Hacking

SPOTLIGHT ON SECURITY

Tizzy Over Bank Cyberattacks Unwarranted, Say Researchers

A week-long cyber attack on some of the nation’s largest banks last week most likely wasn’t the Armageddon headline writers made it out to be.

“It’s ridiculous to consider an attack that takes your website offline for a few hours the world’s worst nightmare scenario,” Jeffrey Carr, CEO of Taia Global and author of Inside Cyber Warfare: Mapping the Cyber Underworld,” told TechNewsWorld.

The cyber attacks on the banks started Sept. 19 and ran through most of last week. The Distributed Denial of Service (DDoS) assaults slowed down service and even disrupted it entirely at some of the websites of the institutions, which included Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank.

Izz ad-Din al-Qassam Cyber Fighters, an Islamic group, claimed responsibility for the attacks. U.S. Sen. Joe Lieberman (I-Conn.) blamed the attacks on Iran.

There wasn’t anything about the attacks that made them extraordinary, said Richard Stiennon, chief research analyst with IT-Harvest. “We can say that they were successful at attacking a website, which isn’t the most impressive thing in the world,” he told TechNewsWorld. “It’s just an indicator of how unprepared most banks are for these type of flooding attacks.”

Carr contended that the attacks were standard hacktivist fare. “It’s just another example of how botnets are used by online activists to make a statement,” he said.

“It’s wrong to blame the state of Iran for this,” he added. “This is clearly a hacktivist stunt, and it should not be used to aggravate tensions that are already high for legitimate reasons.”

Persona Grata

The Mozilla Foundation, makers of the popular Firefox Web browser, recently launched a method for authenticating identities on the Web. Called Persona, the technology, now in beta, allows a website to authenticate a visitor’s identity by using only their email address.

Anyone can establish a Persona by opening an account at persona.org. Once a person has a Persona, logging into a website that supports the technology can be done with as few as a couple of clicks.

If the technology becomes popular, passwords could become passe on the Net. But that’s a big “if.” It takes developers awhile to warm up to new stuff, noted Rapid7 Security researcher Marcus Carey. “But since it is Mozilla and since they make a browser, I imagine this will be picked up,” he told TechNewsWorld.

Unlike competing technology OpenID, Persona better preserves privacy, he maintained. “Persona accomplishes a lot of the authentication and cryptography in the browser itself,” he explained, “so there’s no provider, like a Gmail, to know everywhere you go on the Internet.” That’s because although an email address is used for authentication, the provider of that address isn’t involved in the process itself.

There is a nettle in the Persona scheme, though, points out Stuart McClure, founder and CEO of Cylance. Hackers have a single point of attack to focus on. “When a bad guy wants to go after you, he just needs to hack up that primary username/password,” he told TechNewsWorld.

Those attacks can be mitigated by adding another authentication factor, such as a code sent to a cell phone. Mozilla said it’s working on adding another tier of authorization for a future version of the technology.

Do Not Trackers Unwelcome

“Do Not Track” is a feature browser makers have added to their products to protect the privacy of Web surfers. It does so, however, at the expense of Internet marketers. That’s a consequence the Information Technology and Innovation Foundation finds offensive so last week it announced it won’t be honoring Do Not Track requests at its site.

When a browser with Do Not Track activated requests access to the ITIF’s website, its operator will receive an alert from the organization telling them their Do Not Track request is denied.

“Do Not Track is a detrimental policy that undermines the economic foundation of the Internet,” ITIF Senior Analyst Daniel Castro declared in a statement.

“Moreover, while Do Not Track might work in the short-term,” he continued, “it will be a failure in the long-term.”

“It is my hope that with this alert ITIF will be able to remind people how easy it would be for sites to block users who enable Do Not Track, and by outlining how this will likely play out, policymakers will realize this is a useless endeavor,” he said.

“Instead of chasing a proposal that is doomed from the start, they should focus on meaningful efforts to protect user privacy that do not undermine the economic system that has supported decades of innovation on the Internet,” he reasoned.

Breach Diary

  • Sept. 25: Hackers post to Internet code for Norton Utilities 2006 that they claim was taken from Symantec servers more than a year ago.
  • Sept. 25: Danish graduate student Radu Dragusin reveals he discovered a data breach at IEEE website that exposed some 100,000 usernames and passwords of members of the professional organization.
  • Sept. 27: Adobe discloses that its internal certificate code signing infrastructure was breached around July 10. At least two malicious files were signed using a valid Adobe certificate. Adobe said it plans to revoke the certificates Oct. 4.
  • Sept. 27: The Crown Prosecution Service in the UK sends letter to more than 100 people arrested in student demonstrations in 2010 and 2011 informing them that personal data about them may be been exposed to the public due to a botched response to a freedom of information request. Agency faces possible fines of more than $800,000.
  • Sept. 27: North American Electric Reliability Corp. states it is investigating data breach of Telvent, of Calgary, Canada, which makes software used by big energy companies to manage the production and distribution of electricty. Telvent characterized the breach as a “sophisticated attack” and said it had an impact on its operations in the United States.
  • Sept. 27: Forrester Research reports that only 25 percent of data breaches are the work of external attackers.
  • Sept. 27: Global Payments reports its first quarter earnings fell 27 percent due to remediation charges connected to data breach in March when as many as 1.5 million credit card numbers were compromised.
  • Oct. 1: Connecticut data breach law takes effect.

Upcoming Security Events

  • Oct. 1: Launch of “S&TI Flash Traffic,” a monthly summary of R&D activities for 14 high risk nation states — states with high levels of hacker activity or acts of cyber espionage — published by Taia Global. Annual subscription $250 until October 1, $500 thereafter.
  • October 3-5:2012 National Cybersecurity and Innovation Conference. Baltimore Convention Center, 1 West Pratt Street, Baltimore. Sponsored by SANS. Registration: US$1995.
  • Oct. 4: The Silent Restaurant Killer — Customer Data Breach. Webinar. 2 p.m. ET. Sponsored by FastCasual.com.
  • Oct. 7-13: Forensics Prague 2012. Angelo Hotel, Prague, Czech Republic. Sponsored by SANS. Course prices range from Euro 650 to Euro 3,895.
  • Oct. 9-11: Crypto Commons. Hilton London Metropole, U.K. Discount registration (by Sept. 12): Pounds 900. Standard registration: Pounds 1,025.
  • Oct. 16-18: ACM Conference on Computer and Communications Security. Sheraton Raleigh Hotel, Raleigh, N.C.
  • Oct. 18:Suits and Spooks Conference: Offensive Tactics Against Critical Infrastructure. Larz Anderson Auto Museum, Brookline, Mass. Attendance Cap: 130. Registration: Early Bird, $295 (by Sept. 18); Standard, $395 (by Oct. 17).
  • October 20-21: Ruxcon 2012. Melborne, Australia. Registration: AUS$350.
  • October 22-23: Cybersecurity Conference. Grand Hyatt, Washington, D.C. Managed by 1105 Media. Expo Admission: Free. Conference Registation: US$295 for government employees; US$495 for others.
  • Oct. 22-25: eCrime 2012. El Conquistador Resort & Conference Center, Las Croabas, Puerto Rico. Sponsored by the Anti-Phishing Work Group (APWG). Registration US$575.
  • Oct. 25-31:Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.
  • Nov. 3-6: Information Security Forum Annual World Congress. Chicago.
  • Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels