[ISN] Cyber Security Questions Persist at World Bank

From: InfoSec News <alerts_at_private>
Date: Mon, 3 Nov 2008 02:28:18 -0600 (CST)

By Richard Behar
FOX News
November 02, 2008

Is the World Bank in the middle of a security meltdown?

Over the past year, as FOX News reported three weeks ago, the bank has 
suffered a series of Internet attacks that penetrated at least 18 and 
perhaps as many as 40 of the bank's data servers. Moreover, spyware was 
apparently installed on computers inside the bank's treasury unit in 
Washington. The bank denies that sensitive data was compromised in any 
of the attacks.

Now, FOX News has learned, hundreds of employees of an India-based 
technology contractor that World Bank president Robert Zoellick ordered 
off the agency's property last April on security grounds are still 
working for the financial institution. They have been transformed in 
recent months into bank staffers or shifted onto the employment rolls of 
other contractors.

These revelations raise more questions about the safety of sensitive 
information at the world's largest and most influential anti-poverty 
lender. They also raise questions about the dependence of the bank on 
outside contracting help to maintain an information and communications 
system that is a hodgepodge of both semi-obsolete and cutting edge 
technologies, and far less secure than many people around the world have 
reason to expect.

The significance of those weaknesses is still far from clear . 
especially as the bank strenuously denies that any of them exist. Yet 
despite those denials, FOX has learned, the bank's top executives 
recently held secret meetings to discuss whether the institution should 
sever all ties with outside information technology vendors. For the time 
being, according to inside sources, the bank has put the process of 
signing new information technology contracts on hold. (A bank spokesman, 
who insisted on anonymity, denied both the secret meetings and the hold 
on contracts.)

The World Bank doles out $25 billion a year for 2,000 development 
projects around the world, ranging from hydro-power plants in India to 
highways in China, from the privatization of state enterprises in Niger 
to the modernization of tax-collecting systems in Bulgaria. It also 
manages a $70 billion investment portfolio, and owns one of the largest 
repositories of confidential data about the economies of its 185 
member-nations, down to such minutiae as the amount of hard currency 
that any central bank holds in real time, meaning the current state of 
its accounts. That information is voluntarily handed over on the 
assumption that it will remain confidential.

Knowing what's inside the World Bank's databases could be worth billions 
to speculators, hedge funds or governments anxious to increase their 
leverage or even destabilize other national economies in the current 
financial turbulence. In short, confidence in the bank's information 
security system is nearly identical with confidence in the bank itself.

While the lending agency is denying that any sensitive data was 
compromised by the computer breaches, internal memos and testimony from 
inside sources suggest that it may in fact already have suffered the 
greatest security breach ever at a global financial institution, a 
series of intrusions - starting in mid-2007 - that the bank's senior 
technology manager in an email called "this unprecedented crisis."


Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
Received on Mon Nov 03 2008 - 00:28:18 PST

This archive was generated by hypermail 2.2.0 : Mon Nov 03 2008 - 00:37:27 PST