Attacks/Breaches
4/4/2013
10:38 AM

Banks Hit Downtime Milestone In DDoS Attacks

Top 15 U.S. banks have experienced double the downtime from same period last year. Lawmakers demand passage of a cyber threat intelligence sharing bill.

In recent weeks, U.S. banks and financial services institutions have seen their website downtime double, compared to just one year ago.

That finding, first reported by NBC News, comes from Keynote, which maintains dummy accounts at the country's top 15 banks and monitors each site's uptime and availability by attempting to log into those accounts every five minutes.

Keynote didn't immediately respond to an emailed request for a copy of its research. But spokesman Aaron Rudger told NBC that for the six-week period ending March 31, 2013, the 15 banks' sites were effectively unreachable by customers for a total of 249 hours, or about 2% of the time. In the same period last year the banks saw only 140 hours of downtime, most of which Rudger attributed to regularly scheduled maintenance, which typically takes place at night.
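The accounting behind those figures is simple enough to reproduce. The block below is an added example, not Keynote's code: it follows only what the article states (one login probe per site every five minutes, a failed probe counting the whole interval as downtime), merges consecutive failures into outage windows, and then separates downtime that falls inside an overnight maintenance window from downtime during the rest of the day. The probe results are constructed, and the 00:00-04:00 maintenance window is an assumption.

```python
"""Keynote-style availability accounting over synthetic login probes.

Added example. Probe data below is constructed; the maintenance window is an
assumption used to separate scheduled downtime from everything else.
"""
from datetime import datetime, timedelta

PROBE_INTERVAL = timedelta(minutes=5)
MAINT_START, MAINT_END = 0, 4  # assumed overnight maintenance window, 00:00-04:00


def build_probes(start, n, failures):
    """Construct n probe results at 5-minute spacing.

    `failures` is the set of probe indices whose login attempt failed.
    Each probe is a (timestamp, succeeded) pair.
    """
    return [(start + i * PROBE_INTERVAL, i not in failures) for i in range(n)]


def outages(probes):
    """Merge consecutive failed probes into (start, end) outage windows.

    A failed probe at t counts [t, t + 5 min) as down, so an outage ends at the
    first successful probe after it, or at the end of the observation window.
    """
    windows, start = [], None
    for ts, ok in probes:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:  # still down when the observation window ends
        windows.append((start, probes[-1][0] + PROBE_INTERVAL))
    return windows


def summarize(sites):
    """sites: {site_name: probes}.

    Returns total downtime hours, per-site hours, the share of observed
    site-hours that were unavailable, and how many of those hours fell inside
    the assumed maintenance window.
    """
    total = timedelta()
    maint = timedelta()
    observed = timedelta()
    per_site = {}
    for name, probes in sites.items():
        observed += len(probes) * PROBE_INTERVAL
        site_down = timedelta()
        for start, end in outages(probes):
            site_down += end - start
            # walk the outage in 5-minute slices and count those at night
            t = start
            while t < end:
                if MAINT_START <= t.hour < MAINT_END:
                    maint += PROBE_INTERVAL
                t += PROBE_INTERVAL
        per_site[name] = site_down.total_seconds() / 3600
        total += site_down
    return {
        "downtime_hours": total.total_seconds() / 3600,
        "per_site_hours": per_site,
        "unavailable_pct": 100 * total / observed if observed else 0.0,
        "maintenance_hours": maint.total_seconds() / 3600,
    }


def example_sites():
    """One day (288 probes) for two constructed sites.

    bank_a is down 00:00-01:00 (inside the maintenance window) and 10:00-11:00;
    bank_b is down 12:30-13:00 and for the final probe of the day.
    """
    start = datetime(2013, 3, 25)
    return {
        "bank_a": build_probes(start, 288, set(range(0, 12)) | set(range(120, 132))),
        "bank_b": build_probes(start, 288, set(range(150, 156)) | {287}),
    }


if __name__ == "__main__":
    for key, value in summarize(example_sites()).items():
        print(f"{key}: {value}")
```

Against the constructed day the two sites lose 155 minutes between them, about 5.4% of the 48 observed site-hours, and one of those hours falls in the assumed maintenance window. Splitting the figure this way is what lets last year's 140 hours be read as mostly scheduled work and this year's 249 as something else.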


The finding that U.S. banks are experiencing double their normal levels of downtime suggests that the distributed denial-of-service (DDoS) attacks being waged under the "Operation Ababil" banner by a self-described Muslim hacktivist group calling itself the al-Qassam Cyber Fighters are having a demonstrable impact on the banks' ability to keep their websites reachable for customers.

On Tuesday the al-Qassam Cyber Fighters announced via Pastebin the fifth week of what it calls the third wave of its banking attacks, and reported that last week it had targeted the websites of American Express, Ameriprise Financial, Bank of America, BB&T, Citizens Financial and KeyCorp. Customer complaints posted to the Site Down website suggested that at least some of those sites were seeing higher than normal levels of disruption.

The Operation Ababil attacks were first launched in September 2012, accompanied by demands that all copies of a film that mocks the founder of Islam be removed from the Internet. The attacks continued with a second round that began in late 2012.

Multiple U.S. government officials have dismissed the film-removal demands as a red herring, and accused the Iranian government of sponsoring the attacks. But a senior member of the House Intelligence Committee, Rep. Adam Schiff (D-Calif.), told NBC News Wednesday that the FBI and "other law enforcement agencies are following up aggressively to identify the responsible parties" behind the DDoS attack campaign, suggesting that the Iranian connection might still be tentative.

Regardless, with each new round the attackers appear to be refining their tools and techniques. They have compromised otherwise legitimate third-party websites, often through vulnerabilities related to WordPress or PHP, and turned them into staging grounds for DDoS attacks that have achieved sustained floods of 70 Gbps and 30 million packets per second. Furthermore, security experts have said that the bank attackers don't even appear to be using all of the firepower at their disposal.
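A hosting provider or web team is in a better position than the target bank to notice a server that has been turned into a staging ground, because the symptom is on the outbound side: a web server that suddenly pushes most of its packets at one destination. The block below is an added example, not code from the article and not a reproduction of the attackers' tooling. It aggregates constructed NetFlow-style records per source host, flags hosts whose outbound packet rate and destination concentration look like a flood rather than web serving, and works out how many such hosts it would take to reach the 70 Gbps and 30 Mpps figures quoted above. The record format and the two thresholds are assumptions; real thresholds have to come from a baseline of the hosts being watched.

```python
"""Flag web servers whose outbound traffic looks like a DDoS launch.

Added example. Flow records are constructed; thresholds are assumptions for a
hosting network and must be tuned against a measured baseline.
"""
import math
from collections import defaultdict

WINDOW_SECONDS = 60        # length of the observation window the flows cover
PPS_THRESHOLD = 50_000     # assumed: no legitimate web server here sends 50 kpps
TOP_DST_SHARE = 0.90       # assumed: >90% of packets to a single destination

# constructed flow records: (t_seconds, src, dst, dst_port, packets, bytes)
FLOWS = [
    # an ordinary web server answering a handful of clients
    (0,  "203.0.113.10", "198.51.100.77", 443,   900, 1_200_000),
    (5,  "203.0.113.10", "198.51.100.78", 443, 1_200, 1_600_000),
    (20, "203.0.113.10", "198.51.100.79",  80,   600,   700_000),
    (41, "203.0.113.10", "198.51.100.80", 443, 1_500, 2_000_000),
    # a compromised web server hammering one target on port 80 with 1400-byte packets
    (0,  "203.0.113.20", "192.0.2.10",     80, 2_500_000, 2_500_000 * 1400),
    (15, "203.0.113.20", "192.0.2.10",     80, 2_000_000, 2_000_000 * 1400),
    (30, "203.0.113.20", "192.0.2.10",     80, 1_800_000, 1_800_000 * 1400),
    (44, "203.0.113.20", "198.51.100.90", 443,     1_000, 1_200_000),  # its normal traffic
]


def aggregate(flows, window=WINDOW_SECONDS):
    """Per-source outbound rate and destination concentration over the window."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "by_dst": defaultdict(int)})
    for _t, src, dst, _port, pkts, byts in flows:
        rec = per_src[src]
        rec["packets"] += pkts
        rec["bytes"] += byts
        rec["by_dst"][dst] += pkts
    stats = {}
    for src, rec in per_src.items():
        top_dst, top_pkts = max(rec["by_dst"].items(), key=lambda kv: kv[1])
        stats[src] = {
            "pps": rec["packets"] / window,
            "mbps": rec["bytes"] * 8 / window / 1e6,
            "distinct_dsts": len(rec["by_dst"]),
            "top_dst": top_dst,
            "top_dst_share": top_pkts / rec["packets"],
        }
    return stats


def flag_launchers(stats, pps_threshold=PPS_THRESHOLD, share=TOP_DST_SHARE):
    """Hosts that are both loud and fixated on one destination."""
    return sorted(
        src for src, s in stats.items()
        if s["pps"] >= pps_threshold and s["top_dst_share"] >= share
    )


def hosts_to_reach(stats, src, target_gbps=70.0, target_mpps=30.0):
    """How many hosts like `src` it would take to reach the quoted flood sizes."""
    s = stats[src]
    return {
        f"for_{target_gbps:g}_gbps": math.ceil(target_gbps * 1000 / s["mbps"]),
        f"for_{target_mpps:g}_mpps": math.ceil(target_mpps * 1e6 / s["pps"]),
    }


if __name__ == "__main__":
    stats = aggregate(FLOWS)
    for src in flag_launchers(stats):
        s = stats[src]
        print(f"{src}: {s['pps']:.0f} pps, {s['mbps']:.0f} Mbps, "
              f"{s['top_dst_share']:.1%} of packets to {s['top_dst']}")
        print("  hosts needed for the quoted floods:", hosts_to_reach(stats, src))
```

On the constructed data the compromised host emits roughly 105 kpps and 1.2 Gbps with 99.98% of its packets aimed at one address, while the ordinary server stays at 70 pps spread across four clients. Around 60 such hosts would account for the 70 Gbps figure, but nearly 300 would be needed for 30 Mpps, which is one reason packet rate and bandwidth have to be measured separately: a large-packet flood and a small-packet flood stress different parts of the target.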

Are stronger defenses required, then? Responding to the Keynote downtime findings, the chair of the House Intelligence Committee, Rep. Mike Rogers (R-Mich.), told NBC News Wednesday that the bank DDoS attacks, which he blames on the Iranian government, highlight the need for U.S. government intelligence agencies to share threat intelligence with private industry. "These banks are among the best in the country when it comes to cyber security, but even they are having trouble keeping up with attacks that have the sophistication and the level of resources that a nation-state entity like Iran can devote to them," he said.

Accordingly, Rogers called on Congress to pass the controversial Cyber Intelligence Sharing and Protection Act (CISPA) that he's co-authored with C.A. Dutch Ruppersberger (D-Md.), which he claimed would enable the government "to share cyber threat information with these banks to help them get ahead of these attacks."

But Rogers offered no evidence to support his assertion that access to better attack signatures would somehow immunize banks' networks against DDoS attacks. A spokesman for Rogers wasn't immediately available by phone to discuss the Congressman's comments.


Comments
PJS880
User Rank: Ninja
4/22/2013 | 2:05:57 AM
re: Banks Hit Downtime Milestone In DDoS Attacks
The banks have obviously invested a serious amount of time and money investigating the losses that they are suffering due to the downtime. Here is a great idea that, if the banks involved are not doing it already, they most definitely should be: hire private investigators of their own. I am sure that it would be worth their time and money to mutually invest in a solution, that being aggressively persuading and counterattacking, or at the very least keeping hackers occupied with menial tasks that take time. It sounds like the banks know where and who the attacks are coming from; that has got to be a useful piece of information.

Paul Sprague
InformationWeek Contributor