Focus: Technology

From the Cincinnati Business Courier

Online invaders come in all shapes and sizes Hacking has become expected as part of business Dorothy Stonely Courier Contributor There's a war going on in cyberspace. It's the hackers vs. practically everyone else. Wherever there's a computer, there's a potential target.

"Hacking attempts at popular sites have become so common they are considered an expected part of doing business." said Paul Henry, manager of Asian operations for Fort Lauderdale, Fla.-based Cyberguard Corp., a provider of online security systems.

Curious students and teenagers initiate a large part of hacking activities, often invading systems at businesses and universities, said Henry.

"It's not simply the obvious goal of stealing software or intellectual property," said Henry. "In many instances, it is the lure of solving the puzzle. Many simply want the bragging rights; others want to break in and destroy."

Earlier this year, Yahoo Inc., eBay Inc., Amazon.com, E-Trade Group Inc. and other high-profile Web service companies sustained electronic attacks.

Late last year, Richard Pryce, a music student in London, hacked into the U.S. Air Force computer system.

Then there's notorious computer hacker Kevin Mitnick, who went on a two-and-a-half-year hacking spree while on probation for hacking.

He hacked into corporate systems, scrambled phone networks, and broke into the U.S. National Defense Warning System, as well as home computers.

The U.S. Department of Justice has charged a small Internet bookseller with intercepting and storing e-mail from Amazon.com to its customers.

"In this case, an Internet service provider (the bookseller) intercepted mail passing through its network to gain a business advantage," said U.S. attorney Donald Stern.

Obviously, the race for profits underlies some of the hacking.

That race "has spawned an unprotected and unregulated infrastructure that has overwhelmingly ignored consumer privacy and security," said Jacques Francoeur, director of trust practices for NetFront Communications Inc., a Sunnyvale, Calif.-based online security systems provider. "Consumers are fully justified in their mistrust: Privacy abuse and security breaches are the norm and not the exception."

Another reason for so much hacking is that it's easy for someone to acquire the weapons to do it. The latest hacking tools are freely shared over the Internet. One Web site boasts: "My manuals teach you how to hack, crack and more. This is the information they do not want you to have."

Hackers have a variety of strategies. With one, they take software programs developed to test a computer system's integrity, and turn them back on the system by exploiting the vulnerability exposed by the software.

The hackers' software tools scan a range of addresses to expose a vulnerable service -- meaning one with mistakes, oversights or mislinkings. When they see one, they launch an attack against it.

Then there's the "denial-of-service" attack.

Under this assault, a targeted site is bombarded with data until it runs out of memory. The targeted system is then unresponsive to the queries of legitimate customers.

Under a strategy called the "Ping of Death," the attacker sends a packet containing more information than the operating system can handle, thereby crashing the system.

A new version of the ping attack, called "Smurf," takes advantage of misconfigured networks by sending the ping packet to numerous systems instead of to one.

Some attack scripts are written by hackers and posted on the Internet for novice hackers to use. Called "script kiddies," these users needn't know anything about hacking or programming; they must merely know how to download and run the script.

Even when an attack is launched for bragging rights rather than monetary gain, companies can end up paying a heavy price. In e-business, every lost connection could be a lost sale. An hour of downtime can cost millions.

There's yet another expense involved in these attacks: To cover their tracks, many hackers erase entire file systems. In a majority of such attacks, the files have no backups and so massive destruction ensues.

When the Melissa virus first appeared on the Internet in March 1999, it spread rapidly throughout computers worldwide, causing an estimated $80 million in damage to computers in one-fifth of the country's largest businesses.

"Many companies won't admit getting hacked -- it's the dirty little secret of the digital age," said Robert Peizer, manager of marketing communications for NetFront. "In 1999, an American Society of Industrial Security report called it a $45 billion problem for the Fortune 1000 companies alone."

There are many unanswered questions concerning the legal liability of organizations whose unsecured computers are used by hackers as launchpads for mayhem. This is because the Internet, and Internet law, are both evolving.

As in any other kind of crime, the perpetrator must be caught before the law can be invoked. Hackers generally launch their programs from computers far distant from their actual location, typically using university or library computers.

Tracking hackers is the job of a new breed of detective.

The Justice Department has established the Computer Crime and Intellectual Property Section to address issues of computer intrusion.

And the FBI has created the National Infrastructure Protection Center to support investigations of computer hacking.

Most Silicon Valley companies are understandably unwilling to discuss the state of their systems security. However, with increased focus on Internet security, quality security systems are available to firms of all sizes. But they won't be the final solution.

Hackers will keep trying to outsmart the system, "absolutely forever," said Peizer. "The best we can do is stay one step ahead."

Anyone connected to the Internet today is vulnerable. Large companies still find their files compromised as a result of the denial-of- service problem. The home user is vulnerable to hackers erasing files, or getting on their hard drive and grabbing data such as a tax return or banking information.

Summing it up best, eBay's Web site security statement closes by stating: "Perfect security does not exist on the Internet."

http://www.bizjournals.com/cincinnati/stories/2000/06/05/focus4.html

-- Martin Thompson (mthom1927@aol.com), June 05, 2000