|
|
 |
|
 |
 |
| HACK ATTACK | |
 February 10, 2000 
|
||
|
|
Justice Department investigators are searching for the "hackers" who shut down several major Web sites this week. After a background report, Ray Suarez leads a discussion on the investigation and security measures.
|
|
RAY SUAREZ: Soon, the attack had spread to leading retailers. Buy.com, which sells everything from video games to golf gear, was shut down for six hours. Amazon.com, the bookseller, was out of commission for nearly four hours. And eBay, an auction site, was also struck. An eBay spokesman described the impact.
RAY SUAREZ: Two news sites were hit, CNN and ZDNet, which covers technology. So were Datek and E+trade, online brokerage firms. The attacks, which have been anonymous, have halted commerce on some sites and slowed traffic on other parts of the Internet. Yesterday, Attorney General Janet Reno said the FBI had launched a criminal investigation of the cybercrime.
|
 |
||||||||||||||||||
| A Criminal Investigation | ||||||||||||||||||||
|
RAY SUAREZ: But finding the cyber criminals isn't easy. Here's how
Internet experts think the attacks have been conducted: A computer user
taps into many, perhaps even hundreds, of other computers and surreptitiously
installs software. The newly attached software acts like a time bomb.
It prompts those FRANK CILLUFFO, Center for Strategic & International Studies: The tools and the software that's publicly available are so sophisticated and so user-friendly that you don't even have to be very good at hacking. All you have to do is know how to point and click on that mouse.
|
||||||||||||||||||||
| A Federal Investigation | ||||||||||||||||||||
|
ERIC HOLDER, Deputy Attorney General: Well, I would say that we've
made some progress in the investigation. We are still not at a point
where we have RAY SUAREZ: Is your investigation made more difficult by the fact that this is kind a borderless system with no centralized equipment, no centralized gatekeeper? I mean, people doing this could be in Bulgaria.
|
 |
|||||||||||||||||||
| Finding the culprits | ||||||||||||||||||||
|
ERIC HOLDER: There's no question about that. We're dealing with things that are really new to us, that's why we've tried to upgrade our system capabilities within the Justice Department, within the FBI, within our U.S. Attorney's Offices. It's why the President has asked for $2 billion from Congress, so that we can do those kinds of things, and why we've asked for an additional $37 million at the Justice Department. We need new tools, we need new resources, we need actually new knowledge to deal with these kinds of cases. RAY SUAREZ: Are you always finding out what you're missing by something going wrong and you having to investigate it with your computer crimes unit? ERIC HOLDER: We do actually, I think, pretty well. We've got some bright, young people there who are, I think, conversant with the state-of-the-art techniques, but in some ways we play catch up, in other ways, I think we're maybe a little ahead of the curve. These are not easy cases, make no mistake about that.
DAVID CLARK, Massachusetts Institute of Technology: Well, you can't say the exact event was predictable, but certainly we're headed down the path with the increasing commercial visibility and increasing number of people attached. We've seen these sorts of attacks building up over the last decade. So in some respects, this is an expectable direction to be going; it's something we have to worry about, but I'm not totally surprised this happened. RAY SUAREZ: So every time you have a sizable increase in the number of users, you have an increase that's proportionate in the number of people who are mischief makers or criminals?
RAY SUAREZ: Is there something materially different about it when you've got something that's simple and easily reproducible, as opposed to the kind of hacking that's done by people with very specialized knowledge? Is it more threatening that way? DAVID CLARK: Well, it's easy to replicate, so you don't have to be a technical whiz to do this kind of thing now. You just -- you can download the software and decide how you want to do it and turn it on. I don't know whether that's more threatening, but it certainly makes the probability that this is going to happen go up.
PATRICK HOUSTON, ZDNet: I don't think that will happen, Ray. You know,
we can filter for attacks like this to some extent. The problem in many
cases with sophisticated and high-profile Web sites like ours is that
RAY SUAREZ: If I understand this correctly, one of the aspects of the programs that are able to bombard you in this way, I think it's called a sin flood. PATRICK HOUSTON: We were the subject of a sin flood attack. RAY SUAREZ: What it does is it gives your own return address as the bounce-back point. So in fact you're cycling this information frantically and slowing yourself down.
|
 |
|||||||||||||||||||
| The ZDNet attack | ||||||||||||||||||||
|
RAY SUAREZ: So you put in a shield that eventually detects this kind of attack, it can slow you down. It takes up energy to figure out that you're under this kind of attack. PATRICK HOUSTON: It's overhead and it consumes resources. For example, we've installed filters for this particular attack. One of the problems with a denial of service attack is that we can filter for certain characteristics that are signatures of this particular attack, but if it mutates or someone changes it even slightly, then that limits our capability to filter. RAY SUAREZ: David Clark, a lot of people are sitting at home and they saw that graphic where unknown computers attach something to unwitting and waiting computers. If you go on the Web at all, if you surf at home, if you have a desktop computer at your office are you open to this kind of attack?
