Iran has reportedly launched a series of attacks on US banks, raising dire implications not just for geopolitics, but also for cloud security.
Since the fall, a series of major US banks -- including Bank of America, J.P. Morgan Chase, and Citigroup -- have seen their websites stumble and falter as a result of massive DDOS (distributed denial of service) attacks.
Today, the New York Times is reporting that unnamed "government officials" are saying the attacks are the work of Iran, "most likely in retaliation for economic sanctions and online attacks by the United States." A former official, and security expert, James A. Lewis, has said there is "no doubt within the U.S. government that Iran is behind these attacks."
One reason not to suspect activity by an organized and powerful cybercriminal operation is that nothing was stolen, and no credit card information was compromised. The objective of the breach seems to have been to cause disruption.
At this point, you might be tempted to breathe a sigh of relief. At least Iran is hammering high-street banks rather than the power grid or transit systems. But the bad news is that these attacks seem to have exposed the vulnerability of cloud computing for the first time.
Security researchers reported last October that these attacks were originating from hacked datacenters rather than from giant botnets. Using the cloud, the intruders were able to generate quantities of traffic described as "overwhelming." The new information is that the datacenters were hacked, not by savvy thieves, but by a potential enemy.
The implications should be obvious to everyone, although perhaps not to the group of US Senators which has been blocking cybersecurity legislation designed to protect the national infrastructure.
First, we can foresee botnets being superseded by malicious "cloudnets."
Second, assuming major banks are not migrating key functions to cowboy cloud suppliers, reputable cloud vendors are indeed vulnerable to breaches.
Third, if a potential enemy can disrupt the banking system via the cloud, then there are other things they can disrupt too.
What do we take away from this? Politically, it undermines the argument that the private sector can be trusted to maintain cybersecurity -- specifically relating to the national infrastructure -- without oversight. At an enterprise level, it's yet another reminder that cloud security isn't just something to chat about: It's a live issue.
Last month, I wrote a blog called Waiting for Shoes to Drop: The Year in Security. In response to my blog, David Silversmith pointed out that just because we hadn't heard the shoe drop, didn't mean anything. He was right. The shoe just dropped, and it made quite a thud.
Nothing wakes us up faster than a scare. However, based on recent behavior, I don't know whether even this will prompt Washington to act. I really hope I'm way off base here.
I'm afraid you probably are. I don't mean this to be perceived as a partisan comment, but I think the perception that Congress has, as its prime objective, stopping the "other side" doing stuff is fair.
The Senate lobby which has been blocking government oversight of the infrastructure has plenty of business support.
@Kim Davis: If the lobby has business support, would said businesses re-think their stances considering the victims in this case were all big business themselves? Pardon me if I mix metaphors, but as soon as shoes start hitting financial fans there's a different reaction to the drops.
I take your point, Scott, but I'm not sure infrastructure companies will be sufficiently goaded to action by hits to banks. Something needs to strike closer to home -- which could be very unpleasant.
... unnamed "government officials" are saying the attacks are the work of Iran, "most likely in retaliation for economic sanctions and online attacks by the United States"
@Kim - so if these unnamed officials are so on top of it as to know who is behind the attacks, and their motives, why did they lack the technology or foresight to block these attacks to begin with? I would rather they spend less time on identifying a culprit and dissecting their motives, and spend more time speculating the where and how of the next attack and protecting against it.
Frankly, Lin, who knows what they're doing? Certainly the US government seems to have devoted resources to cyber exploits directed against Iran (Stuxnet, Flame). Perhaps they didn't invest enough in preparing for retaliation.
I normally agree with your posts Kim and have no difficulty with the content. However, this one is leaving me with a giant question mark above my head.
How do we get from a DDoS on a public facing consumer website to disrupting the banking system, or worse? There seem to be a lot of assumptions there.
I agree. I'm not quite getting how you're making the leap you appear to be making here. How exactly did this work? How do you know they used public cloud services? It's quite alarmist and without more detail, I'm not sure what to make of it. I agree with others that the New York Times details are sketchy at best. We know that New York Times reporters have been manipulated by government officials in the past to carry out their own agendas. I don't see any real evidence pointing to Iran. I don't see anything solid beyond some unnamed sources trying to raise alarms. I'm surprised that you're so quick to believe it without more concrete evidence to support the claim.
The New York Times published the newsworthy detail that officials are saying Iran is responsible. Now whether you believe the officials or not is another question, but generally speaking the Times can be relied on to report what they are saying accurately.
The details of the exploit were actually revealed a few months ago, but kept a low profile, partly because nothing was stolen, partly because there was no suggestion of nation state involvement. See, for example, the article I linked to: "Recent Bank Cyber Attacks Originated From Hacked Data Centers, Not Large Botnet".
The majority of the banking attack traffic does not appear to have been generated by client bots, but rather from compromised servers in data centers...
Not sure if I understand you correctly, Kenton, but if DDOS attacks could bring down banking websites for extended periods, that would surely be disruptive to the banking system.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.