Al-Qaeda 'Battle of Guantanamo' cyberattack a no-show

A planned cyberattack against U.S. financial institutions by Islamic jihadists has so far failed to materialize, Internet security observers said Friday.

The U.S. Department of Homeland Security (DHS) warned of the possible attack Thursday, apparently prompted by discussions earlier in the week in a jihadist discussion forum, said Adam Raisman an analyst with the SITE (Search for International Terrorist Entities) institute, which tracks terrorists.

The attack, dubbed "the Electronic Battle of Guantanamo" by jihadists, had been scheduled to start Friday and last until the end of the month, Raisman said. It was planned in retaliation for the U.S.'s holding of suspected terrorists at the Guantanamo Bay, Cuba, prison camp, he said.

Both Raisman and Jose Nazario of Arbor Networks Inc.'s Security Engineering and Response Team said they saw no evidence of an attack coming Friday. Arbor, which monitors the Internet backbone for distributed denial-of-service attacks, saw no new attempts to create large attacks, Nazario said.

The threat, which DHS attributed to the al-Qaeda terrorist group, seems out of step with the group's past efforts to focus on physical damage instead of cyberdamage, Nazario said. "We think there's a low chance that this is ready to go," he added.

Earlier Friday, DHS spokeswoman Joanna Gonzalez downplayed the possible attack, saying her organization had "no information to corroborate the threat," and was sending out the alert "out of an abundance of caution."

Over the past few months, jihadists had threatened similar attacks against the Vatican and Royal Air Maroc Web sites, Raisman said.

By Friday afternoon, Internet research firm Netcraft Inc. had seen no downtime on the U.S. financial Web sites that it monitors, according to Rich Miller, an analyst with the company.

Even if an attack were launched, it would require a certain degree of technical sophistication to succeed against major financial institutions, which are generally pretty well defended, he said. "We're talking about sites that have put a lot of security in place," he said.

The U.S. Congress has required financial institutions to take strong measures to protect customer privacy since 1999, when the Gramm-Leach-Bliley Act passed, added Pam Johnston, a lawyer with the Foley & Lardner LLP law firm and former federal prosecutor focused on bank fraud. "Banks have been at the forefront of sophistication" in protecting online data, she said.

While neither the Vatican nor Royal Air Maroc threats resulted in successful attacks, there have been widespread denial of service attacks in the past. In January, about 800 Danish Web sites were hacked in response to the furor over a Danish newspaper's publication of cartoons depicting the prophet Mohammed.

Cybersecurity experts disagreed about whether the latest DHS warning was useful. Banks have taken several measures since the Sept. 11. 2001, terrorist attacks on the U.S. to secure their data, said Vivek Mehra, chief enterprise architect for global financial services at Keane Inc., an IT consulting firm.

"The threat is overstated," Mehra added. "[The warning] is almost meaningless. It doesn't really change anything."

But Johnston and Arbor's Nazario said DHS did the right thing by alerting financial institutions of the threat. "It gives companies a chance to ask their IT guys, 'Are we buttoned down?'" Johnston said.