Thursday 12 May 2016

Put Your Hacking Skills To The Test With Facebook’s Open-Sourced Capture The Flag Platform


Those just starting out in the cybersecurity field can now test their hacking skills in a safe and secure environment.
Today, Facebook announced that it is open-sourcing its Capture the Flag (CTF) platform on GitHub to encourage students and developers to learn more about online security and bugs, according to Venture Beat.
Capture the Flag competitions are used at hacker conventions such as Def Con, highlighting attacks and vulnerabilities in computer security.
Gulshan Singh, a software engineer on Facebook's threat infrastructure team, competed in CTFs during his days at the University of Michigan, and successfully found a job in his chosen field.
"It exposed me to a fun and practical side of security that I didn't get in class," he said in a company blog post. "I learned about RSA encryption in my computer science courses, but CTFs taught me how to break it when it wasn't properly implemented, which happens all the time in the real world. It's a lot of fun to learn this offensive side of security, but at the same time learning about these flaws makes you a better defender, as well."
This is not the first time Facebook has open-sourced its in-house programs. The company has more than 200 projects on GitHub, and in 2015, it open-sourced Infer, a code-verification tool that eliminates bugs found in mobile apps. It continues to open-source a number of other tools, such as Transform, a piece of software used to stream users' 360-degree virtual reality videos.
"Anybody will be able to run their own CTF competition — schools, universities, conferences," Javier Marcos, a Facebook security engineer who developed the first version of the software as part of a project in 2013, told Fortune.
He said the company has all the requirements for the different events and institutions to hold their own competitions, including a digital game map, registration page and a scoreboard.
CTFs offer a legally safe way to take on some hacking challenges.
"The current set of challenges include problems in reverse-engineering, forensics, Web application security, cryptography, and binary exploitation," Singh said. "You can also build your own challenges to use with the Facebook platform for a customized competition."
See more at: http://www.techtimes.com/articles/157648/20160511/put-hacking-skills-test-facebook-open-sourced-capture-flag.htm

Facebook open-sources Capture the Flag competition platform to teach developers about cybersecurity


Facebook has today announced that it’s open-sourcing its Capture the Flag (CTF) platform to encourage students and developers to learn about online security and bugs.
Capture the Flag competitions are used in the computer security realm, including at hacker convention Def Con, to highlight attacks and exploits often found in the real world. They are effective ways of teaching amateurs and professionals about common or unfamiliar exploitation techniques.
Facebook itself has run CTF competitions for a number of years and has used its CTF platform at events across the world. Now, the social network giant is opening its in-house platform to the masses by releasing it on GitHub.
Gulshan Singh, a software engineer on Facebook’s threat infrastructure team, said that one of the reasons he was successful in gaining employment in his chosen field was due to his experience competing in CTFs at the University of Michigan. It “exposed me to a fun and practical side of security that I didn’t get in class,” he explained. “I learned about RSA encryption in my computer science courses, but CTFs taught me how to break it when it wasn’t properly implemented, which happens all the time in the real world. It’s a lot of fun to learn this offensive side of security, but at the same time learning about these flaws makes you a better defender, as well.”
Facebook is no stranger to open-sourcing its in-house programs and has more than 200 projects on GitHub alone. Last year it open-sourced Infer, a code-verification tool that squishes bugs in mobile apps. And in 2016, it has continued this trend by open-sourcing a number of additional tools.
So why, exactly, does Facebook choose to make some of its technology available to everyone?
Last year, the company’s head of open source, James Pearce, explained why it seeks to align itself with the developer community through open-sourcing, and it boils down to three things. The first is ideology — Facebook was built by Mark Zuckerberg using open-source tools. Second is innovation — it can help achieve scale much faster when many minds are working on the same problems. And finally, it’s good for business — Facebook can “build better software, write better code, our engineers are able to work with more pride, and we’re able to retain the world’s best engineers because they know they can open-source their work,” said Pearce.
Facebook has another reason for open-sourcing CTF: The cybersecurity industry will reportedly be short by 1.5 million people by 2020, so it’s in the company’s interests to encourage science and technology students to follow a path into this field. By making CTF open-source, anyone from schools to universities to companies can host their own competitions and conferences to help teach computer science and aspects of security, including forensics, reverse-engineering, and cryptography.
“Although news reports about security bugs are now commonplace, it’s not always obvious how people find these flaws and how you can develop the skills needed to find and protect against malicious exploits,” added Singh. “CTFs provide a safe and legal way to try your hand at hacking challenges.”

