Hacker attack danger grows

Security not adequate to protect networks against intruders

February 11, 2000 | By Mark Guidera, SUN STAFF

As the FBI focuses its vast resources on ferreting out who is behind an unprecedented wave of attacks on high-profile Web sites this week, Internet security experts warn that the incidents may be just the beginning of a cascade of similar or worse attacks aimed at crippling the booming e-commerce industry.

The reason, say experts: The tools for invading and disrupting Web sites are growing cunningly sophisticated at an alarming rate.

Meanwhile, business executives have -- at least until this week's attacks -- placed spending on network security low on priority lists.

This week, hackers disrupted some of the highest profile sites on the Web, including Yahoo!, E*Trade, eBay and Amazon.com, by flooding them with so much data that they froze up or collapsed.

Such attacks are successful because computer servers for the site being attacked cannot separate false data from those of customers trying to access the site for legitimate purposes.

While executives for the companies hit this week say no customer data was stolen or compromised in these "denial of service" attacks, there is little doubt that business, and perhaps some credibility among customers, was lost.

No new major incidents were reported yesterday, but the White House said President Clinton will meet next week with the nation's top computer security experts and technology executives.

The White House said the meeting was not called directly in response to this week's attacks but was organized on the heels of the president's budget proposal for $2.03 billion to protect the country's most important computer systems from cyber attacks.

Yesterday, Internet security experts said the culprits in the attack most likely installed intrusion software on hundreds of computers in college computer labs or other poorly secured locations, perhaps even people's home computers, in effect turning them into "slaves."

A "master" computer then remotely ordered the slaves to attack Web sites with vast reams of data at a certain time.

"Whoever is behind this chose these high-profile sites to obviously send a message. But all we're talking about here is an inconvenience to customers," said Patrice Rapalus, director of the Computer Security Institute, a professional organization in San Francisco that annually surveys corporations to assess how often intruders breach networks.

But in the near future, security experts warn, hackers could just as easily cripple more vital services -- a pharmaceutical company's global drug delivery and production schedule, a hospital's patient records, a train or trucking company's shipping and transportation schedule.

"Someone with a more defined agenda interested in doing some serious economic harm could easily do this," said Rapalus. "I think we're bound to see more of this in the future."

One reason for the growing danger, said Eugene Spafford, a computer science professor at Purdue University and director of the Center for Education and Research in Internet Security, is the large number of people working at home who leave their computers on 24 hours a day, with little or no firewall protection or understanding of proper security measures. That leaves their computers open to becoming "slaves."

Also, he said, many companies outsource the management and "hosting" of their Web sites, yet many of the contractors do not have strong security systems.

No one is sure how widespread the network-penetration problem is. As Rapalus and other Internet security experts point out, most computer network intrusion incidents are never reported to law enforcement authorities.

Rapalus said secrecy by company executives and information technology managers, fearful of losing credibility and customers, has made it difficult to get a handle on how widespread the problem is.

Fred Rica, a New York-based computer hacking expert and partner at consulting giant PricewaterhouseCoopers LLP, said computer network intrusions are becoming widespread in corporate America.

And to drive home the point of vulnerability, Rica said his technology security team has a near-flawless rate of breaking into client security systems or "firewalls" when conducting tests.

The most common problem, said Rica: While many companies install strong firewalls to prevent intruders from getting directly into their data networks from the Internet, they often leave an opening in a phone system or other communications avenue. Also, many data networks he reviews do not have adequate alarm systems to detect an intrusion.

"We call it being hard on the outside, but gooey soft on the inside," said Rica. "It's the old saying, you're only as strong as your weakest link."

Mark Gembicki, co-founder of WarRoom Research LLP, a Baltimore-based computer network security consultant, said it would take no more than three or four people with expertise in computer security, hacking and information technology to wreak havoc on industries far more crucial to everyday life than a book delivery from Amazon or a stock trade at E*Trade.

"The real challenge we face isn't catching who's behind these attacks, but on getting the hacking tools off the market. They are way too easy to access," said Gembicki, a former Internet security expert with the National Security Agency. "I could sit someone down and in two hours teach them how to launch a denial of service attack."

Another cause for worry, said Gembicki, is the trend in new hacker tools being developed at a faster pace than new Internet and network security technology.

According to CNET News.com, an online Internet trade magazine, a flood of new programs that can take over otherwise innocent computers to attack a target has recently been released on the Web. These include Tribal Flood Network and Stacheldraht -- German for "barbed wire."

"These are weapons of mass destruction," said Gembicki. "The right attack could easily bring a company or group of companies to its knees."

Wire services contributed to this article.
