Sunday December 24, 2000
The United States adopted a national plan for protecting computer
networks, and corporations survived a variety of attacks. That doesn't
mean they're taking security seriously.
The apocalypse widely expected to bring the tech world to its knees
at the new millennium didn't occur. But security experts agree that
disaster still looms.
The Year 2000 bug was squashed by a massive international effort that
monopolized most of 1999. The distributed denial-of-service attacks
that slowed traffic to several high-profile sites in February
amounted to a momentary stall in the fast ascent of e-commerce.
The "LoveLetter" virus paused e-mail traffic for, at most, a few
days in May. Microsoft acknowledged in October that an intruder
explored its internal network a dozen times, but the company's
claims that the hacker window-shopped but didn't steal were
accepted, and the matter was dropped.
Security experts say the corporate and government sites that escaped
permanent damage in 2000 got lucky. But they warn that it may take
a major Internet disaster to persuade businesses and governments to
work together to secure the online world for the future.
"It is going to take an economic incentive," said Eugene Spafford,
professor of computer science at Purdue University and the author
of several texts on security. "Right now, not enough people have
suffered enough pain. It is either going to take a large disaster
or we are going to have to get to the point where people realize
how much they are spending online and see that it's worth doing
something differently."
It's a grim thought that's somewhat surprising, considering all the
things that went wrong in 2000.
While the Y2K bug failed to materialize, President Clinton made
cybersecurity a national priority -- at least on paper -- with the
release of the National Plan for Critical Infrastructure Protection.
Cyberspace was calm for all of a month.
Chaos, but no disaster
By the end of the week, eight major sites--including CNN, eBay and
ZDNet--had watched their Web traffic slow to a crawl or halt.
In April, the Royal Canadian Mounted Police and the FBI arrested a
15-year-old Montreal-area boy, who used the name "Mafiaboy" online,
and charged him with the attack on CNN.com. Authorities later charged
him in the other DDoS attacks as well.
The Internet suffered another attack in May, this time in the form of
a virus that panicked users and corporations alike. The LoveLetter
virus, also known as the "ILOVEYOU worm" and the "Love Bug," swept
through corporations in a surge of e-mail, obliterating files and
leaving chaos in its wake.
Given what they had learned from the "Melissa" virus of 1999, most
companies were able to quickly control the LoveLetter virus. The
creator was tracked to a suburb of Manila. The Philippines had no
law to deal with such a crime, but the government vowed to charge
the suspect with credit card fraud.
In August, a public relations wire suffered the first major media
hack. A false press release distributed over the Internet Wire
announced that network equipment maker Emulex Corp.
(Nasdaq:EMLX - news) would restate its earnings and fire its CEO.
Within hours, the trumped-up news caused the company's stock to
plummet almost $70 to near $40 a share. The share price recovered
once the hoax was discovered. The hacker pleaded innocent to charges
of securities fraud in October.
Even Microsoft couldn't fend off Internet attacks. Frequently taken
to task for bugs in its software, at the end of October the software
giant revealed that an attacker had gained access to its internal
network. Microsoft steadfastly denied that the intruder gained
access to its software source code, but many questions remained.
And those were only the highlights in 2000.
While each of the incidents caused a brief uproar, security
protection policies received scant attention, said Purdue's
Spafford.
For example, the DDoS attacks brought many industries together to
share information among themselves, but few could suppress their
competitive urges, Spafford said. "You have a lot of groups who
didn't talk to each other and cooperate."
Meanwhile, the National Plan gained little ground in political
circles. Some funds have been earmarked for the National
Infrastructure Protection Center, the Federal Intrusion Detection
Network, and the Scholarship for Service program dubbed
"Cyber Corps," but most of the initiatives outlined in the document
remain dead in the water.
"It certainly does not show that we learned a lot," Spafford said.
David Farber, professor at the University of Pennsylvania and a
well-known Internet technologist, agreed, saying that most of the
United States relies on software with no security model to fulfill
key functions.
Instead of building secure systems with less functionality, companies
have settled for patching the holes. And that has to stop, Farber
said.
"It's kind of like patching a leaky roof," he said. "At some point,
you're going to have to replace the roof."
Security a low priority in Y2K
By Robert Lemos, ZDNet News
On Feb. 7, starting with Yahoo!, major Internet sites found their
servers choked by massive streams of data from an unknown source in
a series of distributed denial-of-service (DDoS) attacks.
There were numerous smaller virus attacks, thefts of several
credit-card databases and extortion to top it all off.