Finnish Bank OP Under Persistent DDoS Attack 92
An anonymous reader writes The Finnish bank OP Pohjola Group has been a target of a dedicated DDoS attack for days. The attack, which investigators said was launched from both Finland and abroad, began on New Year's Eve. OP was forced to open a helpline for customers unable to confirm payments or transfer money because of jammed systems. On Saturday the firm said it would compensate people for any losses or late payment fees incurred as a result of attack. On Sunday morning the bank tweeted that its services were operating normally and even customers based outside Finland were able to access their accounts — and that it was still monitoring traffic carefully to try and ward off any renewed strikes. However, on Sunday afternoon further denial of service attacks took place delaying payments and preventing access to banking services for OP customers. A formal police complaint has been filed and OP says that KRP is looking into the case.
Re: (Score:3, Funny)
God prefers stone tablets. They last longer, at least if you don't intentionally smash them...
Re: (Score:2)
No. You login as AC over http.
Firesheep (Score:2)
If you log in to Slashdot as a user, the password is sent over HTTPS, but then your session cookie is sent over HTTP where anyone can Firesheep it [wikipedia.org] and pretend to be you. Only subscribers are protected from cookie copying.
Am I tepples, or am I pretending to be?
Re: (Score:2)
How interesting that you post it in a story about a DDoS. Want to give us ideas how to deal with that spam?
Re: (Score:2, Interesting)
Sure... Linux will solve all DDoS problems with fairy dust and other magic.
I'm by no means a fan of Windows, but install any odd Linux distribution of a few months old on a public IP address, with most standard features enabled and let's see how long it lasts without getting exploited.
Also, Linux solves nothing if you're on the receiving end of a very large DDoS. The only thing that will help you then is sufficient bandwidth, sufficient server capacity and dedicated, specialized filtering equipment. Then ag
Re: (Score:2)
Not every problem is a nail. No matter how much you love your hammer.
Re: (Score:3)
Now, that's harsh.
It's enough to ban the people using it. It's not the OSs fault when users give dancing pigs [wikipedia.org] higher priority than security.
Fight dancing pigs with Trusted Network Connect? (Score:2)
So what do you propose to fight dancing pigs? Should governments make it illegal for members of the general public to own a machine that both connects to the Internet and gives the owner administrative access? Or should ISPs require PC owners to surrender administrative access to the ISP using something like Trusted Network Connect, as Alsee predicted would happen sometime this year [slashdot.org]?
Re: (Score:2)
No. But we have to address it soon or we WILL get what you propose. Because that's probably what governments would certainly enjoy, and with insecure computers littering the net with their garbage, they have every excuse to demand it.
I'd be very happy about laws that make you responsible for what your computer does on the net. I'm required to keep my car in good repair so the brakes work and the lights indicating what I'll do, too, if I want to participate in traffic (not to mention that I'm required to kno
What antivirus is sensible in your opinion? (Score:2)
Without going overboard with it, I'd already consider it quite just and reasonable if people kept their system updated (which is the default setting for contemporary systems) and took reasonable care to avoid infections (installing some sensible antivirus should do).
Can an antivirus be called "sensible" if it has only batch scanning like ClamAV as opposed to "real-time" scanning? If not, what "sensible" antivirus might users of GNU/Linux or OS X use?
Re: (Score:2)
I was giving examples. Take "just and reasonable" precautions and you're fine. Whatever just and reasonable is would be up to a court.
What? It's not like we don't have insanely fuzzily defined laws already, what's one more?
But seriously. If you don't like my definition, come up with a better one. One thing is certain, we will get some kind of legislation in this matter. Corporations are losing money and it's impossible to catch the actual criminals. You know how this ends.
Unless we can find a sensible solut
ISP-approved antivirus (Score:2)
I was giving examples. Take "just and reasonable" precautions and you're fine.
I agree in principle. I also agree with you that early legislation will cause wide-reaching unintended consequences.
Whatever just and reasonable is would be up to a court.
