The scenario that no one in the computer security field likes to talk
about has come to pass: The biggest e-commerce sites on the Net have
been falling like dominoes. First it was Yahoo! Inc. On Feb. 6, the
portal giant was shut down for three hours. Then retailer Buy.com
Inc. was hit the next day, hours after going public. By that evening,
eBay, Amazon.com, and CNN had gone dark. And in the morning, the
mayhem continued with online broker E*Trade and others having traffic
to their sites virtually choked off.
The work of some super hacker? For now, law enforcement officials
don't know, or won't say. But what worries experts more than the
identity of this particular culprit or outlaw group is how easily
these attacks have been orchestrated and executed. Seemingly, someone
could be sitting in the warmth of their home and, with a few keystrokes,
disrupting electronic commerce around the globe.
DEAD HALT. Experts say it's so easy, it's creepy: The software to
do this damage is simple to use and readily available at underground
hacker sites throughout the Internet. A tiny program can be downloaded
and then planted in computers all over the world. Then, with the push
of a button, those PCs are alerted to go into action, sending a simple
request for access to a site, again and again and again--indeed, scores
or hundreds of times a second. Gridlock. For all the sophisticated
work on firewalls, intrusion-detection systems, encryption and computer
security, e-businesses are at risk from a relatively simple technique
that's akin to dialing a telephone number repeatedly so that everyone
else trying to get through will hear a busy signal. ``We have not
seen anything of this magnitude before--not only at eBay, but across
so many sites,'' says Margaret C. Whitman, CEO of eBay.
No information on a Web site was snatched, no data corrupted, no
credit-card numbers stolen--at least so far. Yet it's a deceptively
diabolical trick that has temporarily halted commerce on some of the
biggest Web sites, raising the question: How soft is the underbelly
of the Internet? Could tricks like these jeopardize the explosive
growth of the Web, where consumers and businesses are expected to
transact nearly $450 billion in business this year? ``It's been war
out there for some time, but it's been hidden,'' says James Adams,
co-founder of iDEFENSE, an Alexandria, Va., company that specializes
in cyber threats. ``Now, for the first time, there is a general awareness
of our vulnerabilities and the nature of what we have wrought by running
helter-skelter down the speed race of the Information Highway.''
To be sure, not even the most hardened cyber sleuths are suggesting
the Net is going to wither overnight from the misdeeds of these wrongdoers.
But the events of recent days are delivering a shrill wake-up call
to businesses that they need to spend as much time protecting their
Web sites and networks as they do linking them with customers, suppliers,
contractors--and you. Consider just a quick smattering of recent
events: In December, 300,000 credit-card numbers were snatched from
online music retailer CD Universe. In March, the Melissa virus caused
an estimated $80 million in damage when it swept around the world,
paralyzing e-mail systems. That same month, hackers-for-hire pleaded
guilty to breaking into phone giants AT&T, GTE, and Sprint, among
others, for calling card numbers that eventually made their way to
organized crime gangs in Italy. According to the FBI, the phone companies
were hit for an estimated $2 million.
Cyber crime is becoming one of the Net's growth businesses. The
recent spate of attacks that gummed up Web sites for hours--known
as ``denial of service''--is only one type. Today, criminals are doing
everything from stealing intellectual property and committing fraud
to unleashing viruses and committing acts of cyber terrorism in which
political groups or unfriendly governments nab crucial information.
Indeed, the tactic used to create mayhem in the past few days is actually
one of the more innocuous ones. Cyber thieves have at their fingertips
a dozen dangerous tools, from ``scans'' that ferret out weaknesses
in Web site software programs to ``sniffers'' that snatch passwords.
All told, the FBI estimates computer losses at up to $10 billion a
As grim as the security picture may appear today, it could actually
get worse as broadband connections catch on. Then the Web will go
from being the occasional dial-up service to being ``always on,''
much as the phone is. That concept may be nirvana to e-tailers, but
could pose a real danger to consumers if cyber crooks can come and
go into their computer systems at will. Says Bruce Schneier, chief
technical officer at Counterpane Internet Security Inc. in San Jose,
Calif.: ``They'll keep knocking on doors until they find computers
that aren't protected.''
