The Rise in Hacker Sabotage
The evening of Nov. 5 was one of the busiest nights of the year for most U.S. news organizations. The New York Times was no exception. Reporters and researchers scurried around, gathering data on returns and filing reports with their editors. Amid all the confusion, unbeknownst to anyone, the paper's Internet web pages were under attack by an anonymous hacker or group of hackers. The assault was launched through cyberspace as shadowy saboteurs attempted to bring down the Internet computers of the nation's most respected daily newspaper. The election night assault on the Times website slowed the pace of the already congested web traffic to a crawl, making life next to impossible for those seeking the latest election news. "We're sure that there was an intruder because of the bogus Internet address and the sheer volume of simultaneous requests," says Nancy Nielsen, a spokeswoman for the Times. "They were coming in at a very measured pace. It was so regular, it was as though a program was doing it."

The incident, which went virtually unreported, was the latest example of a new and potentially devastating rash of attacks on Internet hosts around the country. In the past six months, Internet hackers have staged attacks on a variety of corporate, government and personal computers connected to the Internet. In August, the Department of Justice's website was defaced. In September, hackers struck the website of the Central Intelligence Agency. Web sites run by the Internet Chess Club and the Computer Daily News have also been assaulted and vandalized. For most Internet users, the damage so far to websites has been minimal. No data files were affected at the Times. The attack just made it harder for those who tried to access the page. But even that is a disturbing prospect for the more than 45,000 corporate websites now online.
As commercial interests blindly push the Internet toward becoming the marketplace of the future, untold billions of dollars have been invested in websites. In the first quarter of 1995 alone, some $47 million in venture capital was invested in Internet companies. International Data Corporation, based in Framingham, Mass., estimates that $78 billion in purchases will take place over the Internet by the year 2000 -- a huge investment that is placed at serious risk by the new wave of Internet hackers. The Times incident is the most recent case of what is known as a "denial of service" attack. The destructive potential of such attacks first came to light two months ago, when PANIX, a Manhattan Internet service provider, went public with the fact that its servers were being attacked. This type of assault is especially pernicious, since it takes advantage of one of the Internet's most basic principles -- the open sharing of information with outsiders -- to cripple a company's server. The PANIX attack was so unexpected, concentrated and hard to repel that it nearly put the company out of business. The sharp rise of malicious hacking incidents recently poses serious questions about the continued unchecked development of the Internet. Can cyberspace be made to be safe and reliable? It's a question that the Internet community will have to grapple with seriously if it is ever to fulfill its promise as a serious vehicle for information gathering and dispersion.

The assault on PANIX, first reported two months ago, was a frightening wakeup call to those who make their living in cyberspace. "This was a very nasty attack," says John Curran, chief technical officer for the Cambridge, Mass., Internet firm BBN Planet, one of the oldest Internet companies in the country. "The sources are very hard to track down, and the effects are hard to combat." Says Simona Nass, a PANIX representative: "Anybody with a chip on his shoulder can take out a site, at least temporarily."
The PANIX assault was launched on Friday, Sept. 6 after 5 p.m., when most of the staffers were busy packing up for the weekend, as were most of the top-notch network engineers at Sprint and MCI, which provide PANIX's connection to the Internet. It was, in short, a perfect time for an attacker to launch a disabling assault.

And that's exactly what happened. In technical lingo, the attack is known as a SYN -- short for synchronization -- attack. Whenever someone cruising the Internet tries to link up to another computer by calling up a web page, for example, the first thing that happens is a three-way handshake between the two computers to set up the connection. The user's computer sends out a signal, known as a SYN packet, saying "Hey, I want to connect to you." The server sends back another message called a "synchronization acknowledgment," or a SYN/ACK, essentially saying, "Where are you?" The server then waits for a final acknowledgment from the user -- an "Over here!" -- before allowing the connection to take place. Under normal conditions, these exchanges take place in less than one second.

But this attack was not normal. The attacker's initial SYN packets contained a forged return address. As a result, PANIX's server was hurling a SYN/ACK packet out into cyberspace that would never find the user who made the initial request for a connection. Instead, the server would just sit there, waiting for a response. And waiting. And waiting. The standard procedure for UNIX -- the most common operating system for Internet servers -- is to wait up to 75 seconds for a response to its SYN/ACK message before closing the open connection. Meanwhile, PANIX was receiving 150 fake requests per second. Given the finite number of connections available on each UNIX machine -- ranging from eight to 1,000 depending on the age of the equipment -- it is possible to jam the server with outstanding requests. While that's happening, no one else can get into the system.
During the initial assault, which lasted an entire week, none of PANIX's 7,000 paying clients could log in to the service. The server was too busy waiting for final acknowledgment signals that would never come. E-mail services stopped. Corporate websites were shut down. Business slowed to a crawl. "It basically was pretty overwhelming," says PANIX's Nass. "It was a big fight just to keep services running to our clients. After we went public with it, we realized that there were more sites that had been hit."

By announcing that they were being assaulted by a hacker, PANIX called on the collective knowledge of the best security experts on the Internet. It turned out, to the embarrassment of some, that several of those experts had known about this kind of attack for years. In fact, the SYN attack was considered so debilitating that William Cheswick and Steven Bellovin, authors of the 1994 book Firewalls and Security: Repelling the Wily Hacker, decided not to include a chapter on SYN attacks because they didn't want to tip off the hackers. While the attack is fairly simple to envision, it requires a high level of expertise to write a program that can execute such an assault.

Last summer, a month before the PANIX attack, a palm-sized hacker magazine, 2600, The Hacker Quarterly, made it a lot easier. In an article titled "Flood Warning," author Jason Fairlane described exactly how to write a program that will execute a SYN attack, with the following disclaimer: "Don't use this software without permission," Fairlane warned. "I'm serious. It's very very very bad. This is probably one of the worst Denial-Of-Service attacks there is. No one will be able to connect to your target's machine. It's bad."

The attack on PANIX did not disappoint. PANIX president Alexis Rosen worried that the company might not be able to survive. "There was a concern that, if the attacks continued unabated, it would force us out of business," says PANIX's Nass.
"There's only so long that customers are willing to pay for something that they aren't able to use."

Luckily for PANIX, the crisis did not reach that point. With the help of Cheswick, Bellovin and other Internet security experts, PANIX has been able to minimize the effects of the hacker's attacks. There are ways to combat such attacks, such as filtering out packets from a particular address or reprogramming a server so that it will wait only 10 seconds for a response to its SYN/ACK message. But the attacks have continued. Because of the nature of the attack and the wide open platform of the Internet, it is impossible to trace the identity of the hacker or hackers. Since the messages have bogus return addresses, there are no fingerprints to identify the sender. And because there are so many different on-ramps to the Internet, experts have been unable to trace the messages back to their source. In fact, there's no way of telling whether the hacker is next door or across the globe.

The experts who helped out PANIX know little about the attacker, but they expect that it's someone who knows computer programming. "The attacks mutated in response to some of the defensive measures we implemented," Nass says. In other words, the hacker did not stick with one method of attack. He assaulted PANIX's e-mail, websites and file-transfer-protocol services, combating technicians' efforts to weed out bogus messages as they came in. "The expertise of the hacker was fairly respectable," says Nass.

"We believe that there was more than one attacker," she says. "There may have been copycats, what we like to call ankle-biters, who know enough about what they're doing to copy the code and run the program. At least one person who really had the skill was mutating the attack."

PANIX was able to call upon a pool of experts who managed to minimize the impact of the attacks. But PANIX was lucky -- and well-connected.
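To make the arithmetic behind the half-open connections described above and the shortened-timeout countermeasure concrete, here is an added example (not code from the article or from PANIX) that models a server's table of half-open connections with the figures quoted in the text: 150 forged SYNs per second, a 75-second wait, and a table of up to 1,000 entries, compared against a 10-second wait. All function and parameter names are this example's own assumptions.

```python
"""Model of a server's half-open (SYN_RCVD) table under a spoofed SYN flood.

Added illustration, not code from the article or from PANIX. A spoofed SYN
earns a SYN/ACK that goes nowhere, so its table entry is held for the full
timeout and then discarded; a legitimate SYN that arrives while every slot is
held is refused. Function and parameter names are assumptions of this example.
"""
from collections import deque


def steady_state_half_open(spoofed_per_sec: float, timeout_s: float) -> float:
    """Little's law: entries outstanding once arrivals and expiries balance."""
    return spoofed_per_sec * timeout_s


def table_survives(spoofed_per_sec: float, timeout_s: float, backlog: int) -> bool:
    """True if the table can hold every spoofed entry and still have room left."""
    return steady_state_half_open(spoofed_per_sec, timeout_s) < backlog


def simulate_syn_flood(spoofed_per_sec: float, timeout_s: float, backlog: int,
                       duration_s: float, tick_s: float = 0.1):
    """Discrete-time run of the table. Returns (peak_entries, fraction_of_time_full).

    Time advances in integer ticks so that expiry comparisons are exact.
    """
    ticks = int(round(duration_s / tick_s))
    timeout_ticks = int(round(timeout_s / tick_s))
    per_tick = spoofed_per_sec * tick_s      # may be fractional; remainder carried
    half_open = deque()                       # expiry tick of each held entry
    carry = 0.0
    peak = 0
    full_ticks = 0
    for tick in range(ticks):
        # Entries whose wait has elapsed are released (oldest sit at the left).
        while half_open and half_open[0] <= tick:
            half_open.popleft()
        # Admit this tick's spoofed SYNs until the table is full; the rest
        # (and any legitimate SYN arriving now) would simply be dropped.
        carry += per_tick
        arrivals = int(carry)
        carry -= arrivals
        for _ in range(arrivals):
            if len(half_open) < backlog:
                half_open.append(tick + timeout_ticks)
        peak = max(peak, len(half_open))
        if len(half_open) >= backlog:
            full_ticks += 1
    return peak, full_ticks / ticks


if __name__ == "__main__":
    # Figures quoted in the article: 150 forged SYNs/s, 75 s wait, backlog up to 1,000.
    for timeout, backlog in [(75, 1000), (10, 1000), (10, 2000)]:
        peak, full = simulate_syn_flood(150, timeout, backlog, duration_s=60)
        print(f"timeout={timeout:>2}s backlog={backlog:>4}: "
              f"steady-state need={steady_state_half_open(150, timeout):>6.0f}, "
              f"peak={peak:>4}, full {full:.0%} of the time, "
              f"survives={table_survives(150, timeout, backlog)}")
```

With 150 forged SYNs per second, a 10-second wait still leaves 1,500 entries outstanding in steady state, more than a 1,000-entry table can hold, so the shorter timeout only rescues a server whose table is large enough for rate times timeout entries.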
Given the rapid expansion of the Internet, most sites don't have adequate safeguards or, in many instances, access to the expertise to throw up adequate defenses. "A lot of people just aren't protected against these kinds of attacks," says Tom Sheldon, author of the Windows NT Security Handbook, which contains a chapter on how to fight back against hackers. "They don't happen a lot, but they can be very tough to deal with."

Sheldon says there are other kinds of attacks that exploit the Internet's openness. For instance, hackers may be able to modify the size of the packet they are sending across the Internet and jam a server with too much information. A server is only equipped to handle a certain amount of information in each packet. "There are definitely tics in the system," says Sheldon.

Even so, the Internet system continues to grow at a rapid clip. Last week, for example, 1,100 new commercial sites were registered on the World Wide Web. And there are growing efforts to ease the use of credit cards online and sell merchandise over the Internet. All of this has security experts busy developing new software to make transactions secure. Indeed, the growing commercialism of the Internet makes new security questions all the more pressing. "How vulnerable is the financial system?" Sheldon asks. "What if a hacker figured out how to shut down the power grid on the West Coast? The reality is, it's hard to say that it couldn't be done."

What is a hacker's motivation? It might be the aura of notoriety achieved by other high-profile hackers, like Kevin Mitnick -- who The New York Times called "the most wanted man in cyberspace." Mitnick eluded the FBI for four years before he was tracked down by a security expert whose computer Mitnick had hacked. Mitnick's saga has been the subject of two major books this year. Tales of cyber-saboteurs have been much romanticized by the mainstream press.
Mitnick, for all the hype surrounding his case, says he never used his knowledge of computers to make money. And he certainly could have. For instance, when he was arrested, federal agents discovered a database he had allegedly stolen from Netcom, a west coast Internet firm, that contained some 20,000 credit card numbers. Pop culture movies like The Net and Hackers have expanded the notion of the hacker as a prankster with an almost universal knowledge of computer systems who posed no real threat to society.

The very origin and evolution of the term "hacker" defines the debate. In the 1960s, hackers were the fledgling computer programmers at MIT and other universities who comprised the first wave of computer gurus. In the 1980s, they were teenagers with Commodore-64 computers who broke into the phone system's computers and hunted around for information about what made the system tick. That generation, which included Mitnick, also became known for their mischief. The most basic of the hacker tricks was to build what came to be known as a "red box," which imitated the sound of a quarter in a pay phone, allowing the user to make free phone calls. A hacker could also use his or her knowledge of the phone system to eavesdrop on people's phone calls. Mitnick became famous for turning one target's home phone into a pay phone, making it so that an operator's voice said "please deposit 25 cents," each time someone in his victim's house picked up the phone. Kevin Poulsen, another hacker, rigged a Los Angeles radio show contest back in 1990 by seizing control of the radio station's phone lines and making sure he was the 102nd caller. His efforts won him a Porsche 944. He later pleaded guilty to wire fraud charges and was sentenced to 51 months in jail. In media coverage of the hacker culture at least, a hacker "ethic" emerged. Its most basic tenet: "Hack but don't crack."
It was acceptable, in other words, to root around in a system and learn how it worked, but it was taboo to use that knowledge to knock out phone service for the East Coast of the U.S. Of course, that has not stopped hackers like Poulsen and Mitnick from bragging about their expertise. Hence the first natural law of hackerdom: It's no fun to be an expert hacker if nobody knows about it. With the rapid expansion of the Internet into mainstream use by corporations and government agencies, it is easier than ever for hackers to make their handiwork well-known. This past Aug. 16, the Department of Justice's website was vandalized by a hacker. The page was replaced with another page titled "US (Japan's) Department of Injustice Home Page." In what appeared to be a protest against the Communications Decency Act, the hacker replaced the site's normal array of press releases and government links with pictures of George Washington, Adolf Hitler and a doctored topless photo of Friends star Jennifer Aniston, along with a diatribe against free speech restrictions on the Internet.

The site's background tableau was replaced with Nazi swastikas. The Justice Department shut down the site for an entire weekend until computer engineers could clean up the mess.

A month later, the Central Intelligence Agency's website was hacked. It was replaced with a site for what the culprits called the "Central Stupidity Agency." The vandals styled themselves as a group called Power By Resistance, a name that was meaningless to law enforcement agencies. The trashed site reportedly contained links to a European hacker group that has done battle with the Swedish government. So far, none of the saboteurs have been caught. But U.S. government officials have warned that punishment for such computer crimes could be severe. These incidents, while embarrassing, have accomplished little except to show how vulnerable the Internet is to intrusions.
Investigators say vandals also have made assaults on commercial sites, changing prices or interest rate information posted on the World Wide Web. And the Internet is also an increasingly accessible vehicle for misinformation -- hacking of a completely different sort. Last week, ABC News correspondent Pierre Salinger shocked a gathering of French officials by revealing that sources had told him that the government knew that TWA Flight 800 was downed accidentally by a case of friendly fire from a U.S. Navy ship on maneuvers off the Long Island coast. His source: a months-old posting on a Usenet newsgroup on the Internet. Other attacks, while not as serious as the PANIX incident, have crossed the line from mischief to outright harassment. For instance, this year several famous people and Internet journalists became the targets of a hacker known affectionately as the Unamailer. The Unamailer's modus operandi is to subscribe his target to thousands of electronic mail discussion lists, flooding his victims with thousands and thousands of junk e-mail messages. In some cases, the only way to end the deluge of messages is to send out individual messages to the source of each mailing list, asking to unsubscribe from the list, a time-consuming process. Among the hacker's victims were President Clinton, Emmanuel Goldstein, editor of 2600, Joshua Quittner, associate editor of the web-culture electronic magazine The Netly News and John Markoff, Internet reporter for the Times and MTV.

The damage done by such incidents may come from an unexpected quarter. Although the assaults on the CIA and Justice Department websites have been compared to the work of graffiti artists, there is concern among many of the Internet's civil libertarian defenders that such incidents will create new pressures to impose more government regulation of the Internet. "The usual analogy is that the screaming hordes are overtaking the castle," says security expert Tom Sheldon.
"The other is that of one person slipping in during the dark of night and attacking from within. Now, I guess one person might be able to simulate an attack on all fronts."

Such antics seem to be awakening many to the realization that the Internet's days as a lawless frontier are numbered. The courts are starting to take notice of individual rights in cyberspace. There has been a spate of junk e-mail distributors, for instance, who send electronic mail out to massive lists of unwary Internet users. Generally described as "spam" for its annoying and useless quality, junk e-mail has long been one of the facts of life in cyberspace. Last week, a federal court upheld the right of America Online -- the largest Internet access provider in the world -- to ban junk e-mail distributors from using its service. Since the Internet's beginnings, its advocates have resisted any attempt to assert boundaries in cyberspace. All that may be changing, however, as the Internet grows and demand for basic security increases. The impact of hackers, spammers and others may be forcing Internet users to develop a new level of maturity -- and start dealing with potentially costly intruders more aggressively.

Ultimately, that may be the lesson of the recent wave of cyber-sabotage. "It's a wakeup call that the Internet is not without its problems, and there are nasty people out there," says PANIX's Nass. "It shows that there are some vulnerabilities. The Internet is being forced to grow up."

How open should the Internet be? Or, perhaps more importantly, how open should people be on the Internet? "It means I may want to be careful about my behavior online, the same way that I would walking down the streets of New York. You may not want to invite strangers into your house. And you may not want to invite strangers into your site," Nass adds.

The Internet, however, tends by its nature to defy such behavior modification. Right now, if you are online, you can be accessed from across the globe.
It is possible to build security against unwanted entrance -- called firewalls -- but none are foolproof. Besides, the purpose of the Internet is the open exchange of information. Still, the growing dependence on the network makes the hacker threat more disturbing to some. "I'm a telecommuter," says Sheldon from his West Coast home. "I live out here in the wilderness, and I depend on this system. How vulnerable are we making ourselves? It is very fragile."

At the same time, he points out, the system is also very adaptive. The Internet was built as a decentralized system, like millions of paper clips linked together throughout the country and now the world. When one link in the chain is broken, the data can simply re-route itself and take another path to its destination. Because of that, Sheldon says, it would take a monumental effort to bring the entire Internet down. But even that fact has a downside. It means that everyone on the network basically has the same level of technology at their disposal. "The Internet was basically developed as a peer network," says BBN's Curran. "Your computer may be equal to the computer at your Internet service provider. That's unique among comparable systems. Your telephone is not equal to the phone switch at the phone company. The features and what you can do are controlled in other systems."

In the past, the dangers inherent in such a system were somewhat mitigated because of the expertise required to navigate the network. Now every software company's goal is to make it so that first-time users can find their way around the web with ease. "Now the Internet is so prevalent, you're talking about millions of people on the network and tens of thousands of network adventurers," Curran says.
As a result the unspoken rules of the Internet -- for instance, the taboo against posting messages to thousands of strangers at once -- are no longer sacrosanct, if they ever were.

"We have people who think they are instant experts in the Internet," Curran says. "They don't have the time to learn the culture. As a result, we can't rely on cultural norms for protection. We have to close security holes pro-actively."

That, of course, is a direct challenge to the utopian view of the Internet that still prevails. Curran points out that the ability to modify the return addresses on e-mail or web traffic was originally intended to let people change their Internet Protocol addresses as they moved around the country. That rarely used loophole has now come back to haunt the Internet.

One of the technical solutions to the PANIX-style assault would be to make each Internet service provider check the return addresses on the outgoing messages from its computers. That would cut down bogus return addresses at the source and prevent people from exploiting that loophole. The Internet community could shun those providers who did not agree to participate by refusing to accept connections or e-mail from their clients. "We've been doing it for some time now," says PANIX's Nass. "It's just a matter of good 'net citizenship." Such a solution would also make it easier to track the sources of child pornography, another nagging Internet problem.

The idea that participation in the Internet community might come with some strings attached -- that outlaws would not be tolerated -- cuts against the grain for those who would prefer the Internet to remain a place without rules or standards. But the threat of cyber-saboteurs is real -- and in reality, every community throughout history has been forced to constrain certain kinds of behavior in order to accommodate the greater public good. Cyberspace, it is beginning to seem, is no different.