InfoSec 2013: British Banks Threatened By DDoS Boom

British banks are preparing for a massive distributed denial of service (DDoS) onslaught, as the same group that hit US banks shifts some of its attention to European organisations.

Operation Ababil, which is being led by a group of attackers calling themselves the Izz ad-Din al-Qassam Cyber Fighters, pummelled US banks this year and last, taking their customer-facing services offline.

Bank of America and Wells Fargo took particularly nasty hits, with application layer attacks and other DDoS strikes measuring up to 70Gbps leaving online accounts inaccessible for many.

The hacking group, which claims it is taking action over the appearance of a controversial video entitled “The Innocence of Muslims”, has now turned its attention to European organisations, according to a number of security experts. Some believe the group are nation state-funded, with Iran cited as the most likely sponsor.

DDoS strikes banks

A handful of major European banks have been disrupted by DDoS attacks in recent months, including HSBC and ING, which warned on its Dutch site earlier this month its customer-facing systems had been hit. US banks continue to be disrupted, after a fresh campaign was kicked off earlier this year.

TechWeekEurope understands HSBC was targeted by Operation Ababil, but it is unclear whether ING was hit by the group.

Dell SecureWorks is investigating the technical side of the campaign, working with law enforcement, and Don Smith, technology director at the security firm, said there were “segments of the market that are very concerned about the impact of DDoS”.

Smith warned DDoS could be conducted on a large scale with “relative ease”, saying DDoS was becoming a risk not just to the Internet economy, but to the general economy too. “It’s not good.”

At the same time, DDoS attacks are getting ever more frightening. Figures from Arbor Networks, taken from over 250 global ISPs and Arbor’s customers, showed this year had already seen a large number of super-powered attacks. The number of attacks over 20Gbps is already almost equal to the figure of the entirety of 2012.

Of the attacks Arbor was able to trace, 17 percent came from China, making it the number one source of DDoS strikes, compared to 15 percent in the US.

Akamai reported in its State of the Internet report the number of DDoS attacks has grown by more than 200 percent year-over-year, as its customers reported 768 DDoS attacks in 2012. The commerce industry was the number one target.

It is believed a new DDoS record was set last month, when attacks aimed at taking anti-spam group Spamhaus offline saw a 309Gbps attack on a Tier 1 network provider.

UK banks are certainly concerned about the threat of DDoS. Joerg Weber, head of global attack monitoring at Barclays, told TechWeekEurope DDoS was something that had very high visibility at both the board and technical levels.

But it is not the sheer scale of attacks that scares Weber. In fact, massive DDoS strikes are easier to detect and therefore mitigate, he explained.

“If you throw someone 300Gbps it is easy to fingerprint, but if you throw 50Gbps it is a lot more difficult to fingerprint and block,” he added.

“The figures in themselves I’m not that bothered about – it’s more what type of attack is it, what does it consist of and how does it fit our mitigation strategy.”

According to Arbor’s director of research Dan Holden, Operation Ababil’s attacks have focused on the application layer, targeting pieces of the banks’ websites rather than throwing epic amounts of traffic at ports. And that’s what European firms should really watch out for.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • e-Security and ICT Infrastructure as a Basic Social Provision

    On 3 December 2012 a survey by Nu.nl reported that within two years from now cyber attacks would be viewed as the greatest business risk to the Netherlands, posing an even greater threat than economic uncertainty.

    Almost half of the companies questioned (48%) indicated that they would support additional protections against the online theft of intellectual property. Furthermore, 51% were in support of efforts to negate the effects of serious cyber espionage. What can the various players on the Dutch IT infrastructure scene do to address these issues? What is the best direction for policy to take now to address the rising issue of cybercrime?

    The Analysis

    Our understanding of the effects of cybercrime has grown rapidly in the past few years as our administrative and legal frameworks have risen to combat the new challenge. Nevertheless, few fully realise the effects cybercrime will come to have during our lifetimes, especially considering how dependent we now are upon the Internet in our daily lives. Cybercrime as a threat has grown so fast that a comprehensive solution to it does not yet exist.

    The Prognosis

    What will happen if the current tendency towards internet based machine-control continues? What will the implications of cybercrime be to cars with IP addresses, for instance? The potential exists for malicious programmers to bring traffic or other infrastructure to a standstill. This threat is more imposing than many of us might think: the first cases have already arisen of centrifuges, airplanes and nuclear power stations being compromised, along with a few rare cases of bridges and other infrastructure.

