Cyber Crime

Business Week: February 21, 1000
Department: Cover Story
Headline: Cyber Crime
Deck: First Yahoo! Then eBay. The Net's vulnerability threatens e- commerce--and you
Byline: By IRA Sager in New York, with Steve Hamm and Neil Gross in New York, John Carey in Washington, D.C., and Robert D. Hof in San Mateo, Calif.

The scenario that no one in the computer security field likes to talk about has come to pass: The biggest e-commerce sites on the Net have been falling like dominoes. First it was Yahoo! Inc. On Feb. 6, the portal giant was shut down for three hours. Then retailer Inc. was hit the next day, hours after going public. By that evening, eBay,, and CNN had gone dark. And in the morning, the mayhem continued with online broker E*Trade and others having traffic to their sites virtually choked off.

The work of some super hacker? For now, law enforcement officials don't know, or won't say. But what worries experts more than the identity of this particular culprit or outlaw group is how easily these attacks have been orchestrated and executed. Seemingly, someone could be sitting in the warmth of their home and, with a few keystrokes, disrupting electronic commerce around the globe.

DEAD HALT. Experts say it's so easy, it's creepy: The software to do this damage is simple to use and readily available at underground hacker sites throughout the Internet. A tiny program can be downloaded and then planted in computers all over the world. Then, with the push of a button, those PCs are alerted to go into action, sending a simple request for access to a site, again and again and again--indeed, scores or hundreds of times a second. Gridlock. For all the sophisticated work on firewalls, intrusion-detection systems, encryption and computer security, e-businesses are at risk from a relatively simple technique that's akin to dialing a telephone number repeatedly so that everyone else trying to get through will hear a busy signal. ``We have not seen anything of this magnitude before--not only at eBay, but across so many sites,'' says Margaret C. Whitman, CEO of eBay.

No information on a Web site was snatched, no data corrupted, no credit-card numbers stolen--at least so far. Yet it's a deceptively diabolical trick that has temporarily halted commerce on some of the biggest Web sites, raising the question: How soft is the underbelly of the Internet? Could tricks like these jeopardize the explosive growth of the Web, where consumers and businesses are expected to transact nearly $450 billion in business this year? ``It's been war out there for some time, but it's been hidden,'' says James Adams, co-founder of iDEFENSE, an Alexandria, Va., company that specializes in cyber threats. ``Now, for the first time, there is a general awareness of our vulnerabilities and the nature of what we have wrought by running helter-skelter down the speed race of the Information Highway.''

To be sure, not even the most hardened cyber sleuths are suggesting the Net is going to wither overnight from the misdeeds of these wrongdoers. But the events of recent days are delivering a shrill wake-up call to businesses that they need to spend as much time protecting their Web sites and networks as they do linking them with customers, suppliers, contractors--and you. Consider just a quick smattering of recent events: In December, 300,000 credit-card numbers were snatched from online music retailer CD Universe. In March, the Melissa virus caused an estimated $80 million in damage when it swept around the world, paralyzing e-mail systems. That same month, hackers-for-hire pleaded guilty to breaking into phone giants AT&T, GTE, and Sprint, among others, for calling card numbers that eventually made their way to organized crime gangs in Italy. According to the FBI, the phone companies were hit for an estimated $2 million.

Cyber crime is becoming one of the Net's growth businesses. The recent spate of attacks that gummed up Web sites for hours--known as ``denial of service''--is only one type. Today, criminals are doing everything from stealing intellectual property and committing fraud to unleashing viruses and committing acts of cyber terrorism in which political groups or unfriendly governments nab crucial information. Indeed, the tactic used to create mayhem in the past few days is actually one of the more innocuous ones. Cyber thieves have at their fingertips a dozen dangerous tools, from ``scans'' that ferret out weaknesses in Web site software programs to ``sniffers'' that snatch passwords. All told, the FBI estimates computer losses at up to $10 billion a year.