Tuesday 10 May 2016

Latest Android Hacking Apps 2016





#1 Hackode

Download Link - Hackode
Hackode: The Hacker’s Toolbox is an application for penetration testers, ethical hackers, IT administrators and cyber security professionals to perform different tasks like reconnaissance, scanning, performing exploits etc.

#2 Androrat

Download Link - Androrat
Remote Administration Tool for Android. Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.

#3 APKInspector
Download Link - APKInspector
APKinspector is a powerful GUI tool for analysts to analyse Android applications. The goal of this project is to aid analysts and reverse engineers in visualizing compiled Android packages and their corresponding DEX code.

#4 DroidBox

Download DroidBox
DroidBox is developed to offer dynamic analysis of Android applications.


#5 Burp Suite

Download Burp Suite
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
#6 ZanTi

Download Zanti
zANTI is a comprehensive network diagnostics toolkit that enables complex audits and penetration tests at the push of a button. It provides cloud-based reporting that walks you through simple guidelines to ensure network safety.

#7 Droid Sheep

Download Droid Sheep
DroidSheep can be easily used by anybody who has an Android device, and only the provider of the web service can protect the users. So anybody can test the security of his account by himself and can decide whether to keep on using the web service.

#8 dSploit

Download dSploit
dSploit is an Android network analysis and penetration suite which aims to offer to IT security experts/geeks the most complete and advanced professional toolkit to perform network security assessments on a mobile device.

#9 Arpspoof

Arpspoof is a tool for network auditing originally written by Dug Song as a part of his dsniff package. This app redirects traffic on the local network by forging ARP replies and sending them to either a specific target or all the hosts on the local network paths.

#10 Shark for Root

Traffic sniffer, works on 3G and WiFi (works on FroYo tethered mode too). To open dump use WireShark or similar software, for preview dump on phone use Shark Reader. Based on tcpdump.
#11 Nmap for Android

Nmap (network mapper) is one of the best network scanner (port finder) tools. Nmap was mainly developed for Unix OS, but it is now available on Windows and Android as well. Nmap for Android is an Nmap app for your phone! Once your scan finishes you can e-mail the results. This application is not an official app, but it looks good.

So above is all about Latest Android Hacking Apps 2016

Saturday 7 May 2016

Railway ministry denies IRCTC hacking

IRCTC has a combined user base of 10 million and around 500,000 tickets are sold on its portal every day

IRCTC's PRO says website not hacked, probe on

The railway ministry on Thursday sought to allay users' concerns about reports of alleged hacking of the Indian Railway Catering and Tourism Corporation (IRCTC) website.

“There has been no hacking of the website. No such incident has been detected by the technical teams of the Centre for Railway Information Systems (CRIS) and IRCTC. Technical investigations have also not indicated any unusual activity with respect to various (e-ticketing) system components,” the ministry said.

It said the preliminary report of a six-member committee set up to look into the matter has not found any indication of a breach of security in any of the databases of the e-ticketing system. The ministry promised to carry out further checks once the “purported leaked data” are made available, even as the committee continues its investigations.

However, the ministry said “no Denial of Service (DoS) or DDoS attack has been successful”, fuelling suspicion whether a DDoS attack did occur on the IRCTC website on Tuesday. A DDoS attack is said to have occurred when hackers sitting at multiple locations or operating from multiple servers or identities launch a simultaneous and coordinated attack on a particular website or machine to bring it down.

“The main motive of a DDoS attack is to make the chosen machine or website unresponsive through multiple bad requests,” a software engineer who did not wish to be identified explained. “This is different from a DoS attack, where it is launched by a hacker from a single location or server,” he added.