RAY SUAREZ: Well, Mr. Holder, one of the places where there's a lot of attention in this world is in the trading of information, in the unwitting awarding of information, people are upset when they find out how much people know about them because of the places they visit. But here it's just the opposite. People mask who they are when they set these things off. They change the aliases, they change the return addresses. It's covering up their trail for you, isn't it? ERIC HOLDER: Yes, that's what makes it so difficult for us to uncover
who's actually behind these kinds of cases. And so we'll have to work
as hard as we can. We're going to need partnerships quite frankly, with
industry, and the reports that I have been getting RAY SUAREZ: And can you do this without becoming the interlocutor, the go-between for a lot of the traffic, or is the Justice Department already a place where much of the traffic that's zipping through these wires passes through for a look-see? ERIC HOLDER: No, I don't want people to get that impression at all. When I was talking about people talking, it was really focusing more on statements that people might be making off-line, where you have people having normal conversations and saying one thing to somebody else. We're actually getting a fair number of people who are writing in to us or who are using their computers to send messages to us about things they are heard, and with time to accumulate these things, then we will run them down in due course. RAY SUAREZ: Is this something that lives very comfortably inside existing law, or have there had to be new laws to take account of this new way of communication?
RAY SUAREZ: Go ahead. PATRICK HOUSTON: This is the third significant wake-up call that we've received in the space of one year. It began last year with -- in March with the widespread Melissa virus that caused such damage out there. Then, as you know, we had the Y2K bug, which garnered so much attention in the public mind. Now we have these denial of service attacks. I think it's really going to escalate efforts on the part of the federal government, particularly, to try to develop a national plan for the protection of information systems. There was a version, a very early version in framework released in January, and I think that's going to become the subject of much scrutiny here as a result of many of these incidents. RAY SUAREZ: Does this set off something like an arms race, where once you make it tougher to do it to your site there are already people trying to figure out how to jump higher over the barrier you've put in place?
RAY SUAREZ: So David Clark, are there certain kinds of businesses that are more exposed than others -- that use the Web now for business to business contact, just in time inventory, and have sort of easily evolved their business to take advantage of this world that are suddenly now very vulnerable to being shut down? DAVID CLARK: Well, there are all sorts of businesses that have moved into this space. He used the phrase wake-up call. I think that's right. We have to decide to devote enough resources to this problem to try to deal with it, and I think we have technical means, they're not perfect, but the question is how much of your resources are you going to put here and how much do you put into being first to market? And I think it's part of a balanced approach as we put more emphasis on this stuff, we're just going to have to pay attention. And I think the companies that care about it are the ones that are the ones that are going to deal with it first. There are a lot of companies that is have really staked their plans on Internet access. PATRICK HOUSTON: You know, Ray, security breaches, computer security breaches are not anything new. What's different here is this: In the past when a bank's computer system was compromised, it was pretty much kept quiet for reasons of credibility, no one wanted to frighten customers. But now these incidents are very public. When a Web site, like a very high-profile Web site, like Yahoo!, like ZDNet goes down, there's no hiding it. So we are very much more aware of these kinds of security breaches and these incidents than we've ever been before. RAY SUAREZ: So Mr. Holder, what do you do next? ERIC HOLDER: Well, we will continue the investigation. We will try to work our way back through the whole computer process, but in addition to those other traditional things, as I've indicated. We've established really good partnerships with people in industry and we'll try to take advantage of those as well. I'm not at all certain this is something that will be resolved in a short period of time, but I do think ultimately we will get back to who was behind this. RAY SUAREZ: Eric Holder, Patrick Houston, David Clark, thanks a lot.
|
 |
|||||||||||||||||||
 |
    
|
|
| Support the kind of journalism done by the NewsHour...Become a member of your local PBS station. | ||
| ||
| PBS Online Privacy Policy Copyright ©1996- MacNeil/Lehrer Productions. All Rights Reserved. | ||
| ||
RAY
SUAREZ: The assault in cyberspace began Monday against Yahoo!, the largest
independent Web site. Millions of people use Yahoo as a portal, the
door, they go through to search the World Wide Web. Yahoo! Also provides
news, weather, and other services such as e-mail. 
PATRICK
TAYLOR, Internet Security System: We had a large number of computers
gang up on the Yahoo infrastructure and asked them to do more things
than they could ever do. 
KEVIN
PURSGLOVE, eBay Spokesman: It's a huge inconvenience for eBay users,
because essentially they're the ones that are listing the items and
selling the items. But for the most part, you can still conduct your
business. It's just that the process now is much, much slower than it
would have been at, say, 2:00 this afternoon. 
JANET
RENO, Attorney General: At this time we are not aware of the motives
behind these attacks. But they appear to be intended to interfere with
and to disrupt legitimate electronic commerce. That is the reason the
FBI has initiated a criminal investigation into these matters. 
computers
at a preset time to bombard the online sites with requests for information
or with junk mail. The result: system overload, shutting out access
to other users. The more computers controlled by the hacker, or hackers,
the greater the paralysis. And computer experts say committing the crime
isn't very hard. 
