ITP Techblog

Brought to you by IT Professionals NZ

Brislen on Tech: Coordinated cyber-attacks

Paul Brislen, Editor. 28 August 2020, 12:24 pm

Knock, knock. Who's there?

It's one of the oldest games in the world - ringing the doorbell and running away - but for the New Zealand Stock Exchange the digital version has proven to be something of a problem.

Denial of service attacks (and their distributed cousins) have been around as long as there have been internet connections and by now you'd think we would have figured out how to stop them.

Denial of Service

In the early days some of these so-called attacks were just poorly configured servers failing to manage the workload. I remember the launch of the original Lotto website which would self-DOS itself by opening web browser after web browser with each click of the site thus crippling my Pentium MMX powered work PC. Or there was the fun of the Slashdot Effect, named of course for the original tech news website which was guaranteed to bring down any site that was linked to in a story.

I once interviewed Ben Goodger, the Kiwi creator of the Chrome browser, and when the Herald ran the story, some wag posted it to Slashdot which drove more traffic than the Herald had ever seen before. So extreme was the loading that Australian publications in the same stable (which had moved their services to the New Zealand operation to save costs) found themselves knocked entirely offline by one chance story.

Good times.

But that was 2004 and since then we have whole new management regimes that carefully monitor incoming data requests and take care of them. These days when a website goes down it's because of something breaking, surely? It can't be as simple as a DDOS attack? What about the company's upstream provider? What about the network optimisation guys? What about the content distribution network the site uses to share its content with the rest of the world?

For a service like the NZX's website, which is critical to an essential component of our financial empire, surely it's well protected from cyber-attacks of all sorts?

Yet here we are, as I write, three days into a series of attacks that have taken the site offline as trading reaches fever pitch and sales records are ready to fall.

Of course, as quickly as our defences have matured and grown, so too have the attack vectors of the ratbags at the other end of the connection, and the tools available today are a lot more sophisticated. The actors too have changed - forget the kids in mom's basement pinging servers to find the one left unguarded; these days hackers are part of organised crime cartels driven by the commercial imperative.

And that seems to be the case here. The NZX isn't the only target - there are a multitude of financial service providers caught up in what appears to be a coordinated attack, the work of an extortionist group intent on bringing in some cash.

Rather than a ransomware attack (encrypting the victim's data and holding it to ransom) this kind of attack threatens the victim with a denial of service attack unless they pay off the attacker. To show they are serious, the attacker will fire up the DDOS bots for a short period of time to prove their ability and willingness to use them. Typically the attacker will put up the price demanded each day until either the victim pays or works out how to block the traffic.

No doubt the authorities (whoever they might be) will be working out who the villain is and tracking them down to their secret lair, but it raises a couple of questions that need to be answered.

Not only do we need to be smarter than these guys and actually bake cybersecurity in at a much more granular level to all our IT systems, we also need to rapidly ramp up the number of experts we have in the field and encourage more students to take up cybersecurity as a discipline as they think about career paths and getting into the workforce.

Both those things will require a change to the way we incentivise students and yes, may actually require the government to "pick winners" (something governments are notoriously reluctant to do, possibly because they're so bad at it) and say yes, we will encourage young people into this industry.

If you do know someone pondering the move, do encourage them. Not only will they have an entertaining time of it, they'll be in high demand for years if not decades to come. The demand for trained cybersecurity experts is growing like crazy at the moment and if the NZX's experience is anything to go by, that demand won't slacken off for quite some time.

