In late January , hackers shut down eBay, Yahoo! and eTrade, as well as several other Web sites for anywhere from 90 minutes to three hours with "denial of service" attacks, which involved several "hijacked" computers sending multiple e-mails to the attacked sites. In this type of attack, hackers use many computers, with each sending many simultaneous information requests to servers hosting Web sites.
The effect is similar to having hundreds of people calling the same phone number at once. With enough calls, the local circuit (usually defined by the three-digit exchange) is locked up and no one in the entire circuit can receive a call even if individual phones are not being used. Yahoo! and the other companies that were attacked can handle hundreds of concurrent Internet connections, much like a local circuit, but they couldn't handle the several thousands of messages involved in the "denial of service" attacks. A few weeks later, the FBI Web site was similarly struck.
The effectiveness and broad reach of these hacker attacks focused attention on the issue of Internet security. According to a Computer Security Institute of California survey, companies suffered an estimated $521 million in losses due to computer crime in 1999. The amount has been growing every year, keeping in step with the growth of Internet usage.
Internet crimes, and security efforts to prevent them, have increased even more in early 2000, according to Mark Zajicek, daily operations team leader for the Cert Coordination Center, Carnegie Mellon University, Pittsburgh. The Cert Coordination Center has monitored various Internet attacks and security issues since 1988, when there were fewer than 80,000 connections to the Internet, compared to millions today. Since 1988, the number of security "incidents" reported to the center has grown from 6 to more than 8,200. The biggest jump was between 1998 and 1999--from 3,734 to 8,268.
And, athough the "denial of service" attacks cost the targeted companies hundreds of thousands of dollars in lost business, they were less harmful than several other potential security problems. They only disrupted business until the e-mail logjam was cleared. They didn't disrupt any internal data, nor did they steal credit card numbers or other important information, or destroy files, as some viruses do.
Opening the (Bill) Gates
"While the security industry has worried about very high level attacks, much less sophisticated attacks have occurred," says George Friedman, founder and chief technology officer for Infoworks.
Shortly after the "denial of service" attacks, there were a handful of well-publicized incidents in which hackers stole credit card numbers and posted them on the Web. In one instance, the hacker obtained the credit card number of Microsoft Chairman Bill Gates, posted it on the Internet, then e-mailed Gates about the incident. Raphael Gray was arrested and charged for the Gates card incident, which was allegedly a part of a series of attacks that brought down 26,000 credit card accounts and the security of nine e-commerce sites on three continents over several months, according to British press reports.
Gray said he was able to get the credit card information due to a security glitch in Microsoft products. As this incident shows, companies that do all of their business on the Internet are caught in a sort of Catch-22 situation. On the one hand, they want to make sure that people have ample access to the online store so they can place orders. In other words, they have to offer plenty of lines coming into the system.
But they also have to ensure that nobody gets through the store to the back office, and that transactions are secure. To protect back-office systems, companies need to make sure that there is very little physical connectivity to the file server that holds inside information. One way to do that is to put a firewall between the Web server and the file server that limits communication between the two devices. The firewall is a filtering mechanism that determines what can go in and out of the system. The items on the back-office server, such as a company's financials, usually have encryption as an additional layer of security.
If a company is accepting credit card orders over the Internet, the transaction server is on the public Internet. Hackers may be able to obtain the administrator password to the transaction server by guessing or by running a password generator program that can be found on any hacking site on the Internet. Friedman recommends that companies remove credit card information from their Web servers as soon as possible.
But, no matter what you do to protect your servers and important customer information, keep in mind that hackers are likely to find a new way to circumvent your protective measures and gain access with a more sophisticated attack. Just as in the medical world bacteria become resistant to drugs and researchers have to come up with new antibiotics to fight them, in the computer world technicians must constantly be on the lookout for new types of attacks and figure out ways to combat them.
