Sabotage of Top Web Sites
How do you find out if your house is secure? One answer: try to bust in and see how hard it is. The cyberspace equivalent is what a northern Virginia company called Global Integrity was doing last week - paying half a dozen young computer whizzes to break into Web sites run by their clients. These are so-called white hats, whose goal is to identify weaknesses in Internet security so they can be fixed before people bent on crime or simple mayhem (the "black hats," naturally) can take advantage of them. It's an endless war, and last week the bad guys opened a new front. They attacked some of the brightest stars of the new economy - sounding a loud warning that the burgeoning world of e-commerce could be more vulnerable than anyone thought. "This is a big wake-up call," said Bill Marlow, senior vice-president at Global Integrity. "They've got our attention."
Precisely who "they" are, however, remained a mystery - and may stay that way for a long time. Unknown hackers broke into computer systems and planted software that recruits machines into an unwitting army programmed to bombard targeted Web sites with millions of messages. The result of such an assault - called a "denial of service," or DoS - is that the sites are overwhelmed and legitimate users cannot get in. It started on Monday, when Yahoo!, the most popular Internet portal, went down for three hours and, administrators revealed later, a site run by music retailer HMV Canada had to stop for an hour. The next day, it was the turn of other high-profile sites: Amazon.com, CNN.com, Buy.com and the eBay online auction house. On Wednesday, the cyber-vandals attacked the No. 2 Internet brokerage firm, E*Trade, and the technology news publisher ZDNet. Customers were denied access for up to several hours. "It's like somebody turned over a truck on the highway in front of a store and you can't get to it," said Marlow.
The good news was that the sites remained secure. The hackers did not break into them; no personal data or credit-card information was stolen. The bad news was it became clear that the fastest-growing sector of the economy has no easy way to deflect such attacks, and law enforcement agencies face major obstacles in preventing them. In the United States, the FBI launched a major investigation and President Bill Clinton convened a summit meeting of government and business leaders this week on Internet security. Clinton instructed his National Security Council to take the lead - showing his administration regards the attacks as a security threat as well as a significant economic disruption.
The stakes are high, both for the companies being targeted and for the North American economy as a whole. E-commerce has exploded - doubling in Canada alone last year to $11 billion, and projected to top $90 billion by 2003. The stocks of companies affected dipped partly because of the DoS attacks, but the effect is potentially larger. Kerk Hilton, spokesman for Jaws Technologies Inc. of Calgary, which produces software to protect information systems from outside attack, sounded a warning that will only become louder. Any company that relies on the Internet - and nowadays that means almost all big firms - could be affected. "Any business that is using e-mail or operates a network is vulnerable," said Hilton. "It's not just the e-commerce companies."
In fact, the sudden alarm could be a windfall for Jaws and other firms that specialize in computer security. As other tech stocks fell back, they jumped - Jaws by 26 per cent in two days. Companies that rely heavily on e-business will have to beef up security - if only to reassure customers. No wonder spokesmen for security firms were front and centre, issuing dire warnings about the seriousness of the hacker threat. Most companies already have software designed to detect intruders, and are now being advised to build in filters against DoS attacks. At the same time, Internet service providers will likely come under pressure to construct defences against the new menace.
However serious the threat turns out to be, it is hard to fight. Attacks like those of last week could be launched using software programs readily available on the Internet. The best-known are called Trin00, Tribe FloodNet (or TFN) and Stacheldraht (German for barbed wire). All operate by planting programs that can flood a Web site with messages. As the site struggles to respond, it exhausts its capacity and can shut down entirely. The DoS programs have been widely distributed only since last summer, but private security firms and the FBI had been warning about them for several months.
Hacking already carries stiff penalties. In the United States, a first offence is punishable by up to five years in prison and $250,000 (U.S.) in fines. In Canada, interfering with someone else's use of a computer is considered mischief and is also punishable by up to five years. The problem is tracking down the perpetrators. The programs used last week can disguise the source of the attack, and unlike a virus planted in a computer system by a hacker they do not leave a "signature" that can be traced back to the attacker. Last weekend, FBI investigators were zeroing in on computer systems in California and Oregon that were used in the attack, and were checking on a hacker nicknamed "Mixter" in Germany.
Most police forces are hampered by limited resources. The U.S. justice department set up a new unit, the National Infrastructure Protection Center, in 1998, but it is still understaffed. Government agencies can't find enough people with the right kind of computer training, especially when they are in heavy demand by private industry. In Canada, the RCMP has 30 officers responsible for computer crime and is looking for another 20. But, said Sgt. Tom Pownall at RCMP headquarters in Ottawa, finding them is a challenge because of the combination of computer and legal training they need.
Another obstacle is the tension between traditional law enforcement and the wide-open culture of the Web. Police need co-operation from companies whose computers are taken over by hackers, but the companies may not want to be dragged into a complicated investigation. And Web entrepreneurs are allergic to any suggestion of government interference in such a free-flowing medium - even in the name of cracking down on the latest brand of cyber-crime.
THE VANDALS' BATTLE PLAN
The cyber-assaults on Yahoo! and other Web sites last week are known in the industry as denial of service, or DoS, attacks. Here's how they work:
1. The Commander
Using techniques and software readily available to a computer-savvy teenager, the attacker detects and takes control of three or four other vulnerable computers on the Net, such as e-mail or other servers.
2. The Generals
The owners of these computers, known as hosts, may be unaware the attacker has placed special programs on them, which in turn command hundreds of other vulnerable computers.
3. The Firing Line
At the attacker's signal, the host computers trigger the other machines to send out a barrage of messages at a target Web site's servers, the high-capacity computers running the site.
4. The Victim
The Web-site server keeps trying to respond to the thousands of incoming messages, eventually shutting out, or severely restricting, legitimate Web users. And since the messages have fraudulent (known as spoofed) return addresses, site administrators literally don't know what hit them.
Maclean's February 21, 2000