Saturday, September 29, 2012

29-Sep-12: How worried should we be if some of the world's smartest banks are reeling from this week's on-line terror attacks?

Without attracting major headlines, some of the world's largest banks have been targeted this week by a series of coordinated Distributed Denial of Service (DDoS) attacks, bringing havoc to commerce and threatening worse to come. Far from being defeated, the attacks were called off by the attackers themselves on Thursday [source].

The attacked banks that we know about from news reports include Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank. What happens in these incidents is that massive amounts of traffic, including malware, are channeled to the websites and non-consumer web servers until they are overwhelmed and forced to shut down until the attack is repelled, or it passes.

How serious is it all? "No bullets have been fired, but rest assured, this is truly a terrorist strike at the United States", says a security expert, Paul Rothman, writing ["Cyber Terror Rages In The Banking Sector"] on the Security Infowatch website yesterday. A CNN article ["Major banks hit with biggest cyberattacks in history"] puts it into perspective this way:

"The volume of traffic sent to these sites is frankly unprecedented," said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks. "It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack." [More]

In the Chicago Tribune (and also the LA Times), an article this past Wednesday was headlined "Banks fail to repel cyber threat: Attacks that have tied up bank websites show U.S. financial institutions' vulnerability to electronic terrorism". It describes how "a shadowy but well organized hacker group in the Middle East has disrupted the electronic banking operations of America's largest financial institutions in recent days, underscoring U.S. vulnerability to online terrorism..."

You may have been thinking this was the work of the usual suspects: Chinese or Bulgarian hackers, out to steal whatever low-hanging fruit is out there. So allow us to tell you that a unit of Hamas called Izz ad-Din al-Qassam Cyber Fighters has already claimed 'credit' and calls the attacks "Operation Ababil". They have launched similar attacks in the past but, if it's them, this is their largest by far. 

We don't know (of course) but Alperovitch of CrowdStrike says the Hamas group has credibility: they announced the attack ahead of time [source], and listed the banks that were going to be hit next. He says that technologically what they did was "not that sophisticated -- it just took significant planning". On the other side of the ledger, Hamas also claimed they would attack the New York Stock Exchange but it appears trading has continued there without interruption [source].

Another source says this is the work of something called Arab Electronic Army [source], while the chairman of the US Senate's Homeland Security committee said Tuesday it's being done by Iran (who deny it) and specifically a body called the Quds Force, a "secretive Iran military unit blamed for terrorist activity". Their involvement, he said, is a response to U.S. sanctions placed on Iran in connection with its nuclear program, according to the LA Times. And the attacks are "a powerful example of our vulnerability". Not exactly what we want to hear in these dangerous times.

What the rest of us might be thinking at this point is, if this is going so badly (and evidently it is), and major banks can be impacted despite their substantial investment in security systems, what else is at risk? Air traffic control systems? Electric power grid networks? The Security Infowatch article we quoted above says "The prospects are mind-numbing, and frankly, scary. Are we ready for them?"

Are we ever ready for terrorism?