As grim as the security picture may appear today, it could actually get worse as broadband connections catch on. Then the Web will go from being the occasional dial-up service to being ``always on,'' much as the phone is. That concept may be nirvana to e-tailers, but could pose a real danger to consumers if cyber crooks can come and go into their computer systems at will. Says Bruce Schneier, chief technical officer at Counterpane Internet Security Inc. in San Jose, Calif.: ``They'll keep knocking on doors until they find computers that aren't protected.''

Sadly, the biggest threat is from within. Law enforcement officials estimate that up to 60% of break-ins are from employees. Take the experience of William C. Boni, a digital detective for PricewaterhouseCoopers in Los Angeles. Last year, he was called in by an entertainment company that was suspicious about an employee. The employee, it turns out, was under some financial pressure and had installed a program called Back Orifice on three of the company's servers. The program, which is widely available on the Internet, allowed him to take over those machines, gaining passwords and all the company's financial data. The employee was terminated before any damage could be done.

The dirty little secret is that computer networks offer ready points of access for disgruntled employees, spies, thieves, sociopaths, and bored teens. Once they're in a corporate network, they can lift intellectual property, destroy data, sabotage operations, even subvert a particular deal or career. ``Any business on the Internet is a target as far as I'm concerned,'' says Paul Field, a reformed hacker who is now a security consultant.

It's point and click, then stick 'em up. Interested in a little mayhem? Security experts estimate that there are 1,900 Web sites that offer the digital tools--for free--that will let people snoop, crash computers, hijack control of a machine, or retrieve a copy of every keystroke. Steve O'Brien, vice-president for information operation assessments at, an Annapolis (Md.)-based company that provides intrusion detection services and security solutions, says the number of ways to hack into computers is rising fast. He tracks potential threats both from hacker groups and from the proliferation of programs. Once a rare find, he now discovers at least three new nasty software programs or vulnerabilities every day. And those tools aren't just for the intellectually curious. ``Anyone can get them off the Internet--just point and click away,'' says Robert N. Weaver, a Secret Service agent in charge of the New York Area Electronic Crimes Task Force.

UNLOCKED DOORS. It's an issue that has crimefighters up in arms. At a hastily called press conference in Washington, D.C., on Feb. 9, Attorney General Janet Reno pledged to battle cyber crime. ``We are committed to tracking down those responsible and bringing them to justice'' and ensuring ``that the Internet remains a secure place to do business,'' she said. But Ron Dick, chief of the Computer Investigations & Operations Section of the National Infrastructure Protection Center, pointed out that Internet security can't be assured by the government alone. Companies need to vigilantly monitor their computers to ensure that hackers don't surreptitiously install programs from which to launch attacks. ``For the Internet to be a safe place, it is incumbent on everyone to remove these tools,'' he says. Using them, ``a 15-year- old could launch an attack.''

Make that an 8-year-old, once the Internet is always on via fat broadband connections. There are currently 1.35 million homes in America with fast cable modems, according to market researcher International Data Corp. By 2003, the number will grow to 9 million, and there will be an equal or larger number of digital subscriber line (DSL) connections.

That gives hackers a broad base from which to stage an attack. When a PC is connected to a conventional phone modem, it receives a new Internet address each time the user dials onto the Net. That presents a kind of barrier to hackers hoping to break in and hijack the PC for the kind of assault that crippled eBay, Yahoo, and others. In contrast, cable and DSL modems are a welcome mat to hackers. Because these modems are always connected to the Net, they usually have fixed addresses, which can be read from e-mail messages and newsgroup postings. Home security systems known as personal firewalls are widely available for cable and DSL subscribers. But until they reach nearly 100% penetration, they won't prevent intrusions.

In the coming age of information appliances, the situation could get worse. According to many analysts, the U.S. will soon be awash in Web-browsing televisions, networked game consoles, and smart refrigerators and Web phones that download software from the Net. ``These devices all have powerful processors, which could be used in an attack, and they're all connected to the Net,'' Schneier says.