The imagined threat associated with "Trusted Network Connect" is that ISPs might require all subscribers to run ISP-approved antivirus on an ISP-approved kernel. If there's no available antivirus for a particular operating system, the ISP will just decline to approve the operating system and thus won't give the subscriber an IP address outside its private internet. The court would likely end u
Re: (Score:2)
Well, it should be fairly trivial to fool the "trusted" (i.e. untrustworthy) crap. A VM should do, if that fails an old crate posing as the "official" machine would probably suffice. It'd need to be tested, but so far I cannot think of any kind of scenario where you'd hand over the hardware to me AND can reasonably expect it to do what you want.
Same problem that banks have with their applications: You cannot "trust" a machine that is essentially not under your control.
But I don't even want it to go that far
Re: (Score:2)
Well, it should be fairly trivial to fool the "trusted" (i.e. untrustworthy) crap. A VM should do
The virtual TPM's key wouldn't be signed by any established PC or motherboard maker.
if that fails an old crate posing as the "official" machine would probably suffice.
In this situation, the "old crate" would be acting as an Internet gateway appliance, and the ISP would require the subscriber to run the ISP's "supplicant" on the "old crate". This supplicant would check the TPMs of the machines behind it.
so far I cannot think of any kind of scenario where you'd hand over the hardware to me AND can reasonably expect it to do what you want.
Tell that to Microsoft, Nintendo, and Sony Computer Entertainment.
Re: (Score:3)
More than you'd even know. If it wasn't for blasted NDAs... let's say the Finns are in good company.
Technical fix... well, there are a few things that we could do to make such DDoSs harder to pull off.
First, if it's a DoS that relies on flaws in software or configuration (Slowloris et al), there's an easy fix for that: Hire an admin who knows what he does, patch the crates, install the relevant mods and don't use crappy default configs.
Let's move on to the more difficult to handle stuff, i.e. what we usuall
Re: (Score:1)
Mitigating this it technically of course possible, but completely unfeasible
It's perfectly feasible to foreclose the lion's share of amplification attacks. All that's needed is for network operators to drop packets with source addresses that don't originate from their networks. This problem has been discussed for decades [ietf.org] now but lazy network operators still can't be bothered to engage basic egress filter rules. My ISP will happily pass along packets with source addresses that they don't own; hell, I can send out packets with source addresses that don't even belong to ARIN and my
Re: (Score:2)
Yes, but unless there is a law requiring that, nobody will implement it. Why should I implement something that benefits not me but someone else (who is under attack)?
Such things can only be solved by governments. Nobody would want to deal with expenses that benefit only someone else.
Too OP (Score:3, Funny)
Gaah (Score:2)
New mouse does this. Wanted to mark funny, ended up as troll. Replying to fix.
Re: (Score:1)
So get protection (Score:5, Insightful)
There are service providers that specialize in DDoS mitigation. Some of them already host banks (lots of them, in some cases), and have multiple terabits of bandwidth available to survive DDoS attacks with minimal impact. They're able to mitigate attacks in the hundreds of gigabits.
They're not cheap, but they work, and banks tend to be able to afford it.
Re:So get protection (Score:5, Insightful)
Well, 2 things here: The Finnish banks are rather tiny compared to large international banks and national banks in larger countries. There are only 5,4 million people in the entire country. Secondly, this is the first time to my knowledge that a DDoS attack has done anything to any bank here. All the banks use 2-step verification process, so even in a hypothetical worst case scenario in which somehow attackers would manage to get their hands into some login info, that would not compromise the funds of the customers. Not that that would be possible with a plain DDoS attack.
In the end it comes down to the cost-benefit ratio: sure i'd be nice to have protection from DDoSing, but unless this starts to become so commonplace as to actually start costing them significant amounts of money/customers, I doubt it will happen.
Re:So get protection (Score:5, Interesting)
In the end it comes down to the cost-benefit ratio
The DDOS attack is likely to have a ransom attached to it, so it boils down to two options; spend money on honest and reliable uptime protection, or submit to the attackers dishonest and fickle protection racket. I'm pretty sure the first option would be cheaper in the long run, sure it's a relatively expensive line item on an IT budget but not enough to seriously damage the total budget of a small bank.
Comment removed (Score:4, Informative)
Re:So get protection (Score:5, Informative)
That "tiny" finish bank has US$3.23 billion in revenues, around US$900 million in net income, and nearly 13 thousand employees. They can afford to pay a bit more for their servers.