The official statement also said the gaps reported by Standardisation Testing Quality Certification Directorate (STQC), an arm of the Department of Electronics and Information Technology, in their penetration testing have been addressed, implying the presence of such gaps. IT security of the e-ticketing system is ensured through security audits conducted by STQC.

“Audit trails are maintained for access to the system and all sensitive data like passwords are stored in encrypted form. In addition, round-the-clock monitoring is done by a team of experts. Strict physical checks are already in place in the Data Centre, including restricted access and CCTV cameras,” the rail ministry said.

Indian Railways’ e-ticketing system stores two kinds of data, sensitive information including credit card details, login id and passwords which can cause financial risk in case of leakage, and other data such as mobile numbers and email ids. The ministry said no sensitive data have been leaked and other data sets (mobile number, email ids) are available with multiple electronic service providers, including e-commerce firms and telemarketers. So far, leaks through service providers of IRCTC have not been established.

Experts said the government’s efforts at containing cyber attacks are wanting. “The kind of proactive focus the government needs to focus on cyber security breaches is not there. Denial of hacking is not a solution. IRCTC needs to investigate what sort of due-diligence was done to prevent such an attack. The country is sorely missing a dedicated cyber security legislation,” said Pavan Duggal, an advocate who specialises in Cyberlaw and E-Commerce law.

The latest case began with the Inspector General (IG) of Maharashtra’s Cyber Cell informing the chief commercial manager (CCM)-Western Railways on Tuesday that large volumes of data belonging to users may have been compromised. The CCM, in turn, informed the Railway Board, which called an emergency meeting and decided to form the high-level committee.

IRCTC has a combined user base of 10 million and around 500,000 tickets are sold on its portal every day. The railways’ e-ticketing arm has now requested the IG-Cyber Cell, Maharashtra, to share the data sets or complaints that have triggered the investigation to ascertain the source of the hack. IRCTC Managing Director A K Manocha, who attended Tuesday’s emergency meeting, has written to Delhi Police’s Cyber Cell to look into the matter.

IRCTC website hacked: Personal information like PAN Card & mobile numbers of 1 crore customers feared LEAKED!


Mumbai, May 5: The website of the Indian Railways Catering and Tourism Corporation (IRCTC) was hacked and the personal information of around 1 crore users is feared to be leaked, said reports on Thursday. The official website of the Indian Railways, IRCTC is the biggest travel e-commerce website in India and lakhs of transactions are conducted by the site every day. With the reported leak, safety and security questions about the customers’ personal information like PAN card numbers and other details have arisen.
The hacking occurred late on Tuesday night and the site has now been brought under control. But the fears of personal information of thousands of customers being misused still remain. A high-level meeting took place in Delhi regarding the hacking. Senior IRCTC officials discussed what measures could be taken to ascertain how far the hackers had gone. Speaking to Mumbai Mirror, AK Manocha, Managing Director of IRCTC, revealed that so far, there has been no complaint from any customer, but Delhi police’s cyber cell has been informed.
Customers have to fill in important information for online reservations and when stolen, the same can be used by miscreants to create forged documents. “The data is a valuable asset and can be sold to corporations who may use it for targeting potential consumers,” an IRCTC source was quoted as saying by TOI. Personal data of the users like email ids and mobile numbers, which are also filled in while making online bookings, can be used by telemarketers for promoting their respective products or services and spamming the customers with unwanted messages.
However, sources said that it was unlikely that bank details or credit card details were leaked from the website, since the payment gateway takes the customer out of the website during the online payment. Once the user is directed to the bank site, there is less chance of information getting leaked as these sites have better security. The hacking occurred even after the Railways reportedly spent Rs. 100 crores last year on upgrading the website.

Friday 6 May 2016

Anonymous Launches Month-Long Hacking Campaign Against Banks

It started with the Bank of Greece.