True, broadband customers can switch off their Net connections. But as cool applications come onstream, nobody will want to do that. ``There will be streaming music and video, 24-hour news, and all kinds of broadband Web collaboration,'' says John Corcoran, an Internet analyst with CIBC World Markets. ``To take advantage of that, the door will be open 24 hours a day.''

Corporations are no better off. There, security is becoming an expensive necessity. ``At least 80% of a corporation's intellectual property is in digital form,'' says Boni. Last year, Corporate America spent $4.4 billion on sales of Internet security software, including firewalls, intrusion-detection programs, digital certificates, and authentication and authorization software, according to International Data. By 2003, those expenditures could hit $8.3 billion.

And still computer crime keeps spreading. When the FBI and the Computer Security Institute did their third annual survey of 520 companies and institutions, more than 60% reported unauthorized use of computer systems over the past 12 months, up from 50% in 1997. And 57% of all break-ins involved the Internet, up from 45% two years ago.

As big as those numbers sound, no one really knows how pervasive cyber crime is. Almost all attacks go undetected--as many as 60%, according to security experts. What's more, of the attacks that are exposed, maybe 15% are reported to law enforcement agencies. Companies don't want the press. When Russian organized crime used hackers to break into Citibank to steal $10 million--all but $400,000 was recovered- -competitors used the news in marketing campaigns against the bank.

That makes the job even tougher for law enforcement. Most companies that have been electronically attacked won't talk to the press. A big concern is loss of public trust and image--not to mention the fear of encouraging copycat hackers. Following the attacks on Feb. 8 and Feb. 9, there was a telling public silence from normally garrulous Internet executives from E*Trade to Those that had not been attacked yet were reluctant to speak for fear of painting a target on their site, while others wanted no more attention.

And even when the data are recovered, companies are sometimes reluctant to claim their property. Secret Service agent Bob Weaver waves a CD- ROM confiscated in a recent investigation. The disk contains intellectual property--software belonging to a large Japanese company. Weaver says he called the company, but got no response.

Thieves and hackers don't even need a computer. In many cases, the physical world is where the bad guys get the information they need for digital break-ins. Dallas FBI agent Mike Morris estimates that in at least a third of the cases he's investigated in his five years tracking computer crime, an individual has been talked out of a critical computer password. In hackerland, that's called ``social engineering.'' Or, the attackers simply go through the garbage--dumpster diving--for important pieces of information that can help crack the computers or convince someone at the company to giving them more access.

``PAGEJACKING.'' One problem for law enforcement is that hackers seem to be everywhere. In some cases, they're even working for so-called computer security firms. One official recalls sitting in on the selection process for the firm that would do the Web site security software for the White House. As the company's employees set up to make their pitch, one person walked into the room and abruptly walked out. It turns out one of the people in the audience was with law enforcement, and had busted that person for hacking.

It's not just on U.S. shores that law enforcement has to battle cyber criminals. Attacks from overseas, particularly eastern European countries, are on the rise. Indeed, the problem was so bad for America Online Inc. that it cut its connection to Russia in 1996. Nabbing bad guys overseas is a particularly thorny issue. Take Aye.Net, a small Jeffersonville (Ind.)-based Internet service provider. In 1998 intruders broke into the ISP and knocked them off the Net for four days. Steve Hardin, director of systems engineering for the ISP, discovered the hackers and found messages in Russian. He reported it to the FBI, but no one has been able to track down the hackers.

As if worrying about hackers weren't enough, online fraud is also on the rise. The Federal Trade Commission, which responds to consumer complaints about bogus get-rich schemes or auction goods never delivered, says it filed 61 suits last year. How many did it have back in 1994, when the Net was in its infancy? One. So far, the actions have resulted in the collection of more than $20 million in payments to consumers and the end of schemes with annual estimated sales of over $250 million.

The FTC doesn't want to stop there. On Feb. 9, commissioners testified before a Senate panel, seeking an increase in the commission's budget in part, to fund new Internet-related policies and fight cyberfraud. The money is needed to go after ever more creative schemes. In September, for example, the FTC filed a case against individuals in Portugal and Australia who engaged in ``pagejacking'' and ``mousetrapping'' when they captured unauthorized copies of U.S.-based Web sites (including those of PaineWebber Inc. and The Harvard Law Review) and produced lookalike versions that were indexed by major search engines. The defendants diverted unsuspecting consumers to a sequence of porno sites that they couldn't exit. The FTC obtained a court order stopping the scheme and suspending the defendants' Web-site registrations.