Re: (Score:2)
Of course they can afford to pay more, I wasn't implying that. I was just saying that unless this starts to become a regular issue I doubt they'll do it whereas larger banks really have no choice.
Re: (Score:2)
right, so that makes denial-of-service and extortion ok?
One day they might attack a service you use, then I'm sure you'll be singing a different tune.
Re: (Score:1)
It seems that they have not done even the most basic preventions, like traffic shaping. The ATM's should certainly have higher priority than internet traffic (and dedicated guaranteed throughput channel), but alas, they failed too. Same with shops, other banks, etc.
Re: (Score:2)
Though it makes you wonder if companies like CloudFront and all aren't also behind paying some money to LizardSquad and such to do DDoS attacks to promote t
Re: (Score:2)
More than one bank under attack (Score:5, Funny)
In addition to OP (Osuuspankki), Nordea has also been attacked, and even Danske Bank is having troubles at the moment, though it's not known if they're being DDOSed or if it's just the usual incompetence.
Re: To DDOS is coward (Score:1)
Why does it matter on the skill level needed? Does the attack lose cool points on the hipster level because it isn't a skilled attack?
It doesn't matter how you get the oranges up the stairs, a guy from kinkos or a ddos.
And therefore it is no surprise that ... (Score:2, Interesting)
Finland, like other countries that have had security incidents, seeks to protect itself ....
Supo wants expanded net surveillance powers [yle.fi] - 20.6.2013
The head of the Finnish Security Intelligence Service (Supo) has told the business daily Talouselämä that his organization wants increased funding and expanded powers to carry out surveillance of internet traffic.
Five years ago, the Swedish Defence Radio Authority (FRA) was authorized to warrantlessly wiretap all telephone and internet traffic that crosses Sweden's borders. According to Supo chief Antti Pelttari, Finland should consider introducing the Swedish model here as well.
"Our legal mandate is to ensure the security of the State of Finland and its social system from both internal and external threats," said Pelttari. "There must be means available to monitor what is transmitted through data networks, and the capacity to identify and evaluate anomalies," he added.
I wonder who is attacking the Finns, and who would have reason to? Russia has been menacing Finland and its neighbors in the Baltics with incursions by aircraft and submarines. There is concern that Russia may turn on Finland after Ukraine. The Baltic states and other targets of Russia have suffered similar attacks coming from Russia.
Re: (Score:2)
Well, it is a "surprise" in the sense that the connection between intelligence agencies sniffing wire traffic and stopping DDoS attacks is tenuous at best and non-existent at worst. I do not recall any intelligence agency stopping a DDoS attack, ever. That's up to the companies and network operators handling the traffic.
Re: (Score:2)
I do not recall any intelligence agency stopping a DDoS attack, ever
they'll be the DDoS attacks that were stopped, no wonder you didn't hear of them.
Re:And therefore it is no surprise that ... Putin (Score:1)
I knew it. Something was a-miss this morning, some hidden urge or itch was there. I am sure you know this feeling, you know something is wrong but do not know exactly what. You took cover away and then the difficult to identify feeling becomes a full blown itch and burn - this big monster is called Putin sending his proles to do their dirty deeds.
But seriously - I know there are technical means to mitigate such attacks but they are still an annoyance and the only way to combat those is to go after the atta
Re: (Score:2)
Seems like Supo has a pretty good motive to launch a DDOS attack on a Finnish bank. As long as they don't get caught and can blame it on some bad guys (Russia/North Korea/hackers) it looks like a good way to increase their budget.
Re: (Score:2)
I wonder who is attacking the Finns, and who would have reason to? Russia has been menacing Finland and its neighbors in the Baltics with incursions by aircraft and submarines. There is concern that Russia may turn on Finland after Ukraine. The Baltic states and other targets of Russia have suffered similar attacks coming from Russia.
Russia has a complicated history with Finland. It conquered it in the early 1800s and until the time of the last tsar, it was granted a very high degree of autonomy within
OP customer here: this must be pure vandalism (Score:5, Informative)
I see no other reason for this DDoS attack but vandalism of some sort. The attackers have no political agenda (this is a small Finnish bank, not one of the big tax-haven transfer banks like UBS. It also has no political connections/owners.
