Y2K daemons

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

FBI agents focus on university, business computers as cyber attack launch pads

February 10, 2000 Web posted at: 9:06 p.m. EST (0206 GMT)

From staff and wire reports

WASHINGTON (CNN) -- The FBI is pursuing leads that a series of attacks on popular computer Web sites was launched from high-capacity computer systems at a university or at businesses. Officials believe the school or businesses were an unwitting launch pad for the string of attacks. Those programs in turn forced the university or business systems to send out millions of messages aimed at overloading the targeted Web sites.

Investigation scope

The massive federal investigation into this week's string of cyber attacks may extend overseas, Justice Department officials say.

Deputy Attorney General Eric Holder said there is "no indication at this point that we are looking at anything that comes from outside the country, though there have been previous, similar attacks that have been launched from outside the country, so that is a possibility we'll certainly have to consider."

Senior officials said the multistate investigation now includes major efforts by FBI field offices in four states, and involves "countless numbers" of agents in several others.

Motive still unknown

"These are people who are criminals," Holder told reporters at a Justice Department briefing Thursday.

"The collective loss, and the cost to respond to these kinds of attacks, can run into the tens of millions of dollars or more."

On Wednesday, online brokerage E-Trade Group and technology news site ZDNet became the latest victims. Their sites were knocked out for more than an hour.

The attacks began Monday against Yahoo!, the largest independent Web site. They spread Tuesday to CNN.com and leading retailers Buy.com, eBay and Amazon.com. The cyber bandits have been quick to exploit technology even as U.S. government investigators become more computer savvy.

"We need additional people," said Holder. "We need additional forensic capabilities. This is, as everybody understands, a fast-changing area."

It's both fast changing and potentially devastating to Internet commerce.

The Clinton administration is asking Congress to increase funding for the Justice Department's anti-cybercrime efforts by more than a third -- from roughly $100 million to $137 million.

Holder said investigators inside and outside the government were working together in a complex effort to track down the hackers. He said that while authorities do not yet know the motive of those responsible, officials consider the matter "very serious" and that the Justice Department may have to consider increasing penalties for cyber-criminals.

A senior Justice Department official involved in the probe said it's likely the hacker or hackers who clogged several popular Internet sites used "dozens or even hundreds" of computers to launch the attacks.

The official, asking not to be identified, said after officials discovered certain "distributed denial of service" tools in December, a warning was sent out.

Information: The FBI asks that any suspected criminal activity be reported to the NIPC Watch and Warning Unit (202) 323-3204/3205/3206 or nipc.watch@fbi.gov

FBI's recommended steps for victims of illegal computer intrusion: Respond quickly to greatly reduce potential damage and monetary losses. Consider activating Caller ID on inbound lines. Have pre-established points of contact for the general counsel, emergency response personnel, law enforcement, etc. Appoint one person to handle potential evidence. Establish a chain-of-custody. Do not "duel" with the hacker. This typically invites more attacks. Do not use your network's E-mail functions to discuss the incident. The mail server may have been compromised. If you reside within the Washington, D.C. Metropolitan area, contact the WFO IPCIS.

Y2K daemons?

The official said these tools, called daemons, can be planted on hundreds of innocent third-party computers, and await a command issued much later from a remote location to launch attacks on a single target.

The official refused to comment on whether the daemons found in the intensive preparations to guard against Y2K problems were involved in the current attacks.

A Senate leader who has conducted a series of hearings on countering the cyber threat issued a statement Thursday saying the government had failed to be prepared for such cyber attacks, and he promised additional hearings. "Efforts to protect critical computer networks have unfortunately not kept pace with the march of technology," said Sen. Jon Kyl, R-Arizona.

"I have been a firm believer that it was always a question of when, not if, our vulnerabilities would be exploited by someone with malicious intent," Kyl said. "The events of the last three days confirm that view."

More vigilance catching intrusions

One positive development from the attacks is that some network administrators are being extra careful about checking possible intrusions.

The Los Angeles Times Web site, latimes.com, received a warning from its Internet service provider, GTE Internetworking, that there had been several attacks against the ISP and urged its customers to be more vigilant.

On Wednesday morning, engineers discovered that one of the latimes.com servers was running a "little abnormally," according to Dan Royal, operations manager for the site.

They found that someone had entered the server from the outside and placed an "Internet relay chat" program that took up so much bandwidth as to create a disturbance. The incident had no effect on users.

"It caused no damage, other than a whole lot of people pulling their hair out," Royal said.

Pentagon checking its computers

Pentagon officials stressed the military has not been hit by the denial of service attacks and said there's nothing to indicate the systems have been compromised.

"We've been watching with great interest," said Rear Adm. Craig Quigley at Thursday's Pentagon briefing. "We need to be aware of potential hacking into the DOD computer system and be able to defend against some of those attacks."

The Defense Department is putting out a message to its computer network administrators to check the hard drive systems.

Quigley said the Pentagon wants "to see if someone has planted some of this denial of service tools on the drives of Defense Department computers." The spokesman said the check is to make sure the Pentagon's computers could not have unwittingly been a part of the denial of service regime that's being used to clobber some of the other servers.

Pentagon computers were updated and prepared for any Y2K rollover glitches in a $3.6 billion fix over 18 months leading up to January 1.

There was no estimate on how long the new checks would take, but the spokesman said Pentagon officials will be on their toes and aware of what's happening.

The Defense Department is the federal government's single biggest user of computers. "We have no reason to suspect that any of our systems are in fact involved in this, but we're also not sure until we check."

-- Martin Thompson (mthom1927@aol.com), February 10, 2000
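The article describes two things an administrator at a university or business could check for: a planted daemon sitting on a host waiting for a remote command, and, once it fires, that host pushing a very high packet rate toward a single target. The following is an added example of the second check, written against egress flow records; it is not code from CNN, the FBI, or the poster. The flow record layout, the campus prefix 10.20.0.0/16, the thresholds and the log lines are all constructed for this example.

```python
"""Flag internal hosts that look like an unwitting denial-of-service
launch pad, using per-second flow records exported at the border.

Added example, not from the article or the forum post.  The record
format ("ts src dst proto packets bytes", one line per flow per
one-second bin), the internal prefix and the sample lines are assumptions
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.20.0.0/16")  # assumed campus address space

# Constructed sample flows.  10.20.5.17 floods one external host with
# small UDP packets for three consecutive seconds; 10.20.11.2 has a single
# one-second ICMP burst; the rest is ordinary traffic.
SAMPLE_FLOWS = """\
949906800 10.20.5.17 198.51.100.10 udp 48000 3840000
949906800 10.20.5.17 198.51.100.10 udp 51000 4080000
949906800 10.20.7.3 203.0.113.50 tcp 120 88000
949906801 10.20.5.17 198.51.100.10 udp 49500 3960000
949906801 198.51.100.10 10.20.5.17 udp 5 400
949906801 10.20.7.3 203.0.113.50 tcp 95 71000
949906801 10.20.9.40 203.0.113.8 tcp 40 30000
949906802 10.20.5.17 198.51.100.10 udp 50200 4016000
949906802 10.20.11.2 192.0.2.77 icmp 30000 2400000
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse the constructed record format into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, packets, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(packets), int(nbytes)))
    return flows


def find_floods(flows, pps_threshold=20000, min_seconds=2):
    """Return {(src, dst): peak_pps} for internal sources that send at or
    above pps_threshold packets per second toward one external destination
    in at least min_seconds distinct one-second bins.

    Requiring several bins separates a sustained flood from a single
    burst, which is how a busy but legitimate host would usually look.
    """
    per_sec = defaultdict(lambda: defaultdict(int))  # (src, dst) -> ts -> pkts
    for f in flows:
        # Only outbound traffic from our own space is of interest here.
        if ip_address(f.src) not in INTERNAL or ip_address(f.dst) in INTERNAL:
            continue
        per_sec[(f.src, f.dst)][f.ts] += f.packets

    floods = {}
    for pair, bins in per_sec.items():
        hot = [pps for pps in bins.values() if pps >= pps_threshold]
        if len(hot) >= min_seconds:
            floods[pair] = max(hot)
    return floods


if __name__ == "__main__":
    for (src, dst), peak in sorted(find_floods(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"possible DoS agent: {src} -> {dst}, peak {peak} packets/s")
```

On the constructed data only 10.20.5.17 is reported; the one-second ICMP burst from 10.20.11.2 is dropped by the persistence rule, and the reply flow from 198.51.100.10 is ignored because its source is not internal. Lowering min_seconds to 1 shows the trade-off, at the cost of more false positives.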

Answers

URL for above:

http://www.cnn.com/2000/US/02/10/hacking.investigation.02/#2

Seems that I remember considerable talk before the rollover that the problem with hackers would come sometime after the rollover. After everyone's guard was down. Hmmmmmmm

-- Martin Thompson (mthom1927@aol.com), February 10, 2000.
