Feel secure? Don't be sure -- even MS got hacked
01 November, 2000 10:53
The hacker front has been just a bit too quiet lately. We haven't had a splashy denial-of-service (DoS) attack since February when Yahoo and eBay were hit. The Love Bug was the last really bad outbreak (although lots of lesser threats are released every week).
Could it be that young computer brainiacs have decided to spend less time hacking and more time chasing sports or the opposite sex? Probably not, say security experts.
Microsoft's recent attack may not be the work of youthful cybervandals, however. Reports that the intruders enjoyed undetected access to Microsoft's network for nearly two weeks bolster some security experts' observation that those were not curious kids.
"These people knew where they were going," says Michael Erbschloe, vice president of Research at Computer Economics. "If someone has source code, they will have an easier time breaking into other Microsoft-based systems in the future."
Don't be fooled just because the Microsoft trespassers apparently used the Qaz Trojan, a widely available program for taking control of a PC. That may literally be a Trojan horse, so Microsoft would think the recent hackers were young adventurers.
Trojans gather at the gates
Another low-profile but serious threat is the VBS.Kak worm, which is wriggling through PCs, harvesting their information, and sending data back to its originators.
Those are just two of the common Trojans being busily planted by hackers in anticipation of a year-end blowout, says security consultant Jim Weaver, owner of Cyber Resources. The sources he monitors indicate that hackers are seeking out millions of vulnerable PCs to control like zombies in a sizeable denial-of-service attack on a popular Web site this year, Weaver says.
The upshot is, hackers are definitely up to something, Weaver says. He spots would-be Trojan planters scanning the ports of his own systems 80 to 100 times each day.
"They are just biding their time and building up," Weaver says.
Targeted attacks expected
The next big DoS attack could be "legitimate," perhaps an orchestrated protest, Billington suggests. The attack might be disguised as a typical request that's exaggerated, so it cripples a particular site or company, he adds.
For example, one or more political action groups will simply get all their members to simultaneously request the same GIF file from a target Web site, or deluge some high-profile business with e-mail, says Billington, who operates the DoSHelp.com Web site for denial-of-service victims.
Neither Weaver, Billington, nor several other security experts have much faith in the inviolability of the 128-bit Secure Sockets Layer encryption that protects Internet financial transactions. Both Billington and Weaver report hackers tackling 128-bit encryption by trying to get enough computers hooked together to crack SSL.
Other targets are the Web Application Protocol (WAP), used on personal digital assistants and mobile phones, and the XML page-description language, which is moving to replace HTML on Web servers.
The passwords typically used to protect financial files and entry to company LANs, intranets, and extranets usually pose only a minor hacking challenge, experts say. They expect computer security problems will increase dramatically as the Internet becomes a more prevalent feature of PDAs, mobile phones, and pagers, and migrates to video game consoles and TV.
"There are many times more mobile phones and pagers than computers, and once hackers get into a consumer device at any level, they can initiate communication," warns Paul Robertson, a senior developer at ICSA.net, a security consulting organisation. "My pager can run programs. Imagine what will happen when your refrigerator is Internet-enabled for ordering groceries."
Consumer-oriented electronics industries are still learning about virus protection, and it isn't yet part of their infrastructure, Robertson says. Current security measures for those devices may simply not yet be sufficient, Robertson warns.
The world shrinks
Security for the digital devices in your home and office is really only as good as law enforcement in, say, China or the Philippines, experts point out.
That's because prosecution often must occur under the laws of the country where the crime is perpetrated. The Qaz Trojan, for example, originally opened a back door to your PC and broadcast data back to its creator -- in China. The Philippines, on the other hand, is the suspected birthplace of the I Love You virus (or Love Bug), one of the most destructive viruses ever released and a great example of hacker resourcefulness, says Erbschloe.
The Love Bug isn't a particularly innovative piece of programming, Erbschloe says. But putting an "ILOVEYOU" message -- or one of its 40 variants -- in an e-mail subject line really tapped a human vulnerability. It enabled the Love Bug to hop across an estimated 55 million PCs in its first 24 hours in the wild and simply outrun the antivirus software writers who were chasing it.
The experience cost businesses $US6.7 billion during Love Bug's first five days on the loose, Computer Economics estimates. The total hit $US8.7 billion by the time the virus was tamed. Watch for a "Merry Christmas" virus as the calendar ticks down, say Erbschloe and other security analysts.
Is your welcome mat out?
So, how susceptible are you to these attacks? The short answer for most people is "very," say the experts.
You can reduce your vulnerability to a negligible amount if you frequently update your antivirus and firewall software, turn off your broadband connection when not using it, and scrupulously avoid chat rooms, Usenet news groups, and e-mail (especially with attachments) from strangers.
But almost 45 per cent of those who log onto the Internet regularly still don't have antivirus software engaged, even when it's installed, according to a recent audit of home-based PCs by PC Data. Those surfers are totally exposed.
PC Data didn't measure the number of home PCs with personal firewall software. But that software strategy is still fairly young, so it's likely to be low. At the same time, the number of always-on home broadband connections that need firewall protection is rising faster than expected.
In the meantime, the hackers are out there, surfing and searching, with varying degrees of skills and success, for their next targets.
Using automated tools, hackers scan large numbers of IP addresses to find PCs with open ports where they can plant BackOrifice, BrownOrifice, or other Trojans. These programs allow the intruders to control a PC and enlist it for denial-of-service attacks.
They're succeeding. The ports on four out of ten PCs have a Windows File Share vulnerability that opens the computers to infiltration, according to authorised scans of PCs conducted by the Symantec Antivirus Research Centre (SARC).
Unless you're electronically updating your PC's antivirus and firewall components regularly, their efficacy is in serious question. But even an update as recent as 24 hours prior wouldn't have protected many PCs from the fast-moving Love Bug, Erbschloe points out.
Electronic trespassing is really a psychological game, he says. Virus hoaxes also are on the rise, and hackers sometimes use them before a real viral release to get potential victims to let down their guard.
Viruses infect the workplace
Meanwhile, back at the workplace, viruses are spreading with vigor. The number of US companies reporting computer virus infections rose by more than 20 per cent during the past 12 months, according to ICSA.net's sixth annual virus tracking study. Two-thirds of the 850,000 company PCs that ICSA.net polled had experienced file problems caused by viruses during the past 12 months, compared to 50 per cent during the prior year.
Forty per cent of the companies interviewed actually lost data in the past year -- a 23 per cent increase from the previous year. The price of virus infection is also rising: Cleaning up costs between $US100,000 and $US1 million per company per year, ICSA.net says.
Computer Economics estimates that virus infections will cost all companies a total of about $US17 billion in ruined PCs and lost productivity before the end of this year. And that's assuming that infections remain routine and don't include another really serious outbreak like the Love Bug.
Staving off hackers and halting viruses is not just a matter of combating individual outbreaks. Today, PC users must be concerned with the cumulative weight of so many bad actors out in the wild. SARC has counted some 48,000 viruses, worms, Trojans, and other forms of malicious code at large, and the count grows by about a thousand each month. Downloading the latest antivirus definitions involves a file that averages 4MB in size.
"The problem is that, just like real viruses, we can't stamp out computer strains," says ICSA.net's Robertson. "Viruses never go away, and what we don't need is 1 million virus signatures in virus scanners."
Security experts agree the technological advantage continues to swing back and forth between themselves and hackers. The security consultants expect to have jobs for life. (So, perhaps, do their adversaries.)