Government steps In
With both government and commercial sites at risk, the U.S. government is also looking at tightening its control over the Internet. The Justice Department, Attorney General Janet Reno, President Clinton and many state and local law enforcement officials stepped up anti-cyber crime efforts following the "denial of service" attempts. Reno has even compared the Internet to the "Wild West." The Justice Department may seek the ability to issue national warrants to facilitate cyber crime investigations. Currently, law enforcement officers must get warrants state-by-state.
Though the government could be successful in getting national warrants, it's unlikely that there will be any government-imposed restrictions that could slow down the growth of e-commerce, according to Scott Moritz, director, Cyber Fraud, PwC Investigations at PricewaterhouseCoopers, New York. Another limiting factor with U.S. government intervention is that Internet attacks can occur from around the globe, not just in the U.S. So a hacker could break U.S. laws, but be located where U.S. law enforcement officials have no jurisdiction.
Part of that problem was addressed late last year when the U.S. government sought to enhance online security by removing virtually all restrictions on high-tech companies selling powerful encryption software overseas. Previously, 128-bit encryption--the strongest available--could only be sold to specific companies in specific countries. Now U.S. companies can sell this technology to all but seven countries banned for alleged terrorist activities: Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba. "The problem is that, as with other forms of crime, there are more people attempting it than there are resources to fight it," Moritz says. "To effectively fight the crime, the private sector and the public sector have to work together."
Any security breach can shake the public's confidence in conducting Internet transactions. So there are actually more security breaches than those that are publicized because many companies want to keep a lid on any negative publicity about doing business on the Internet, according to Elad Yoran, executive vice president, RIPTech, Secure Solutions, Alexandria, Va. An additional problem, according to Yoran, is that some companies move quickly onto the Internet without sufficiently checking security systems and procedures. "They're lured by the potential of e-commerce," Yoran says. "It's like a child running across the street to the park without looking for oncoming traffic."
Some companies have tightened internal security procedures, which Internet security experts say is just as important, if not more important, than dealing with external security. "The most dangerous attack comes from the inside," Friedman says. "A temporary employee taking and selling inside information is not much different than hackers coming through firewalls."
There have been incidents of employees obtaining inside information, including passwords and ways around company firewalls, and distributing it via e-mail or other means. Yet professionals who work with physical security tools--such as badges to gain access to buildings--have yet to work closely with Internet security professionals.
"It used to be that to steal a file, you had to break into some sort of filing cabinet," Friedman says. "Computers and the Internet make it easier to steal files. The problem is that when you give an employee a password, you have no control over what he can do."
Yoran adds that passwords need to have a combination of numbers and letters that isn't easy for unauthorized people to figure out. In an examination of a financial service provider's security system, for example, RIPTech professionals were able to determine 75 percent of passwords within a day. Twenty percent of the employees used their name as their password. Another 10 percent used "password" as the password. Yoran recommends that passwords be changed regularly. Friedman also recommends thorough background checks of people with access to company computers.
Traditional security professionals have been frozen out of cyber security on the assumption that they don't understand computers and the Internet, Friedman explains. While that may be true to some extent, security professionals do understand the human interface with the systems. "I think this is the year that those two groups create a policy that is seamless," Friedman says. "Right now we're starting to get into cases where we're focusing on people inside the company stealing information. We've created very sophisticated systems and very good ways to protect the perimeter from an outside attack, but very few good systems inside the organization."
Friedman expects companies to use more control mechanisms that track what happens to information after it is decrypted.
Some other security products that are in the development stage include biometrics, smart cards and smart card readers, though widespread usage is probably still several years away. Biometrics, which uses a unique characteristic, such as a fingerprint or eye pattern as a type of password, prevents unauthorized users from accessing hardware devices. For example, Compaq now sells PCs equipped with fingerprint scanners. Only the authorized person may gain access by pressing the finger pad on the computer. According to Samir Nanavanti, a partner in the International Biometric Group, New York, in addition to providing security, such a device also is convenient for the user, who doesn't have to remember a myriad of PINS and passwords to access different sites.
Though popular use of these developments is still several years away, they represent part of the Internet security axiom that technology and techniques need to continue to advance to stay ahead of hackers and other security threats.