MARGARET WARNER: The popular Internet web site Yahoo crashed for nearly three hours yesterday, falling victim to what the company says was a coordinated attack by computer hackers. Millions of customers use Yahoo to help them search the worldwide web. Yahoo also provides news, weather and other information, and a growing array of customized services, like E-mail and personal calendars.
With some 42 million visitors per month, it's the world's second busiest Internet site after America Online. Yesterday, Yahoo said it was suddenly bombarded with millions of bogus requests for information from multiple computers worldwide. This coordinated flood jammed the web site, making it impossible for legitimate users to get through until Yahoo devised a filter to block the phony requests.
MARGARET WARNER: For more on all this, we're joined by Dan Schrader, vice president of new technology at Trend Micro Inc., the country's third largest maker of anti- virus software, and John Schwartz, technology reporter for the "Washington Post." Dan Schrader, explain this a little more for us. How could someone from the outside penetrate, do this to a site as large and apparently sophisticated as Yahoo.
DAN SCHRADER, Trent Micro, Inc.: Penetrate is the wrong term. Its hackers need not have been very sophisticated. You know, one of my favorite urban legends is that the worldwide web is designed to withstand a nuclear blast. That may be, but it's not designed to survive infinite amounts of traffic, and it's very easy for one computer to generate and awful lot of traffic to program it in the right way. Well, there are tools out there that kids, hackers, crackers, vandals can download that allows them to generate a lot of traffic not just on one computer but on many computers and, in a coordinated fashion, point all that traffic at one site. That's exactly what happened.
MARGARET WARNER: All right. How much traffic are we talking about?
DAN SCHRADER: Talking about in the neighborhood of a gig a byte of data per second.
MARGARET WARNER: What is that?
DAN SCHRADER: That's equivalent to say the entire Encyclopedia Britannica being thrown at a site every second. It's a huge amount of data.
MARGARET WARNER: And how can one hacker, even a group of hackers coordinate - I mean, Yahoo said it came from many computers all over the world at the same time.
DAN SCHRADER: This is the type of a attack called the distributed denial of service attack. And what they apparently did - and this is still speculation - was they put Trojans software on a lot of different people's computers without them knowing about this. They did this in advance and then they set the computers at the same time and the same place send the data all over to the Yahoo site.
MARGARET WARNER: John Schwartz, do you agree it doesn't take much sophistication to do something like this?
JOHN SCHWARTZ, The Washington Post: Hackers and the people that design intrusion software love to share and the Internet is a place where it's easy to share. Whenever somebody comes up with something new becomes available. If you know what you are looking for you can download it, get the instructions and set it in play yourself.
MARGARET WARNER: So, in other words, the software to do this is right out there for anyone?
JOHN SCHWARTZ: Sure, just like Bill Gates says information at your fingertips. It's a wonderful place.
MARGARET WARNER: Now you in your story in the Post this morning you quoted hackers saying they couldn't really believe that a site as large as Yahoo -- that this could be done from the outside.
JOHN SCHWARTZ: They were incredulous. They said the size of the pipe going into this company is so great that any denial of service attack attempt ought to be a statistical blip for them, but in fact if you put enough pipes together you can flood any pipe no matter how big.
MARGARET WARNER: Dan Schrader, how does a company guard against something like this happening?
DAN SCHRADER: Well, it's nearly impossible to defend. Yahoo is famous for its size of the pipe going in, for how well they bulletproof their network, and I think that's exactly why they were targeted. I think there is a group of hackers or crackers out there, call them what you will, who are patting themselves on the back and boosting that they are the ones who took down Yahoo. We are depending on everyone running safe computing practices and good computer security in all of our computers. And, of course, most people don't do that, don't think about it until after the fact. What we need to do is we need to think about putting computer security tools right on the backbone of the Internet so that Internet service providers like America Online or US West or Sprint or others will scan all the data coming and going for malicious code. That will make it hard for these hackers or crackers to put their malicious software on a lot of people's computers and to do these coordinated attacks.
MARGARET WARNER: But to ask a very elementary question, whenever I boot up my compute terse says scanning for viruses and so on. Isn't that part and parcel of most services now?
