Wake-up week for Web security
Hacker attacks on several major sites reveal difficulty of safeguarding the Internet from increasing threats.
This week's unprecedented attacks against high-profile Web sites have revealed with startling clarity what security experts have been warning for years: Cyberterrorism is real and here to stay.
Cyberterrorism will sorely challenge the world's traditional security apparatus because it poses entirely new kinds of threats.
Hijackers of the future may take over Internet sites rather than airplanes or buildings. Guerrillas of the 21st century could begin targeting e-commerce instead of government installations.
Despite the careful planning evident behind this week's actions, there's no public evidence so far that it was the work of an organized group. But the alternative is equally chilling: A lone hacker (or, more correctly, a "cracker") may have brought to a temporary halt a few of the world's largest e-businesses.
Either way, the attacks signal a new era in which anyone with an ax to grind may find the Web too tempting a target to pass up. Recent conflicts, such as Kosovo and China-Taiwan tensions, have featured cyberattacks. Even this week's action - the electronic equivalent of a shot across the bow - was enough to rattle Wall Street and galvanize the White House into action.
"This is war," says James Adams, founder of Infrastructure Defense Inc., an intelligence organization for cyberspace based in Alexandria, Va. "Conflict has migrated to cyberspace, and it's going to be a long and bloody conflict.... What you see," he says, "is this whole series of challenges government is not well-equipped to address. The private sector is the front line. We are all of us the front line."
Major Web sites crash
Although governments and security firms are working on solutions, this week's attacks represent the most public demonstration yet of how vulnerable today's Internet is. On Monday, Yahoo!, the Web's most trafficked site, was so overwhelmed with incoming bogus data that customers couldn't use the service for three hours. On Tuesday, other online firms, including bookseller Amazon.com, retailer Buy.com, and auctioneer eBay, fell victim to a similar "denial-of-service" attack. On Wednesday, sites including E*Trade and ZDNet.com, a provider of technology news, came under fire.
These electronic bombardments did little damage besides depriving the sites of an hour or two of sales. The companies say no customer information was compromised and no money stolen. At this point, no one knows whether the point was to demonstrate an Internet weakness or to prepare for something larger.
Shortly after NATO's bombing of the Chinese Embassy in Belgrade, security experts detected a significant rise in electronic attacks against US government Web sites. The attacks appeared to be coming from Internet service providers in China, they add, although many of these may have originated in the US.
This week's attacks may prove far less sinister. "This was done for publicity," says Avi Fogel of Network-1 Security Solutions in Waltham, Mass. "I'm concerned about the attacks that we don't hear about."
"This is more a flexing of muscles," adds Patrick Taylor, vice president of risk assessment at Internet Security Systems in Atlanta. "You don't see them relentlessly pounding ... one company."
Attrition, a Web site that tracks Internet hacking events, received an anonymous e-mail Tuesday from someone claiming to have perpetrated this week's action to "put a 'Scare' into Internet stock holders." The action did help push down the Dow Jones Industrial Average 258 points Wednesday.
The FBI is just beginning its investigation. Attorney General Janet Reno pledged Wednesday to pursue the case "in every way possible."
And last month, President Clinton proposed boosting federal spending on computer security to $2.3 billion next year - partly to attract a cadre of computer whizzes to help protect US networks.
The hacker incidents threaten to tarnish the Web's image at a time when it has been rising rapidly to become a mainstream venue for shopping and communicating. Consumer awareness of security issues may not have kept pace with the Internet's soaring popularity.
Indeed, the open, decentralized structure of the Internet complicates law-enforcement efforts, security experts say.
Tapping an army of computers
For example, the perpetrator(s) of this week's action carefully covered their tracks. They used software programs that plant themselves into dozens, sometimes up to a couple thousand, Web-connected computers (known as servers). At a given signal, the software took over unsuspecting machines, which began to flood particular sites with bogus data.
Such attacks are hard to defend against, because the data come from so many apparently innocent machines. Tracing the action back to the perpetrator poses special problems because, among other things, the packets of data are "laundered" in the process.
Such "denial-of-service" attacks are growing in popularity. Last summer, security experts began noticing the electronic bombardments, involving up to 2,000 servers and a program called Trin00.
By early September, a similar program called Tribal Flood Network (TFN) appeared, supposedly written by a programmer known as "Mixter." TFN was quickly followed by another version called Stacheldraht (German for "barbed wire"), succeeded in December by TFN2K, also apparently by Mixter.
These denial-of-service tools were simple enough that even a modestly skilled hacker could use them. "The tools appear to be undergoing active development, testing, and deployment on the Internet," the National Infrastructure Protection Center warned in late December.
Solutions exist. But "it will take some effort to put the defenses in place," says Dan Stevenson, director of Internet research at MCNC, a nonprofit corporation in Research Triangle, N.C. At best, it will take months to make the required changes in technology and management procedures at the Internet's high-traffic choke points, security analysts suggest.
Until then, the potential for more such attacks remains. "These computers are no longer these trivial things that run word processors; there's a lot that depends on them," says Mark Chen, a technology officer at Kroll-O'Gara, a security firm in Palo Alto, Calif. "The thing that we have to be vigilant about and prepare for and try to prevent is the concerted attack by the well-funded attacker."
(c) Copyright 2000. The Christian Science Publishing Society