
The Shoe Drops: Iran DDOS Attacks Hit Clouds

Written by Kim Davis
1/9/2013 18 comments

Iran has reportedly launched a series of attacks on US banks, raising dire implications not just for geopolitics, but also for cloud security.

Since the fall, a series of major US banks -- including Bank of America, J.P. Morgan Chase, and Citigroup -- have seen their websites stumble and falter as a result of massive DDOS (distributed denial of service) attacks.

Today, the New York Times is reporting that unnamed "government officials" are saying the attacks are the work of Iran, "most likely in retaliation for economic sanctions and online attacks by the United States." A former official, and security expert, James A. Lewis, has said there is "no doubt within the U.S. government that Iran is behind these attacks."

One reason not to suspect activity by an organized and powerful cybercriminal operation is that nothing was stolen, and no credit card information was compromised. The objective of the breach seems to have been to cause disruption.

At this point, you might be tempted to breathe a sigh of relief. At least Iran is hammering high-street banks rather than the power grid or transit systems. But the bad news is that these attacks seem to have exposed the vulnerability of cloud computing for the first time.

Security researchers reported last October that these attacks were originating from hacked datacenters rather than from giant botnets. Using the cloud, the intruders were able to generate quantities of traffic described as "overwhelming." The new information is that the datacenters were hacked, not by savvy thieves, but by a potential enemy.

The implications should be obvious to everyone, although perhaps not to the group of US Senators which has been blocking cybersecurity legislation designed to protect the national infrastructure.

  • First, we can foresee botnets being superseded by malicious "cloudnets."
  • Second, assuming major banks are not migrating key functions to cowboy cloud suppliers, reputable cloud vendors are indeed vulnerable to breaches.
  • Third, if a potential enemy can disrupt the banking system via the cloud, then there are other things they can disrupt too.

What do we take away from this? Politically, it undermines the argument that the private sector can be trusted to maintain cybersecurity -- specifically relating to the national infrastructure -- without oversight. At an enterprise level, it's yet another reminder that cloud security isn't just something to chat about: It's a live issue.

Last month, I wrote a blog called Waiting for Shoes to Drop: The Year in Security. In response to my blog, David Silversmith pointed out that just because we hadn't heard the shoe drop, didn't mean anything. He was right. The shoe just dropped, and it made quite a thud.


— Kim Davis, Community Editor, Internet Evolution

Mashka
Researcher
Wednesday January 23, 2013 11:30:55 AM

Sometimes, people just do not know what to do with what they can do. It looks like kids' behaviour: ok, we have done it, what's next? Eeh, have no idea, that's why let's show everyone our buttocks. What fun.

I see this situation like this.

Kim Davis
Thinkernetter
Tuesday January 22, 2013 2:42:29 PM

That's an excellent question, Mashka.  The disruption was limited, nothing was stolen.  Are they just flexing their muscles to deter more exploits like Stuxnet?

Mashka
Researcher
Saturday January 19, 2013 6:22:44 AM

Kim, is it more a psychological reason to do that, or is there some practical meaning?

What's the point for Iran to block the work of US banks? To show something like "we are such cool hackers that we can do that"?

Kim Davis
Thinkernetter
Friday January 11, 2013 10:57:49 AM

On your specific points, we certainly have reports saying things like: "the recent attacks showed a level of sophistication far beyond that of amateur hackers."

Radware, the security company investigating on behalf of some of the banks, has said:

"The scale, the scope and the effectiveness of these attacks have been unprecedented. There have never been this many financial institutions under this much duress."

More from Radware's Herberger on the cloud angle:

Experts also say the attackers have infected varied cloud computing facilities with a malicious program dubbed Itsoknoproblembro, which can mask the source of the volleys. Attackers have used the bot to commandeer armies of servers that can flood banks' websites with a digital tsunami. "You have an artillery piece instead of a pea shooter," Herberger said.

Herberger says the perpetrators have exploited the trend in which banks and other companies lease processing power and software from remote servers. The result is that banks and cloud computing facilities become intertwined electronically, which can complicate a bank's ability to simply block data from particular Internet addresses when the bank comes under cyberattack. "There's a lot of brilliance in how the 'bro bot has been conceived and executed," Herberger said. Banks have "to figure out what is legitimate traffic versus illegitimate traffic."


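The two traffic shapes discussed above (the article's hacked-datacenter origin versus a client botnet, and Herberger's point that a plain IP block is awkward when the busiest sources sit inside infrastructure the bank itself depends on), as an added Python example that is not part of the original post or of any of the quoted reports. The addresses, thresholds and the shared-infrastructure range are constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events: (second_in_window, source_ip), using
# documentation-range addresses. These are not observed traffic.
WINDOW_SECONDS = 10
DATACENTER_STYLE = [(t % WINDOW_SECONDS, f"203.0.113.{10 + t % 3}") for t in range(300)]
BOTNET_STYLE = [(t % WINDOW_SECONDS, f"198.51.100.{t % 150}") for t in range(300)]
NORMAL = [(t % WINDOW_SECONDS, f"192.0.2.{t % 40}") for t in range(40)]

# Hypothetical range the bank's own services depend on (a partner API host,
# its cloud provider's egress). Blocking it wholesale would hurt the bank.
SHARED_INFRA = [ip_network("203.0.113.8/30")]


def profile(events, window_seconds=WINDOW_SECONDS, top_n=3):
    """Shape of one window: number of sources, share of requests carried by
    the top_n sources, and the request rate of the single busiest source."""
    counts = Counter(ip for _, ip in events)
    total = sum(counts.values())
    top = counts.most_common(top_n)
    return {
        "sources": len(counts),
        "total_rps": total / window_seconds,
        "top_share": sum(c for _, c in top) / total if total else 0.0,
        "peak_source_rps": top[0][1] / window_seconds if top else 0.0,
        "top_sources": [ip for ip, _ in top],
    }


def classify(prof, flood_rps=20.0, share_threshold=0.8, source_rps=5.0):
    """'concentrated': a flood where a handful of sources carry most of it
    (the compromised-server pattern). 'distributed': a flood spread thinly
    over many sources (classic client botnet). 'normal': below flood rate."""
    if prof["total_rps"] < flood_rps:
        return "normal"
    if prof["top_share"] >= share_threshold and prof["peak_source_rps"] >= source_rps:
        return "concentrated"
    return "distributed"


def block_plan(prof, shared=SHARED_INFRA):
    """Split the busiest sources into ones a plain IP block can take out and
    ones inside shared infrastructure, where an IP block would also cut
    legitimate traffic and request-level filtering is needed instead."""
    safe, shared_hits = [], []
    for ip in prof["top_sources"]:
        addr = ip_address(ip)
        (shared_hits if any(addr in net for net in shared) else safe).append(ip)
    return {"block": safe, "needs_request_filtering": shared_hits}


if __name__ == "__main__":
    for name, sample in [("datacenter", DATACENTER_STYLE), ("botnet", BOTNET_STYLE), ("normal", NORMAL)]:
        prof = profile(sample)
        print(name, classify(prof), block_plan(prof))
```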
Kim Davis
Thinkernetter
Friday January 11, 2013 10:47:36 AM

You raise some interesting points, Kenton, although I honestly think your problem is with the original reporting rather than my commentary.  I was fairly careful:

Iran has reportedly launched a series of attacks on US banks, raising dire implications not just for geopolitics, but also for cloud security...

Today, the New York Times is reporting that unnamed "government officials" are saying the attacks are the work of Iran, "most likely in retaliation for economic sanctions and online attacks by the United States." A former official, and security expert, James A. Lewis, has said there is "no doubt within the U.S. government that Iran is behind these attacks."

Now, of course, the government officials may be mistaken, or may be lying for some reason, but it's fairly unlikely that what they are saying has been misreported.  (The story went around the Internet, and there haven't been any denials from the US government.)


kenton
IQ Crew
Thursday January 10, 2013 5:28:44 PM

"a potential nation-state enemy was disrupting networks by accessing cloud computing centers"

That's where I have a problem with the article. If you had changed "was" to "could be" I likely wouldn't have stopped to question it. No one has come out with any kind of proof that this is a nation state. In fact, many people have come out and said that it could easily be done by a "hacker" group. I've done a bunch of reading on it this afternoon and here is the only thing I can find as a common thread:

Someone (or a group) has compromised a few servers in data centers with high bandwidth and pointed them at bank websites.

Nowhere have I read anything to support it being cloud infrastructure (vs. a few data centers). Nowhere have I read any evidence that it is nation-state sponsored. Nowhere have I read that it was a super sophisticated attack.

I have read a whole lot of "unnamed sources", "not enough understanding", "could be", etc. I've also read that CloudFlare sees attacks of 60Gb/sec on a monthly basis. That the software doesn't require root/administrator privileges opening it up to a huge variety of potential exploit vectors (Ruby on Rails anyone?). I also found that for a few hundred bucks I could rent enough servers to easily push out this kind of bandwidth.

I have no doubt that attacks like this will increase, nor that there could be nation states that will take advantage of the opportunity to hijack large swaths of bandwidth. I just think that you've tried to prove your stance by using a bunch of media hype rather than actual facts. That's very atypical of your articles.

Kim Davis
Thinkernetter
Thursday January 10, 2013 3:49:49 PM

The thud to which I referred is the realization that a potential nation-state enemy was disrupting networks by accessing cloud computing centers.  I had identified cloud security and cyberwar as the two big threats which never fully materialized in 2012.

I was wrong: in fact, before the end of the year, they had come together in a very threatening way.

Bringing down customer-facing bank websites may be no more than an inconvenience, but what other capabilities might the intruders have?

kenton
IQ Crew
Thursday January 10, 2013 12:20:35 PM

Kim, while most people use their bank's website to interact with them, it isn't the only way. If I can't get through to the bank website to transfer my money, I can either walk across the street or pick up the phone. It isn't like the website that I connect to is the one that is handling all of the internal and inter-bank functions. Is it awkward and an inconvenience? Sure, but it isn't going to stop people from spending money nor banks from doing business.
Again, maybe it's that I'm misunderstanding things, and I'll go read the NYT article, but I'm not so sure why this is seen as such a "thud".

Kim Davis
Thinkernetter
Thursday January 10, 2013 12:08:08 PM

Not sure if I understand you correctly, Kenton, but if DDOS attacks could bring down banking websites for extended periods, that would surely be disruptive to the banking system.

Kim Davis
Thinkernetter
Thursday January 10, 2013 12:06:51 PM

The New York Times published the newsworthy detail that officials are saying Iran is responsible.  Now whether you believe the officials or not is another question, but generally speaking the Times can be relied on to report what they are saying accurately.

The details of the exploit were actually revealed a few months ago, but kept a low profile, partly because nothing was stolen, partly because there was no suggestion of nation state involvement.  See, for example, the article I linked to: "Recent Bank Cyber Attacks Originated From Hacked Data Centers, Not Large Botnet".

The majority of the banking attack traffic does not appear to have been generated by client bots, but rather from compromised servers in data centers...

See also Bloomberg.