    Can e-security be improved? One should monitor vital points continuously by a security operating center (SOC). It is doubtful that the publication of a bi-annual paper will continue to be of use for much longer with technology moving as quickly as it is. A better model would be more in line with the current mode of practice in aviation. When the FAA inspector comes to visit, he really has the opportunity to see everything. When something out of order is detected, such as in the case of the new Boeing Dreamliner for instance, the whole fleet becomes grounded, providing a powerful economic incentive to keep the business permanently in order.

    The Cure: Develop E-Security as a Basic Societal Need

    Where can realistic solutions be found? Firstly, we require ICT infrastructure to be included in our list of basic social requirements. Belonging alongside the likes of hydrology, dikes, energy and sewers, information must be allowed to flow freely as an essential need, just as roads, dikes and drains are basic needs. It’s not just about safe access either, but all the essential elements of digital and digital business needs, such as E-ID, the digital signature, registered mail and perhaps even the digital notary.

    To my mind, the regulations governing the security of digital infrastructure belong within a Ministry of Infrastructure and Environment, possibly in combination with Security and Justice. They are completely analogous to other social infrastructures. Perhaps in the initial phase the recently established (Dutch) European Network for Cyber Security (ENCS) might fulfill its stated role as regulator. The Dutch National Cyber Security Center (NCSC) or perhaps TNO’s CyberLab’s might be able to add to this by acting as a supervisor. As ‘Rijkswaterstaat’ is responsible for coordinating roads and dikes, it should also form the supervisory body for basic ICT infrastructure.

    As a citizen I can assume that I should be able to drive safely over a publicly maintained bridge. While the internet is hardly a bridge, I should be able to assume that it is a safe and well-regulated place. I should be able to perform important tasks, such as sending my tax papers safely to the ‘Apeldoorn tax office’.

    In line with the reasoning that e-security and ICT are basic social provisions, there should be a measure of public guardianship of digital space. To put this into practice however, it will be difficult to make a commercial case for the monitoring of internet traffic. Just like the cameras overseeing a mall, which are neither paid for nor monitored directly by tenants, I feel we will need to move towards a system of public funding along the lines of an ‘ICT tax’.

    To address DDoS attacks, we should not directly regulate businesses, but we should rather look towards the two Dutch international internet exchanges. At least 90% of DDoS attacks come from abroad. These could be stopped at the border by the use of two large ‘anti-DDoS scrapers’, which in my view would be an efficient solution. I feel ‘Brussels’ would love this solution!

    Positioning ICT as basic social infrastructure does complicate the issue of whether the government should have control over the information to be conveyed. While this is probably another issue entirely, it looms over the entire discussion, and I personally feel that moves in this direction should be opposed wholeheartedly. ICT companies should only have to commit to serving their customers and to offering secure communications as a matter of social responsibility and of reasonable practice suitable to the Netherlands.

    Internet companies should also contribute to raising awareness of the risks to cybersecurity by drawing attention to the fact that smartphones are also computers and likewise require e-security measures, for example by informing customers at the point of purchase. At present, the vast majority of smartphones are operating completely unsecured, which is not really an ideal state of affairs considering the amount of online banking performed through such devices.

    The good news for businesses here should be that, should ICT become classified as ‘basic infrastructure’, it should fall under the lower VAT rate. This is a consequence of this argument which should both save the customer money and benefit competitiveness in the market for service delivery. To strengthen this point: a German judge recently ruled that internet access should be perceived as a basic social need.

    It is increasingly important that ICT players work together in the future. This could take the form of cooperation in the framework of the ENCS or under the direction of TNO, with other parties and political leaders being engaged to carry out this vision.

    ICT as basic social infrastructure is just too important to be left entirely to the market. Internet service providers really should not take the initiative to act as a watchdog but, in line with the preceding argument, one of the Ministries should take on this role.

    Further Actions

    Software is not currently regulated with regards to product liability. Cars, planes and pharmaceuticals must adjust to meet requirements and must relate to various licenses, so why is this not the case for software? The damage that can be caused by faulty software is certainly large enough.

    E-security assessment audits should be included in regular audits, with companies falling below a reasonable security level being forced to improve their standards. This is crucially important in sectors such as banking, in which valuable financial data can be extremely dangerous if stolen. Including cyber security as part of the audit process would introduce a substantial incentive for more awareness in this area in business.

    Final Remarks

    Perhaps an elementary school course on the internet is long overdue, along with a government campaign on cybercrime along the same lines as “safe sex”, designed to increase citizens’ and businesses’ awareness of cybercrime and its prevention. Ultimately, it is necessary to address this topic at a European level, perhaps even by granting Ms Kroes in Brussels some influence on the Googles and Microsofts of this world.

    The strategies I have outlined here should provide a guide for those considering going down this route. It is now more important than ever to take a firm approach to internet security.