All of this is not to suggest it's hopeless. Experts say the first step for companies is to secure their systems by searching for hacker programs that might be used in such attacks. They also suggest formal security policies that can be distributed to employees letting them know how often to change passwords or what to do in case of an attack. An added help: Constantly updating software with the latest versions and security patches. Down the road, techniques that can filter and trace malicious software sent over the Web may make it harder to knock businesses off the Net. Says Novell Inc. CEO Eric Schmidt: ``Security is a race between the lock makers and the lock pickers.'' Regulators say that cybercrime thrives because people accord the Internet far more credibility than it deserves. ``You can get a lot of good information from the Internet--95% of what you do there is bona fide,'' says G. Philip Rutledge, deputy chief counsel of the Pennsylvania Securities Commission. ``Unfortunately, that creates openings for fraud.''

And other forms of mayhem. That's evident from the attacks that took down some of the biggest companies on the Net. If blackouts and other types of cyber crime are to be avoided, then Net security must be the next growth business.


Business Week: February 21, 1000
Department: Cover Story
Headline: TABLE: How This Happened to Yahoo!, eBay, and E*Trade

Disrupting the Net isn't child's play, but it isn't rocket science, either. And cleaning up the mess takes teamwork.


An individual or group downloads software that is readily available at scores of underground Web sites specializing in hacker tools. The software is easy to use; it's all point-and-click.


They break into scores of computers on the Web and plant a portion of the downloaded program, allowing the hacker to control the machine. Unfortunately, there are plenty of machines on the Net that lack the proper security to stop this.


They pick a target--Yahoo!, eBay, or then sit back in the privacy of their homes and instruct the computers they've hijacked to send requests for information to that site. One or two messages won't do it. But send enough of them at the same time and the resulting congestion clogs networks or brings computer servers and router systems to their knees. It's like constantly dialing a telephone number so that no one else can get through.


Responding can take hours. Tracing attackers is hard because they use fake addresses from scores of computers. But as systems administrators sift through the traffic, they can identify the general location-- say, an Internet service provider. This takes a coordinated effort involving the company, its ISP, and telecom suppliers. After identifying the machines, the company writes a program to reject the requests- -and prays that it doesn't get another flood of messages.


Business Week: February 21, 1000
Department: Cover Story
Headline: TABLE: Storming the Fortress



This is becoming a common networking prank. By hammering a Web site' s equipment with too many requests for information, an attacker can effectively clog the system, slowing performance or even crashing the site. This method of overloading computers is sometimes used to cover up an attack.


Widespread probes of the Internet to determine types of computers, services, and connections. That way the bad guys can take advantage of weaknesses in a particular make of computer or software program.


Programs that covertly search individual packets of data as they pass through the Internet, capturing passwords or the entire contents.


Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit-card numbers.


A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software.


In case the original entry point has been detected, having a few hidden ways back makes reentry easy--and difficult to detect.


Tiny programs, sometimes written in the popular Java computer language, that misuse your computer's resources, modify files on the hard disk, send fake e-mail, or steal passwords.


Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection.


An instruction in a computer program that triggers a malicious act.


A technique for crashing or gaining control of a computer by sending too much data to the buffer in a computer's memory.


Software that can guess passwords.


A tactic used to gain access to computer systems by talking unsuspecting company employees out of valuable information such as passwords.


Sifting through a company's garbage to find information to help break into their computers. Sometimes the information is used to make a stab at social engineering more credible.



They're the good guys who get turned on by the intellectual challenge of tearing apart computer systems to improve computer security.


Joyriders on the Net. They get a kick out of crashing systems, stealing passwords, and generally wreaking as much havoc as possible.


