"Financial Service Technology America, today's latest financial news now..."
24 May 2011

Under attack

By Lorna Davies


Financial services have become resilient in protecting themselves against most security breaches. ‘Hacktivism’ – the new term referring to hackers wishing to make a point rather than gain financial benefits – has a different agenda in mind. Lorna Davies explores the truth behind the headlines.


The recent cyber demonstrators, who disrupted websites and card payment services in revenge for the cutting off of services to WikiLeaks, the whistle-blowing website created by Julian Assange, caused a storm in financial services organizations. The 'hacktivists', known as Anonymous, have warned they will continue their campaign for total internet freedom. The group disrupted sites belonging to finance giants MasterCard and Visa by bombarding their websites with millions of bogus visits during a campaign they called 'Operation: Payback'. The attacks came after the credit card companies and PayPal announced they would no longer process donations to the anti-secrecy organization.

While most countries have ploughed much more attention and resources into cyber security in recent years, most of the debate has focused on the threat from militant groups such as Al Qaeda or mainstream state-on-state conflict. But attempts to silence WikiLeaks after the leaking of some 250,000 classified State Department cables seem to have produced a popular rebellion amongst hundreds and thousands of tech-savvy activists.

Anonymous appeared to be using social networking site Twitter to coordinate attacks on websites belonging to entities it viewed as trying to silence WikiLeaks.

Senator Joe Lieberman, Sarah Palin, and others who criticized WikiLeaks or stopped doing business with the document-sharing project were also hit. The WikiLeaks fallout has gone into a frenzy since the site began releasing diplomatic cables in November that have proved embarrassing for the U.S. government's diplomatic efforts.

At the time of FSTUS going to print, seven people accused of being connected with the attacks had already been arrested. Police in the Netherlands arrested two teenagers in early December suspected of participating in the Anonymous 'Operation: Payback' attacks. The pair is awaiting trial for computer crimes. UK police arrested five males suspected of being part of Anonymous in January.

These new threats showcase a new wave of cyber activity. While the motivation of attackers has evolved in recent years into typically one of financial gain, 'hacktivism' has been treated as a non-financial motivation. However, this latest example shows us that hacktivism is growing and can now be considered a synonym of cyber-retaliation.

Botnet attacks

Last year WikiLeaks came under intense pressure to stop publishing secret United States diplomatic cables. Corporations either stopped working with or froze donations to the website, bowing to government pressure. This then caused the botnet attacks. Botnets are usually created by criminals who use viruses and other methods to sneak malware onto computers, which then allows them to commandeer the machines for distributed denial-of-service (DDoS) attacks without the computer owners knowing it. But within the 'Anonymous' attack botnets took on a different role. "It's usually somebody that's created the software who can download it onto lots of host machines around the world, and normally that happens through scam e-mail attacks and people open the link and they don't realize that a piece of software is being downloaded onto their machine," Paul Rogers, the Chairman of Vendorcom, a membership organization which represents key stakeholders in the cards and payments industry, explains. "But in this particular case the malicious software is knowingly downloaded by members of the public who want to make a protest, want to make a point, particularly to the larger card brands that are taking down the service to WikiLeaks. There are usually a whole variety of malicious software tools that attack computers in different ways. But this is a very concentrated attack, focusing on card schemes and PayPal." This is what makes these attacks more interesting and, perhaps, more daunting: in the past, botnet-style attacks have usually happened where computers are taken over and the owner is innocent, unknowingly downloading the virus. This is a situation where many of the perpetrators have purposely downloaded the malicious software onto their computers to participate in hacktivism.

The hacktivist activity poses several threats to the card payments industry. The first is denial of service, as opposed to the financially motivated attacks the industry is used to. "This is the first time that we see that the attacks were not targeting any financial target," agrees Ron Meyran, Director of security products marketing at Radware. "So, I think that the threat today is that cyberspace is becoming like a playground where activists are like the gangsters. They don't like something, and then they misbehave or take the law into their hands."

These attacks have certainly filled column inches and made headlines, revealing the importance of the card payment system to our everyday lives. Rogers says that the impact to the infrastructure of the industry in terms of processing transactions has been slight. "It can only register in terms of annoyance and minor inconvenience. That's not to dismiss the effect that any delay might have on cardholders who expect instant access and speedy payment processing. Any impact of this type, however minor, is something that everyone involved in providing a safe and reliable card payment processing service strives every day to eliminate." But how did the hacktivists go about attacking card payment giants such as MasterCard? The attacks created a huge amount of data and traffic on the victims' websites. "In the case of the card schemes, this would've been different sorts of inquiries, it could be very simple things, but it's just a lot of communication hitting those servers," Rogers explains.

