Battling hackers
DAYTON | Ronnie Wagers, the University of Dayton's network security officer, checks the on-screen status of UD’s Internet connection and finds it running at less than half its normal speed — only 456 kilobytes of information transmitted per second.
Wagers suspects a problem he has seen many times before: Hackers have tapped into UD’s network and are hogging most of the lanes in the university's electronic freeway to the Internet.
Wagers calls up a current list of the top 10 Internet users among the 10,000 computers on campus and quickly spots a vulnerable machine in the School of Business Administration — a server shared by UD students that has not been given a password.
Sure enough, another screen shows the server engaged in a frenzy of Internet activity. Hackers are using the machine to store, trade and retrieve voluminous MP3 music files and illegal software. To keep it from tying up the Internet connection, Wagers assigns the machine the network’s lowest priority. Instantly, UD’s connection speed soars to 1.9 megabytes per second — a four-fold increase. Computer life at UD is back in the fast lane.
Score a small victory for the White Hats in the never-ending battle between overworked security specialists and the growing number of cyber intruders who hack, plunder, cripple or crash computer networks. Their victims range from elementary schools and mom-and-pop businesses to the nation’s biggest banks and vital defense operations.
Although home computer users have less to fear than computer networks, no one is immune. "If you are connected to the Internet, chances are you've been attacked by hackers," Eric Thomas, a student at San Jose State University and member of the College of Cyber Defenders program, told The Learning Channel.
With more powerful computers and tools than ever at their fingertips, cyber intruders are inflicting billions of dollars in financial losses and computer down-time on a wired nation. They’re stealing trade secrets and credit card numbers, defrauding banks, defacing Web sites, disrupting computer operations and bombarding consumers with millions of unwanted, sometimes offensive and often fraudulent e-mail ads.
Despite the rapid growth of the computer security industry, cyberspace may be more vulnerable than ever. Software companies release ever-more sophisticated programs but often neglect to plug the security holes their elaborate features create. And new easy-access technologies, such as high-speed DSL and cable modems and wireless connections, provide more opportunities for hackers to break in.
Most attacks come from within
While most hacking attempts are made from the outside, FBI statistics show that 80 percent of successful attacks are committed from within a company. "Nowadays, you can reprimand an employee for not doing something they were supposed to do, and then watch your computer system go down the next day," said Robert Simpson, chief technology officer for SDG Inc., a computer security firm based in Lexington, Ky.
In 2002, nine in 10 organizations — including corporations, financial institutions, hospitals and universities — said they had detected at least one computer security breach in the past 12 months, and eight of 10 suffered financially as a result, according to a survey of 503 respondents conducted by the FBI and the Computer Security Institute, an association of information security experts.
In the past five years, financial losses reported by survey participants have more than quadrupled, from $100 million in 1997 to $456 million last year. Hacking is no longer just a problem "of juveniles on joy-rides in cyberspace," said CSI director Patrice Rapalus. "There is much more illegal and unauthorized activity going on . . . than corporations admit to their clients, stockholders or business partners, or report to law enforcement. Incidents are widespread, costly and commonplace."
Cyber intrusions occur daily in the Miami Valley and around the world, but the vast majority never make the headlines.
The Northmont School District's entire 1,400-computer network crashed for more than a week in early February after a school employee downloaded the Nimda virus from an innocent-looking e-mail. Doug Cozad, technology supervisor for the school district, said his department was still cleaning virus from machines a month later.
"The lost productivity was huge," Cozad said. "Teachers could do nothing. They couldn't access the server where a lot of their files were. They couldn't access their e-mails."
Viruses and worms are the most common attacks, and the best-known among computer users. The percentage of FBI survey respondents hit by viruses peaked in 2001 at 94 percent, as the "I Love You" virus poured into nearly every e-mail box in America. Although the percentage of victims dropped to 85 percent in 2002, the average loss climbed to an all-time high of $283,000 per organization.
The global financial cost of viruses alone could rescue the economies of several Third World countries. Computer Economics estimates the global impact of "I Love You" at $8.7 billion. The estimated cost of all viruses unleashed since 1999 is more than $15 billion.
Yet the true cost of cyber intrusion is unknown because the battle is largely hidden from the public. Fearful that their image will be damaged and their competitors given an edge, only a fraction of businesses and other organizations report cyber crimes.
In last year's CSI/FBI survey, only one in three respondents (34 percent) reported security breaches to law enforcement officials, and fewer than half (44 percent) were willing or able to quantify their financial losses. But of those 223 respondents who provided an estimate, damages totalled nearly a half-billion dollars ($455,848,000).
Software, consumers both to blame
There is plenty of blame to go around, and not just at hackers and virus writers. Software companies too often emphasize catchy new features over security, releasing programs they know have security holes and failing to release timely patches to fix them, said Sushil Jajodia, director of the Center for Secure Information Systems at George Mason University in Fairfax, Va.
The government should enforce safety recalls in the software industry just as it does for other vital consumer products such as cars and tires, Jajodia said.
But consumers are just as responsible for opening the door to cyber intruders, said Chey Cobb, author of Network Security for Dummies (John Wiley and Sons, 2002). "People take their computers out of the box and plug them in and think that's all they have to do to ensure security," she said. They don't bother to install their firewall programs, download security patches or update virus protection programs. And, she said, they often resort to lazy passwords or, worse, none at all.
"Information security is only as strong as its weakest link, and that link is often the human factor," Simpson said. "People just don't understand the threat and the risk right now."
The nation’s computer security experts warn that cyber intrusion will only accelerate unless there is closer cooperation between law enforcement officials and the private sector, as well as a greater public awareness of the problem.
In 1996, the Cleveland FBI office was the first to offer guarantees of confidentiality and expert training to encourage corporate security specialists to meet and discuss details of attacks on their computer systems. There are now 70 so-called InfraGard chapters across the country, including one recently formed in the Dayton area.
Despite the FBI confidentiality guarantees, Dayton InfraGard members still are hesitant to talk about specific attacks against their networks. "I don't think we would go to that level," said Sammy Spurlock, Senior Security Consultant for Standard Register Inc. Instead, he said, the Dayton group is more likely to share tips on the latest security techniques.
Membership in InfraGard got a boost from the 9/11 attacks and the looming prospect of cyber terrorism. "There seems to be a greater appreciation for how much information security means, not only to each individual enterprise but also to the economy itself and to society as a whole," CSI's Rapalus said.
The fear is that terrorists may be able to shut down traffic control towers at airports, take control of the stock market or cut off electricity or phone service to whole regions of the country — armed with nothing more deadly than a keyboard and a hard drive.
FBI establishes protection center
To help protect the vital role computers play in our nation's infrastructure — everything from designing prescription drugs to launching nuclear warheads — the FBI established the National Infrastructure Protection Center in 1998. As a joint venture among private industry and federal agencies, the NIPC takes the lead in preventing and responding to cyber-terrorist threats to the nation's telecommunications, energy, transportation, banking and emergency services.
Last month, the NIPC issued a warning to its members that an increase in global hacking may result from the impending war between the United States and Iraq.
Sheikh Omar Bakri Muhammad, a Syrian-born fundamentalist cleric with ties to several of the 9/11 hijackers, recently stated that the use of "all types of technologies" is justified in the defense of Muslim lands.
While many American corporations are still afraid to share security details, hackers themselves are sharing more strategies and tools than ever. Simpson estimates there are now more than 100,000 Web sites devoted to hacking and its tools — up from 40,000 sites just a year ago.
Hackers insist the term "hacking" has been misused by the media. Not all hackers are malicious. Many engage in harmless exploration of networks out of curiosity and to learn more about computer programming. Hackers say the intruders who break into computers to steal or destroy data and create havoc should be called "crackers" instead.
Hacker Web sites include lines of code and whole programs that young teenagers with time on their hands and a malicious bent could easily copy and try against computer networks.
Sites also list scanning programs that look for vulnerabilities in computer systems — as well as "password guessers" that churn through long lists of predictable passwords to gain access to networks and "password sniffers" that can detect and snag passwords in the flow of data.
The goal for many young cyber intruders is to penetrate and control as many computers as possible, both for bragging rights on the Internet and for the added power it gives them for storage space or for attacking their opponents.
Hackers who get into arguments in Internet chat rooms sometimes will unleash a burst of information from all their machines at once to overwhelm and crash their opponent's computer.
Attack at UD
Three months ago, just such an attack crashed UD's network after a UD student argued with a hacker in a chat room. It took UD's technicians an hour to get the network up and running again and eight more hours to shield the system from further attacks.
Far more insidious and dangerous are targeted hackers — those who have specific sites and specific mischief in mind. Usually, they are adept at writing their own computer code and are more devious in their methods.
Since November, Wagers has been battling an ingenious hacker who has secretly captured at least 125 computers at UD. The hacker loads a "Trojan Horse" on each machine — an apparently innocuous program that contains code designed to access the computer without the user's knowledge.
So far, the hacker has used the UD computers only to store or run his own programs. That may sound harmless, but captured machines run more slowly and also put an added strain on UD's Internet connection.
Every time a machine is compromised, "our productivity is reduced," Wagers said. He also fears the hacker may be emboldened to steal or corrupt data at the university.
The hacker has devised an automatic method of spreading his control. With the press of a button, he can spew dozens of copies of a password-sniffing program, dubbed task32/gg.bat, that migrates throughout the UD network looking for passwords to vulnerable machines.
Wagers found he could kill the hacker's programs by sending them to the machine's debugger. But that's only the first step in cleaning up a compromised machine. The hacker has also installed a program called FireDaemon that reinstalls his programs every time the infected computer is rebooted.
To clean up the machine completely, a UD technician must go into every folder in the computer and delete every program the hacker has installed — a tedious process that can take several hours.
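The FireDaemon persistence described above is a service-wrapper trick: the wrapper is registered as a service that starts at every boot and relaunches the hacker's script. Here is an added example, not code from the article or from UD, of how a defender can triage a host's service list for that pattern; the service records, paths and the srvany.exe entry are constructed or assumed for illustration.

```python
"""Triage Windows service entries for wrapper-based persistence (added
example, not article or UD code; records are constructed to resemble
what `sc qc` reports: service name, start type, ImagePath)."""
import re
# Service wrappers that run any program or script as a Windows service:
# FireDaemon is the one the article names, srvany.exe the Resource Kit one.
WRAPPER_EXES = {"firedaemon.exe", "srvany.exe"}
SCRIPT_RE = re.compile(r'\.(bat|cmd|vbs)(?=["\s]|$)', re.I)
USER_WRITABLE_RE = re.compile(r"\\(temp|tmp|documents and settings|users)\\", re.I)

def split_image_path(cmd):
    """Split a service command line into (executable, arguments); handles a
    quoted executable and an unquoted .exe path that contains spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", cmd, re.I)
    if m:
        return m.group(1), m.group(2) or ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def triage(services):
    """services: iterable of (name, start_type, image_path).
    Returns (name, severity, reasons) for each service worth a closer look."""
    findings = []
    for name, start, image_path in services:
        exe, args = split_image_path(image_path)
        reasons = []
        if exe.rsplit("\\", 1)[-1].lower() in WRAPPER_EXES:
            reasons.append("service wrapper: " + exe)
        target = args if reasons else exe  # a wrapper runs what its args name
        if SCRIPT_RE.search(target):
            reasons.append("launches a script: " + target)
        if USER_WRITABLE_RE.search(image_path):
            reasons.append("binary in a user-writable location")
        if reasons:
            # Auto-start is what re-establishes the foothold at every reboot.
            severity = "high" if start.lower() == "auto" else "medium"
            findings.append((name, severity, reasons))
    return findings

SAMPLE_SERVICES = [  # constructed records, not real UD data
    ("Spooler", "auto", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("SysHelper", "auto",
     r'"C:\Program Files\FireDaemon\FireDaemon.exe" "C:\WINDOWS\task32\gg.bat"'),
    ("Backup Agent", "demand", r"C:\Program Files\Acme Backup\agent.exe /svc"),
    ("Updater", "demand", r"C:\Temp\upd.cmd"),
]
```

Running `triage(SAMPLE_SERVICES)` flags only SysHelper (high, auto-start wrapper launching a batch file) and Updater (medium); the flagged entries are the ones whose on-disk files, and the service registration itself, a technician would remove.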
Recently, with the help of a new high-speed filtering device from TippingPoint Technologies, Wagers was able to trace the source of his remaining compromised machines to a single culprit — an Internet address at a communications firm in Washington, D.C. Wagers says he plans to provide the information to the FBI for a criminal investigation.
Wagers may have been lucky. Hacking can seldom be pinned to its perpetrator. Often, intruders work from cyber cafes and libraries rather than their own computers, or they disguise their Internet address (a technique called "spoofing") or "leap" through other systems to their targets. They also know how to clean their computers of any traces of where they've been.
Spam also a problem
Spammers who bombard computers daily with junk e-mail ads may be less intrusive than hackers, but they, too, pose a rising threat to the Net. Their unwanted messages — often advertising phony get-rich schemes, pornography, bogus health remedies and other products of dubious legality — have become the bane of the Internet.
It's not just a matter of overflowing our private mailboxes, experts say. Spammers are clogging the Internet and slowing access for more legitimate uses.
"Spammers are gaining control of the Internet," Barry Shein, president of an ISP called World, told the 2003 Spam Conference last month.
David Mezera, vice president of DONet, Dayton's locally based Internet service provider, said 60 percent of the 100,000 to 150,000 e-mails received each day by DONet are now spam.
Cyber intrusion of all types has triggered a boom in the computer security industry. Simpson said SDG has seen its consulting business triple in the last two years.
To protect themselves, businesses and institutions are putting up firewalls around their networks, updating their virus protection, adding intrusion detection systems and churning out policy and procedure manuals for their employees. Worldwide spending on computer security is expected to rise to $45 billion by 2006 — three times the $17 billion companies spent in 2001, according to International Data Corp.
But no matter how sophisticated the network defenses, careless employees can leave the back door open to hackers.
"Human beings want everything easy," Cobb said. "We don't want to remember two different passwords. We don't want to change our passwords every three or four months. And we don't want to be trained."
Even the tightest security and the most cooperative employees cannot totally eliminate the risk of cyber intrusion. Given its complexity, software coding always will have security holes, and the freedom of the Internet always will allow hackers to prowl for them.
Still, good security practices "are certainly better than someone who leaves the front door unlocked," Cobb said.
Keeping computers secure means staying one step ahead of the intruders, and that can be a moving target.
"Information security is not a point in time," Simpson said. "It's a learning process that never ends."
Contact Jim DeBrosse at 225-2437 or jdebrosse@coxohio.com