Hackers for hire who break into computer systems to steal valuable information for their own financial gain.


Wannabe hackers with little technical savvy who download programs- -scripts--that automate the job of breaking into computers.


Employees, disgruntled or otherwise, working solo or in concert with outsiders to compromise corporate systems.


Business Week: February 21, 1000
Department: Cover Story
Headline: ONLINE ORIGINAL: Take an Information-Systems Security Test
Deck: Find out how little or how much you should be worried

For most companies, protecting their corporate assets from computer crime is an afterthought -- usually only given priority after something bad happens. The problem, security experts say, is that most executives don't realize how lax their computer security is or how tough it is to protect data in a wired world. So here's a test to take to see just how well protected your company is from computer crime.

A perfect "10" is the ideal score, but if your company is like most others experts have seen, at best you'll answer an unqualified "yes" to only four of the following questions. Look below for your score.

1. Do you have a security policy?

Yes No

2. Does your company have a firewall?

Yes No

3. Has your company installed an intrusion-detection system?

Yes No

4. Do you require the use of antivirus software?

Yes No

5. Is someone responsible for monitoring intrusion-detection systems and

antivirus software?

Yes No

6. Do you do regular security audits?

Yes No

7. Do you have procedures for reporting -- and acting upon -- security problems?

Yes No

8. Do you have guidelines governing password selection and changes?

Yes No

9. Do your system administrators have time to keep up with the continual flow of security advisories?

Yes No

10. When an employee leaves for any reason, are there procedures in place to:

(a) cut off computer and building access?

(b) put computer files under the control of a manager?

(c) change all passwords, access codes, etc., that the employee might have known?

Yes No

Eight "yes" answers or more: Security is clearly a top priority. Relax, but not too much.

Six or more: You're close, but that's not good enough. Security experts say a breach is sure to happen, it's just a question of when.

One to five: Think flashing red lights and sirens. Your information systems are extremely vulnerable. Chances are your network has already been compromised -- and you don't even know it.



Business Week: February 21, 1000
Department: Cover Story
Headline: ONLINE ORIGINAL: Why Internet Security Stocks Could Be a Safe Play
Deck: Not everyone agrees, but the recent attacks could spur businesses to crank up their buying of security products and services
Byline: By Amey Stone in New York

Opportunistic investors often take advantage of major news events for short-term gains. That clearly happened after a series of attacks took down some of the biggest sites on the Web on Feb. 8 and 9. While shares of victims like Yahoo! (YHOO), E*Trade (EGRP), and Amazon (AMZN) fell as business on their sites was disrupted, stocks of companies that provide Internet security software and services got a big bounce. That continued on Feb. 10, even as the attacks abated.

In those three days alone, VeriSign, the leading Internet security stock, ran up 20%, closing on Feb. 10 at 219 3/4. And Check Point Software Technologies (CHKP) gained 30%, closing at 180 7/32. Smaller online security companies like WatchGuard Technologies (WGRD) and SonicWall (SNWL) boasted even bigger gains, rising 60% and 70%, respectively, Feb. 8 through Feb. 10. WatchGuard closed on Feb. 10 at 50, and SonicWall at 99.

But rather than cheering, the price hikes left many Wall Street analysts who cover Internet security chuckling. The fact is the kinds of solutions those companies provide -- encryption to protect credit-card data or firewalls to ward off hackers -- have little to do with the recent problems at major sites. These sites were taken down by an orchestrated deluge of bogus traffic. This time, at least, no data was stolen or sites corrupted.

"WHAT'S THE STORY?" "What does this have to do with security?" asks an amused Mark Fernandes, a Merrill Lynch analyst who follows VeriSign and its smaller competitor, Entrust Technologies (ENTU). He has an "accumulate" rating on both stocks (valuation concerns keep him from rating them a "buy"), and he hasn't altered his opinion or estimates as a result of the recent attacks. "Is somebody going to go out and buy their products to fix these problems? No," he says. "Are earnings and revenues going to change? No. What's the story here?"