The hacking collective Anonymous has already launched one successful campaign against banks and has more planned.
Members of the secretive collective on Tuesday successfully hacked the Bank of Greece, an unidentified official at the bank told Reuters. According to the official, the hackers were able to take down the Bank of Greece website, but it only “lasted for a few minutes.” The bank’s security systems prevented any data leaks, the official told Reuters.
Still, it was an ominous threat that could have an impact on banks across the world. Indeed, an apparent Anonymous member said in a video posted to YouTube that members of the hacking collective have decided to attack “central bank sites across the world.” While the video didn’t say which bank websites would be attacked, it was noted that the campaign would last 30 days.
Anonymous is one of the most well-known hacking collectives in the world. The collective has no structured organization and members participate in different operations whenever they like. The group has targeted a wide range of organizations, companies, and individuals over the years, including Presidential candidate Donald Trump, Wall Street, and others.
In the YouTube video, Anonymous said that its attack on banks is an extension of Operation Icarus, a campaign the collective previously launched against Wall Street. It’s now bringing it back over the next month.
While the video failed to explain exactly why Anonymous members are deciding to attack central banks around the world, the group said that there is a “global banking cartel” that is capitalizing on the hard work of others.
“This is a call to arms, brothers, who for too long have stood for nothing but have criticized everything,” Anonymous says in the video. “Stand now, behind the banner of free men against the tyrannical matrix of institutions that oppose us. Take your weapons and aim them at the Global Banking Cartel. This is the operation to end all others. In the beginning some people may stand to lose something from this, but the powers that be stand to lose much more. Bring the rain, brothers!”
The video ends with an ominous threat: “Global Banking Cartel, you’ve probably expected us.”
It’s unknown whether Anonymous members have targeted other banks around the world or which organizations could be targeted. It’s also unknown how many members will participate in the campaign. But banks around the world might want to ensure they’ve fortified their defenses.
source "anonymous hacker's news"

10-year-old who got $10,000 for hacking Instagram reveals his other feats

What were you doing when you were just 10 years old? Were you able to find any software bugs and win a boatload of cash for it? I sure wasn’t, but a Finnish boy named Jani recently told Facebook about an Instagram bug that would let anyone delete comments inside the app. The social network rewarded him with $10,000 for his discovery.
It turns out that Jani is not only good with computers already, but he has a great sense of humor.
The young computer wiz recently sent a hilarious letter to Mashable in which he details his other amazing hacks and accomplishments which are yet to net him payouts similar to what Facebook bestowed upon him.
Here’s the full letter, as originally published:
Hello good adults of the Internet, it is I, Jani, the boy genius who understands computers more than you. I would like to thank Facebook for the $10,000. I will be investing all of it in my Dave & Busters Power Card so my birthday party is better than Billy’s birthday party.
But, I assure you, I am not writing this note merely to express my gratitude. I have discovered several other flaws in the tech I use every day, and I would like to make the world aware of them now. Please pay me $10,000 for each of these.
1. There is a flaw in the Playstation network that allows my mom to turn off the game when it is late
2. Despite Ms. Snyder’s best efforts, I have once again gotten AddictingGames.net up on the school library computers
3. There is a fatal flaw in Madden 2016 that does not allow me to create 10-year-old players who defy the odds and win the Offensive Rookie of the Year award
4. There is a vulnerability in Facebook that makes all of the girls I like not like my statuses
5. Whenever my parents tell me to go to my room and play on my iPad they start fighting — I believe signals from the iPad are causing this
6. There is a massive vulnerability in Youtube that is causing my Minecraft gameplay videos to not receive the millions of views they deserve
7. The laser tag place by my house has a flaw in their receptors that allows my older brother Ricky to beat me easily no matter how hard I try
8. After several visits with my family, I have discovered and reported a grievous error in the crossword puzzle located on the Buffalo Wild Wings Kid’s Menu
9. I have found a vulnerability in my Little League team’s Squarespace page that allowed me to change my batting average to well over .900 for the season
Also, I hacked President Obama’s phone but it’s just a bunch of boring emails and “launch codes” and nothing about the next Avengers movie so who even cares.
Thank you for your time,

Sunday 1 May 2016

Top ten operating systems for ethical hackers and security researchers



A comprehensive list of most popular operating systems among hackers all around the world.

Back in August, we had posted a list of top ten hacker tools. Now we have advanced it one step further to bring you the best operating systems for hackers.

