
Real denial-of-service hack victims weren't Web sites



Here's a sobering thought to end a week of hacking attacks: while attention has focused on the top-name e-commerce sites that were stunned by the denial-of-service attacks, thousands of computers with constant Internet access were compromised to carry out the cyber crimes. Those computers are most likely in corporate offices, small businesses, universities and, perhaps, homes with high-speed Internet access.

"I can say with absolute confidence that the vast majority of those corporations do not know that they have been breached," said Simon Perry, director of security at Computer Associates International (CA).

In other words, many, if not most, of the computers that were actually hacked remain compromised. It is worth bearing in mind, Perry noted, that the computers at Yahoo, Amazon.com, eBay, CNN and other e-commerce and popular Internet news sites attacked last week were not the machines that were actually hacked into. Instead, hackers got into computers elsewhere and placed Trojans or zombie software on them, then used those machines to launch the attacks while their users, probably unaware, went about their business.

Denial-of-service attacks do not involve stealing data or compromising personal information. Instead, hackers overload Internet sites with so much traffic that the sites cannot function and bona fide users cannot gain access. Security experts and security tools vendors have been warning that denial-of-service attacks are likely to be on the upswing.

Computers most vulnerable to being used in denial-of-service attacks have three characteristics, Perry said: they are turned on all of the time and connected to the Internet; they have high-bandwidth access; and they are located at places like universities, small businesses, corporations and, increasingly, homes with digital subscriber line or cable-modem service.

Hackers scan the Internet looking for computers that are always on and then select those from which to launch attacks. The hackers don't know, and don't care, where the computers are located. All they can see is that the machines are connected all the time and have high bandwidth, Perry said.

"They exploited well-known weaknesses," Perry said of the unknown hackers. "Who knows what else they did while they were there?"

The FBI undoubtedly would love to answer that question. The FBI has launched an investigation into the hack attacks, and President Bill Clinton, who has made protecting the national electronic infrastructure a priority, has called for a White House summit to explore the issue with government and Internet officials.

In the meantime, vigilant use of antivirus software, attack detection software and the like is the only way to begin guarding against such intrusions, according to vendors and security experts, who advise users to run antivirus and intrusion detection software daily. CA and other vendors offer tools capable of checking systems for Trojans, viruses and other malicious code, and of telling when a computer has been attacked or when an attack has been attempted. Such tools typically alert system administrators that a problem has been found, and can also help to reconfigure or reroute traffic to keep a system up and running.

"These organizations that have been attacked this week have suffered revenue loss," Perry said, but perhaps worse is that "their own customers' confidence in them has been shaken. It will have a ripple effect in the whole industry as far as confidence in e-commerce and e-commerce viability."

RSA Security has been working on countermeasures for denial-of-service attacks for two years now. The approach holds that detection software and tools might not be enough in this age of increasingly sophisticated and large attacks.

Mathematicians and cryptographers at RSA labs have been working on something called a "client puzzle protocol." When an attack is mounted, or when network resources are being taxed to such a degree that an attack appears to be under way, cryptographic puzzles will be sent back to each computer requesting entry to a server. One puzzle would be sent per request, in effect turning the flood of malicious traffic back on the computers sending it. Computers of legitimate users will be able to solve the puzzles quickly and gain access without much of a lag in connecting with the desired Internet site, explained Joe Uniejewski, RSA senior vice president of engineering.

The client puzzle approach would also mean that massive volumes of traffic sent back to unwitting computer owners would result in an increase in CPU utilization in their machines that could then alert them that they are part of a broader denial-of-service scheme.

The client-puzzle method is expected to be built into future RSA products, and the company said that it would offer additional details in coming months. More information on client puzzles and cryptographic theory is available at this page.
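
To make the client puzzle idea above concrete, here is an added Python example; it is not code from RSA or from the original article, which does not describe the puzzle construction. It assumes a generic hash-based puzzle (find a nonce whose SHA-256 output has a set number of leading zero bits), and all function names, the 30-second lifetime and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

SERVER_KEY = os.urandom(32)  # server-side secret, never sent to clients
MAX_AGE = 30                 # seconds a puzzle stays valid (assumed value)


def _bind(client_id, issued, bits):
    """Derive the challenge from the request, so the server stores nothing."""
    msg = f"{client_id}|{issued}|{bits}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_puzzle(client_id, bits, now=None):
    """Server side: one cheap MAC per request, sent back under load."""
    issued = int(time.time() if now is None else now)
    return {"issued": issued, "bits": bits,
            "challenge": _bind(client_id, issued, bits)}


def solve_puzzle(puzzle):
    """Client side: brute force; expected cost is about 2**bits hashes."""
    nonce = 0
    while True:
        d = hashlib.sha256(puzzle["challenge"] + struct.pack(">Q", nonce)).digest()
        if leading_zero_bits(d) >= puzzle["bits"]:
            return nonce
        nonce += 1


def verify_solution(client_id, puzzle, nonce, now=None):
    """Server side: reject stale, forged or weakened puzzles, then one hash."""
    now = int(time.time() if now is None else now)
    if not isinstance(nonce, int) or not 0 <= nonce < 2**64:
        return False
    if not 0 <= now - puzzle["issued"] <= MAX_AGE:
        return False
    # Recompute the MAC: a changed client, timestamp or difficulty will not match.
    expected = _bind(client_id, puzzle["issued"], puzzle["bits"])
    if not hmac.compare_digest(expected, puzzle["challenge"]):
        return False
    d = hashlib.sha256(expected + struct.pack(">Q", nonce)).digest()
    return leading_zero_bits(d) >= puzzle["bits"]
```

The asymmetry is the point: issuing and verifying cost the server a MAC and a hash, while each request costs the sender thousands of hashes at 12 bits, and the difficulty can be raised as load increases.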

Although tracking the cybercriminals seems a daunting task, Bill McQuaide, vice president of product marketing at RSA, said that miscreants always leave tracks.

"Eventually, you can uncover those footprints," he said.

CA, in Islandia, N.Y., can be reached at 516-342-5224 or www.ca.com/. RSA, in Bedford, Mass., can be reached at 781-301-5000 or www.rsa.com/.