But Wall Street may be thinking too literally. The larger message of the attacks is that the Internet remains vulnerable to determined hackers. Even the biggest, beefiest sites can be taken down. "Clearly, these companies have let us down," says Michael Dubrow, senior analyst at the Jacob Internet Fund who said he was particularly surprised that a leading financial site like E*Trade wasn't better prepared. Yahoo! and Amazon lost revenues for the hours their sites were down, and, missed out on a one-time opportunity -- a huge surge in traffic it anticipated getting the day of its initial public offering (see BW Online, 2/9/00/ "Buy.Com's IPO Soared, While Its Site Stalled" ).

"There's nothing like an event like this to drive home the message to CEOs that they need to spend money to make sure their sites are robust and durable," says William E. Whyman, an analyst at Legg Mason' s Precursor Group. This may be the front-page, cover-grabbing event that changes the popular mind-set. And security, which has been receding as a major concern in recent years, could become the Internet's next growth business as a result.

SMALL-BIZ LINK. There's another angle to security stocks that analysts, who tend to focus on the largest companies in the group, may have also overlooked. Although it's unclear how the attacks were done, one theory is that hackers infiltrated the computer systems of small businesses and consumers, and used them to barrage the big sites with data. Part of the solution to preventing such attacks could be to make sure that even small companies have firewalls in place to prevent their systems from being hacked, says Dubrow. That would fuel sales at the security companies that cater to small businesses -- an idea that many investors apparently caught on to. The biggest gains in security stocks went to companies like WatchGuard and SonicWall, which sell security solutions to small businesses.

Now is probably not the right time for serious long-term investors to jump into Net security stocks. After a few days of sharp gains, the shares are likely to slide back near-term as the same traders who drove them up take profits. Even before this week, many analysts judged VeriSign a little too pricey. It now has a $22.5 billion market capitalization, but its 1999 revenues were only $85 million, and net income was a scant $4 million. If hackers don't return, the spate of attacks could amount to "a one-time marketing blip" for security companies, says Whyman.

And even if the attacks continue, security experts will have to know exactly how the hackers pulled off the attacks before investors can figure out which companies will be responsible for coming up with solutions to prevent them. Fernandes believes companies that sell sites products to control traffic, like F5 Networks (FFIV) and Alteon WebSystems (ATON), may ultimately come up with the solution to ward off these kinds of attacks. Whyman says Web-hosting services that can show they can ward off such attacks could also prosper. "It could drive a shift to high-quality outsourcing," he says. Exodus Communications (EXDS), probably the main public company in the hosting business, is keeping pretty quiet so far. Dubrow thinks networking companies may be able to design more intelligent routers and faster switches to solve the problem.

NOT A QUITE A QUILT. It's really too early to say which companies will come out on top, says Ashok Kumar, an analyst at U.S. Bancorp Piper Jaffray. He believes Internet companies ultimately will have to come up with a whole new kind of solution to protect against hackers. While sites mainly protect their front door from security breaches, "To really have a low failure rate and a high level of protection, the security has to permeate the backbone, at the spine of the network." That will require all kinds of companies to work together. "Right now, everybody has their own patchwork solution, but there is nothing that stitches all these into a quilt," he says.

But it's clear that the business world's attitude toward Net security won't be the same after seeing sites like Yahoo!, Amazon, and E*Trade so easily taken down. Investing close on the heels of major news can often backfire, and the security stocks that have run up the fastest will probably slide back as short-term traders focus on the next big news event. Still, taking a closer look at these companies makes sense now -- even if you wait until the sector cools to jump in. Some analysts may be chuckling, but renewed concern over security is the kind of change in the Net zeitgeist that long-term investors should take seriously.

Copyright 1000 by The McGraw-Hill Companies, Inc. All rights reserved.

By IRA Sager in New York, with Steve Hamm and Neil Gross in New York, John Carey in Washington, D.C., and Robert D. Hof in San M, Cyber Crime., 02-21-2000.

Copyright 1999, by The McGraw-Hill Companies Inc. All rights reserved.
Terms of Use   Privacy Policy