Attacks/Breaches
4/4/2013
10:38 AM
50%
50%

Banks Hit Downtime Milestone In DDoS Attacks

Top 15 U.S. banks have experienced double the downtime from same period last year. Lawmakers demand passage of a cyber threat intelligence sharing bill.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
In recent weeks, U.S. banks and financial services institutions have seen their website downtime double, compared to just one year ago.

That finding, first reported by NBC News, comes via Keynote, which maintains dummy accounts with the country's top 15 banks, which it uses to monitor site uptime and availability to customers by attempting to log into its accounts every five minutes.

Keynote didn't immediately respond to an emailed request for a copy of its research. But spokesman Aaron Rudger told NBC that for the six-week period ending on March 31, 2013, the 15 banks' sites were effectively unreachable by customers for a total of 249 hours, or 2% of the time. Compared with the same period last year, the banks only saw 140 hours of downtime, which Rudger said could largely be ascribed to their performing regularly scheduled maintenance, which often occurs at night.

[ Did a monster hack slow down the entire Internet? Read DDoS Attack Doesn't Spell Internet Doom: 7 Facts. ]

The finding that U.S. banks are experiencing double their normal levels of downtime suggests that the distributed denial-of-service (DDoS) attacks being waged under the "Operation Ababil" banner -- the self-described Muslim hacktivist band calling itself the al-Qassam Cyber Fighters -- are having a demonstrable impact on banks' ability to ensure that customers can connect with their websites.

The al-Qassam Cyber Fighters Tuesday announced via Pastebin the fifth week in what it's called the third wave of its banking attacks, and reported that last week, the websites of American Express, Ameriprise Financial, Bank of America, BB&T, Citizens Financial and KeyCorp had been targeted, and customer complaints left on the Site Down website suggested that at least some of those sites were seeing higher than normal levels of disruption.

The Operation Ababil attacks were first launched in September 2012, accompanied by demands that all copies of a film that mocks the founder of Islam be removed from the Internet. The attacks continued with a second round that began in late 2012.

Multiple U.S. government officials have dismissed the film-removal demands as a red herring, and accused the Iranian government of sponsoring the attacks. But a senior member of the House Intelligence Committee, Rep. Adam Schiff (D-Calif.), told NBC News Wednesday that the FBI and "other law enforcement agencies are following up aggressively to identify the responsible parties" behind the DDoS attack campaign, suggesting that the Iranian connection might still be tentative.

Regardless, with each new round, the attackers appear to be refining their attack tools and techniques, as evidenced by the fact that they've been able to compromise otherwise legitimate third-party websites, often by using vulnerabilities related to WordPress or involving PHP, and turn them into staging grounds for launching DDoS attacks that have achieved sustained floods of 70 Gbps and 30 million packets per second. Furthermore, security experts have said that the bank attackers don't even appear to be using all of the firepower at their disposal.

Accordingly, are stronger defenses required? Responding to the Keynote downtime findings, the chair of the House Intelligence Committee, Rep. Mike Rogers (R-Mich.), told NBC News Wednesday that the bank DDoS attacks -- which he blames on the Iranian government -- highlight the need for U.S. government intelligence agencies to share threat intelligence with the private industry. "These banks are among the best in the country when it comes to cyber security, but even they are having trouble keeping up with attacks that have the sophistication and the level of resources that a nation-state entity like Iran can devote to them," he said.

Accordingly, Rogers called on Congress to pass the controversial Cyber Intelligence Sharing and Protection Act (CISPA) that he's co-authored with C.A. Dutch Ruppersberger (D-Md.), which he claimed would enable the government "to share cyber threat information with these banks to help them get ahead of these attacks."

But Rogers offered no evidence to support his assertion that access to better attack signatures would somehow immunize banks' networks against DDoS attacks. A spokesman for Rogers wasn't immediately available by phone to discuss the Congressman's comments.

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PJS880
50%
50%
PJS880,
User Rank: Ninja
4/22/2013 | 2:05:57 AM
re: Banks Hit Downtime Milestone In DDoS Attacks
The banks have obviously invested a serious amount of time and money investigating the losses that they are suffering due to the downtime. Here is a great idea, that if the banks involved are not doing already they most definitely should be doing, is to hire private investigators of their own. I am sure that it would be worth their time and money to mutually invest in a solution, that being aggressively persuading and counter attacking, or at the very least keeping hackers occupied with menial tasks that take time? It sounds like the banks know where and who the attacks are coming from, that has got to be a useful piece of information.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2014-9713
Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

CVE-2015-0259
Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.