________________________________________________________________________________

-- A Frenzy of Hacking Attacks
-- Smells Like Mean Spirit
-- Unscathed Ask, 'Who's Next?'
-- 'If We Find Them, They'll Pay'
-- Was Yahoo Smurfed or Trinooed?
-- Security Firms Lick Their Chops

--------------------------------------------------------------------------------

Wired News
A Frenzy of Hacking Attacks
by Lindsey Arent and Declan McCullagh
9:50 a.m. 9.Feb.2000 PST

The Internet is under siege. In the largest malicious assault in the history of the Net, scofflaws have encircled some of the most popular Web destinations with armies of attacking computers that snarl networks and thwart millions of legitimate visitors.

While this kind of blitzkrieg has been directed at smaller sites in the past, this is the first time that top-tier companies like Yahoo, Amazon, and eBay have come under fire from malicious software that has become steadily more fearsome over the last few years.

The denial-of-service (DoS) war has spread to include CNN, eTrade, ZDNet, and Datek. Both ZDNet and Datek, which said it was offline for 35 minutes, were attacked Wednesday morning.

Keynote Systems, a firm that tracks the reliability of popular Web sites, said that within a few minutes of the attack against Amazon only 1.5 percent of customers who wanted to could enter the site.

Not helping matters is the rush to dot-com glory that has prompted many executives to consider security -- and erecting sturdy walls against DoS attacks -- as an afterthought, instead of viewing it as an integral part of their networks.

Some of the tools apparently used in these wide-ranging assaults, like TFN, Stacheldraht, and trinoo, have been available since last fall, and their progenitors have been used in less-noticed barrages against smaller sites since 1997. It's not surprising that security experts have anticipated a more serious assault for some time.
"The flaws that these people are exploiting are flaws that we have known about for more than five years, which there has been little instance in correcting," says Simson L. Garfinkel, an author and part owner of a security counter-measures firm.

"This is really just the beginning. What we're seeing is as if a group of moral-less teenagers had discovered automatic weapons in an abandoned military site and were going around killing small animals with tremendous firepower," he said.

In this World War Internet, the weaponry is simple and widely available: software distributed in underground areas of the Net that allows a large network of participating computers to overwhelm the target. It's relatively easy to use, though the attacker has to penetrate the security of each of the machines in order to enlist it in the campaign.

The looming threat prompted Carnegie Mellon University's Computer Emergency Response Team to release an advisory last month. Stacheldraht agents have been spotted on Solaris machines, and a version appears to be available for Linux as well.

One big difference -- or improvement, if you're the person using it -- is that unlike its cousins, Stacheldraht uses encrypted communications to cloak its intentions from administrators who might be monitoring the network.

That isn't exactly heartening news for network administrators at the sites attacked this week. The latest list includes Buy.com, CNN.com, ZDNet, eTrade, and Datek Online Holdings, the No. 4 online broker.

"At 7 p.m. EST [Tuesday], we were attacked by hackers," CNN Interactive said in a statement. "A denial-of-service attack occurred until 8:45 p.m. We were seriously affected. We were serving content but it was very inconsistent and very little."

A spokesman for ZDNet said 70 percent of the ZD sites were down for two-and-a-half hours, beginning at 7:10 a.m. EST Wednesday.
"We do believe that it was an attack, and it appears to be on the leading brands on the Internet," ZDNet CEO Dan Rosensweig said.

Rosensweig says he thinks ZDNet was targeted because of its big-name recognition, but he says he has no idea what's driving the hackers. "The only thing we're sure of is that we're not sure," he said.

Buy.com's site was offline for much of Tuesday, the same day as its successful IPO, in which its share price nearly doubled to $25.125 from its asking price.

Details are few. The FBI has tentatively scheduled a press conference for 2 p.m. EST, although companies have released little technical information about who -- or what -- was behind the mystery fusillade.

Yahoo said that up to 50 different computers hooked up to the Internet were participating, and that the rates reached a gigabit per second -- an enormous increase over normal traffic patterns.

Experts said that if history was any indication, the vast majority of the unwitting systems that were taken over and are participating in the attack are inside university networks. The reason: Campuses have fast connections to the Internet -- necessary to overwhelm sites as large as Yahoo and Amazon -- and dorm and faculty computers have notoriously poor security.

The FBI met Tuesday with Yahoo representatives and declined to comment.

http://www.wired.com/news/business/0,1367,34234,00.html

--------------------------------------------------------------------------------

Wired News
Smells Like Mean Spirit
by Leander Kahney
10:50 a.m. 9.Feb.2000 PST

Hackers, who pride themselves on Web attacks with a purpose, are scornful of the "packet monkeys" responsible for this week's attacks on Yahoo, CNN, and other high-profile sites.

The cracker or crackers responsible for the attacks have been contemptuously dubbed "packet monkeys" because their exploits involve flooding a site with packets of information and, detractors say, betray a distinctly simian intelligence.
Like "script kiddies" who use well-documented techniques and readily available software to deface Web sites, packet monkeys are dismissed as adolescent vandals by a community that celebrates know-how, originality, and creativity.

"There's no technical prowess whatsoever in these kinds of attacks," said "Space Rogue," a research scientist with @Stake (formerly the highly respected L0pht Heavy Industries) and editor of the Hacker News Network. "This isn't anything new. This is old, tired technology someone is running in a big way."

"This kind of thing is really frowned on," said YTCracker, a 17-year-old high school student from Colorado, who recently claimed responsibility for cracking a number of U.S. government sites. "It's a bunch of bored kids trying to show they have the guts to do this.... We don't like to be associated with these people."

No one has come forward to claim responsibility for the attacks. Unlike a vandalized Web site, where the cracker usually leaves a moniker, says hi to his friends, or taunts law enforcement, a packet monkey attack leaves no public traces and no clue to the cracker's identity.

Space Rogue said crackers typically advertise their exploits to gain acceptance with their peer group. In fact, this is frequently the motive for the attack.

"It makes you wonder what kind of person is pulling this off and why they're doing this," he said. "There's no public record, no boasting, nothing left behind."

Space Rogue said there is also very little gossip about the identity and motive of the attackers. "Rumors are scarce on this one," he said. "That's unusual.... My gut feeling tells me it's an individual and not a group, but I don't have any evidence to back that up."

Although most hackers condemn the attacks, at least one poster to Slashdot professed his "grudging admiration" for what appears to be a concerted demonstration against the commercialization of the Internet.
"This is the equivalent of a blockade -- a formal, organized protest," wrote "Swordgeek." "Not throwing rocks through windows so much as linking arms in front of a police line.

"The brats and miscreants may have gotten their shit together and started to fight for something worthwhile, rather than simply for the hell of it."

http://www.wired.com/news/business/0,1367,34228,00.html

--------------------------------------------------------------------------------

Wired News
Unscathed Ask, 'Who's Next?'
by Lynn Burke
12:25 p.m. 9.Feb.2000 PST

As one after another major Internet site is disabled by unknown computer vandals, Web companies that have so far managed to escape the so-called denial-of-service attacks are wondering who will be next.

So far, Microsoft -- the third largest Web property according to Media Metrix -- has managed to escape relatively unscathed.

"To my knowledge there have been no direct attempts at denial-of-service attacks as yet," said spokesman Tom Pilla. He said a Microsoft partner site was affected last night, but would not name the company.

Like many companies afraid to inflame the vandals, Microsoft declined to comment on any heightened security measures that the company may have taken.

America Online, the single largest Internet destination in the United States, has also been spared. AOL spokeswoman Tricia Primrose declined to speculate on why that is. "We're not seeing anything unusual but we're monitoring it very closely," she said.

Lycos, ranked as the fourth-largest Web property (and the parent of Wired News), issued a statement saying it already takes "extensive precautions" to prevent security breaches, but declined to discuss further details. "It is our policy to be proactive in our continuous assessment of security across our network of sites," the statement read.

Some sites bordered on arrogance in their approach.
"We've grappled with this problem in the past but we've built safeguards," said Steve Torbett, e-commerce marketing director for UPS.com, which receives 1.75 million unique visitors a week. Asked if his site feared an attack, he replied, "It seems unlikely."

Experts are at a loss to spot a trend. Asked if there were a pattern to the attacks, Keynote Systems official Matthew Parks said, "Unfortunately, no.

"I could probably make a pattern out of the first four, which are the most heavily trafficked sites. And Buy.com is high-profile because it had its IPO yesterday.

"Since then we haven't really seen any type of pattern -- the sites are all heavily trafficked but not the most heavily trafficked."

So far, no one has claimed responsibility for the series of attacks. The hackers have managed to stay unknown by hopping from one computer network to another, and by erasing any data that might identify them, computer security experts said.

The intensity of the attacks suggests a coordinated effort by more than one person, although copycat attacks or a plan carried out by a single individual have not been ruled out.

Technology news site ZDNet is one of the latest sites to be hit, and company officials confirmed the site was down for 2.5 hours Wednesday morning, beginning at 7:10 a.m. EST.

CEO and president Dan Rosensweig said it wasn't that surprising that ZDNet was chosen. "Clearly someone has an agenda, and in order to get the message out faster, they're targeting the leading brands on the Internet," he said.

He admitted he was unsure why ZDNet was chosen over other big sites, like Microsoft or AOL. "The only thing we're sure of is that we're not sure," he said.

ZDNet is talking with Yahoo and other attack victims about building a coalition to address denial-of-service attacks.

While the U.S. Department of Justice moves forward with its large-scale investigation into the attacks, some security experts say the vandals might turn out to be amateurs, even children.
Aharon Friedman, chairman of Fortress Technologies, says anyone with access to hacking programs known as "scripts" could be behind the attacks.

"A 12- or 14-year-old with minimal computer skills can visit any of the 30,000 hacking Web sites and download quite sophisticated hacking programs and instructions for conducting these attacks," he said.

But security expert and CEO of e-Certify Ed Andersdon says the attack is much too advanced to be the work of a bunch of teenage malfeasants.

"This is a very sophisticated attack that's going on. It appears to be coming from multiple sources," he said.

And the "smart firewall" technology necessary to prevent this kind of assault, he says, isn't available yet. "Today you can't link the end user to the IP packet, so you can't call up the FBI to shut them down because you don't know who they are," he said.

As for companies who haven't been hit, he says there may be little they can do to prevent an attack. "Invincible is not a word I would use in connection with denial of service," he said.

http://www.wired.com/news/business/0,1367,34231,00.html

--------------------------------------------------------------------------------

Wired News
'If We Find Them, They'll Pay'
by Declan McCullagh
12:50 p.m. 9.Feb.2000 PST

WASHINGTON -- U.S. law enforcement officials are admitting they don't have a clue about the attacks this week that disabled the world's most popular Internet sites.

FBI and Justice Department representatives said they didn't know who was responsible, how many computers were involved, what the reason was, or from where the distributed denial-of-service attacks originated.

"We are not aware of the motives behind these attacks," said Attorney General Janet Reno during a press conference Wednesday afternoon.

Government investigators are "working closely with the companies that are the victims," Reno said, and mentioned that President Clinton's budget released this week asks for more money for just that.
FBI official Ron Dick was reduced to saying that "a 15-year-old kid could launch these attacks." Dick did not answer a reporter's question about which hacking tool -- smurf, trinoo, TFN -- was used.

It's not that federal police are singularly incompetent or bumbling buffoons. These sorts of electronic broadsides typically involve scores of machines that have been hacked into and turned into unwitting launching pads for attacks on the targeted company. If a malicious hacker is clever enough, he might be able to conceal his footsteps from prying eyes, and an investigation might reveal only that the attack originated at an anonymous dialup account.

"We're in the process of collecting all the logs," said the FBI's Dick.

The FBI said it has launched a criminal investigation, and penalties under federal law could include five years of prison time for the first offense. States usually have their own computer abuse laws with similar penalties.

An FBI official said the applicable statute, Title 18 U.S. Code Section 1030(a)(5)(A), would be applied "when a person or persons knowingly transmits a program, information, code or command and as a result of such conduct intentionally causes damage."

http://www.wired.com/news/politics/0,1283,34240,00.html

--------------------------------------------------------------------------------

Wired News
Was Yahoo Smurfed or Trinooed?
by Declan McCullagh
1:10 p.m. 8.Feb.2000 PST

Yahoo's agonizing three-hour crash was the most devastating reported attack of its kind in the history of the Net, but it won't be the last.

Company officials said as-yet-unknown miscreants laid siege to the Internet's second most popular destination at about 10:30 a.m. PST Monday, snarling Yahoo's internal network and denying millions of visitors access to mail, schedules, and the directory service.

What's particularly disturbing: There may not have been anything Yahoo could have done to prevent it.
Any Web site is vulnerable to so-called denial of service (DoS) attacks, which have grown considerably more fearsome recently. Although their methods vary, all attempt to clog the networks of the company that's being targeted, sometimes with devastating effect.

"What we're seeing is adolescent pranks going mainstream," says MIT network manager Jeff Schiller. "This is the electronic equivalent. It just has much more far-reaching impact."

DoS attacks are a particular favorite of malcontents, since they can be done somewhat anonymously and since they require little technical skill. Some, like "smurfing" and "fragging," are named after the software that conducts the exploit.

They've long been used to cripple Internet Relay Chat and other low-profile sites -- Wired News reported on one incident in January 1998. But they can also be used to assail even some of the best-defended corporations, something that's not exactly heartening to the millions of people who now rely on the Web for calendars, scheduling, and email.

One popular attack is called "smurfing." It works this way: A perpetrator sends a stream of ICMP "echo" requests to the broadcast address of an intermediate network, with the source address forged so that the requests appear to come from the victim's computer. Every host on that network answers, and the multiplied replies overwhelm the victim's network. They also cause havoc inside the broadcasting (aka smurf-amplifying) network that was used as an unwitting reflector.

Depending on the size of the intermediate network, a clever attacker can easily increase the muscle of his assault. A 768 Kb/s stream of echo packets multiplied by a broadcast network with 100 responding machines can generate a 76.8 Mb/s flood directed against the target -- more than enough to overwhelm any single computer.

The good news is that defenses against this kind of assault are well-known. Hosts can be configured to ignore echo requests addressed to a broadcast address. Cisco and 3Com have both released instructions for turning off the forwarding of directed broadcasts on routers, and the Internet Engineering Task Force's RFC 2644 says that forwarding "must" be disabled in routers by default.
Since "smurf" attacks became well-known in 1997, their threat seems to have decreased. One report says, "We have seen a reduction in average bandwidth used on a smurf attack from 80 Mbps to 5 Mbps. Additionally, there has been a [50 percent] reduction in the number of noticeable smurf attacks."

But others have evolved to take their place. A December 1999 advisory from Carnegie Mellon University's Computer Emergency Response Team describes trinoo and Tribe Flood Network (TFN) -- two programs that perform the kind of distributed denial of service attacks Yahoo said it experienced on Monday.

The design is astonishingly clever and simple. The idea: Instead of a single site launching an echo-packet-augmented attack, a large network of compromised machines can assault a target in a coordinated and much more destructive manner. Both trinoo and TFN rely on a master "handler" computer that signals a network of slave "agent" machines when it's time to start an attack. The human perpetrator must have already broken into the dozens -- or even hundreds -- of machines that will participate and installed the trinoo or TFN daemons on them.

The remedy is simple, as long as everyone does it: Besides the long-standing defenses against "smurf" attacks, system administrators should look for hidden copies of trinoo or TFN binaries squirreled away on their own machines, ready to attack a remote site like Yahoo when called into action.

Even newer programs have emerged that have in part replaced TFN, which seemed to have peaked in popularity around September 1999. Some of the more recent ones include stacheldraht -- German for "barbed wire" -- and an upgraded TFN2K. The threat prompted CERT to release an advisory last month.

Stacheldraht agents have been spotted on Solaris machines, and a version appears to be available for Linux as well. One big difference -- or improvement, if you're the person using it -- is that stacheldraht uses encrypted communications to cloak its intentions from administrators who might be monitoring the network.
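The two mechanisms described above, smurf reflection and the handler/agent flood, each leave a recognizable shape in a network's flow records, and that shape is what an administrator at a university or hosting site would have looked for in February 2000. The script below is an added example, not code from Wired News or from any of the tools or vendors named in these articles. It works on constructed NetFlow-style flow summaries; the sample records, the list of "our" networks, and the thresholds are assumptions chosen for the demo. It checks the network from both sides: whether our broadcast addresses are being used as a smurf amplifier, whether a host is on the receiving end of a reply flood, and whether several of our hosts are pushing traffic at one outside target in lockstep, the pattern a trinoo or TFN agent network produces. It also carries the 768 Kb/s by 100 machines arithmetic from the smurf paragraph as a function.

```python
"""Flow-record triage for smurf reflection and handler/agent DDoS floods.

Added example, not Wired's or any named vendor's code.  Input is a list of
NetFlow-style flow summaries; everything below the functions is constructed
sample data (RFC 5737 documentation addresses) and assumed thresholds.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float                 # flow start, seconds
    src: str
    dst: str
    proto: str                # "icmp", "udp" or "tcp"
    icmp_type: Optional[int]  # 8 = echo request, 0 = echo reply, None otherwise
    packets: int


# Networks we operate (assumption).  Their broadcast addresses are the only
# place an outsider can use us as a smurf amplifier.
LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
LOCAL_BROADCASTS = {str(n.broadcast_address) for n in LOCAL_NETS}


def is_local(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def smurf_amplified_rate_bps(request_bps: float, responders: int) -> float:
    """Every host on the broadcast segment answers each spoofed request, so
    the flood reaching the victim scales with the responder count."""
    return request_bps * responders


def find_amplifier_abuse(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Echo requests aimed at one of our broadcast addresses from a source
    that is not ours: we are the reflector and the 'source' is the spoofed
    victim.  Returns (broadcast address, victim) pairs."""
    return sorted({(f.dst, f.src) for f in flows
                   if f.proto == "icmp" and f.icmp_type == 8
                   and f.dst in LOCAL_BROADCASTS and not is_local(f.src)})


def find_reply_floods(flows: List[Flow], min_sources: int = 3,
                      window: float = 5.0) -> Dict[str, int]:
    """Victim-side view of a smurf: echo replies from many distinct sources
    converging on one host within a short window.  Maps destination to the
    largest number of distinct reply sources seen in any one window."""
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 0:
            by_dst[f.dst].append(f)
    out: Dict[str, int] = {}
    for dst, replies in by_dst.items():
        replies.sort(key=lambda f: f.ts)
        for i, first in enumerate(replies):
            srcs = {r.src for r in replies[i:] if r.ts - first.ts <= window}
            if len(srcs) >= min_sources:
                out[dst] = max(out.get(dst, 0), len(srcs))
    return out


def find_flood_agents(flows: List[Flow], min_agents: int = 3,
                      min_packets: int = 10_000) -> Dict[str, List[str]]:
    """Handler/agent DDoS seen from the network hosting the agents: several
    of our hosts each pushing a large packet volume at the same outside
    target.  One busy host is a download; three in lockstep is a lead.
    Maps target to the sorted list of local hosts acting as agents."""
    agents: Dict[str, set] = defaultdict(set)
    for f in flows:
        if is_local(f.src) and not is_local(f.dst) and f.packets >= min_packets:
            agents[f.dst].add(f.src)
    return {dst: sorted(a) for dst, a in agents.items() if len(a) >= min_agents}


# Constructed sample records (not captured traffic).
SAMPLE_FLOWS = [
    Flow(0.0, "192.0.2.20", "203.0.113.80", "tcp", None, 40),        # ordinary web session
    Flow(1.0, "203.0.113.9", "192.0.2.255", "icmp", 8, 2_500),       # spoofed requests hitting our broadcast
    Flow(1.1, "192.0.2.1", "203.0.113.9", "icmp", 0, 2_500),         # our hosts answering the victim
    Flow(1.1, "192.0.2.2", "203.0.113.9", "icmp", 0, 2_500),
    Flow(1.2, "192.0.2.3", "203.0.113.9", "icmp", 0, 2_500),
    Flow(1.2, "192.0.2.4", "203.0.113.9", "icmp", 0, 2_500),
    Flow(30.0, "192.0.2.10", "203.0.113.50", "udp", None, 500_000),  # three local agents flooding one target
    Flow(30.0, "192.0.2.11", "203.0.113.50", "udp", None, 480_000),
    Flow(30.1, "192.0.2.12", "203.0.113.50", "udp", None, 510_000),
    Flow(31.0, "192.0.2.20", "203.0.113.50", "tcp", None, 3),        # small legitimate flow to the same target
]


if __name__ == "__main__":
    print("amplifier abuse (broadcast, victim):", find_amplifier_abuse(SAMPLE_FLOWS))
    print("reply floods (victim: sources):", find_reply_floods(SAMPLE_FLOWS))
    print("flood agents (target: agents):", find_flood_agents(SAMPLE_FLOWS))
    print("768 Kb/s x 100 responders =", smurf_amplified_rate_bps(768_000, 100), "b/s")
```

Run it as a script to see the findings for the sample records. In practice the Flow list would come from a router's flow export, and the thresholds are the tuning knobs. The agent check deserves the caveat that a handful of busy hosts sending to one destination is also what a mirror push or a software distribution looks like, so it is a lead for the host-side hunt for hidden trinoo or TFN binaries recommended above, not a verdict on its own.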
In response, the federal government has become more involved. An alphabet soup of agencies, including the FBI's National Infrastructure Protection Center, the Critical Infrastructure Assurance Office, and FedCIRC, are asking Congress for money and promising to defend the Net.

But the companies that have invented the technology that runs the Net don't seem to need help in fixing problems with it. A Yahoo source close to the problem told Wired News that they hadn't contacted the Feds during their trouble yesterday because it would do no good.

Some measures the government is contemplating -- like increased surveillance of the Internet to snare wayward hackers -- alarm civil libertarians. The Electronic Privacy Information Center recently released documents it obtained that talk of increased electronic monitoring of Americans.

"We have Feds that are overreacting to this," says MIT's Schiller, a member of the IETF steering committee. What needs to happen is for outdated rules to be repealed, he said.

"There needs to be a way network operators can [work together] in a way that's immune from Sherman antitrust," he said. "We had a situation at IETF where we couldn't have two people in the same room together by themselves since they were representatives of big competitors."

President Clinton's budget released Monday calls for sharply increased spending on computer security.

http://www.wired.com/news/business/0,1367,34203,00.html

--------------------------------------------------------------------------------

Wired News
Security Firms Lick Their Chops
by Lynn Burke
2:10 p.m. 9.Feb.2000 PST

While the media remains riveted by the devastation wrought in the e-business world by a group of unknown hackers, the electronic security industry has reason to smile.

"Security researchers have warned for years that we are building a house of cards," said computer security expert Simson L. Garfinkel, part owner of a security counter-measures firm in Cambridge, Massachusetts.
"Companies spend far less on security than they should."

Maybe companies have learned a lesson as a result of the attacks. But if they did, they'll probably be reaching deeper into their wallets for the protection they suddenly realize they need.

Internet security stocks traded high late Wednesday. Among those seeing a spike were Keynote Systems (KEYN), up 4-7/16 to 118; ISS Group (ISSX), up 2-7/8 to 76-3/4; and Axent Technology (AXNT), up 2-15/16 to 26-3/16.

Garfinkel said these attacks will finally focus attention on the aspects of security that have so far been largely neglected.

"Much of the industry is focused inappropriately on technologies like the SSL encryption, but it has neglected to secure the endpoints. It's as if we were using armored cars to transfer money from one park bench shoebox to another park bench shoebox across town."

Aharon Friedman, CEO of Fortress Technologies of Tampa, Florida, says it's about time Internet-based businesses started investing in security measures.

"Businesses seem to be overconfident," he said. "They seem to not recognize the fact that they can be hacked and they will be hacked."

The perpetrators behind the recent denial of service attacks have managed to stay unknown by hopping from one computer network to another, and by erasing any data that might identify them, computer security experts said.

The intensity of the attacks suggests a coordinated effort by more than one person, although copycat attacks or a plan carried out by a single individual have not been ruled out.

http://www.wired.com/news/business/0,1367,34244,00.html

________________________________________________________________________________

no copyright 2000 rolux.org - no commercial use without permission. is a moderated mailing list for the advancement of minor criticism. more information: mail to: majordomo@rolux.org, subject line: , message body: info. further questions: mail to: rolux-owner@rolux.org. archive: http://www.rolux.org