Corrections or additions?
Published in U.S. 1 Newspaper on February 16, 2000. All rights
reserved.
Welcome to HarshReality.com
At the University of Pennsylvania last week, students
protesting university store policies staged a sit-in at the
president’s
office. At the same time hackers on the World Wide Web staged their
own version of a sit-in, sending millions of messages to several
globally
prominent websites to clog up ISPs and slow down service to thousands
of customers.
E-Trade and Yahoo, two of the sites hit by cyber-vandals, emerged
relatively unscathed (no files were destroyed or corrupted), but the
prevailing confidence in online security suffered more serious wounds.
What was most disturbing about the "Denial of Service"
(D.O.S.)
attacks is that they managed to cripple service in spite of all the
high-tech security measures, says Mark Meara, president of Princeton
Internet Group (PInG) at 13 Roszel Road.
"These hackers weren’t amateurs, they were professionals,"
says Meara. "Standard configurations include firewalls and other
security related methods, but these attacks were not breaking into
systems or cracking security codes — they were flooding the
bandwidth."
"Hack-tivists" are more inclined to attack big sites, but
any website is vulnerable to sabotage — and there’s little that
ISPs can do about it, says Meara, who sends his customers to the
Jersey
City office of Exodus Communications, the California-based ISP that
offers secure website hosting for clients like hosts Hotmail, Lycos,
and Nordstrom. "We personally have not been affected, nor have
our clients," he says. "But I don’t care how good you are
— you are going to be impacted if you are a target. If our servers
had been a target we would have had the same problems that they
experienced.
Anybody is at risk, if somebody wants to be malicious."
That a web-based economy could also be a fragile economy is something
that no one has wanted to admit. But Sergio Heker, president of
NextGen
Internet at 311 Enterprise Drive, hopes that last week’s siege will
bring Internet security to public attention. "People need to think
that Internet security issues matter," says Heker, who founded
of one of the earliest private Internet service providers, Global
Enterprise Services. NextGen has partnered with General Motors, IBM,
EDS, and PriceWaterhouse to make GM E-commerce ready in Mexico, and
it hosts the websites for about 100 clients.
NextGen offers a range of security options, but no
matter
how many security methods are in place, says Heker, nobody is
impervious.
"What was unique about this hacker attack was the deliberate
attempt
to get public attention," he says. "These things happen every
day."
The first well-publicized D.O.S. attack was back in 1996, when a
single
computer sent thousands of housekeeping messages to cripple
Panix.com’s
ISP. Internet-security experts have known for some time that the Web
is vulnerable to D.O.S attacks, but it wasn’t until recently that
hackers’ techniques for launching an all-out attack became so
sophisticated.
Now, by enlisting the help of hundreds or thousands of other computers
to send bogus messages, hackers can totally overwhelm a company’s
website. Moreover, they can do their dirty work so that there’s no
return address on the "packets" of information being sent
to the site under attack. Thus, ISPs are unable to trace the messages
and stop the perpetrators.
In 1998, the Justice Department and FBI formed a unit called the
National
Infrastructure Protection Center to help protect American businesses
and organizations from cyber-terrorism. Ultimately, though, the onus
is on ISPs to stop cyber-vandals by weeding out messages with phony
return addresses, or at the very least, providing a way of deflecting
these attacks. One way, says Meara, is to have a back-up server on
which to deflect cyber assaults. "Like Amazon.com, you would try
to divert the traffic to other servers," says Meara. "That
is really the only approach in a situation like that. Having extra
hardware may help give you some immediate relief."
Heker, whose company provides bimonthly seminars on security issues,
says that if you are concerned about security, you should check with
your web hosting company to see what layers of security it offers.
The first line of defense is the firewall. "The firewall could
be used as an enforcement system to track every packet that goes
by,"
he says. "Once the machine’s resources are overloaded, with a
firewall you can identify what address it is coming from and filter
it." Websites could have two firewalls working together or even
up to three firewalls, costing as much as $10,000 per month. Yet,
all could be attacked.
The next line of defense is the router, and your ISP could be ready
to also put a filter on the router. "If someone targeted the
router,
the router is the only device that separates you from your ISP,"
says Heker. "You could only depend on the ISP." Other security
measures could include encryption, perimeter security, and antivirus
URL screening, to protect against "malicious" Java applets.
If your business requires "mission critical protection," Heker
suggests you need redundant access, more than one ISP. Security
attacks
are unavoidable, says Heker, now that business is transitioning so
fast into E-business, and preventing hacker attacks won’t necessarily
keep your website safe. An even greater risk for security, says Heker,
is internal — a company’s own employees.
Corrections or additions?
This page is published by PrincetonInfo.com
— the web site for U.S. 1 Newspaper in Princeton, New Jersey.
Facebook Comments