by Hank Berkley
Contributing editor

A nationwide network of ATMs in Chile was recently hacked, and while there is not a lot of public information about costs and damages, some of the details about how this came about were released. This week we have decided to use this case as the basis of a fictionalized cyber crime to examine what can be learned at someone else’s expense. The following account is a somewhat embellished version combined with some typical scenarios that we have witnessed. Some of this might seem overly technical – but it is to make a point.

Eduardo was a software tester who worked for Redbanc, a company that runs a network of over 2,600 ATM machines throughout Chile. To make this work, Redbanc has network connections to most of the large banks in the country. Eduardo had gone to school to learn software development but took this job as a foot in the door in a large IT organization.

One day Eduardo received an email at work purportedly from a major bank that suggested it was looking for software engineers. He responded that he was interested. The North Korean hackers who had sent the original phishing email recognized the email address of a Redbanc employee and jumped into action, sending a follow-up message that suggested a Skype meeting. All of the communications to Eduardo were in perfect Spanish.

It is always best to stop a cybercrime as early as possible. In this case that means that Redbanc should have blocked the initial phishing email. There is no system to catch 100% of these attempts, but there are many that are relatively inexpensive and will block some. Awareness training could also have helped had Eduardo recognized the nature of the first email.

The meeting was set up to take place after work hours. Eduardo took his company laptop from the office and went to the local Starbucks, where he used the free WiFi to “chat” about the position.

It is difficult to second-guess Redbanc, but we have seen far too many employees given laptop computers when it is not appropriate. Laptops have higher initial costs, higher failure rates, the risk of being stolen and typically slower performance than a desktop PC, yet some companies provide them to a large percentage of their workforce*. While Eduardo might have still been in contact with the hackers, if he didn’t have a company laptop, he might have used his personal PC and not infected the company’s machine.

Connecting company equipment to public networks should be a “no-no”. All communications to Eduardo’s laptop were forced to go through security systems when he was in the office. While those systems may or may not have detected anything, they were certainly ineffectual when they were bypassed. A simple change to the laptop could have forced all communications back through a VPN to Redbanc’s network. Even a security policy that mandated that Eduardo manually connect through a VPN might have helped.

While at Starbucks, Eduardo was encouraged to apply for the job using the firm’s standard application. Using Skype, the hacker provided Eduardo with a program called ApplicationPDF.exe, which Eduardo installed on his laptop.

The actual infection came when Eduardo downloaded and installed what turned out to be malware. Downloading software can be stopped in so many ways today using technology that exists on most systems, yet Eduardo was able to do it. And he was able to install the software, meaning he had administrator rights on the machine, something the company could readily have disabled. Eduardo’s job did not require the ability to install new software on his machine. He had more access than he needed.

The following day Eduardo brought his laptop back to the office and logged in. The malware was able to capture his ID and password and send it to the hackers.

Just having his ID and password would not have been as big an issue if Redbanc used multi-factor authentication (MFA). With MFA a hacker might need access to Eduardo’s cell phone to confirm the login.

Not only was his laptop “owned” by the bad guys, but because his machine was on the same network as all of the ATM machines, they had access to a significant asset. And then there were all the banks that were connected to Redbanc, who were also at risk.

One has to wonder why a production ATM network would be connected to any users. What is called “network segmentation” has been common practice for a long time.

Implicit here is the lack of vendor review by the banks connected to Redbanc. Had even one of them done a proper analysis at least some of this would have been discovered.

The Redbanc network was never shut down back in December of 2018 when they were hacked, and no one is publicly saying what, if any, consequences there were.

The point of all this is not to identify all the mistakes that were made in allowing the North Koreans to gain access. The point is that everything had to be perfect for them to get as far as they did. People talk about the need for the good guys to be “right” 100% of the time, but if Redbanc had blocked them with any single method, it could possibly have stopped the intrusion. This is not to say that the hackers would not find alternative routes – but why leave the front door open?

Cyber security endeavors don’t need to be complicated or expensive to thwart evildoers. While perfection is not attainable, every step you take has the potential to make a big difference. You may not block a dedicated hacker, but applying common sense techniques can make you significantly safer.

* According to Dell most companies have about 15% laptops and 85% desktop machines. It depends on the nature of the business.