Sadly, the biggest threat is from within. Law enforcement officials
estimate that up to 60% of break-ins are from employees. Take the
experience of William C. Boni, a digital detective for PricewaterhouseCoopers
in Los Angeles. Last year, he was called in by an entertainment company
that was suspicious about an employee. The employee, it turns out,
was under some financial pressure and had installed a program called
Back Orifice on three of the company's servers. The program, which
is widely available on the Internet, allowed him to take over those
machines, gaining passwords and all the company's financial data.
The employee was terminated before any damage could be done.
The dirty little secret is that computer networks offer ready points
of access for disgruntled employees, spies, thieves, sociopaths, and
bored teens. Once they're in a corporate network, they can lift intellectual
property, destroy data, sabotage operations, even subvert a particular
deal or career. ``Any business on the Internet is a target as far
as I'm concerned,'' says Paul Field, a reformed hacker who is now
a security consultant.
It's point and click, then stick 'em up. Interested in a little
mayhem? Security experts estimate that there are 1,900 Web sites that
offer the digital tools--for free--that will let people snoop, crash
computers, hijack control of a machine, or retrieve a copy of every
keystroke. Steve O'Brien, vice-president for information operation
assessments at Info-Ops.com, an Annapolis (Md.)-based company that
provides intrusion detection services and security solutions, says
the number of ways to hack into computers is rising fast. He tracks
potential threats both from hacker groups and from the proliferation
of programs. Once a rare find, he now discovers at least three new
nasty software programs or vulnerabilities every day. And those tools
aren't just for the intellectually curious. ``Anyone can get them
off the Internet--just point and click away,'' says Robert N. Weaver,
a Secret Service agent in charge of the New York Area Electronic
Crimes Task Force.
UNLOCKED DOORS. It's an issue that has crimefighters up in arms. At
a hastily called press conference in Washington, D.C., on Feb. 9,
Attorney General Janet Reno pledged to battle cyber crime. ``We are
committed to tracking down those responsible and bringing them to
justice'' and ensuring ``that the Internet remains a secure place
to do business,'' she said. But Ron Dick, chief of the Computer Investigations
& Operations Section of the National Infrastructure Protection Center,
pointed out that Internet security can't be assured by the government
alone. Companies need to vigilantly monitor their computers to ensure
that hackers don't surreptitiously install programs from which to
launch attacks. ``For the Internet to be a safe place, it is incumbent
on everyone to remove these tools,'' he says. Using them, ``a 15-year-
old could launch an attack.''
Make that an 8-year-old, once the Internet is always on via fat
broadband connections. There are currently 1.35 million homes in America
with fast cable modems, according to market researcher International
Data Corp. By 2003, the number will grow to 9 million, and there will
be an equal or larger number of digital subscriber line (DSL) connections.
That gives hackers a broad base from which to stage an attack.
When a PC is connected to a conventional phone modem, it receives
a new Internet address each time the user dials onto the Net. That
presents a kind of barrier to hackers hoping to break in and hijack
the PC for the kind of assault that crippled eBay, Yahoo, and others.
In contrast, cable and DSL modems are a welcome mat to hackers. Because
these modems are always connected to the Net, they usually have fixed
addresses, which can be read from e-mail messages and newsgroup postings.
Home security systems known as personal firewalls are widely available
for cable and DSL subscribers. But until they reach nearly 100% penetration,
they won't prevent intrusions.
In the coming age of information appliances, the situation could
get worse. According to many analysts, the U.S. will soon be awash
in Web-browsing televisions, networked game consoles, and smart refrigerators
and Web phones that download software from the Net. ``These devices
all have powerful processors, which could be used in an attack, and
they're all connected to the Net,'' Schneier says.
True, broadband customers can switch off their Net connections.
But as cool applications come onstream, nobody will want to do that.
``There will be streaming music and video, 24-hour news, and all kinds
of broadband Web collaboration,'' says John Corcoran, an Internet
analyst with CIBC World Markets. ``To take advantage of that, the
door will be open 24 hours a day.''
