Hacktivists claiming to be part of Anonymous, which over the summer attacked PBS, vowed last weekend to "erase" the New York Stock Exchange from the Internet on Oct. 10. The attack, the group claimed, was being waged in support of the Occupy Wall Street protests.
Some members of Anonymous, however, have disputed the claims made on YouTube about a denial-of-service attack. Anonymous' Twitter handle, AnonOps, posted a tweet this week saying it had no plans to hack Wall Street. But it's hard to know what to believe.
"They're not very organized," says Gartner analyst Avivah Litan. "I don't know how credible it is. We should not dismiss their threats, because they have gotten close to sensitive systems in other organizations in the past. But it's hard to know what, if anything, will happen."
Neither the NYSE nor the Secret Service could be reached for comment about this threat.
Is a Take-Down Possible?Security experts say they're confident, given the amount of warning Anonymous has given, that the NYSE should be well prepared to ward off a cyber attack. "I have to think that the New York Stock Exchange is one of those systems that has a lot of fail-over sites," Litan says. "I don't think Anonymous can take them down."
The problem, however, is that no one really knows what type of attack the group might wage. The assumption has been an attempted DDoS attack, but the attack could come from another angle entirely.
Wendy Nather, research director of the enterprise security practice at The 451 Group, says much can be gleaned from the way Anonymous positioned its threat.
"It's interesting that they used the word 'erase,'" she says. "That sort of implies that they plan to make the stock exchange invisible on the Internet, rather than taking it down."
And making the NYSE invisible points to a specific kind of attack, one that targets the NYSE's domain name system registration. "It's kind of like taking over their phone number," she says. "If someone tried to call, they would not get through. It works the same way online. You just wouldn't be able to find the site."
"They might do something with the registrar that keeps the registration for the NYSE, convincing people who work for the registrar to change the registration," she says. "But there are different avenues they could pursue to change it or hijack it for a period of time. It's basically just redirecting the DNS listing."
Changing Cyberthreat LandscapeHow organizations react to threats like these is tricky.
"What is interesting to me, based on the past track record of Anonymous, is that these kinds of threats induce high levels of panic," says IT security and privacy attorney David Navetta. "They don't even need to do an actual hack in order to cause an impact or send a message."
Even if the so-called hacktivists do nothing, organizations still have to prepare. That means examining all of the possible avenues of attack. "Given what the NYSE knows about the goals of Anonymous and their own network, they will probably be keeping a very close eye on their own domain name registration," Nather says. "And they probably have other steps in place to react to a denial of service attack. Those are the two immediate."
Mike Smith, an online security expert with Akamai Technologies, says the message is likely the most damaging part of the NYSE threat, given that parts of Anonymous have denied the claims.
"There is a certain amount of hyperbole that Anonymous uses to get supporters to its cause," Smith says. "The type of protestors that they are recruiting absolutely love comments like 'We'll erase this organization off the Internet.'" Organizations have to be mindful of threats, while also being careful not to overreact.
Threats have to be acknowledged, but since most of the motivation behind threats from groups like Anonymous is to get publicity and attention, organizations walk a fine line between mindful reaction and giving the hacktivists just what they want: attention.
But the hacktivist movement cannot be ignored. As Nather points out, groups such as Anonymous don't have to be organized, nor do their attacks have to be coordinated, to have an impact. "Not all members of Anonymous have the same goals or intentions, so it's even more difficult to figure out what they want," she says. "You don't have to be big or rich or have credit cards or property worth stealing to become a target." You just have to make the wrong person angry.
For groups like Anonymous, it's more about proving a point, or hacking just to prove it can be done. Fundamental infrastructural changes that address some of the weaknesses hacktivists often exploit, like inter-site dependencies, are being addressed. "One solution going forward may be to redesign some of the utilities that the Internet shares in common forms of attack," Nather says.
But that's only part of the solution.
"Eventually, there will be a bad hit, we just don't know when it's coming," Litan says. "One day one of these guys will succeed. They've gotten close to causing some serious damage before."