Hackers Attack Top Web Sites For Third Day
Government Launches Probe

By John Schwartz, Ariana Eunjung Cha and David A. Vise
Washington Post Staff Writers
Thursday, February 10, 2000; Page A01

Hackers attacked some of America's most popular Web sites yesterday for the third day in a row, walling off frustrated consumers from companies that provide news and stock trading as law enforcement officials launched a nationwide criminal investigation.

Attorney General Janet Reno announced the investigation--but the nation's top law enforcement officials admitted that they don't yet know who is mounting the attacks, why they are happening or what to expect next. "At this time, we are not aware of the motives behind these attacks," Reno said. "We are committed in every possible way to tracking down those responsible."

The computer attacks earlier this week temporarily blocked access to Web sites that read like a Who's Who of the new economy, including Yahoo, eBay, Amazon, CNN.com and Buy.com. Then, at daybreak yesterday, ZDNet, a popular technology news site, and online brokerage E-Trade went down. ZDNet was inaccessible for about 2 1/2 hours; the sheer volume of traffic overwhelmed software just installed to monitor such attacks. The attacks seemed to come from "hundreds of thousands" of computers, said Keith Rodwell, technical director for the site.

At E-Trade, the No. 2 online broker, business was stalled for more than an hour at the opening of trading, first by hackers and then by frantic investors. One customer said that he was on hold for half an hour as the stock he was trying to sell dropped by 6 percent.

"I will never place an order online again," he pledged.

The crescendo of assaults this week exposed the widespread, if temporary, vulnerability of some of the largest and most sophisticated electronic commerce sites to hackers' incursions at a time when consumers are flocking to the Web.

The incidents also marked a major escalation in the ongoing electronic combat between hackers and computer security officials. Law enforcement officials are far behind in this contest, according to experts.

"What is scary about this is as we've become more dependent on technology and its availability, we become more vulnerable to any 18-year-old in a garage anywhere in the world," said Mark Rasch, a former federal prosecutor who is a computer security consultant at Global Integrity in Reston.

Law enforcement officials said the techniques used this week were fundamentally simple, but other experts said sophisticated programming and cunning were required to launch the huge volume of Internet messages required to swamp major sites such as Yahoo and Amazon.

The attacks--known as a "distributed denial of service"--do not involve breaking into target computer systems or getting access to customer accounts, e-mail or credit-card numbers. They more closely resemble piling trash up in front of the door so that others can't get in.

These attacks have been used by hackers against smaller Web sites for several years. The new twist is "distributing" the effort over tens or even hundreds of other computers in a coordinated torrent, like the mini-broomsticks in "The Sorcerer's Apprentice." Hackers might drop malicious software into those computers days or weeks before the actual strike and then activate the programs remotely.

Security experts close to the investigations at several companies said the attackers used fake return addresses on messages sent to the targets. In addition, they said the hackers laundered their location through several layers of computers, jumping from computer system to computer system to hide the software that caused the problems. While this hiding technique is common, the perpetrators used an extraordinary number of layers.

Paul Vixie, senior vice president of Internet services for Metromedia Fiber Network, which hosts two sites that were attacked--eBay and Remarq--said some of the fake addresses were actually secret internal ones used by companies to direct traffic within their own networks.

Fixing systems once an attack has taken place is not especially difficult, said Monty Mullig, CNN's vice president for Internet technologies. Tuesday's 7 p.m. attack was beaten back before 9 with cooperation from the company's Internet service provider. "I'm not saying we're made of steel now," Mullig said. "But we're a little stronger than we were yesterday."

Jed Pickel, a member of the technical staff at the federally funded CERT Coordination Center at Carnegie Mellon University, said CERT has made defensive software available on its www.cert.org site. Along with measures that companies can take to shore themselves up against attack, CERT also offers guidelines aimed at helping Web sites keep themselves from passing along the bogus messages that make up such attacks.

"There's not anything you can do to prevent being a victim of this sort of attack," Pickel said, "but there are things you can do to plan for it and respond to it."

This point was echoed many times at yesterday's Department of Justice briefing, where officials pleaded for online businesses to shore up their security systems in order to halt the spread of the attacks.

"Security in the Internet is a community effort," said Ron Dick, who heads the FBI's computer crime investigations.

The hacking incidents constitute serious federal crimes, FBI officials said, and will be investigated fully.

Computer hacking is a federal crime that carries a maximum five-year prison term for first-time offenders and 10 years for repeat offenders, who also are subject to criminal fines of up to $250,000 plus civil penalties.

President Clinton suggested that there might be limits to what Washington can do to fix the problem. "But I have asked people who know more about it than I do whether there is anything we can do about it," he said.