This time it is about operating systems, which have almost every necessary tool provided within. But before we dive deep, it would be great to know why a machine with a hacking-oriented OS installed on it is way better than a machine running a casual OS with some platform-based hacking tools. It is because a dedicated machine has the benefits of hardware utilisation, anonymity (a major issue of interest), and software efficiency.
Here is the list of the top ten. Note that these are based on the Linux kernel and hence are free and open source:

1- Kali Linux:

Kali Linux is an advanced penetration testing tool that should be a part of every security professional’s toolbox. Penetration testing involves using a variety of tools and techniques to test the limits of security policies and procedures. What Kali has done is collect just about everything you’ll need in a single CD. It includes more than 300 different tools, all of which are open source and available on GitHub. You can get it here.

2-BackBox:

Backbox is a linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments. BackBox is a lightweight OS and requires less hardware capacity. The power of this distribution is given by its Launchpad repository core constantly updated to the last stable version of the most known and used ethical hacking tools. The integration and development of new tools inside the distribution follows the commencement of open source community and particularly the Debian Free Software Guidelines criteria.

3-Parrot Security OS:

Parrot Security is an operating system based on Debian GNU/Linux mixed with Frozenbox OS and Kali Linux in order to provide the best penetration and security testing experience. It is an operating system for IT security and penetration testing developed by the Frozenbox Dev Team. It is a GNU/Linux distribution based on Debian and mixed with Kali.
Parrot uses Kali repositories in order to take the latest updates for almost all the tools, but it also has its own dedicated repository where all the custom packets are kept. This is why this distro is not just a simple Kali “mod” but an entirely new concept which relies on Kali’s tool repositories. As such, it introduces a lot of new features and different developing choices. Parrot uses MATE as a Desktop Environment. The lightweight and powerful interface is derived from the famous Gnome 2 and, thanks to FrozenBox, is highly customizable with captivating icons, ad-hoc themes and wallpapers. The system look is proposed and designed by the community members and also members of Frozenbox Network, who are closely following the development of this project.
Click here to download.

4-DEFT:

Deft is an Ubuntu customization with a collection of computer forensic programs and documents created by thousands of individuals, teams and companies. Each of these works might come under a different licence. The Licence Policy describes the process that we follow in determining which software we will ship by default on the deft install CD.
It can be downloaded here.

5-Samurai Web Security Framework:

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
You can simply click here to download.

6-Network Security Toolkit:

Network Security Toolkit (NST) is a bootable live CD based on Fedora Core. The toolkit was designed to provide easy access to best-of-breed open source network security applications and should run on most x86 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of open source network security tools.
What we find rather fascinating with NST is that we can transform most x86 systems (Pentium II and above) into a system designed for network traffic analysis, intrusion detection, network packet generation, wireless network monitoring, a virtual system service server, or a sophisticated network/host scanner.
NST can be downloaded here.

7-NodeZero:

It is said that necessity is the mother of all invention, and NodeZero Linux is no different. Their team is built of testers and developers who have come to the consensus that live systems do not offer what they need in their security audits. Penetration testing distributions have historically tended to utilize the “Live” system concept of Linux, which really means that they try not to make any permanent changes to a system. Ergo all changes are gone after reboot, and they run from media such as discs and USB drives. While this may be very handy for occasional testing, its usefulness can be depleted when you’re testing regularly. It’s their belief that “Live Systems” just don’t scale well in a robust testing environment.
Although NodeZero Linux can be used as a “Live System” for occasional testing, its real strength comes from the understanding that a tester requires a strong and efficient system. This is achieved, in our belief, by working on a distribution that is a permanent installation and that benefits from a strong selection of tools, integrated with a stable Linux environment.
Download here.

8-GnackTrack:

GnackTrack is an open and free project to merge penetration testing tools and the linux Gnome desktop. GnackTrack is a Live (and installable) Linux distribution designed for Penetration Testing and is based on Ubuntu.
BackTrack is not the only player in the field of ethical hacking, so you can try other distributions as well. If you are a Gnome lover then you must try this; however, BackTrack 5 is also available on the Gnome platform. Just like BackTrack, GnackTrack comes with multiple tools that are really helpful for effective penetration testing; it has Metasploit, Armitage, w3af and other wonderful tools.
Download here.