Riot ready

Rather than bringing the industry to its knees, however, Rogers argues the attacks proved the ready-for-anything attitude of the card payment industry. "The cards and payments industry is well used to these sort of attacks. These are not new. They're not common, but they are to be expected, but obviously they're not perpetrated by the type of people we're seeing these attacks being perpetrated by; they normally originate from fraudsters that are intent on credit card fraud." The media was, however, full of headlines like, 'Mastercard down - WikiLeaks responsible', so something must have happened that was substantially noticeable for consumers. The attacks hit the card scheme servers hard due to the sheer level of traffic to the sites, in particular in relation to e-commerce transactions. The servers ran slower than usual, meaning many cardholders thought the services were unavailable. "From having spoken to banks and payment processors and to one of the card schemes, I can say that there was at no time a situation where cardholders were unable to process safe and secure transactions," Rogers assures.

The nature of the attacks is such that standard network security tools like firewalls and intrusion prevention systems are unable to prevent them. "Companies affected, such as Amazon, MasterCard, Visa and the Swiss Bank, must have the best firewalls and intrusion prevention systems in place, but yet they've been down for hours and more than once," Meyran explains. What advice would Radware give organizations hoping to protect themselves from this new kind of attack? "To successfully mitigate against these attacks requires multiple network security tools and technologies including signature detection technology (IPS); hardware accelerated DoS Protection to mitigate network flood attacks; and Network Behavioural Analysis (NBA) with real-time signature to mitigate application misuse attacks, all part of Radware's DefensePro patented technology as well as human experts that gather intelligence," he says. "This combination is what provides the appropriate and effective ammunition to win the battle against new and emerging network attacks including the destructive DDoS attacks ignited by WikiLeak fans and what has enabled Radware's customer to prevail against them."

Tech-savvy WikiLeaks supporters also set up 'mirror sites' for WikiLeaks in response to various domain name services and data visualization companies refusing to support the site. With all the new sites continually being set up and taken down again, the question remained as to the identity of many members of Anonymous. The attackers could be traced, but as the attack was highly distributed there were tens of thousands of sources to be ploughed through to find the users at fault. The sources were also widespread globally, not just in the U.S. but also in the UK, Russia, China and Japan, again complicating the web of sources for prosecutors to trawl through. Then there is the question of an actual crime: no information was stolen, no ransom was requested and no user account breached. The attacks were a protest by people wanting to make a point, but the outcome for the card payment industry could have been some financial loss or, perhaps more importantly, the loss of consumers' trust in its security.

Alongside possible financial losses from sites being taken down, the potential reputational damage to firms is massive. MasterCard has been mocked widely across the net as users re-worded its distinctive advertising slogans: "Freedom of speech: priceless. For everything else there's MasterCard." This behaviour highlights the importance of preventing attacks such as this. The education and training of staff plays a vital role. Staff today must be aware of this new kind of threat, meaning human resources and technology go hand in hand. "You need both a human factor and technology for behavioural analysis of incoming traffic sources," says Meyran. "In many companies they concentrate on technology but they don't invest in the human factor, so they find out that even though you have the tools, you don't have the people behind them to operate them effectively. The traffic should be suspected, and then it will be prevented."

Mobile threat

While most denial of service attacks use botnets to hijack other computers to overload websites, Meyran suggests these attacks were different as attackers were using their own computers, downloading software from Anonymous. With mobile banking becoming increasingly common, will users be more at risk from attacks? Meyran thinks so. The banking industry is one of the prime targets of cyber attacks, and although technology has just caught up with installing firewalls and other protective agents onto computers, there is not the same protection for, say, iPhones and Android devices. "The danger falls on mobile banking simply for the reason that new devices are introduced with lower security," says Meyran. "People are less aware of the risks of low security mobile devices - so I don't think it's going to slow down the trend [of mobile banking]."

