TCS Daily


How to Respond to Web Attacks

By James Freeman - May 1, 2000 12:00 AM

Two weeks ago, Canadian law enforcement officials arrested "Mafiaboy," the fifteen-year-old alleged author of February's wave of web attacks. The kid has since been charged with two counts of "mischief" for the February 8th attack on CNN.com. He'll be tried as a juvenile in a Canadian court and faces up two years in jail if convicted. What does the future hold for the victims of his alleged attacks, and for web consumers? Well, for one thing, people are beginning to realize that the real threat on the Internet involves security, not privacy. But how far should we go to ensure the security of our information and our property?

Regular TCS readers know that we don't like government intervention in the marketplace. But prosecuting crimes is one area where government absolutely should play a central role. So by all means let's have the FBI investigate when a crime is committed online. At the same time, let's be careful about getting government too far into the prevention business.

For one thing, the Internet moves too fast. On the same day in February that the White House called a meeting to figure out how to prevent the now-infamous denial-of-service web attacks, Network Associates posted a solution on its website, www.mycio.com.

You'll recall that criminals overwhelmed Yahoo, Amazon and other prominent websites by sending millions of bogus information requests. To generate all those bogus messages, the crooks used "Zombie" software to hijack the computers of thousands of unwitting Internet users and turn them against the leading websites.

Was your computer a launchpad for web attacks? Probably not, especially if you use a regular dial-up connection. If you have fast Internet access or you get online through a corporate network, it might be worth checking. Mycio.com will tell you if your machine has the infamous "Zombie" software or is vulnerable to being used for an attack. Based on a scan of my system, I can disclose to you that I did not attack Yahoo.

To prevent these attacks in the future, can we count on every Internet user to have the latest security software? No way, but that doesn't mean we need to panic, or give the FBI more wiretapping authority, or create new government security regulations.

There are lots of technical options to limit the problem, and companies and consumers can choose the best. ISPs can add new "caller ID"-type features to identify each Net user, making it harder for cyber-crooks to cover their tracks. Long-distance companies, which carry traffic on the Internet, can detect spikes in usage and cut off attacks in real time (with some risk that they cut off legitimate users in the process). Or equipment companies like Cisco can add more filtering features to their routers, assuming their customers think it's worth the extra money. Another option, probably the most difficult, is for websites to install security features which filter incoming traffic from the Internet.

In every case, there's a trade-off. Says Scott Schnell of RSA Security, which makes the encryption software in your web browser, "Security takes a certain amount of computing horsepower to implement." Security requires more money and probably more time if a website has to evaluate whether your visit is legitimate.

The point is that there are lots of ways to prevent such vandalism. Whether we want to spend the time and money on them depends on how much we're harmed by these distributed denial-of-service attacks. Before the next attack or the possible media circus surrounding Mafiaboy's trial, let's think now about possible trade-offs.

As cyber-attacks go, these were fairly benign. Nobody was able to compromise Amazon's database of credit card numbers, for example. The crooks just clogged up the system so legitimate book buyers had a hard time getting service. In fact, Mafiaboy's alleged shenanigans received much more attention than a more severe recent attack in which a Russian cyber-crook actually did get his hands on the credit-card database of CDUniverse and posted the numbers on the web.

Of course, ever since the February attacks, the FBI has been seeking more money and authority to battle cyber-crooks. Let's urge aggressive investigation and prosecution of the bad guys, but let's also allow consumers to decide how much security we want to buy online, just as we do in other areas of life. My instinct is to demand the best when it comes to protecting financial data, and to wait and see whether denial-of-service attacks really demand an expensive response. In any case, let's be sure that any new security measures are driven by consumer demand, not government edict.
Categories:
|

TCS Daily Archives