Former FBI agent John Guido, who retired in December after 30 years with the bureau, said law enforcement agencies "can't keep up" with the fast-paced world of cyber-criminals. With the booming economy, federal and local law enforcement agencies have had difficulty attracting and retaining the computer experts they need to track computer crime.

"Law enforcement is way behind the curve," Guido said. "The business of computer crime for the present and future is the biggest challenge. . . . The technology is just ahead of us."

The difficulty encountered by the FBI is one of the factors behind FBI Director Louis J. Freeh's push for Congress to grant the bureau more power to make the nation's telephone and computer networks more wiretap-friendly so that hackers and other computer criminals can be identified more easily.

But the FBI's Dick said: "I'm very confident we are going to be able to solve this. . . . A lot of people are sharing information with us, and there is a lot of information coming in to us, and we are chasing those leads down."

FBI Deputy Director Thomas J. Pickard predicted Internet crimes and hacking will increase over time as use of the Internet grows, and cooperation with industry will grow as well. Despite the limits on the FBI's technical capabilities, he said the bureau is working closely with the private sector to preserve and protect e-commerce.

"I can't replace the technical ability of the Microsofts and Lucents, but by the same token I've got great investigators who can understand where they are going with this technology and can work with industry," Pickard said. Corporate executives, he said, "don't want this to be a problem and realize how important it is for this to work on a national and international level."

CERT's Pickel noted that even though the means are available to fight hackers and plug holes in system security, too few companies take full advantage of them. "If you're a hacker, you rely on the fact that even though these things can be fixed, they won't be," Rasch said. "People have competing pressures. You want to get the product made, get it out the door--security is an afterthought."

This eternal tension between functionality and security, Rasch suggested, is a little like "the Volvo versus the Ferrari"--safety against performance. "It's a question of priorities. But that's shortsighted, because security is an essential component of e-commerce."

Moreover, some corporations, fearful of losing their competitive advantage and wary about cooperating with federal law enforcement, have been skeptical about giving the FBI proprietary information about their software--and privacy advocates have strongly objected to expanding the bureau's wiretapping and surveillance abilities.

That touchy relationship between high-tech companies and government only makes the job of policing the online world harder, Rasch said. To track hackers, he said, "what you really need is intense cooperation among [Internet service providers], and law enforcement is essentially the wrong entity to do that. . . . There's a fundamental mistrust in the Internet community of law enforcement because they come at it from opposite directions."

One source involved in the investigation noted that past investigations of virus makers and online stock manipulators have been solved even though the perpetrators thought they were acting anonymously. As with any crime, a little sloppiness can make the difference between true anonymity and hiding in plain sight. "Stupidity helps law enforcement," the law enforcement official said.

Security experts and hackers alike pondered why anyone would do such a thing--besides the usual bragging rights that accompany a successful exploit. Some hackers claim to be serving society by showing flaws in system defenses, but a comment on a security discussion group asked the anonymous attacker: "What's your point? . . . You're shouting really loud but nobody's getting the message."

Although culprits and motive were nowhere to be found, some longtime observers of hackers suggested that the timing might not have been exactly random. Many of the country's top security experts were at the North American Network Operators' Group conference in San Jose when the attacks began.

The assault on Yahoo began just minutes after one of the Internet's most respected security graybeards, Steve Bellovin of AT&T Labs, finished a speech on denial-of-service attacks and how to secure sites against them.

"Whether or not it was a conspiracy or a coincidence I don't know, but people are certainly asking," said Mark Gebert, one of the organizers of the conference.

Staff writer Ianthe Jeanne Dugan contributed to this report.
 

Online Overload

Recent attacks that have temporarily blocked access to Web sites are known as "distributed denial of service." This technique doesn't involve actually breaking into the target computer system -- it more closely resembles piling trash up in front of the door so that others can't get in.

1. The attacker hijacks a group of computers and secretly installs special software that runs automatically and invisibly.

2. Hosts instruct broadcasters to simultaneously send messages to flood the target site using fake source addresses (like ringing someone's doorbell and running away).
 

Diagram labels:

Hacker's computer

Hosts: Several computers under hacker's direct control

Broadcasters: Hundreds of servers that run the code generating the denial-of-service attack

Target site

SOURCES: ZDNet, news reports

Web Troubles

Here are some of the major sites that have been the targets of cyberattacks:

Monday:

Yahoo: Down from 10:30 a.m. to 1:30 p.m.

Tuesday:

Amazon.com: Increased traffic slowed site around 5 p.m.

CNN.com: Down from about 7 to 9 p.m.

EBay: Starting at 3:20 p.m., down for most of the day.

Buy.com: Jammed from about 10:50 a.m. until after 2 p.m.

Yesterday:

ZDNet: Off-line about 7 a.m. until about 9:30 a.m.

E-Trade: Sporadic outages in the morning. Back up at 10 a.m.

© Copyright 2000 The Washington Post Company