Russell's Blog

Evidently, cyber-jihadists are planning to launch an attack on the web sites of US stock market and banking web sites, or so the U.S. Computer Emergency Readiness Team has learned from a blog somewhere.

I'm sure the security operations people at those institutions are glad for the heads up, although they are probably a little busy dealing with the millions of other attacks that hit those web sites every day. The NYSE's web site, and the web site of all major stock exchanges, are not strictly necessary for critical operations. In the unlikely event that the attacks succeed (where millions of other similar attacks fail), there would be no impact on the exchange itself. In any event, it doesn't seem as if website defacement is a major concern. Christopher Westfall, Managing Editor of KPMG's Banking Insider wrote in the Winter 2005 report "The State of the Banking Industry" :

"Usually, [remote] attacks against systems or networks are transient and don't have a long-term impact," [Goldman-Sachs vice president Byron] Collie said. Remote cyberattacks usually lack the widespread network access rights needed to cause serious damage. "Without access, no amount of technology will help," Collie added.

In the past, terrorists have used external computers as their method of attack in a few less-than-successful campaigns. Collie pointed to "cyberwar" between Israelis and Palestinians between October of 2000 through January of 2001. During that period, attackers from 23 countries hit eight governments, mostly with denial-of-service attacks and Web site defacements touting pro-Israeli or pro-Palestinian causes.

"There was a lot of hype in the media, so a lot of things that followed came under the definition of cyberterrorism," he said. Last summer, several banks and other financial industry firms were put on higher alert after detailed information identified several buildings as terrorism targets. But an employee with even the lowest security clearance into a financial services firm’s network can do enormous damage.

Website defacement is one of the least important threats to a financial company, with the possible exception of online banks (though even online banks usually separate their public websites from their banking web applications). If I were a security operations officer at a major company, I would be tempted to treat the main part of the public website as a sort of punching bag for people who are angry at the company. I might deliberately allow defacement of the website every now and then, on the grounds that this will probably satisfy most determined attackers. Having scribbled their message across the main home page, they would likely be less inclined to attack assets that are actually important.

So, as long as the DHS is recycling marginally credible threats of annoying mischief that it finds on obscure blogs, I might as well reveal that I am planning to explode some expensive TV broadcast satellites using focused beams of my own brain waves.

Pete, why did you have to go and shoot holes in that perfectly good paper? What did it ever do to you?

Then again, I write equations on perfectly good paper. If I were the paper, I'd take the holes.