Corporations are no better off. There, security is becoming an
expensive necessity. ``At least 80% of a corporation's intellectual
property is in digital form,'' says Boni. Last year, Corporate America
spent $4.4 billion on sales of Internet security software, including
firewalls, intrusion-detection programs, digital certificates, and
authentication and authorization software, according to International
Data. By 2003, those expenditures could hit $8.3 billion.
And still computer crime keeps spreading. When the FBI and the
Computer Security Institute did their third annual survey of 520 companies
and institutions, more than 60% reported unauthorized use of computer
systems over the past 12 months, up from 50% in 1997. And 57% of all
break-ins involved the Internet, up from 45% two years ago.
As big as those numbers sound, no one really knows how pervasive
cyber crime is. Almost all attacks go undetected--as many as 60%,
according to security experts. What's more, of the attacks that are
exposed, maybe 15% are reported to law enforcement agencies. Companies
don't want the press. When Russian organized crime used hackers to
break into Citibank to steal $10 million--all but $400,000 was recovered-
-competitors used the news in marketing campaigns against the bank.
That makes the job even tougher for law enforcement. Most companies
that have been electronically attacked won't talk to the press. A
big concern is loss of public trust and image--not to mention the
fear of encouraging copycat hackers. Following the attacks on Feb.
8 and Feb. 9, there was a telling public silence from normally garrulous
Internet executives from E*Trade to priceline.com. Those that had
not been attacked yet were reluctant to speak for fear of painting
a target on their site, while others wanted no more attention.
And even when the data are recovered, companies are sometimes reluctant
to claim their property. Secret Service agent Bob Weaver waves a CD-
ROM confiscated in a recent investigation. The disk contains intellectual
property--software belonging to a large Japanese company. Weaver says
he called the company, but got no response.
Thieves and hackers don't even need a computer. In many cases,
the physical world is where the bad guys get the information they
need for digital break-ins. Dallas FBI agent Mike Morris estimates
that in at least a third of the cases he's investigated in his five
years tracking computer crime, an individual has been talked out of
a critical computer password. In hackerland, that's called ``social
engineering.'' Or, the attackers simply go through the garbage--dumpster
diving--for important pieces of information that can help crack the
computers or convince someone at the company to giving them more access.
``PAGEJACKING.'' One problem for law enforcement is that hackers seem
to be everywhere. In some cases, they're even working for so-called
computer security firms. One official recalls sitting in on the selection
process for the firm that would do the Web site security software
for the White House. As the company's employees set up to make their
pitch, one person walked into the room and abruptly walked out. It
turns out one of the people in the audience was with law enforcement,
and had busted that person for hacking.
It's not just on U.S. shores that law enforcement has to battle
cyber criminals. Attacks from overseas, particularly eastern European
countries, are on the rise. Indeed, the problem was so bad for America
Online Inc. that it cut its connection to Russia in 1996. Nabbing
bad guys overseas is a particularly thorny issue. Take Aye.Net, a
small Jeffersonville (Ind.)-based Internet service provider. In 1998
intruders broke into the ISP and knocked them off the Net for four
days. Steve Hardin, director of systems engineering for the ISP, discovered
the hackers and found messages in Russian. He reported it to the FBI,
but no one has been able to track down the hackers.
As if worrying about hackers weren't enough, online fraud is also
on the rise. The Federal Trade Commission, which responds to consumer
complaints about bogus get-rich schemes or auction goods never delivered,
says it filed 61 suits last year. How many did it have back in 1994,
when the Net was in its infancy? One. So far, the actions have resulted
in the collection of more than $20 million in payments to consumers
and the end of schemes with annual estimated sales of over $250 million.
The FTC doesn't want to stop there. On Feb. 9, commissioners testified
before a Senate panel, seeking an increase in the commission's budget
in part, to fund new Internet-related policies and fight cyberfraud.
The money is needed to go after ever more creative schemes. In September,
for example, the FTC filed a case against individuals in Portugal
and Australia who engaged in ``pagejacking'' and ``mousetrapping''
when they captured unauthorized copies of U.S.-based Web sites (including
those of PaineWebber Inc. and The Harvard Law Review) and produced
lookalike versions that were indexed by major search engines. The
defendants diverted unsuspecting consumers to a sequence of porno
sites that they couldn't exit. The FTC obtained a court order stopping
the scheme and suspending the defendants' Web-site registrations.
