Islamic hacktivists' bank attack claims gain credibility

Experts say executive order from President on cybersecurity would not help in instances such as Tuesday's Wells Fargo attack

The denial of service attack that disrupted the Wells Fargo & Co. electronic banking operations Tuesday was the fourth since last week. And it appears to lend some credence to threats and claims that the Izz al-Din al-Qassam Cyber Fighters, the military wing of Hamas, the Islamic party that governs the Gaza Strip, are behind them.

The group claimed responsibility for DoS attacks against Bank of America, JPMorgan Chase and Citigroup Inc. that disrupted online operations, and said the attacks would continue "until the Erasing of that nasty movie" -- a reference to a trailer of the independent film "Innocence of Muslims," which Muslims say insults the Prophet Muhammed.

This week, it said it had conducted Tuesday's Wells Fargo attack and that its next targets would be U.S. Bancorp and PNC Financial Services. Reports surfaced on Wednesday saying customers of those two institutions were having trouble accessing their websites.

Since the attacks began, there have been multiple theories floated about the source.

U.S. Sen. Joseph Lieberman (I-Conn), chairman of the Senate Homeland Security Committee, said last week in an interview on C-SPAN's "Newsmakers" program that he believed a unit of Iran's Revolutionary Guard Corps was behind them.

Also last week, the FBI issued a fraud alert, warning financial services firms that cybercriminals might try to disrupt their websites in an effort to distract them from noticing fraudulent wire transfers.

Some security experts said at the time that they might not even be attacks, but simply internal technical problems, similar to what shut down GoDaddy recently. Or, that they might simply be low-level attacks by anti-capitalist groups with a political agenda.

And even now there is not unanimous agreement that Izz al-Din al-Qassam Cyber Fighters is behind all the attacks. The group has not made good on all of its threats. It had also said it would attack the New York Stock Exchange, but trading has continued normally there.

Dmitri Alperovitch, chief executive of CrowdStrike, a private security firm investigating the attacks, told the Los Angeles Times that the claims "appear to be accurate in terms of predicting future attacks. But I wouldn't necessarily take at face value any of its claims about attribution or the video."

Whatever their source, the attacks have prompted some renewed calls for more coordination between the private sector and government, which was the goal of the 2012 Cyber Security Act (CSA) that failed in Congress last month.

But so far, they have not been even close to catastrophic, partially because, as a number of security experts have noted, DoS attacks are among the oldest and most basic, and do not require highly skilled computer programmers or advanced expertise.

Roger Thornton, CTO of AlienVault, called them "the digital equivalent of having a group of protesters block the entrance to a building or tie up the phone lines."

"These attacks can be a nuisance and can cause real damage or even physical harm at times -- if the 911 response system was tied up when you needed an ambulance, for example," he said. "But just like the protesters blocking a branch of the bank, a DDoS attack is very hard to prevent, somewhat inevitable regardless of your security posture and is not an attack that results in data stolen or systems permanently damaged."

And Thornton said there is already "a pretty good system for sharing threat data between the Department of Homeland Security and the financial services community today through a program run by FS-ISAC (Financial Services Information Sharing Analysis Center). There are already communication lines in place and these programs are part of the reason our banks are still operating in spite of such hostile threats."

Gary McGraw, CTO of Cigital, said he is a bit puzzled at all the interest in the recent wave of attacks. "These sorts of attacks happen all the time," he said. "I'm not sure why there seems to be more interest in these."

But he is certain that the banks don't need help from the government with DDoS attacks. "Google and Amazon don't need the government to help them with DDoS. That's ridiculous," he said.

Paul DeSouza of the Cyber Security Forum Initiative said the private sector and government have different roles to play. "The private sector should be responsible for deploying the necessary technologies and controls to include trained personnel to be able to continue to operate through and in cyberspace in the protection of their assets even under attack," he said.

"The role of the government should be of a supporting nature to include cyber intelligence and knowledge sharing capabilities," he said. "Offensive cyber responses are reserved to governmental actors with the appropriate authorities to engage in full spectrum cyber operations."

But Jody Westby, an attorney and CEO of Global Cyber Risk, said the problem is not so much coordination between the private and public sector in the U.S., but internationally.

"Cybercriminals today have effectively analyzed what jurisdictions lack skilled law enforcement, where cooperation is lacking or nil, and where cybercrime laws are either non-existent or civil penalties," she said.

"Meanwhile, we do not have effective cross-border cooperation and law enforcement support to counter the attacks. Until we address cybercrime, these attacks will continue to be sophisticated, ingenious, and successful," Westby said.

She said financial institutions do a good job overall in defending against attacks, but believes political leaders should at least be speaking out. "The President or State Department should show some diplomatic muscle," she said, even if the attacks are from a nation state. "Cyber Command does not have the legal authority to assist private sector networks."

She and others also say an executive order from the President to implement some of the provisions of the CSA, which is said to be close to being announced, would not help in this situation. "An executive order from the president could not expand the jurisdiction of the Defense Department and Cyber Command," she said.

Roger Thornton agrees. "Indicting and extraditing these actors from their home jurisdictions is next to impossible, so legal recourse is difficult," he said, adding: "I'm not sure there is much that [the President] could do."

Copyright © 2012 IDG Communications, Inc.
