Corrections or additions?

Published in U.S. 1 Newspaper on February 16, 2000. All rights


Welcome to

At the University of Pennsylvania last week, students

protesting university store policies staged a sit-in at the


office. At the same time hackers on the World Wide Web staged their

own version of a sit-in, sending millions of messages to several


prominent websites to clog up ISPs and slow down service to thousands

of customers.

E-Trade and Yahoo, two of the sites hit by cyber-vandals, emerged

relatively unscathed (no files were destroyed or corrupted), but the

prevailing confidence in online security suffered more serious wounds.

What was most disturbing about the "Denial of Service"


attacks is that they managed to cripple service in spite of all the

high-tech security measures, says Mark Meara, president of Princeton

Internet Group (PInG) at 13 Roszel Road.

"These hackers weren’t amateurs, they were professionals,"

says Meara. "Standard configurations include firewalls and other

security related methods, but these attacks were not breaking into

systems or cracking security codes — they were flooding the


"Hack-tivists" are more inclined to attack big sites, but

any website is vulnerable to sabotage — and there’s little that

ISPs can do about it, says Meara, who sends his customers to the


City office of Exodus Communications, the California-based ISP that

offers secure website hosting for clients like hosts Hotmail, Lycos,

and Nordstrom. "We personally have not been affected, nor have

our clients," he says. "But I don’t care how good you are

— you are going to be impacted if you are a target. If our servers

had been a target we would have had the same problems that they


Anybody is at risk, if somebody wants to be malicious."

That a web-based economy could also be a fragile economy is something

that no one has wanted to admit. But Sergio Heker, president of


Internet at 311 Enterprise Drive, hopes that last week’s siege will

bring Internet security to public attention. "People need to think

that Internet security issues matter," says Heker, who founded

of one of the earliest private Internet service providers, Global

Enterprise Services. NextGen has partnered with General Motors, IBM,

EDS, and PriceWaterhouse to make GM E-commerce ready in Mexico, and

it hosts the websites for about 100 clients.

NextGen offers a range of security options, but no


how many security methods are in place, says Heker, nobody is


"What was unique about this hacker attack was the deliberate


to get public attention," he says. "These things happen every


The first well-publicized D.O.S. attack was back in 1996, when a


computer sent thousands of housekeeping messages to cripple’s

ISP. Internet-security experts have known for some time that the Web

is vulnerable to D.O.S attacks, but it wasn’t until recently that

hackers’ techniques for launching an all-out attack became so


Now, by enlisting the help of hundreds or thousands of other computers

to send bogus messages, hackers can totally overwhelm a company’s

website. Moreover, they can do their dirty work so that there’s no

return address on the "packets" of information being sent

to the site under attack. Thus, ISPs are unable to trace the messages

and stop the perpetrators.

In 1998, the Justice Department and FBI formed a unit called the


Infrastructure Protection Center to help protect American businesses

and organizations from cyber-terrorism. Ultimately, though, the onus

is on ISPs to stop cyber-vandals by weeding out messages with phony

return addresses, or at the very least, providing a way of deflecting

these attacks. One way, says Meara, is to have a back-up server on

which to deflect cyber assaults. "Like, you would try

to divert the traffic to other servers," says Meara. "That

is really the only approach in a situation like that. Having extra

hardware may help give you some immediate relief."

Heker, whose company provides bimonthly seminars on security issues,

says that if you are concerned about security, you should check with

your web hosting company to see what layers of security it offers.

The first line of defense is the firewall. "The firewall could

be used as an enforcement system to track every packet that goes


he says. "Once the machine’s resources are overloaded, with a

firewall you can identify what address it is coming from and filter

it." Websites could have two firewalls working together or even

up to three firewalls, costing as much as $10,000 per month. Yet,

all could be attacked.

The next line of defense is the router, and your ISP could be ready

to also put a filter on the router. "If someone targeted the


the router is the only device that separates you from your ISP,"

says Heker. "You could only depend on the ISP." Other security

measures could include encryption, perimeter security, and antivirus

URL screening, to protect against "malicious" Java applets.

If your business requires "mission critical protection," Heker

suggests you need redundant access, more than one ISP. Security


are unavoidable, says Heker, now that business is transitioning so

fast into E-business, and preventing hacker attacks won’t necessarily

keep your website safe. An even greater risk for security, says Heker,

is internal — a company’s own employees.

Previous Story Next Story

Corrections or additions?

This page is published by

— the web site for U.S. 1 Newspaper in Princeton, New Jersey.

Facebook Comments