All of this is not to suggest it's hopeless. Experts say the first
step for companies is to secure their systems by searching for hacker
programs that might be used in such attacks. They also suggest formal
security policies that can be distributed to employees letting them
know how often to change passwords or what to do in case of an attack.
An added help: Constantly updating software with the latest versions
and security patches. Down the road, techniques that can filter and
trace malicious software sent over the Web may make it harder to knock
businesses off the Net. Says Novell Inc. CEO Eric Schmidt: ``Security
is a race between the lock makers and the lock pickers.'' Regulators
say that cybercrime thrives because people accord the Internet far
more credibility than it deserves. ``You can get a lot of good information
from the Internet--95% of what you do there is bona fide,'' says G.
Philip Rutledge, deputy chief counsel of the Pennsylvania Securities
Commission. ``Unfortunately, that creates openings for fraud.''
And other forms of mayhem. That's evident from the attacks that
took down some of the biggest companies on the Net. If blackouts and
other types of cyber crime are to be avoided, then Net security must
be the next growth business.
Business Week: February 21, 1000
Department: Cover Story
Headline: TABLE: How This Happened to Yahoo!, eBay, and E*Trade
Disrupting the Net isn't child's play, but it isn't rocket science,
either. And cleaning up the mess takes teamwork.
An individual or group downloads software that is readily available
at scores of underground Web sites specializing in hacker tools. The
software is easy to use; it's all point-and-click.
They break into scores of computers on the Web and plant a portion
of the downloaded program, allowing the hacker to control the machine.
Unfortunately, there are plenty of machines on the Net that lack the
proper security to stop this.
They pick a target--Yahoo!, eBay, or Amazon.com--and then sit back
in the privacy of their homes and instruct the computers they've hijacked
to send requests for information to that site. One or two messages
won't do it. But send enough of them at the same time and the resulting
congestion clogs networks or brings computer servers and router systems
to their knees. It's like constantly dialing a telephone number so
that no one else can get through.
Responding can take hours. Tracing attackers is hard because they
use fake addresses from scores of computers. But as systems administrators
sift through the traffic, they can identify the general location--
say, an Internet service provider. This takes a coordinated effort
involving the company, its ISP, and telecom suppliers. After identifying
the machines, the company writes a program to reject the requests-
-and prays that it doesn't get another flood of messages.
Business Week: February 21, 1000
Department: Cover Story
Headline: TABLE: Storming the Fortress
DENIAL OF SERVICE
This is becoming a common networking prank. By hammering a Web site'
s equipment with too many requests for information, an attacker can
effectively clog the system, slowing performance or even crashing
the site. This method of overloading computers is sometimes used to
cover up an attack.
Widespread probes of the Internet to determine types of computers,
services, and connections. That way the bad guys can take advantage
of weaknesses in a particular make of computer or software program.
Programs that covertly search individual packets of data as they pass
through the Internet, capturing passwords or the entire contents.
Faking an e-mail address or Web page to trick users into passing along
critical information like passwords or credit-card numbers.
A program that, unknown to the user, contains instructions that exploit
a known vulnerability in some software.
In case the original entry point has been detected, having a few hidden
ways back makes reentry easy--and difficult to detect.
Tiny programs, sometimes written in the popular Java computer language,
that misuse your computer's resources, modify files on the hard disk,
send fake e-mail, or steal passwords.
Programs that automatically dial thousands of telephone numbers in
search of a way in through a modem connection.
An instruction in a computer program that triggers a malicious act.
A technique for crashing or gaining control of a computer by sending
too much data to the buffer in a computer's memory.
Software that can guess passwords.
A tactic used to gain access to computer systems by talking unsuspecting
company employees out of valuable information such as passwords.
Sifting through a company's garbage to find information to help break
into their computers. Sometimes the information is used to make a
stab at social engineering more credible.
They're the good guys who get turned on by the intellectual challenge
of tearing apart computer systems to improve computer security.
