NZX has fallen victim to one of the oldest and crudest forms of cyber-crime
Wednesday, 26 August 2020
ANALYSIS: The NZX has fallen victim to one of the oldest and crudest types of cyber-crime, with access to its website blocked on two consecutive days by a “denial of service” (DoS) attack.
Cybercrime is getting more sophisticated and attackers wealthier.
It is a vicious cycle that stems from governments’ unwillingness to invest in enforcement or to adopt innovative approaches such as banning the payment of online ransoms.
But that is not what we are seeing here.
DoS attacks are the online equivalent of turning up to a bank with a baseball bat and a handwritten demand to fill up a duffel-bag with cash.
There is in essence nothing sophisticated about them.
The NZX has not been hacked.
Instead, unknown attackers have harnessed a bunch of computers and directed them to bombard the NZX website with requests to connect, overloading the exchange’s servers and crashing its site.
The computers used to launch the “attack” will most probably be owned by innocent consumers or businesses and will have previously been compromised by malware.
Control over those computers will then have been bought by the DoS attackers from the earlier hackers in one of the many online markets set up to facilitate such transactions.
The owners of the computers that are bombarding the NZX’s website may not even know they have been compromised and hijacked to conduct the attack.
As the attackers will have only bought the keys to a network of compromised computers from another criminal, they will tend to be hard to track down.
The motivation for DoS attacks is usually financial but can sometimes be ideological or political.
The only way to profit from DoS attacks is usually to demand money from the business with the promise that the attack will stop if they pay up.
In general, DoS attacks have become less of a problem over the years.
A common defence is to work out where the spurious requests bombarding a site’s servers are coming from and block the attack at or as near to its source as possible.
It is always possible for an attacker to buy a new batch of compromised computers and renew their attack, as may have happened to the NZX on Wednesday.
It can involve a bit of “whack a mole”, but in the end it is usually possible, though an effort, to close down attacks over time.
Cloud computing has taken much of the sting out of DoS attacks.
If businesses host their web services on cloud computing platforms such as Amazon Web Services or Microsoft Azure, it should be possible (for a fee) for them to scale up their server banks at short notice to cope with whatever attackers are throwing at them, as they don’t need to actually own the hardware.
That is the reason that key online services such as Google Search are not vulnerable to DoS attacks in practice and why they tend to be more of a nuisance for mid-sized organisations and non-profits.
But putting all their services into the cloud is still not always the easiest option for organisations that might have their own quite specific requirements about the way their data is stored and handled.
A small stock exchange that might not have the resources or ability to scale up its IT infrastructure at short notice, but which still suffers reputational damage if it is offline, makes the perfect target.
But only if it pays up to stop the attack, which in the case of NZX seems pretty unlikely.
There are growing calls among technologists – particularly in the wake of the growing ransomware threat – to make it illegal for organisations to pay ransoms or blackmail demands.
But arguably there is no particular incentive for cyber-security agencies that are paid to keep tabs on cyber-crime to advocate for policies such as that.