Seeking Alpha

iTrax's Instablog

iTrax
EXPERIENCE - KNOWLEDGE - INTEGRITY: 25 years of experience in media production; newspaper, magazines, radio, tv, web-publishing, multimedia and corporate communications. Also experienced in starting new business, management and consulting. Areas of expertise: Economic- and financial journalism,...
My company:
H5F communications Ltd.
My blog:
RATIONAL ARROGANCE
My book:
Toppsjefen
  • Real Mafia War Online; Could Crash The Global Internet

    Last week econoTwist's reported on what was most likely the largest cyber attack on US banks, ever. Now it turns out that it was only the beginning of something much larger - and even scarier - the largest computer attack in the history of the Internet. The biggest DDoS attack ever recorded is said to be jamming crucial infrastructure all over the world and causing widespread congestion. But this has nothing to do with Anonymous or other online activists - this is in fact the first full-blown real mafia war online we've ever seen. I'm afraid it won't be the last.

    "These guys are just mad."

    Patrick Gilmore

    According to the BBC, five national cyber-police forces are investigating the attacks. The attackers have used a well-known tactic called "Distributed Denial of Service (DDoS)," which floods the intended target with large amounts of traffic in an attempt to render it unreachable. But they have also found a way to amplify the effect, creating a data tsunami of 300 gigabytes per second - three times larger than any DDoS attack we've seen before.

    The intended main target appears to be Spamhaus, a European organization that maintains a blacklist of ISPs that supposedly host "spam gangs" and who refuse to stop serving them as customers.

    Spammers are - plain and simple - the marketers of organized crime, making it possible for counterfeit products, medicine and illegal (child) pornography to reach potential customers worldwide. They are the "street pushers" of internet dope.

    And the competition seems to have reached a whole new level.

    As you can imagine, Spamhaus has no shortage of enemies, given its line of business. But most rumors point to the Dutch spammer CyberBunker, which prides itself on hosting anything - except terrorist material and child pornography. Cyberbunker brags on its Web site that it has been a frequent target of law enforcement because of its "many controversial customers." The company also claims that at one point it fended off a Dutch SWAT team. "Dutch authorities and the police have made several attempts to enter the bunker by force," the site says. "None of these attempts were successful."

    However, up until now these cyber cowboys have fought their internal battles mostly by blocking each other's traffic. But this time the Dutch were really, really angry.

    Sven Olaf Kamphuis, an Internet activist who claims he is a spokesman for the attackers, says in an online message to The New York Times that Cyberbunker was retaliating against Spamhaus for "abusing their influence."

    According to the NYT, they got help from Eastern European and Russian gangs.

    "Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet. They worked themselves into that position by pretending to fight spam," Mr. Kamphuis says.

    Spamhaus is pretty resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline on March 18. A spokesman for Spamhaus says the attacks began on March 19, but have so far not stopped the group from distributing its blacklist.

    Patrick Gilmore, chief architect at Akamai Technologies, confirms Spamhaus's role as generator of Internet spammer lists.

    Commenting on Cyberbunker, he says: "These guys are just mad. To be frank, they got caught. They think they should be allowed to spam."

    Mr. Gilmore also explains that the attacks consist of concentrated data streams that are larger than the Internet connections of entire countries.

    He compares the technique to using a machine gun to spray an entire crowd when the intent is to kill one single person.

    If you want to read what the involved parties have to say for themselves - here are some links:

    Amplified Attack

    What makes this case especially interesting (and disturbing) is that the cyber criminals seem to have found a way to amplify the attacks.

    Professor Alan Woodward of the University of Surrey, one of the UK's premier computer security experts, says that the attack "seems to be orders of magnitude larger than anything seen before," and highlights the technique that's been used.

    "The thing that got people talking is that it's a DNS amplification attack. The point is, if you're targeting something and the target has a 10 Gbps switch, you only have to throw 11 Gbps at it and you've pole-axed the system. If it is at 300 Gbps, then potentially some of the main infrastructure is being affected, though I'm not sure how much it's really affecting it."

    The company that Spamhaus called for help, Cloudflare, provides an even more detailed explanation:

    "The largest source of attack traffic against Spamhaus came from DNS reflection… This method has become the source of the largest Layer 3 DDoS attacks we see (sometimes well exceeding 100Gbps). Open DNS resolvers are quickly becoming the scourge of the Internet and the size of these attacks will only continue to rise until all providers make a concerted effort to close them…"

    "The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control."
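
The pattern described in the quote above, seen from the receiving network: large DNS answers arrive from many resolvers for queries the host never sent. The following is an added example, not part of the original post or any Cloudflare code; the packet records are constructed, and the thresholds and the assumed query size are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample of DNS packets seen at a network edge (not real traffic).
# Fields: (src, dst, dns_id, is_response, size_bytes)
PACKETS = [
    ("10.0.0.5", "198.51.100.53", 0x1A2B, False, 64),   # local client query
    ("198.51.100.53", "10.0.0.5", 0x1A2B, True, 120),   # its matching answer
    ("203.0.113.10", "10.0.0.9", 0x7001, True, 3100),   # nobody asked for these
    ("203.0.113.11", "10.0.0.9", 0x7002, True, 3050),
    ("203.0.113.12", "10.0.0.9", 0x7003, True, 3120),
    ("203.0.113.10", "10.0.0.9", 0x7004, True, 3090),
    ("198.51.100.53", "10.0.0.5", 0x9999, True, 110),   # one stray late answer
]

# Assumption: size of the small request that triggered each large answer.
ASSUMED_QUERY_BYTES = 64


def unsolicited_by_host(packets):
    """Group DNS responses that match no earlier query from the receiving host."""
    outstanding = set()  # (client, resolver, dns_id) for queries still unanswered
    stats = defaultdict(lambda: {"bytes": 0, "count": 0, "resolvers": set()})
    for src, dst, dns_id, is_response, size in packets:
        if not is_response:
            outstanding.add((src, dst, dns_id))
            continue
        key = (dst, src, dns_id)
        if key in outstanding:
            outstanding.discard(key)  # normal request/response pair
            continue
        entry = stats[dst]
        entry["bytes"] += size
        entry["count"] += 1
        entry["resolvers"].add(src)
    return stats


def reflection_targets(packets, min_resolvers=3, min_bytes=5000):
    """Return hosts receiving large unsolicited answers from many resolvers.

    min_resolvers and min_bytes are illustrative thresholds, not tuned values.
    """
    flagged = {}
    for host, s in unsolicited_by_host(packets).items():
        if len(s["resolvers"]) >= min_resolvers and s["bytes"] >= min_bytes:
            flagged[host] = {
                "resolvers": len(s["resolvers"]),
                "bytes": s["bytes"],
                # Bytes received versus what the requests are assumed to have cost.
                "est_amplification": round(
                    s["bytes"] / (s["count"] * ASSUMED_QUERY_BYTES), 1),
            }
    return flagged


if __name__ == "__main__":
    for host, info in reflection_targets(PACKETS).items():
        print(host, info)
```

A single stray answer (the last record) stays below both thresholds, so only the host receiving answers from several resolvers is reported.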

    Exactly, How Dangerous?

    Steve Linford, chief executive for Spamhaus, says that this kind of attack power would be strong enough to take down government internet infrastructure.

    "If you aimed this at Downing Street they would be down instantly. They would be completely off the internet."

    "They are targeting every part of the internet infrastructure that they feel can be brought down," Mr Linford says.

    "There's certainly possibility for some collateral damage to other services along the way, depending on what that infrastructure looks like," says Dan Holden, director of security research at Arbor Networks.

    "If it was done really seriously in a wider attack, then it could affect many users. Trying to take down the whole internet is impractical, but you could start to decapitate sections of it," Professor Alan Woodward says, according to gigaom.com.

    So, just to summarize:

    • We now have local police trawling Facebook in search of gang activity.
    • The FBI is busy chasing trolls who mock them by hacking their computers.
    • Governments are making laws to forbid people from speaking their mind on their personal blogs.
    • Meanwhile, the really dangerous cyber criminals are experimenting with new cyber weapons with unimaginable destruction power.
    Mar 28 3:52 PM
  • US Banks Hit By Largest Cyber Attack Ever (But Won't Admit It)

    Last week's cyber attacks against US banks were more widespread than reported. In fact, it may have been the largest attack ever, industry experts say. According to Radware, a security firm that has investigated cyber intrusions on behalf of financial firms, roughly a half-dozen institutions endured digital assaults at around the same time, Tuesday. But only JPMorgan Chase (JPM) and BB&T (BBT) have so far confirmed the incident.

    "If you have a leak in a boat, you can build a bigger boat so the leaks won't mathematically sink your boat. That's been fundamentally the process many folks have been taking."

    Carl Herberger

    The attacks followed a threat earlier Tuesday by the al-Qassam Cyber Fighters, a group that has claimed responsibility for a series of incursions since September that have bogged down websites at some of the nation's biggest banks and prevented customers from accessing their accounts. Tuesday's attacks "were the largest attacks we've seen to date in scale," says Carl Herberger, vice president of security solutions at Radware.

    The group, which has vowed to continue its campaign until YouTube takes down a trailer for an anti-Muslim film, said it would target JPMorgan Chase, Bank of America (BAC), Citibank (NYSE:C), PNC Financial (PNC), Fifth Third Bancorp (FITB), Union Bank, BB&T (BBT) and Capital One (COF) for another round of assaults, AmericanBanker.com reports.

    "The one that was advertised to the world was Chase, but I can tell you that almost on an hourly basis banks were being attacked, which is a very substantial campaign."

    "If you actually measure the response time of some of these banks that are being attacked, you can see that they are under duress," Herberger says, adding: "Most of them labored for hours on end with little or no response."

    Herberger declined to say which banks beside Chase weathered attacks on Tuesday, citing confidentiality agreements between Radware and its clients.

    BB&T spokeswoman Merrie Tolbert said in an email that the Winston-Salem, N.C., bank "experienced intermittent outages yesterday" but said the bank was able to restore service quickly. Daniel Weidman, a spokesman for Union Bank, said in an email the bank's website also "experienced intermittent outages" on Tuesday before resuming regular operation.

    Citigroup, Fifth Third and Capital One spokespeople said their companies' websites functioned normally on Tuesday. Bank of America's websites also continued to operate without incident, according to a source close to the company.

    "If you have a leak in a boat, you can build a bigger boat so the leaks won't mathematically sink your boat. That's been fundamentally the process many folks have been taking. We see few instances of fixing the leak," Herberger says.

    While banks continue to take steps to strengthen security, hackers continue to hone their capabilities and can outmatch banks' best efforts to deter them, experts say.

    Can Be A Diversion

    IT employees at banks are dealing with malicious coders at all ends.

    Depositories are being targeted both by denial of service attacks, in which botnets bombard a financial services company's website in order to shut it down and disrupt services to customers, and by invasive malware that infects customers' sometimes insecure devices and compromises their accounts.

    Often denial of service attacks "can be a diversion," says Dave Ostertag, a computer security expert and a global investigation manager with Verizon. At the same time, criminals might be trying to extract financial information from a bank using a variety of different techniques, he says.

    There are, of course, prescriptions banks can follow in order to block some fraudulent money transfers.

    Sergio Fidalgo, BBVA Compass' chief information officer, says his bank hedges against instances of high-tech theft by inserting people and processes into transactions. "There is not a single point of failure in which we rely on from a security perspective," he says. "It's not just about detecting, preventing and fighting the attacks... we have procedures that have to be strictly met when we talk about money leaving the bank."

    Human beings, however, can only catch so much, says Barak Eilam, president of Israeli tech vendor NICE Systems for the Americas.

    Eilam stresses that though computers can only do so much, they certainly pare down what could be indomitable threats to banks by flagging suspicious activity. "Because of banks' scale, complexity, and sophistication … this is where technology comes in place," Eilam says. "Technology helps."

    Even then, people will always be susceptible to social engineering attacks in which hackers pick up just enough information about a person to fool a bank employee into moving a victim's money, or worse.

    Still, as Herberger sees it, banks continue to play catch-up:

    "How is it we've gotten to the point where we've had the largest financial institutions, the most handsome security departments and all of the regulators, where there was a risk to begin with and numerous vulnerabilities that are exploitable, and yet we haven't been able to resolve it?"

    Good question.

    FULL POST@AmericanBanker.com

    Mar 28 3:37 PM
  • Great Entrepreneurs Break The Law

    Or at least bend the rules… It has to do with the very nature of innovation; pushing the boundaries, trying new things, doing it differently, living outside the box. But the tragic death of 26-year-old hacktivist Aaron Swartz has highlighted some very interesting perspectives on the relations between law and regulation on one hand, and innovation and entrepreneurship on the other. As it turns out, three of the greatest entrepreneurs of our time, Steve Jobs, Bill Gates, and Mark Zuckerberg, started by innovating near the edge of the law.

    "The word "hacker" has an unfairly negative connotation from being portrayed in the media as people who break into computers. In reality, hacking just means building something quickly or testing the boundaries of what can be done."

    Mark Zuckerberg

    And the fact is, if these titans of industry had faced the same sort of overly aggressive prosecution that the late Aaron Swartz did, they could have been threatened with being locked away and branded felons before ever starting Apple, Microsoft, or Facebook. They might have even faced a ban against their use of computers, rather than using them to create hundreds of thousands of jobs.

    Steve Jobs, Bill Gates, and Mark Zuckerberg. All three are credited with creating some of the most successful businesses in the history of the Internet, but they also have something else in common: they got their start by doing something that probably would have been classified as "illegal" by the same authorities that threatened Aaron Swartz with 35 years in prison and drove him to commit suicide.

    In the aftermath of Aaron Swartz's death, several online communities have joined a campaign that aims to reform the US computer law - known as the CFAA.

    The Electronic Frontier Foundation (EFF) is a driving force behind the campaign, and according to the EFF the CFAA and other computer crime laws shouldn't allow overzealous prosecutors to lock away the next Steve Jobs or Aaron Swartz for years, or even to threaten to do so in order to force them to plead guilty.

    "In all of their names, it's time we bring some proportionality back to computer crime laws, both in their scope and in the penalties they provide," Trevor Timm at EFF.org writes on their website.

    The CFAA can (and should) reach serious computer intrusions that cause real damage, as should related laws criminalizing identity theft, stealing trade secrets, or engaging in massive fraud. But the law needs to recognize the difference between commercial criminals and those who are merely "testing the boundaries" or engaging in youthful indiscretions. Right now, it hands prosecutors the same sledgehammer regardless.

    EFF.org has also made some interesting comparisons between the greatest IT entrepreneurs of our time - Steve Jobs, Bill Gates, and Mark Zuckerberg.

    The conclusion is even more interesting: If they had been subjected to the same treatment as Aaron Swartz, there would be no Apple, no Microsoft or no Facebook today.

    Mark Zuckerberg

    Mark Zuckerberg, the billionaire founder of Facebook, recently defended the oft-maligned term "hacker," recognizing that testing boundaries is a key part of innovation:

    "The word "hacker" has an unfairly negative connotation from being portrayed in the media as people who break into computers. In reality, hacking just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad, but the vast majority of hackers I've met tend to be idealistic people who want to have a positive impact on the world."

    Zuckerberg may have been speaking from personal knowledge. In 2006, while a sophomore at Harvard, Zuckerberg created a website called "Facemash" which compared photographs of Harvard's entire population, asking users to compare two photos and vote on who looked better. Zuckerberg allegedly got access to these photos by "hacking" into each of Harvard's nine House websites and then collecting them all on one site. It's not clear what this "hacking" was, but since the charges against him included "breaching security," it may have run afoul of the law.

    Steve Jobs

    Zuckerberg was following in the footsteps of the technology giants before him. Columbia Law Professor Tim Wu notes in the New Yorker that Apple co-founders Steve Jobs and Steve Wozniak did acts that were "more economically damaging than Swartz's."

    The two college roommates made what were called "blue boxes," cheap devices that mimicked a certain frequency that allowed them to trick AT&T's telephone system into making free long-distance calls.

    They also sold blue boxes before moving onto bigger and better ideas.

    "Experiences like that taught us the power of ideas…And if we hadn't have made blue boxes, there would've been no Apple," Jobs would say in an interview years later.

    Bill Gates

    Wu, writing about Jobs and Wozniak in the context of Aaron's death, remarked, "The great ones almost always operate at the edge."

    Bill Gates and his Microsoft co-founder Paul Allen may have gone even beyond that edge.

    In his autobiography, Allen told the story of when the two future billionaires "got hold of" an administrator password at the company they worked at before starting Microsoft. The company had timeshared computers and Allen and Gates were getting charged for using them for their personal work.

    The two men used the password to access the company's accounts and set about trying to find a free runtime account so that they could carry on programming without having to pay for the time. They also copied the account database for later perusal. However, management got wise to the plan.

    "We hoped we'd get let off with a slap on the wrist, considering we hadn't done anything yet. But then the stern man said it could be 'criminal' to manipulate a commercial account. Bill and I were almost quivering."

    They got off with a warning instead. The rest is history.

    Living on the Edge

    After their close calls, Gates, Allen, Jobs, and Zuckerberg went on to create three of the biggest technology companies in the world.

    While Aaron's interests were not corporate, the technological innovation he helped create and foster during his short life makes clear how much we've lost with his passing.

    Kevin Poulsen at Wired.com writes:

    Worthy, important causes will surface without a champion equal to their measure. Technological problems will go unsolved, or be solved a little less brilliantly than they might have been. And that's just what we know. The world is robbed of a half-century of all the things we can't even imagine Aaron would have accomplished with the remainder of his life.

    Mar 15 8:40 AM