Joyriders on the Net. They get a kick out of crashing systems, stealing
passwords, and generally wreaking as much havoc as possible.
Hackers for hire who break into computer systems to steal valuable
information for their own financial gain.
Wannabe hackers with little technical savvy who download programs-
-scripts--that automate the job of breaking into computers.
Employees, disgruntled or otherwise, working solo or in concert with
outsiders to compromise corporate systems.
Business Week: February 21, 1000
Department: Cover Story
Headline: ONLINE ORIGINAL: Take an Information-Systems Security Test
Deck: Find out how little or how much you should be worried
For most companies, protecting their corporate assets from computer
crime is an afterthought -- usually only given priority after something
bad happens. The problem, security experts say, is that most executives
don't realize how lax their computer security is or how tough it is
to protect data in a wired world. So here's a test to take to see
just how well protected your company is from computer crime.
A perfect "10" is the ideal score, but if your company is like most
others experts have seen, at best you'll answer an unqualified "yes"
to only four of the following questions. Look below for your score.
1. Do you have a security policy?
2. Does your company have a firewall?
3. Has your company installed an intrusion-detection system?
4. Do you require the use of antivirus software?
5. Is someone responsible for monitoring intrusion-detection systems
6. Do you do regular security audits?
7. Do you have procedures for reporting -- and acting upon -- security
8. Do you have guidelines governing password selection and changes?
9. Do your system administrators have time to keep up with the continual
flow of security advisories?
10. When an employee leaves for any reason, are there procedures in
(a) cut off computer and building access?
(b) put computer files under the control of a manager?
(c) change all passwords, access codes, etc., that the employee might
Eight "yes" answers or more: Security is clearly a top priority. Relax,
but not too much.
Six or more: You're close, but that's not good enough. Security experts
say a breach is sure to happen, it's just a question of when.
One to five: Think flashing red lights and sirens. Your information
systems are extremely vulnerable. Chances are your network has already
been compromised -- and you don't even know it.
Business Week: February 21, 1000
Department: Cover Story
Headline: ONLINE ORIGINAL: Why Internet Security Stocks Could Be a Safe Play
Deck: Not everyone agrees, but the recent attacks could spur businesses to crank up their buying of security products and services
Byline: By Amey Stone in New York
Opportunistic investors often take advantage of major news events
for short-term gains. That clearly happened after a series of attacks
took down some of the biggest sites on the Web on Feb. 8 and 9. While
shares of victims like Yahoo! (YHOO), E*Trade (EGRP), and Amazon (AMZN)
fell as business on their sites was disrupted, stocks of companies
that provide Internet security software and services got a big bounce.
That continued on Feb. 10, even as the attacks abated.
In those three days alone, VeriSign, the leading Internet security
stock, ran up 20%, closing on Feb. 10 at 219 3/4. And Check Point
Software Technologies (CHKP) gained 30%, closing at 180 7/32. Smaller
online security companies like WatchGuard Technologies (WGRD) and
SonicWall (SNWL) boasted even bigger gains, rising 60% and 70%, respectively,
Feb. 8 through Feb. 10. WatchGuard closed on Feb. 10 at 50, and SonicWall
But rather than cheering, the price hikes left many Wall Street analysts
who cover Internet security chuckling. The fact is the kinds of solutions
those companies provide -- encryption to protect credit-card data
or firewalls to ward off hackers -- have little to do with the recent
problems at major sites. These sites were taken down by an orchestrated
deluge of bogus traffic. This time, at least, no data was stolen or
"WHAT'S THE STORY?" "What does this have to do with security?" asks
an amused Mark Fernandes, a Merrill Lynch analyst who follows VeriSign
and its smaller competitor, Entrust Technologies (ENTU). He has an
"accumulate" rating on both stocks (valuation concerns keep him from
rating them a "buy"), and he hasn't altered his opinion or estimates
as a result of the recent attacks. "Is somebody going to go out and
buy their products to fix these problems? No," he says. "Are earnings
and revenues going to change? No. What's the story here?"
