Year 2000 is ending as it began, with a DDoS attack threatening a large part of the Internet and failing security efforts fueling IT fears.
The latest distributed denial-of-service attempt was broken up last week in Denmark, where hackers took control of at least 50 zombie servers and were preparing an assault on that countrys systems. Authorities arrested a 17-year-old suspected of being connected to the attempt, which was broken up by the Danish section of the Computer Emergency Response Team, according to a report in the Danish newspaper Ingeniøren.
Its only one of an alarming number of news reports last week that demonstrate that the fight for online security and privacy has woefully regressed in every area except one—awareness. Other bad news from last week:
• Creditcards.com was hacked, and 55,000 card numbers were held hostage for $100,000. When the extortion attempt failed, the hacker posted the card numbers on the Web. The company has since put up a Web site where merchants and customers can check for fraudulent transactions.
• At the University of Washington Medical Center, thousands of medical records for heart patients, which included names and Social Security numbers, were accessed. Officials first denied, then confirmed the hack.
• Experts from @stake Inc., in Cambridge, Mass., warned that America Online Inc.s AOL Instant Messenger is harboring serious security flaws.
More significant, most experts concur that things will only get worse next year.
“The scariest part to me is theres not enough qualified security talent out there,” said a security administrator at a major Midwestern mortgage bank. “Thats why were losing ground. I built my infrastructure and many of the programs methodically. But I regularly do security audits, and its getting to the point they cant even address our security because they dont understand it.”
The situation is worse than most people think, said Chris Rouland, director of Internet Security Systems Inc.s X-Force security advisory team, in Atlanta. “There are a high level of DDoS agents out there right now, on the order of tens of thousands of servers in zombie configuration,” said Rouland, who also said he sees at least one data hostage situation per month. “Ive had high-level talks with the government. I can tell you theres concern.”
Indeed, the FBI has been vocal on the data security front, taking efforts to warn corporations, universities and consumers of higher levels of hack attempts and virus launches around the holidays. Hackers thrive this time of year because they can prey on the large number of e-mail greeting attachments—usually accompanied by higher levels of seasonal trust and goodwill—to launch viruses and because of the high level of online shopping.
“Social engineering is still the weakest part of the equation,” said Stacey Lum, CEO of security vendor InfoExpress Inc., in Mountain View, Calif.
But with the shopping season nearing its end, the only real attack so far has come from Navidad, a virus that in two months time became the seventh most prevalently reported virus on anti-virus vendor Sophos plc.s list of top viruses for the year.
“Hackers are smart,” said Graham Cluley, senior technology officer at Sophos, in London. “If you say to users watch out for this time of year, the hackers will wait until right after this time of year. Users should be equally paranoid all the time.”
And, all experts agreed, users should prepare for an even knottier year coming, as hackers are getting more sophisticated, both technologically and socially.
“It has surprised me how savvy some of the hacks have been,” said ISS Rouland. “They know economics, shutting down a Web site on the day of an IPO [initial public offering] and targeting Christmas for credit card hacks.”
Others said the schemes being used by hackers lately have shown a step up in sophistication. One security expert said some of the new attacks move far beyond the simple e-mail attachments that dominated this year. He cited the Bymer worm, which, similar to Trinity Version 3, is an automated attack worm that scans for certain types of servers with vulnerabilities and implants itself on the weak systems, increasing the efficiencies of hacking.
Other worms, such as the years most prevalent virus, Kakworm, and the recently discovered Forgotten.A, up the clever quotient by launching when an e-mail is opened, not the attachment.
Experts also worry about chat clients in the coming year. They provide nearly total anonymity, they can quickly and anonymously send rogue files to other chat clients or chat servers and the companies that run them, and the networks are always available.
Another headache for next year, ironically, will be encryption. Virtual private networks for broadband users and increased acceptance of encrypted e-mail mean sentries at the gateways wont see malicious code and will let the encrypted bits waltz in or out the front door.
“Theres no easy answer to this,” said Sophos Cluley. “If something like ILoveYou happened in a world where encrypted e-mail was accepted, it could have been … catastrophic.”
What can enterprise administrators do? This latest round of malcontentment could be enough to stir up paranoia and despondency among IT managers, but @stakes Weld Pond preached calm and vigilance in the face of what looks like impending chaos.
“Awareness is way up. Thats good, especially with privacy. Users are getting cynical,” said Pond, the companys R&D manager. “You know car manufacturers are required to recall products when they fail. Not so in software or the Internet yet. So you have to challenge your vendors. Assume security in their products is bad and ask them what theyre doing about it. Be disciplined in your practices. Dont act without thinking.”