Hackers' Web-site assaults take toll

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

[Fair Use: For Education and Research Only] Sunday, March 12, 2000, 04:22 p.m. Pacific

Hackers' Web-site assaults take toll; victims and experts call randomness frightening

by Peter Lewis Seattle Times technology reporter Compared with a street mugging, an attack on a Web site lacks a certain reality. The "crime" seems thin, the consequences soft.

Tell that to Blaine Hadlock, owner of a small, Bainbridge Island-based business that got hacked last year, allegedly by a total stranger who turned out to be a computer-science student in Boston. When Hadlock finished picking up the pieces, the tab exceeded $30,000.

It is a phenomenon expected to grow worse before it improves, said Richard Power, spokesman for the Computer Security Institute, a San Francisco-based association of information security professionals.

"As the cybercrime problem grows, the smaller and medium-sized businesses will be more targeted for fraud or malicious mischief," predicted Power, "simply because there will be more sharks in the water interested in smaller prey."

What's particularly disturbing is the apparent randomness of such attacks. Hackers can use fairly simple scanning programs to hunt for vulnerable systems.

"It did not put us out of business, but it stung real bad," recounted Hadlock, whose Zebra Marketing Online Services (ZMOS) has five full-time employees and has since moved to Federal Way. "You don't lose that kind of money without it hurting you. It caused me some significant problems."

Authorities contend the hacker is a Northeastern University student named Ikenna Iffih, who in federal charges filed recently in Boston was also accused of illegally entering federal computers at the National Aeronautics and Space Administration and the Defense Department.

Last spring, investigators with the FBI and the Department of Defense kept asking Hadlock, "Why you? Why him?"

And Hadlock had a stock answer: " 'Ask him (the hacker).'

"I really don't know from whence he came and why. I'd love to sit with him and ask 'Why?' "

Power, with the security institute, said the public often has difficulty understanding the motive behind such stranger-on-stranger cyber attacks. "People say, 'Well, why do they do this?' And the answer they can't understand is, 'Just because,' " Power said.

He said attacks on smaller businesses are particularly damaging because the owners cannot absorb the hit like a major corporation, and they generally lack insurance to cover such losses.

Assistant U.S. Attorney Steve Schroeder of Seattle, who helped investigate the ZMOS case, agrees.

"It's the smaller systems that can't afford to spend resources on security that are going to remain vulnerable," he said. "The little mom-and-pop sites. It (a hacker attack) would bury them."

Most of the hacking incidents Schroeder is aware of in Western Washington involve stranger-on-stranger attacks. Several remain under active investigation. But another threat comes from disgruntled employees.

That's what occurred to small-business owner Bud Robinson, who runs an ice-machine rental business called Automatic Ice Makers in San Diego. Two years ago, a disgruntled programmer "just walked out one day and said 'I'm going to own you,' " Robinson recalled.

Before leaving, the employee placed some malicious code in the system - a "logic bomb" that disabled access and caused about $50,000 in damage. It took nearly two years for Robinson to recover, repairing the system in stages as he could afford to.

James Crowell, a k a Jamie Crowell, ultimately pleaded guilty to a felony charge of recklessly damaging a protected computer. Crowell was sentenced to serve six months in a halfway house and ordered to make restitution, among other conditions.

In Hadlock's case, the intrusion influenced him to shift business models. Instead of hosting other companies' Web pages, ZMOS now acts as an "e-business facilitator," Hadlock said, meaning the company helps e-businesses figure out what their message is and provides marketing assistance.

Besides being disruptive, Hadlock said the attack caused him to realize how legally vulnerable he was as the guardian of other people's information. If a Web-hosting company is housing "hundreds or thousands or millions of dollars' worth of (intellectual-property) investment and somebody (a hacker) gets to you, guess who is on the line?" Hadlock asked rhetorically.

"So we changed after this little scenario," he said. "It led us to not being in that (Web-hosting) business."

As far as prosecutors know, ZMOS was the most seriously damaged victim. Iffih's other alleged unauthorized forays caused no disruption to the nation's defenses, no meddling with satellite control, and no improper use of personal information - including private information on about 9,000 students, faculty and alumni at Northeastern that Iffih is accused of downloading and copying.

The 28-year-old student now faces three felony counts related to unauthorized access to various computers. If convicted, he could serve up to 15 years in prison and pay a $250,000 fine.

Iffih was charged by criminal information instead of indictment, which generally is a sign that a plea agreement is in the works.

Authorities have asserted that Iffih also went by the hacker name "DigiAlmty" and that he was responsible for defacing an Interior Department Web page. On that page, Iffih is accused of writing in part: "Yes, you guessed it right, the WAR is on. The (expletive) FBI vs. everyone who calls him/herself a true hacker."

http://www.seattletimes.com/news/business/html98/hack_20000312.html

-- Martin Thompson (mthom1927@aol.com), March 12, 2000


Moderation questions? read the FAQ