DAN SCHRADER: Well, it's part and parcel of most personal computers. Unfortunately, we are seeing about three hundred new viruses and Trojans and other malicious tools written every month. That means two or three days after you've uploaded your anti-virus software it's already out of date for a dozen new viruses. And I'm using viruses in the broader, generic term. That is why we can't rely on running desktop virus protection. That's why we need to be putting tools for detecting these malicious programs not on the desktop but at the E-mail server at the Internet gateway or, even better, out to the Internet service provider.
MARGARET WARNER: Okay. John Schwartz, how common is that kind of attack and what is usually the motive?
JOHN SCHWARTZ: Well, the denial of service attack has been around for several years, and they are very common. Cert at Carnegie Melons says they get daily calls on the denial of service attack. The distributed attack, which is where you get it coming in from lots and lots of computers, has only been observed since late last year. They are becoming -- they are showing up more and more. But what interests Cert what is a great technological advance this is for the folks that want to do mischief. And you ask why they want to do it. It is to do mischief. This is this is the same basic sense that underlies a kid going up, ringing someone's doorbell and running away. They've found a way to do it several million time minutes. And then they get to brag about it. Someone is going to be dining off of this experience for months.
MARGARET WARNER: And not caught?
JOHN SCHWARTZ: Could happen.
MARGARET WARNER: How hard is it, Dan Schrader, to track down the perpetrators of this?
DAN SCHRADER: It is very difficult. Is there a lot of tools they can use, tree freely public tools to hide all traces of where they came from. And, again, the computers that were sending out these streams probably had no idea -- the people who owned those computers had no idea their computers were used for their attack.
MARGARET WARNER: But we're told - in fact, in Ray's segment we had an echo that every click we make, everything we do on the Internet someone is tracking. Why doesn't that apply in even, I know what you are saying. They use other robot computers to attack the target, why can't that all be tracked?
DAN SCHRADER: To some extent it can be. When you connect to the internet our compute -- your computer is given an IP address. And a sophisticated tracker can change that information so misinformation is being sent out over the Internet or they can simply go over to a public library and or cyber café and simply borrow a computer.
MARGARET WARNER: So it's normal people like us, John Schwartz, that doesn't know how to cover their tracks - but it's really quite easy?
JOHN SCHWARTZ: And some people who are fairly sophisticated don't cover their tracks well either. What you hope for is somebody who is smart but stupid like the fellow that loaded the Melissa virus. He left a few traces. The fellows doing stock scams out of the University of California Library, they left a few traces, and so law enforcement officials who do this sort of thing look for the stupid slip and hope it's there, it might not be.
MARGARET WARNER: Dan Schrader, finally, Yahoo yesterday and you made the same point yesterday when I used the wrong word in my first question about penetrating Yahoo stressed that the hackers didn't get any data, for instance if you had your personal calendar, your E-mail on Yahoo, they didn't get into that. But if you have the ability to do what happened yesterday, can penetration real penetration and theft of data be far behind? Are they totally different kinds of operations?
DAN SCHRADER: Well, they are different kinds of operations. They are done for different purposes. Just recently a major music site on the Internet had something like 300,000 credit card numbers stolen off their site and the hacker was trying to blackmail them saying they would release the numbers if they didn't pay up. So, yes, this kind of thing happens --happens all the time but in this case it appears no data was stolen and no one's personal information was taken.
MARGARET WARNER: But, I mean, should people who are mostly worried not only about being denied access to their favorite site but worried that information they might store on that site, John, should they be troubled here that the next step could be get into our personal calendar in Yahoo?
JOHN SCHWARTZ: Well, I think there are enough stories about intrusion to make people think twice about leaving a credit card number with a company on-line. A lot of companies allow you to do it one at a time -- that is one time only credit card use. And folks who are worried about that can simply opt for the services that offer that kind of security as opposed to storing it on the site. You can get your credit card stolen in a restaurant as well, so most of us opt to life dangerously and conveniently.
MARGARET WARNER: All right. Well, thank you very much Dan Schrader and John Schwartz.