9-Blackbuntu:

Blackbuntu is a distribution for penetration testing which was specially designed for security training students and practitioners of information security. Blackbuntu is a penetration testing distribution with the GNOME Desktop Environment. It’s currently being built using Ubuntu 10.10 with BackTrack as a reference.
Download here.

10- Backtrack

The other well-known Linux-based operating system is BackTrack, which has been in use for the past few years and is best known as the OS for network cracking and pentesting. It is also one of the best OSes that can perform various network hacks with privacy. Download here.

Bugtraq:

Bugtraq isn’t an operating system but an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It is a high-volume mailing list, and almost all new vulnerabilities are discussed there.
The Bugtraq team consists of experienced freaks and developers. It is available in Debian, Ubuntu and OpenSuSE in 32- and 64-bit architectures.
If there is any OS which is not included or deserves a better place in the list, you may let us know in the comments.

Hackers’ $81 Million Sneak Attack on World Banking


Tens of millions of dollars siphoned from the Federal Reserve Bank of New York. A shadowy set of casinos in the Philippines. A large bank in Bangladesh with creaky technology. An unknown — and perhaps uncatchable — group of anonymous thieves with sophisticated hacking skills.
What unites this curious cast of characters and enabled one of the most brazen digital bank heists ever is a ubiquitous and highly trusted international bank messaging system called Swift.
Swift — the Society for Worldwide Interbank Financial Telecommunication — is billed as a supersecure system that banks use to authorize payments from one account to another. “The Rolls-Royce of payments networks,” one financial analyst said.
But last week, for the first time since hackers captured $81 million from Bangladesh’s central bank in February, Swift acknowledged that the thieves have tried to carry out similar heists at other banks on its network by sneaking into the beating heart of the global banking system.
“There are many banks out there right now saying, ‘There but for the grace of God go us,’” said Gareth Lodge, a payments analyst at Celent, a financial consulting firm.
The admission that the attack was not a one-time event in a developing country but perhaps part of a broader threat has thrust Swift into a spotlight, raising questions about how securely money is being moved around the world. Some financial security experts point out the Swift system is only as safe as its weakest link.
The attack also reflects a growing sophistication among digital criminals, who for years have been breaching personal bank accounts and stealing credit card credentials. The thieves in Bangladesh may have spent months lurking inside the central bank’s computers, studying how to steal the necessary credentials to gain access to Swift.

