Y2K In Hindsight: The year of the killer hackers (footnote on a security and economics case study)

Tuesday December 19, 2000
The year of the killer hackers
By Scott Berinato, eWEEK

And other tales of security woes facing IT

Year 2000 is ending as it began, with a DDoS attack threatening a large part of the Internet and failing security efforts fueling IT fears.

The latest distributed denial-of-service attempt was broken up last week in Denmark, where hackers took control of at least 50 zombie servers and were preparing an assault on that country's systems. Authorities arrested a 17-year-old suspected of being connected to the attempt, which was broken up by the Danish section of the Computer Emergency Response Team, according to a report in the Danish newspaper Ingeniøren.

It's only one of an alarming number of news reports last week that demonstrate that the fight for online security and privacy has woefully regressed in every area except one -- awareness. Other bad news from last week:

Creditcards.com was hacked, and 55,000 card numbers were held hostage for $100,000. When the extortion attempt failed, the hacker posted the card numbers on the Web. The company has since put up a Web site where merchants and customers can check for fraudulent transactions.

At the University of Washington Medical Center, thousands of medical records for heart patients, which included names and Social Security numbers, were accessed. Officials first denied, then confirmed the hack.

Experts from @stake Inc., in Cambridge, Mass., warned that America Online Inc.'s (NYSE:AOL - news) AOL Instant Messenger is harboring serious security flaws.

More significant, most experts concur that things will only get worse next year.

"The scariest part to me is there's not enough qualified security talent out there," said a security administrator at a major Midwestern mortgage bank. "That's why we're losing ground. I built my infrastructure and many of the programs methodically. But I regularly do security audits, and it's getting to the point they can't even address our security because they don't understand it."

The situation is worse than most people think, said Chris Rouland, director of Internet Security Systems Inc.'s (Nasdaq:ISSX - news) X-Force security advisory team, in Atlanta. "There are a high level of DDoS agents out there right now, on the order of tens of thousands of servers in zombie configuration," said Rouland, who also said he sees at least one data hostage situation per month. "I've had high-level talks with the government. I can tell you there's concern."

Indeed, the FBI has been vocal on the data security front, taking efforts to warn corporations, universities and consumers of higher levels of hack attempts and virus launches around the holidays. Hackers thrive this time of year because they can prey on the large number of e-mail greeting attachments (usually accompanied by higher levels of seasonal trust and goodwill) to launch viruses and because of the high level of online shopping.

"Social engineering is still the weakest part of the equation," said Stacey Lum, CEO of security vendor InfoExpress Inc., in Mountain View, Calif.

But with the shopping season nearing its end, the only real attack so far has come from Navidad, a virus that in two months' time became the seventh most prevalently reported virus on anti-virus vendor Sophos plc.'s list of top viruses for the year.

"Hackers are smart," said Graham Cluley, senior technology officer at Sophos, in London. "If you say to users 'watch out for this time of year,' the hackers will wait until right after this time of year. Users should be equally paranoid all the time."

And, all experts agreed, users should prepare for an even knottier year coming, as hackers are getting more sophis ticated, both technologically and socially.

"It has surprised me how savvy some of the hacks have been," said ISS' Rouland. "They know economics, shutting down a Web site on the day of an IPO [initial public offering] and targeting Christmas for credit card hacks."

Others said the schemes being used by hackers lately have shown a step up in sophistication. One security expert said some of the new attacks move far beyond the simple e-mail attachments that dominated this year. He cited the Bymer worm, which, similar to Trinity Version 3, is an automated attack worm that scans for certain types of servers with vulnerabilities and implants itself on the weak systems, increasing the efficiencies of hacking.

Other worms, such as the year's most prevalent virus, Kakworm, and the recently discovered Forgotten.A, up the clever quotient by launching when an e-mail is opened, not the attachment.

Experts also worry about chat clients in the coming year. They provide nearly total anonymity, they can quickly and anony mously send rogue files to other chat clients or chat servers and the companies that run them, and the networks are always available.

Another headache for next year, ironically, will be encryption. Virtual private networks for broadband users and increased acceptance of encrypted e-mail mean sentries at the gateways won't see malicious code and will let the encrypted bits waltz in or out the front door.

"There's no easy answer to this," said Sophos' Cluley. "If something like ILoveYou happened in a world where encrypted e-mail was accepted, it could have been ... catastrophic."

What can enterprise administrators do? This latest round of malcontentment could be enough to stir up paranoia and despondency among IT managers, but @stake's Weld Pond preached calm and vigilance in the face of what looks like impending chaos.

"Awareness is way up. That's good, especially with privacy. Users are getting cynical," said Pond, the company's R&D manager. "You know car manufacturers are required to recall products when they fail. Not so in software or the Internet yet. So you have to challenge your vendors. Assume security in their products is bad and ask them what they're doing about it. Be disciplined in your practices. Don't act without thinking."

Back To The Study