4/4/2013 10:38 AM
Banks Hit Downtime Milestone In DDoS Attacks

Top 15 U.S. banks have experienced double the downtime from same period last year. Lawmakers demand passage of a cyber threat intelligence sharing bill.

In recent weeks, U.S. banks and financial services institutions have seen their website downtime double, compared to just one year ago.

That finding, first reported by NBC News, comes from Keynote, which maintains dummy accounts at the country's top 15 banks and uses them to monitor site uptime and availability to customers by attempting to log in every five minutes.

Keynote didn't immediately respond to an emailed request for a copy of its research. But spokesman Aaron Rudger told NBC that for the six-week period ending on March 31, 2013, the 15 banks' sites were effectively unreachable by customers for a total of 249 hours, or 2% of the time. In the same period last year, the banks saw only 140 hours of downtime, which Rudger said could largely be ascribed to regularly scheduled maintenance, which often occurs at night.
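To show how the kind of figures Keynote reports are derived from a synthetic-monitoring log, here is an added example (not Keynote's code or data) that charges each failed five-minute login probe as downtime, separates failures inside an assumed 00:00-05:00 maintenance window from unscheduled ones, and finds the longest sustained outage. The probe log, the bank names and the window bounds are all constructed for the illustration.

```python
from datetime import datetime, time, timedelta

# One scripted login per bank every five minutes (Keynote's cadence per the article).
PROBE_INTERVAL = timedelta(minutes=5)

# Constructed sample probe log (not Keynote data): timestamp,bank,result
SAMPLE_LOG = """\
2013-03-30T01:00:00,bankA,fail
2013-03-30T01:05:00,bankA,fail
2013-03-30T01:10:00,bankA,ok
2013-03-30T13:05:00,bankA,fail
2013-03-30T13:10:00,bankA,fail
2013-03-30T13:15:00,bankA,fail
2013-03-30T13:20:00,bankA,ok
2013-03-30T13:10:00,bankB,fail
2013-03-30T13:15:00,bankB,ok
"""
def parse_log(text):
    """Parse 'timestamp,bank,result' lines into (datetime, bank, ok) tuples."""
    return [(datetime.fromisoformat(ts), bank, res == "ok")
            for ts, bank, res in (line.split(",") for line in text.strip().splitlines())]

def in_maintenance_window(ts, start=time(0, 0), end=time(5, 0)):
    """Assumed overnight maintenance window; the article says only 'at night'."""
    return start <= ts.time() < end

def downtime_summary(rows, period_hours):
    """Split charged downtime into scheduled/unscheduled and give it as a % of bank-hours."""
    banks = {bank for _, bank, _ in rows}
    sched = unsched = timedelta()
    for ts, _, ok in rows:
        if ok:
            continue
        if in_maintenance_window(ts):
            sched += PROBE_INTERVAL
        else:
            unsched += PROBE_INTERVAL
    total = (sched + unsched).total_seconds() / 3600
    return {"scheduled_hours": sched.total_seconds() / 3600,
            "unscheduled_hours": unsched.total_seconds() / 3600,
            "total_hours": total,
            "downtime_pct": 100 * total / (period_hours * len(banks))}

def longest_outage(rows):
    """(bank, minutes) of the longest run of consecutive failed probes for one bank."""
    best, streak = {}, {}
    for _, bank, ok in sorted(rows, key=lambda r: (r[1], r[0])):
        streak[bank] = 0 if ok else streak.get(bank, 0) + 1
        best[bank] = max(best.get(bank, 0), streak[bank])
    bank = max(best, key=best.get)
    return bank, best[bank] * int(PROBE_INTERVAL.total_seconds() // 60)
```

A sustained run of failed probes outside the maintenance window is the signature a flood leaves in this kind of data, whereas isolated failures are more often transient errors.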

[ Did a monster hack slow down the entire Internet? Read DDoS Attack Doesn't Spell Internet Doom: 7 Facts. ]

The finding that U.S. banks are experiencing double their normal levels of downtime suggests that the distributed denial-of-service (DDoS) attacks being waged under the "Operation Ababil" banner by the self-described Muslim hacktivist group calling itself the al-Qassam Cyber Fighters are having a demonstrable impact on banks' ability to ensure that customers can connect with their websites.

On Tuesday, the al-Qassam Cyber Fighters announced via Pastebin the fifth week of what it calls the third wave of its banking attacks. It reported that last week the websites of American Express, Ameriprise Financial, Bank of America, BB&T, Citizens Financial and KeyCorp had been targeted, and customer complaints left on the Site Down website suggested that at least some of those sites were seeing higher than normal levels of disruption.

The Operation Ababil attacks were first launched in September 2012, accompanied by demands that all copies of a film that mocks the founder of Islam be removed from the Internet. The attacks continued with a second round that began in late 2012.

Multiple U.S. government officials have dismissed the film-removal demands as a red herring, and accused the Iranian government of sponsoring the attacks. But a senior member of the House Intelligence Committee, Rep. Adam Schiff (D-Calif.), told NBC News Wednesday that the FBI and "other law enforcement agencies are following up aggressively to identify the responsible parties" behind the DDoS attack campaign, suggesting that the Iranian connection might still be tentative.

Regardless, with each new round the attackers appear to be refining their attack tools and techniques, as evidenced by their ability to compromise otherwise legitimate third-party websites, often through vulnerabilities related to WordPress or PHP, and turn them into staging grounds for DDoS attacks that have achieved sustained floods of 70 Gbps and 30 million packets per second. Furthermore, security experts have said that the bank attackers don't even appear to be using all of the firepower at their disposal.

So are stronger defenses required? Responding to the Keynote downtime findings, the chair of the House Intelligence Committee, Rep. Mike Rogers (R-Mich.), told NBC News Wednesday that the bank DDoS attacks -- which he blames on the Iranian government -- highlight the need for U.S. government intelligence agencies to share threat intelligence with private industry. "These banks are among the best in the country when it comes to cyber security, but even they are having trouble keeping up with attacks that have the sophistication and the level of resources that a nation-state entity like Iran can devote to them," he said.

Accordingly, Rogers called on Congress to pass the controversial Cyber Intelligence Sharing and Protection Act (CISPA) that he's co-authored with C.A. Dutch Ruppersberger (D-Md.), which he claimed would enable the government "to share cyber threat information with these banks to help them get ahead of these attacks."

But Rogers offered no evidence to support his assertion that access to better attack signatures would somehow immunize banks' networks against DDoS attacks. A spokesman for Rogers wasn't immediately available by phone to discuss the Congressman's comments.

Comments
PJS880 (User Rank: Ninja), 4/22/2013 2:05:57 AM, re: Banks Hit Downtime Milestone In DDoS Attacks
The banks have obviously invested a serious amount of time and money investigating the losses that they are suffering due to the downtime. Here is a great idea that, if the banks involved are not already doing it, they most definitely should be: hire private investigators of their own. I am sure that it would be worth their time and money to mutually invest in a solution, that being aggressively pursuing and counterattacking, or at the very least keeping hackers occupied with menial tasks that take time. It sounds like the banks know where and who the attacks are coming from; that has got to be a useful piece of information.

Paul Sprague, InformationWeek Contributor