On Dutch Banking Woes and DDoS Attacks

DDOS-attackIf you don’t live in the Netherlands or don’t happen to have a Dutch bank account, you can certainly be forgiven for not having caught wind of the major banking woes that have been plaguing the Dutch. For weeks now, massive DDoS attacks (linked article in Dutch) have brought low the online services of several banks, interrupting mobile payments and slowing down overall online financial traffic. At the center of the digital storms is ING, which was hit first (Dutch) and is hit the most often (Dutch), but Rabobank, ABN AMRO and SNS Bank are also frequent targets. Dutch online payment system iDeal has also been attacked several times, impacting virtually all Dutch banks as well as the many online retailers that use it.

What the goal behind this wave of DDoS attacks is, is as yet unknown, but there are several possible motives at play. It could be simple vandalism, a rather hefty attempt at misdirection to cover up real hacking attempts, or it could have something to do with ING and ABN AMRO being implicated or involved with investigations into tax evasion through offshore banking by the ICIJ. The latter seems unlikely, as most of the DDoS traffic appears to be coming from Romania (according to hackers collective HacksIn – I had a link about that, but lost it somehow) and no motive has made itself known thus far. It was a matter of time until Anonymous came along to jump on the bandwagon, and indeed its Dutch chapter appears to have done so this week when someone posing as Anonymous posted a message on Pastebin. In it, they claim to know who is behind the DDoS attacks (a group of Muslim extremists called Izz al-Din al Qassam Cyber Fighters), and that the Dutch people should go out and collect their money from these banks because it is not safe there.

There are, however, some issues with this post on Pastebin. Firstly, the group they blame for the DDoS attacks is in fact the group responsible for attacks on US BANKS, and there is no discernible link between the US banks being hit or the Dutch banks currently under attack. The motive for the attack against US banks seems clear: Izz al-Din al Qassam demands the removal of the movie “Innocence of Muslims” from Youtube. Once the movie is removed the attacks will stop, they claim. To my knowledge, no such demands have been made here in the Netherlands.

The second issue is that the advice posed by Anonymous would, in fact, immediately collapse the Dutch financial market, as no Dutch bank is currently strong enough to survive such a proposed bank run. They simply don’t have sufficient cash in their vaults. In other words: this is a really bad idea.

So what now?
For starters, ING should hire someone who knows how to communicate during a crisis. Its obvious that they suck at it. They’ve finally stepped off their “Silence, Evade, Deny” strategy but its taken a while. All major companies should look into this, because they may very well be next. Second, major companies with a serious online presence should really start taking this stuff seriously. DDoS attacks are hardly new material to deal with, and proper impact negation tactics have been around for a while. If your income is dependant on online services and this income is significant, get a real ISP that understands this and has expertise in countering such digital vandalism such as Arbor Networks or Prolexic.

The bad news is that according to a recent Prolexic report, DDoS attacks are getting increasingly stronger. They have seen the first 130GB/s DDoS attack this year, and during the first quarter of this year the average attack bandwidth was 48.25GB/s, which signifies a whopping 718% increase over last year. The increase seems to come from a change of victims in the botnets (Dutch) they use. Apparently, they are now targeting web servers especially for their higher bandwidth capacity, which in turn increases overall attack bandwidth. On top of that, the DDoS attack seems to have regained its popularity because the targetlist is growing. Airlines such as KLM (Dutch) and Dutch authentication firm DigID (Dutch) have also recently been hit with massive attacks. In an effort to stave off this wave of disruptions, the Dutch National Cyber Security Center has been organising collective defense (Dutch) between Dutch banks, but it seems they may have to include firms from other walks of life as well. I think we can safely conclude that this avenue of attack is still very worthwhile and won’t be going away anytime soon.

In fact, things may get a lot worse if this newly discovered DDoS technique gets incorporated. Apparently Incapsula mitigated a small attack of 4GB/s recently, and they traced it back to a single source. Generating 8 million DNS queries per second, causing ALL of the 4 GB/s traffic by its lonesome, certainly qualifies it to be called a DDoS Cannon instead of a lowly bot. I don’t know if it is technically feasible, but imagine 100K+ systems doing this.

Wrapping up this piece, I would like to ask mainstream news reporters to please start learning some basic truths about information security. Stop referring to DDos attacks as “(sophisticated) cyber attacks”. They’re not. A DDoS attack is annoying, yes. But on the scale of sophistication they rate roughly as digital graffiti. Also, some major outages are caused by stupidity from the victim rather than an outside source. At least ONE major outage on april 4th of this year at ING was caused by someone messing up certain files that had to be read into a system. This caused a major outage and customers seeing the wrong amount on their bank accounts. This incident was also the most significant failure of ING’s webcare / crisis communication because they didn’t do anything until the problem was almost fixed (many hours later). Still, mainstream media fed the panic frenzy that it was an external “sophisticated cyber attack” until the absolute very end. Very poor reporting if you ask me. Proper reporting matters because your news is read by people who take it for immediate truth. You can, and do, cause panic and unrest when you blow things out of proportion, so please stop doing so. Thank you.

Dutch MoD releases Defense Cyber Strategy

At long last, the Dutch Ministry of Defense has published a crucial piece of Cyber Doctrine by publishing its Cyber Strategy [PDF Alert – Dutch]. It was given quite a nice introduction by the Dutch Minister of Defense Hans Hillen, who introduced it during the MoD’s Cyber Symposium in Breda on the 27th of june. During this introduction it was also asserted that over 90% of all attacks to Dutch military systems and networks was of Chinese origin, which made me wonder why we haven’t heard any political outcry yet, but I digress as this is not the topic I had in mind of treating today. Let’s get to the document in question: It’s a total of 18 pages long and the introduction of the Dutch Cyber Defense Strategy is, as is often the case in such documents, very telling. The language used should be looked at as defining terms by which the rest of the document can be interpreted.

