!!! And at no point did the call quality suffer – and all of this on a standard production Trixbox system!
Name me a system you could have done this on this easily!!!!
Source: Trixbox Forums (GSnover)
Trixbox 2.6 and Sangoma Hardware
Trixbox (formerly Asterisk At Home – A@H) has definitely come a long way since its beginnings in November 2004, and since I started playing around with Asterisk two months earlier. The convenience of being able to download an ISO and have a functional PBX in less than an hour was and is amazing.
An excellent resource is Ward Mundy’s blog Nerd Vittles, which I have also followed since early 2005 and which has worked on some very cool and interesting projects augmenting Asterisk functionality. Most recently, in November 2007, they released PBX In A Flash (PIAF) and have also announced an under-$500 appliance with PIAF running on it.
What is Asterisk?
Asterisk is a software implementation of a telephone private branch exchange (PBX) originally created in 1999 by Mark Spencer of Digium. Like any PBX, it allows attached telephones to make calls to one another, and to connect to other telephone services including the public switched telephone network (PSTN) and Voice over Internet Protocol (VoIP) services. Its name comes from the asterisk symbol, “*”.
What is Trixbox?
Trixbox is a turnkey business-class PBX voice communication system based on the Open Source Asterisk project. It’s no longer necessary to pay thousands and thousands of dollars for a proprietary phone system. By simply downloading software and installing it on a low-end system you can have a powerful, open, and robust PBX system. From small systems with only a couple of analog phone lines and extensions to large installs with multiple T1/E1 connections and hundreds of extensions, you can easily use Trixbox to meet your telephony needs.
I believe Trixbox to be the most complete distribution of Asterisk out there, although many of its features might not be used in many cases. On the other side I have heard complaints on the lack of collaboration in adding new features and fixing bugs by the guys at Fonality, which makes it less open as it were.
Parts List:
- Trixbox CE 2.6.1.13 (Stable) ISO – 474,263,552 bytes – Released 10/02/08 – MD5: 0424baa0dd061e313062441083672427 – listed as the current development release, downloaded from SourceForge
- Dell GX-150 with 512MB RAM and an 80GB hard drive
- Sangoma A200 card with 4 FXO ports
Todo List:
- Upgrade the RAM to 512MB and the hard drive to 80GB
- Install the Sangoma PCI A200 card
- Insert the CD into the CD drive and boot from it
- Go through the wizard and install Trixbox
- Log in to the computer, update CentOS, and download and install the Sangoma drivers:
  - yum update
  - yum upgrade
  - cd /opt
  - wget ftp://ftp.sangoma.com/linux/RPMS/2.6.1.13/wanpipe-util-3.2.7.1-0.i686.rpm
  - wget ftp://ftp.sangoma.com/linux/RPMS/2.6.1.13/wanpipe-modules-2.6.18-53.1.4.el5-3.2.7.1-0.i686.rpm
  - wanrouter hwprobe
  - wanrouter hwprobe verbose
  - setup-sangoma
- When asked which codec will be used, select MULAW – North America
- When configuration of the analog card completes, select 1 to continue
- When configuration of Zaptel and Wanpipe completes, select 1 to save and restart the daemons
- When asked to start wanrouter at boot time, select 1 for yes
- ztcfg -vv (displays the analog card installed and its modules)
- Install the DynDNS client:
  - Install DAG’s GPG key: rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
  - Verify the package you have downloaded: rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm
  - yum install ddclient
- Create a DynDNS account
- Configure ddclient (add the following to the end of /etc/ddclient/ddclient.conf):
  use=web, web=checkip.dyndns.com/, web-skip='IP Address'
  server=members.dyndns.org, \
  protocol=dyndns2, \
  login=your-login, \
  password=your-password \
  pbx.dnsalias.com
Trixbox links to several good quick install guides and a comprehensive list of documentation on its site.