RAY
SUAREZ: And joining me now are United States Deputy Attorney General
Eric Holder; David Clark, one of the original designers of the Internet
-- he is currently a senior research scientist at MIT and chair of the
Computer Science and Telecommunications Board at the National Academy
of Sciences -- and Patrick Houston, executive producer of ZDNet News,
the news division of ZDNet, a high-tech information Web site, and one
of the sites hit yesterday. Mr. Holder, are you in that uncomfortable
spot for any criminal investigator where it actually gets harder to
find your person if they don't do it again? 
any
hard suspects, and yet I think over the course of this afternoon we
have made not something I would call substantial progress, but at least
some progress. It's going to take some time. This is not going to be
an easy case to crack. But I'm actually confident based on the briefing
that I've had as recently as about two, three hours ago that ultimately
we will bring the appropriate people to justice. 
RAY
SUAREZ: David Clark, was this something that was almost predictable
by the very open nature of the Internet? 
DAVID
CLARK: Well, not only do you have an increase in the number of people
but the event becomes more visible and the excitement becomes more attractive.
We don't yet know quite why this event happening, whether it's something
for the fun of it, or there's going to be some economic motive that
comes out. But clearly a lot of this is done for sort of bragging rights,
as one of your... as you said earlier. You can pick up the software
to do this on the Net, and people get a lot of jollies of putting it
out there and saying hey, look at the wonderful thing I've got.
RAY
SUAREZ: Patrick Houston, I'm sure part of the attraction for sites like
your own is that they're easy to get to. And I'm wondering if ZDNet
and other places become more hardened targets, do we sort of lose something,
part of the charm? 
you
can... if you filter to any great extent, you can only raise the fire
wall so high without overtaxing or devoting too many of your resources
to the protection of it and less resources to your users. We want to
make sure our Web site is accessible and is fast, able to fulfill requests
as fast as possible. So we're limited in how many barriers we can throw
up between ourselves and our users. 
PATRICK
HOUSTON: Right. Here's what happened in our case, Ray. We got within
a five-second period yesterday morning some 100,000 requests for connections.
Now, what a Web server does in these cases, it sends back an acknowledgment.
Imagine that it's a telephone directory assistance operator that 100,000
people have called. The operator would say may I help you and wait for
a response. Well, in this case, those information or those requests
came in, in disguise. They were... they had some other fake address
in front of them. So our servers kept asking for a period of three minutes
for each one of those requests may I help you? May I help you? May I
help you? And received no response. That only exacerbated the flood
of requests we got. So we were down for about two hours and 32 minutes,
or unavailable I should say.
DAVID
CLARK: In principle, especially if you're attached to the Internet over
a high speed connection and your machine is on all the time. There's
certain operating systems that is are more popular as targets here.
But, yes, in principle any machine that's on the net, especially with
a high speed connection is susceptible to these kind of attacks. The
attackers try addresses at random, essentially, like picking a random
phone number and calling it and seeing if somebody answers. And they'll
try the machine, try to figure out what kind it is, and they'll send
you a few test messages and they are a certain number of well known
faults; they'll see if they can exploit them, if it doesn't work, they
go onto another machine. If they succeed in breaking in, they go in
your machine, they lodge a program there, they set a timer, the way
you described it, it's a time bomb, then they go away. And any connection
between them and your machine is long gone by the time this program
starts. So I think part of what's interesting about this attack is there
are a lot of unwitting machines out there on the Net, or machines belonging
to unwitting people who have been subverted. 
indicate
that people in industry have really been cooperating with us. We've
really been heartened by the response we have gotten. But it also means
we have to use traditional techniques as well. It's not just a question
of trying to get back to the computers; you have to do the other things
that we do -- figure out who's talking to who, get into chat rooms,
things like that -- always respecting people's privacy. I want to make
sure that everybody understands that, but do the investigative things
that we would do in other investigations to see who, for instance, is
bragging about something that they did and then follow that lead. 
ERIC
HOLDER: Well, there have been attempts at trying to deal with these
new situations, and some of the laws that are on the books are of relative
recent vintage. But I have to tell you, as I look at the statute that's
most applicable here, we're looking at a statute that has a penalty
of five years, a fine of about $250,000 or so. And given the nature
of what we have seen over the last three days, it seems entirely possible
to me that those kinds of penalties aren't adequate. And so we might
be looking at thinking about doing something with those penalty provisions
in these statutes that, as I said, are relatively new. 
PATRICK
HOUSTON: Yeah, I think that's true. But you know what, the significance
in these incidents is they've underscored two things for us, Ray. One
is our utter dependence on computer systems these days, especially in
this new era of E-commerce, and two, our increasing vulnerability to
disruptions of the kind we've seen, either from virus producers, from
unintended bugs, like the Y2K bug, and from malicious mischief makers,
perhaps, as was the case in these denial of service attacks.