In the introduction the Dutch MoD acknowledges that they use the digital domain for (satellite-)communications, information-, sensor-, navigation-, logistical- and weapons systems, that are dependent on secure internal and external networks of digital technology and that  this makes them vulnerable to cyber attacks.

They also acknowledge that other countries are developing offensive cyber capabilities and that non-state actors are also capable of forming a threat to Defense forces by attacking digital systems and networks. What’s interesting is that this strategy also acknowledges the blur of the lines between the combatant and the non-combatant, and also the blurring of the borders of any operational areas. Both are key components of the “Fourth Generation Warfare” principle and it seems that the Dutch MoD has at least partially accepted this principle. What makes this so interesting is that they are declaring that non-combatants may also be actively targeted. In essence, they are putting the world on notice that walking around without a uniform is no longer an automatic safe haven, and that if you’re involved with any kind of cyber attack, part of a militia or a terrorist, you have a bull’s-eye on your head. No matter where you are. Plain and simple.

The last paragraph of the introduction specifically mentions that the Military Industrial complex is already a major and consistent target of cyber attacks because they develop and produce high-grade military technology. The strategic and economic value of their digital assets is high and as such these need to be very well guarded, also in the Cyber aspect. This ties in nicely with my earlier articlebased on the MIVD’s yearly report.

For those interested in what official Dutch political documents and official questions this document ties into, here’s the official answer:

The Defense Cyber Strategy was created in answer to:

  • The publication ‘Defensie na de kredietcrisis’ of April 8th, 2011 (“Kamerstuk 32 733, nr. 1”);
  • The piece to be covered by the MoD in the National Cyber Security Strategy as I covered earlier (“Kamerstuk 26643, nr. 174”);
  • The advice given on Digital Warfare by the Advisory Council on International Questions (AIV);
  • The Advice Commission’s (CAVV) answer to the questions posed in “Kamerstuk 33 000-X, nr. 79”;

 Right, so we have that covered. Now let’s get to the meat of the document. From the onset it looks pretty promising. The strategy has six driving points and they are very broad (but relevant): 

  1. Creating an integral and integrated approach;
  2. Increasing digital resillience of the entire MoD (Cyber Defense);
  3. Developing the capability to carry out cyber operations (Cyber Offense);
  4. Reinforcing intelligence gathering in the digital domain (Cyber Intelligence);
  5. Increasing knowledge and innovative power of the MoD in the digital domain, including recruiting and keeping qualified personnel (“adaptive and innovative”);
  6. Intensifying collaboration nationally and internationally. 


Dutch Military Intelligence dives into Cyber

The Dutch Military Intelligence agency (MIVD) recently released its 2011 yearly report (in Dutch). As is usual, they covered the events of 2011, but also did some forecasting for 2012. Its especially this last bit I was interested in, and im writing this in the hope that you feel the same way.

One of the most interesting facts I extracted from the report is that the MIVD will be focusing the majority of its Cyber Warfare efforts in countering Cyber Espionage. Given that this is probably the most tangible and widely represented cyber activity currently employed, I think this is a wise choice. Add that to the fact that the Netherlands is, by far, the most connected country in Europe (highest internet penetration in Europe with 83%; highest broadband internet penetration in the world with 68% of its connections at 5mbs or faster) it would probably be a safe assumption to say that our economy is critically interwoven with the Internet. Now, I know that there’s a lot to be said about the military defending a mostly commercial and/or civil commodity, but personally I’m happy with this direction. If anything, it’s *a* direction and from what I’ve seen this has not always been the case in the past.

Three other interesting tidbits that were published in the report involved the MIVD’s future collaborative efforts. One of these is a rather obvious and expected one, but it involves their supporting the Dutch Ministry of Defense with their Cyber Operations through involvement with Taskforce Cyber. A less obvious one is their intention to support in ‘cyber-aspects’ of the Dutch military industrial complex. They don’t really go into how they intend to assist, other than that it will involve working with Dutch domestic intelligence agency AIVD. This is too bad because it sounds interesting. Considering the major cyber security breaches in the past at American defense contractors such as Booz-Allen Hamilton, Lockheed Martin, L3 Communications or Northrop Grumman, it certainly sounds pertinent. They don’t mention it specifically, but odds are good that this (and only this) is what the MIVD has in mind when they mention countering cyber intelligence. Lastly, and to me this was the most interesting, they reveal their intentions to collaborate with the AIVD to set up a special SIGINT Cyber Unit (or command – this wasn’t mentioned) to generate shared cyber intelligence. Their goals for this unit are straightforward: Assisting in cyber operations in support of regular military operations, chart threats, provide excellent cyber intelligence at all times, and to assist in attributing cyber attacks.

The report also tickled my interest in ‘cyber semantics’ when the MIVD asserted that offensive cyber operations usually include the same activities as cyber intelligence and/or cyber espionage. They also mention that cyber is increasingly important in counterintelligence, and mentioned that they would be increasingly exploiting social media such as Facebook, Hyves, Twitter et cetera. An interesting side note here is that due to severe upcoming Defense budget cuts and related contract terminations, it’s been observed that everyone in the Dutch armed forces is now suddenly absolutely perfect in every way (article in Dutch), because apparently it’s gotten to the point that calling in sick is now a bad career move. Our troops should be warned that venting their frustrations through social media is probably a bad idea at this time, however much it may be valid criticism.