The attack also has no way of obtaining any useful info, as all banks in Finland use one-time passwords for login.
Re:OP customer here: this must be pure vandalism (Score:5, Interesting)
russians
it doesn't take much to mount a DDoS, and one or a handful of ultranationalist douchebags felt slighted by something innocuous someone in finland did or said recently
they had to prove something about glorious russia, so down went a finnish bank
it makes sense in some propagandized loser's head
Re: (Score:2)
You are right, this does make sense. I've seen some incredible Russian propaganda (and sock puppets) around the 'net these days. It's insane.
Re: (Score:2)
By the way, I 100% agree with your sig.
Re: (Score:2)
I see no other reason for this DDoS attack but vandalism of some sort. The attackers have no political agenda (this is a small Finnish bank, not one of the big tax-haven transfer banks like UBS. It also has no political connections/owners. The attack also has no way of obtaining any useful info, as all banks in Finland use one-time passwords for login.
That part in bold is irrelevant.
Often these are a distraction to get the manpower (management in a tizzy, IT busy) doing lots of stuff while they break in somewhere else. Customer accounts are not the target. The infrastructure NOT under attack at the time IS.
It also could be as simple as "no particular reason" sometimes it is random boredom. They chose this target because they thought the logo looked stupid, or they figured they could actually accomplish something over larger perhaps "more deserving"
I'll just leave this here (Score:5, Interesting)
http://www.independent.co.uk/n... [independent.co.uk]
Re: (Score:3)
Illarionov is a bit crazy and paid (by American think tank iirc) to spout this sort of stuff. I think the chance that Putin would seriously threaten Finland is about the same that Putin would threaten Sweden. Also, Finland is very different to Ukraine in that pretty much everyone in Finland thinks Putin is crazy. In Ukraine there was and still is very strong support for Putin in some areas.
Getting out of hand (Score:3)
It's time we started charging those who launch DDOS attacks with "terrorism". They impact the entire public community of their target, with widespread damages and effects to both the user and provider of the DDOS'd services. Lock the bastards up when they're caught for far, FAR longer than happens now. :(
Re: (Score:3, Interesting)
I kind of think terrorism is not the correct tag here. Other crimes can have the same punishments etc as terrorism, so no need to put everything under terrorism. I already hate it when all kinds of stupid laws and punishments are given under the terrorism flag, even though they have nothing to do with terrorism.
Re: (Score:2)
Are you nuts? Just because it happened a few times in the past couple days we throw out common sense and sensible thinking and jump the "terrrrrism" bandwagon? Get a grip, a handful of isolated incidents with no connection whatsoever is hardly a reason to go into headless chicken mode.
Also, why not target those that make it possible in the first place? Sure, the people who execute these attacks are criminals, but what they do is abusing an infrastructure established by people who carelessly allow them to ab
Re: (Score:2)
If you think DDOS attacks have only been "in the past couple days", you haven't been paying attention to the tech news for oh, maybe FIFTEEN YEARS.
And that happens to have included government sites, hospitals, and other important infrastructure that is life threatening, not just having a financial impact.
Re: (Score:2)
OK, let me rephrase this, a few have surfaced to the public attention in the past couple days. Yes, there have been quite a few in the past. The question is, why do they just now become a public spectacle? If I was a conspiracy nut I'd probably wonder whether there is some legislation already on the horizon and we need some sort of excuse for it.
And, again, even a death penalty for DDoSing is worth jack shit. What we need to worry about is not the petty crap of some self styled crusaders of some nebulous ca
Re: (Score:2)
It's time we started charging those who launch DDOS attacks with "terrorism".
No, just denial of service and extortion. It's not terrorism. These things are already illegal.
Re: (Score:2)
Except DDOS attacks aren't "mass protests." They're a few individuals in control of massive botnets.
And they are an attack on the general public, a hallmark of terrorist activity. They're not targetting individuals, they're targetting everybody who uses the attacked service.
Could be a customer (Score:2)
Could be a customer of the disgruntled kind. At least that was my first thought.
Known Customer Lists (Score:2)
Knock Kock (Score:2)
Anyone checking the back door while the front one is being DDoSd?
It's a great distraction to take eyes of a real attack via more profitable and less visible vectors.