But Wall Street may be thinking too literally. The larger message
of the attacks is that the Internet remains vulnerable to determined
hackers. Even the biggest, beefiest sites can be taken down. "Clearly,
these companies have let us down," says Michael Dubrow, senior analyst
at the Jacob Internet Fund who said he was particularly surprised
that a leading financial site like E*Trade wasn't better prepared.
Yahoo! and Amazon lost revenues for the hours their sites were down,
and Buy.com, missed out on a one-time opportunity -- a huge surge
in traffic it anticipated getting the day of its initial public offering
(see BW Online, 2/9/00/ "Buy.Com's IPO Soared, While Its Site Stalled"
"There's nothing like an event like this to drive home the message
to CEOs that they need to spend money to make sure their sites are
robust and durable," says William E. Whyman, an analyst at Legg Mason'
s Precursor Group. This may be the front-page, cover-grabbing event
that changes the popular mind-set. And security, which has been receding
as a major concern in recent years, could become the Internet's next
growth business as a result.
SMALL-BIZ LINK. There's another angle to security stocks that analysts,
who tend to focus on the largest companies in the group, may have
also overlooked. Although it's unclear how the attacks were done,
one theory is that hackers infiltrated the computer systems of small
businesses and consumers, and used them to barrage the big sites with
data. Part of the solution to preventing such attacks could be to
make sure that even small companies have firewalls in place to prevent
their systems from being hacked, says Dubrow. That would fuel sales
at the security companies that cater to small businesses -- an idea
that many investors apparently caught on to. The biggest gains in
security stocks went to companies like WatchGuard and SonicWall, which
sell security solutions to small businesses.
Now is probably not the right time for serious long-term investors
to jump into Net security stocks. After a few days of sharp gains,
the shares are likely to slide back near-term as the same traders
who drove them up take profits. Even before this week, many analysts
judged VeriSign a little too pricey. It now has a $22.5 billion market
capitalization, but its 1999 revenues were only $85 million, and net
income was a scant $4 million. If hackers don't return, the spate
of attacks could amount to "a one-time marketing blip" for security
companies, says Whyman.
And even if the attacks continue, security experts will have to know
exactly how the hackers pulled off the attacks before investors can
figure out which companies will be responsible for coming up with
solutions to prevent them. Fernandes believes companies that sell
sites products to control traffic, like F5 Networks (FFIV) and Alteon
WebSystems (ATON), may ultimately come up with the solution to ward
off these kinds of attacks. Whyman says Web-hosting services that
can show they can ward off such attacks could also prosper. "It could
drive a shift to high-quality outsourcing," he says. Exodus Communications
(EXDS), probably the main public company in the hosting business,
is keeping pretty quiet so far. Dubrow thinks networking companies
may be able to design more intelligent routers and faster switches
to solve the problem.
NOT A QUITE A QUILT. It's really too early to say which companies
will come out on top, says Ashok Kumar, an analyst at U.S. Bancorp
Piper Jaffray. He believes Internet companies ultimately will have
to come up with a whole new kind of solution to protect against hackers.
While sites mainly protect their front door from security breaches,
"To really have a low failure rate and a high level of protection,
the security has to permeate the backbone, at the spine of the network."
That will require all kinds of companies to work together. "Right
now, everybody has their own patchwork solution, but there is nothing
that stitches all these into a quilt," he says.
But it's clear that the business world's attitude toward Net security
won't be the same after seeing sites like Yahoo!, Amazon, and E*Trade
so easily taken down. Investing close on the heels of major news can
often backfire, and the security stocks that have run up the fastest
will probably slide back as short-term traders focus on the next big
news event. Still, taking a closer look at these companies makes sense
now -- even if you wait until the sector cools to jump in. Some analysts
may be chuckling, but renewed concern over security is the kind of
change in the Net zeitgeist that long-term investors should take seriously.
Copyright 1000 by The McGraw-Hill Companies, Inc. All rights reserved.
By IRA Sager in New York, with Steve Hamm and Neil Gross in New York, John Carey in Washington, D.C., and Robert D. Hof in San M, Cyber Crime., 02-21-2000.
Copyright 1999, by The McGraw-Hill Companies Inc. All rights reserved.