The attacks have sparked a trend that is growing rapidly: attacks on business applications that are not necessarily out to shut down organizations but to misuse them. "So if there's a gaming site or a gambling site, there will be fake users which will start playing in gaming codes, or if it's an online business they will become new users, adding unwanted traffic to the site," Meyran explains. "Every workplace would like to believe that the users accessing their websites are real users, but machines can be controlled by the competition. We [Radware] are developing the technology which would let businesses identify whether the sources or the users that are generating transactions are real or fake users." New awareness, technology and education will help protect the card payment industry.

The website attacks launched by supporters of WikiLeaks show 21st-century cyber warfare evolving into a more amateur and anarchic affair than many predicted.

Cyber security has taken on a new meaning and must evolve to counter a phenomenon that is set to become an actual method of hostile engagement.


Paul Rogers is the Chairman of Vendorcom, a membership organisation that represents key stakeholders in the cards and payments industry in Europe. Its primary aim is to promote innovation, create a platform for thought leadership, provide a forum for knowledge sharing and issues resolution for its members and encourage capability development across the cards and payments industry.

Ron Meyran is the Director of security products marketing at Radware. He leads the strategic plan of Radware's IPS solutions for the enterprise, eCommerce and carrier markets. He has also been published in IT & security industry magazines and represents Radware at various industry events and trainings. Prior to joining Radware as Product Manager in 2003, Mr. Meyran worked at BrightCom Technologies, where he served as Product Manager for the company's Bluetooth product line based on a fabricated chipset and software.


WikiLeaks under attack: timeline

Sunday, November 28 2010

DDoS attack hits WikiLeaks as first set of US diplomatic cables is published.

Wednesday, December 1 2010

Tableau Software removes public views of graphics built using information about diplomatic cables - the first company to distance itself from WikiLeaks.

Lieberman calls for WikiLeaks to be taken offline.

Amazon removes WikiLeaks' content from its EC2 cloud service.

Friday, December 3 2010

WikiLeaks.org stops working after everyDNS.com ends support. WikiLeaks shifts to Swedish domain.

Saturday, December 4 2010

PayPal permanently restricts account used by WikiLeaks.

Monday, December 6 2010

MasterCard withdraws ability to make donations to WikiLeaks.

Postfinance shuts down one of Assange's bank accounts.

Tuesday, December 7 2010

Visa withdraws ability to make donations or payments to WikiLeaks.

Tuesday, December 21 2010

Apple removes an unofficial WikiLeaks app from sale in the iTunes App Store just three days after it went live.

Saturday, January 8 2011

It emerges that the US justice system has obtained a court subpoena demanding that Twitter hand over all details of the accounts and private messages of five WikiLeaks supporters and members, including Assange as well as Bradley Manning (the alleged army leaker) and Icelandic MP Birgitta Jónsdóttir.


UPDATE

On Tuesday, February 15, U.S. Representative King, Chairman of the Committee on Homeland Security, re-introduced legislation that will give the Department of Justice additional tools to prosecute future disclosures by WikiLeaks founder Julian Assange or similar organizations.

'The SHIELD Act' (The Securing Human Intelligence and Enforcing Lawful Dissemination Act) H.R. 705, amends the current law to clarify that it is an act of espionage to publish the protected names of American intelligence sources who collaborate with the U.S. military or intelligence community. King has previously called for the arrest of Assange - calling on Attorney General Eric Holder to prosecute the WikiLeaks founder under the Espionage Act.

NEWS

New evidence leaked online by the Anonymous collective seems to indicate that well-connected private security firms were targeting journalists sympathetic to WikiLeaks. The news comes as corporations, governments and web collectives such as WikiLeaks and Anonymous engage in continued online combat.

Emails hacked from corporate security firm HBGary Federal that targeted Anonymous imply that they and others were pitching hit pieces on journalist Glenn Greenwald of Salon.com and monitoring James Ball of The Guardian and Jennifer Lee of the New York Times, along with other journalists.

HBGary Federal's computer systems were hacked by Anonymous after the firm publicly announced they were close to unmasking the identities of high-ranking members. Shortly after the announcement, Anonymous members posted a cache of 60,000 emails belonging to HBGary Federal CEO Aaron Barr on the popular The Pirate Bay website as well as others.

Source: Fastcompany.com


Assange – simultaneously one of the most hated and revered people in the world – was arrested in London in December on a Swedish accusation of sexual assault. The U.S. government has indicated that Assange could be in legal jeopardy for disclosing classified information because he's "not a journalist". The federal government may seek his extradition to the United States, which has reportedly already been the topic of discussions between U.S. and Swedish officials.