Data Breaches in the Financial Industry

About half of the data breaches at financial institutions are made via the institutions’ web applications, according to Verizon’s 2016 Data Breach Investigations Report. The report shows the top digital threats by industry.
[Chart: Share of financial industry data breaches. Categories shown: web app attacks, denial of service attacks, card skimmers, privilege misuse, crimeware, other.]
Card skimmers: Criminals use a physical device attached to A.T.M.s to harvest victims’ financial information.
Web app attacks: An attack that exploits security flaws in a financial institution’s website to hack into it, sometimes with the aid of stolen credentials.
Denial of service attacks: An attack intended to swamp a website with traffic to slow its performance or render it unavailable.
Privilege misuse: Employees or other insiders use their positions to gain access to financial data.
Crimeware: Other use of malware for financial gain that does not fall into the previous categories.
It is the digital version of the heist depicted in the movie “Ocean’s Eleven,” said Adrian Nish, head of the cyberthreat intelligence team at BAE Systems, a defense and security company.
“The trend is moving from opportunistic crime to Hollywood-scale attacks,” said Mr. Nish, whose firm has analyzed the malware believed to have been used in the Bangladesh breach.
In the United States, most banks take special precautions with their Swift computers, building multiple firewalls to isolate the system from the bank’s other networks and keeping the machines physically isolated in a separate locked room.
But elsewhere, some banks take far fewer precautions. And security experts who have analyzed the Swift breach said they had concluded that the Bangladesh bank may have been particularly vulnerable to an attack.
“Swift is a great organization,” said Chris Larsen, the founder of Ripple, a financial technology company that aims to speed up global money transmissions. “But the system is fractured and antiquated. The way it is set up, you cannot totally isolate problems in a place like Bangladesh from the whole network.”
In some ways, Swift is a testament to how technology has helped all countries — including poorer ones — gain access to the financial system. But that broader access has a downside.
The central bank in Bangladesh, by some accounts, employed fewer protections against cyberattacks than many other large banks. The bank, for example, used $10 routers and no firewalls, according to news reports.
The server software that the Bangladesh bank employed was a Swift product called Alliance Access, which connects banks to the central messaging system. In a sign of how seriously Swift regards the breach of Alliance Access, the group issued a “mandatory software update” last week to help its members identify possible irregularities.
Photo: The central bank of Bangladesh, in Dhaka, the capital. The heist was timed so that when Federal Reserve officials tried to contact Bangladesh, it was a weekend there and no one was working. By the time central bankers in Bangladesh discovered the theft, it was the weekend in New York and the Fed was closed. Credit: Ashikur Rahman/Reuters
“These hackers figured out this was a weak point on the periphery, and they went for it,” said Jeffrey Kutler, editor in chief at the Global Association of Risk Professionals, a trade group. “But they were not able to compromise the core.”
Swift’s core is built on technology that has been evolving for decades. What began in 1973 as a relatively small network of 240 banks in Europe and North America is now a sprawling network of 11,000 users that includes both banks and large corporations. At first, Swift could be used to authorize payments across national borders. But it is now also used to transmit messages related to domestic payments, securities settlements and other transactions.
Swift’s growth in recent years — it set a record for messages in March — reflects the increasingly global and interconnected nature of finance. But it also shows the risk of so many financial instructions running through a single system made up of a patchwork of banks and companies with varying levels of online protection.
Each bank on the Swift network is identified by a set of codes. And it was the codes assigned to the Bank of Bangladesh that were recognized — correctly — by the Federal Reserve Bank of New York when it transferred $81 million of the Bangladesh bank’s money to the Philippines, not knowing that someone, somewhere, had stolen the credentials of the Bangladesh bank and installed malware to cover his or her tracks.
Initially, the thieves requested the transfer of $951 million into a handful of bank accounts in Sri Lanka and the Philippines — a number that prompted the New York Fed to ask the Bangladesh bank to reconfirm that it indeed wanted to move the money.
In the end, the Fed processed only five of the 35 fraudulent payment requests, after it could not reconfirm with officials in Bangladesh.
The hackers seemed to time the attack perfectly: When officials from the Fed tried to reach out to Bangladesh, it was a weekend there and no one was working. By the time central bankers in Bangladesh discovered the fraud, it was the weekend in New York and the Fed offices were closed.
To conceal the crime, the malware disabled a printer in the Bangladesh bank to prevent officials from reviewing a log of the fraudulent transfers.
Photo: Representative Carolyn B. Maloney, Democrat of New York, has called for an investigation into the theft. Credit: Robin Caplin/Bloomberg
The money was transferred to accounts in the Philippines and then into the Philippine casino system, which is exempt from many of the country’s anti-money-laundering requirements.
The New York Fed has been criticized for letting the $81 million slip out. Representative Carolyn B. Maloney, a New York Democrat and member of the Financial Services Committee, has called for an investigation, warning that the breach “threatens to undermine the confidence that foreign central banks have in the Federal Reserve, and in the safety and soundness of international monetary transactions.”
The New York Fed said in a statement that “there is no evidence that any Fed systems were compromised” and that the transfer of the money had been “fully authenticated” by Swift.
Swift, which prides itself on its secrecy and low public profile, also put out a statement about the attacks. But its executives declined to speak on the record about the episodes, which are still under investigation. The group’s chairman, Yawar Shah, who is a senior executive at Citigroup, also declined to comment.
In its statement, Swift emphasized that the hackers had been able to breach only some of the banks that communicate over Swift, not the network itself.
“The commonality in what we have seen is that (internal or external) attackers have successfully compromised banks’ own environments,” Swift said.
Even if officials at the Bangladesh bank had employed the highest of security measures, the thieves displayed a level of skill, cunning and determination that may have been able to penetrate a far more secure system.
“If you have an attacker who really wants to get in and knows there is a big prize,” Mr. Nish said, “keeping them out over the long term is really difficult.”