Cyber Crime

First Yahoo! Then eBay. The Net's vulnerability threatens e-commerce--and you

The scenario that no one in the computer security field likes to talk about has come to pass: The biggest e-commerce sites on the Net have been falling like dominoes. First it was Yahoo! Inc. On Feb. 6, the portal giant was shut down for three hours. Then retailer Inc. was hit the next day, hours after going public. By that evening, eBay,, and CNN had gone dark. And in the morning, the mayhem continued with online broker E*Trade and others having traffic to their sites virtually choked off.

The work of some super hacker? For now, law enforcement officials don't know, or won't say. But what worries experts more than the identity of this particular culprit or outlaw group is how easily these attacks have been orchestrated and executed. Seemingly, someone could be sitting in the warmth of their home and, with a few keystrokes, disrupting electronic commerce around the globe.

DEAD HALT. Experts say it's so easy, it's creepy: The software to do this damage is simple to use and readily available at underground hacker sites throughout the Internet. A tiny program can be downloaded and then planted in computers all over the world. Then, with the push of a button, those PCs are alerted to go into action, sending a simple request for access to a site, again and again and again--indeed, scores or hundreds of times a second. Gridlock. For all the sophisticated work on firewalls, intrusion-detection systems, encryption and computer security, e-businesses are at risk from a relatively simple technique that's akin to dialing a telephone number repeatedly so that everyone else trying to get through will hear a busy signal. "We have not seen anything of this magnitude before--not only at eBay, but across so many sites," says Margaret C. Whitman, CEO of eBay.
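The flood described above looks, from the defending site's side, like a handful of sources each repeating the same request far faster than any visitor would. The following is an added example, not part of the original article: it measures each source's peak request rate over a constructed access log and flags the repeaters. The log format, the addresses (documentation ranges), the function names, and the 20-requests-per-second cutoff are all assumptions.

```python
from collections import defaultdict, deque

THRESHOLD = 20  # assumed cutoff: requests per source per second

def make_sample_log():
    """Constructed log lines: '<time_ms> <source> <method> <path>'."""
    lines = []
    for ms in range(0, 2000, 20):  # 3 planted hosts, 50 requests/second each
        for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(f"{ms} {host} GET /")
    for i in range(5):  # 5 ordinary visitors, 2 requests each
        for ms in (250 + i * 100, 1400 + i * 100):
            lines.append(f"{ms} 198.51.100.{i + 1} GET /index.html")
    return sorted(lines, key=lambda line: int(line.split()[0]))

def peak_rates(lines, window_ms=1000):
    """Map each source to its highest request count in any sliding window."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        ms, src = line.split()[:2]
        ms = int(ms)
        q = recent[src]
        q.append(ms)
        while ms - q[0] >= window_ms:  # drop requests older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)

def flooding_sources(lines, threshold=THRESHOLD):
    """Sources whose peak rate exceeds the threshold."""
    return sorted(s for s, n in peak_rates(lines).items() if n > threshold)

def flood_share(lines, threshold=THRESHOLD):
    """Fraction of all requests that came from flagged sources."""
    flagged = set(flooding_sources(lines, threshold))
    return sum(line.split()[1] in flagged for line in lines) / len(lines)

if __name__ == "__main__":
    log = make_sample_log()
    print("flagged:", flooding_sources(log))
    print(f"share of traffic from flagged sources: {flood_share(log):.1%}")
```

A per-source cutoff only catches hosts that each send quickly; the more machines the requests are spread across, the lower each one's rate, which is why the aggregate share is reported alongside the flagged list.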

No information on a Web site was snatched, no data corrupted, no credit-card numbers stolen--at least so far. Yet it's a deceptively diabolical trick that has temporarily halted commerce on some of the biggest Web sites, raising the question: How soft is the underbelly of the Internet? Could tricks like these jeopardize the explosive growth of the Web, where consumers and businesses are expected to transact nearly $450 billion in business this year? "It's been war out there for some time, but it's been hidden," says James Adams, co-founder of iDEFENSE, an Alexandria, Va., company that specializes in cyber threats. "Now, for the first time, there is a general awareness of our vulnerabilities and the nature of what we have wrought by running helter-skelter down the speed race of the Information Highway."

To be sure, not even the most hardened cyber sleuths are suggesting the Net is going to wither overnight from the misdeeds of these wrongdoers. But the events of recent days are delivering a shrill wake-up call to businesses that they need to spend as much time protecting their Web sites and networks as they do linking them with customers, suppliers, contractors--and you. Consider just a quick smattering of recent events: In December, 300,000 credit-card numbers were snatched from online music retailer CD Universe. In March, the Melissa virus caused an estimated $80 million in damage when it swept around the world, paralyzing e-mail systems. That same month, hackers-for-hire pleaded guilty to breaking into phone giants AT&T, GTE, and Sprint, among others, for calling card numbers that eventually made their way to organized crime gangs in Italy. According to the FBI, the phone companies were hit for an estimated $2 million.

Cyber crime is becoming one of the Net's growth businesses. The recent spate of attacks that gummed up Web sites for hours--known as "denial of service"--is only one type. Today, criminals are doing everything from stealing intellectual property and committing fraud to unleashing viruses and committing acts of cyber terrorism in which political groups or unfriendly governments nab crucial information. Indeed, the tactic used to create mayhem in the past few days is actually one of the more innocuous ones. Cyber thieves have at their fingertips a dozen dangerous tools, from "scans" that ferret out weaknesses in Web site software programs to "sniffers" that snatch passwords. All told, the FBI estimates computer losses at up to $10 billion a year.

As grim as the security picture may appear today, it could actually get worse as broadband connections catch on. Then the Web will go from being the occasional dial-up service to being "always on," much as the phone is. That concept may be nirvana to e-tailers, but could pose a real danger to consumers if cyber crooks can come and go into their computer systems at will. Says Bruce Schneier, chief technical officer at Counterpane Internet Security Inc. in San Jose, Calif.: "They'll keep knocking on doors until they find computers that aren't protected."

Sadly, the biggest threat is from within. Law enforcement officials estimate that up to 60% of break-ins are from employees. Take the experience of William C. Boni, a digital detective for PricewaterhouseCoopers in Los Angeles. Last year, he was called in by an entertainment company that was suspicious about an employee. The employee, it turns out, was under some financial pressure and had installed a program called Back Orifice on three of the company's servers. The program, which is widely available on the Internet, allowed him to take over those machines, gaining passwords and all the company's financial data. The employee was terminated before any damage could be done.

The dirty little secret is that computer networks offer ready points of access for disgruntled employees, spies, thieves, sociopaths, and bored teens. Once they're in a corporate network, they can lift intellectual property, destroy data, sabotage operations, even subvert a particular deal or career. "Any business on the Internet is a target as far as I'm concerned," says Paul Field, a reformed hacker who is now a security consultant.

It's point and click, then stick 'em up. Interested in a little mayhem? Security experts estimate that there are 1,900 Web sites that offer the digital tools--for free--that will let people snoop, crash computers, hijack control of a machine, or retrieve a copy of every keystroke. Steve O'Brien, vice-president for information operation assessments at, an Annapolis (Md.)-based company that provides intrusion detection services and security solutions, says the number of ways to hack into computers is rising fast. He tracks potential threats both from hacker groups and from the proliferation of programs. Once a rare find, he now discovers at least three new nasty software programs or vulnerabilities every day. And those tools aren't just for the intellectually curious. "Anyone can get them off the Internet--just point and click away," says Robert N. Weaver, a Secret Service agent in charge of the New York Area Electronic Crimes Task Force.

UNLOCKED DOORS. It's an issue that has crimefighters up in arms. At a hastily called press conference in Washington, D.C., on Feb. 9, Attorney General Janet Reno pledged to battle cyber crime. "We are committed to tracking down those responsible and bringing them to justice" and ensuring "that the Internet remains a secure place to do business," she said. But Ron Dick, chief of the Computer Investigations & Operations Section of the National Infrastructure Protection Center, pointed out that Internet security can't be assured by the government alone. Companies need to vigilantly monitor their computers to ensure that hackers don't surreptitiously install programs from which to launch attacks. "For the Internet to be a safe place, it is incumbent on everyone to remove these tools," he says. Using them, "a 15-year-old could launch an attack."

Make that an 8-year-old, once the Internet is always on via fat broadband connections. There are currently 1.35 million homes in America with fast cable modems, according to market researcher International Data Corp. By 2003, the number will grow to 9 million, and there will be an equal or larger number of digital subscriber line (DSL) connections.

That gives hackers a broad base from which to stage an attack. When a PC is connected to a conventional phone modem, it receives a new Internet address each time the user dials onto the Net. That presents a kind of barrier to hackers hoping to break in and hijack the PC for the kind of assault that crippled eBay, Yahoo, and others. In contrast, cable and DSL modems are a welcome mat to hackers. Because these modems are always connected to the Net, they usually have fixed addresses, which can be read from e-mail messages and newsgroup postings. Home security systems known as personal firewalls are widely available for cable and DSL subscribers. But until they reach nearly 100% penetration, they won't prevent intrusions.

In the coming age of information appliances, the situation could get worse. According to many analysts, the U.S. will soon be awash in Web-browsing televisions, networked game consoles, and smart refrigerators and Web phones that download software from the Net. "These devices all have powerful processors, which could be used in an attack, and they're all connected to the Net," Schneier says.

True, broadband customers can switch off their Net connections. But as cool applications come onstream, nobody will want to do that. "There will be streaming music and video, 24-hour news, and all kinds of broadband Web collaboration," says John Corcoran, an Internet analyst with CIBC World Markets. "To take advantage of that, the door will be open 24 hours a day."

Corporations are no better off. There, security is becoming an expensive necessity. "At least 80% of a corporation's intellectual property is in digital form," says Boni. Last year, Corporate America spent $4.4 billion on sales of Internet security software, including firewalls, intrusion-detection programs, digital certificates, and authentication and authorization software, according to International Data. By 2003, those expenditures could hit $8.3 billion.

And still computer crime keeps spreading. When the FBI and the Computer Security Institute did their third annual survey of 520 companies and institutions, more than 60% reported unauthorized use of computer systems over the past 12 months, up from 50% in 1997. And 57% of all break-ins involved the Internet, up from 45% two years ago.

As big as those numbers sound, no one really knows how pervasive cyber crime is. Almost all attacks go undetected--as many as 60%, according to security experts. What's more, of the attacks that are exposed, maybe 15% are reported to law enforcement agencies. Companies don't want the press. When Russian organized crime used hackers to break into Citibank to steal $10 million--all but $400,000 was recovered--competitors used the news in marketing campaigns against the bank.

That makes the job even tougher for law enforcement. Most companies that have been electronically attacked won't talk to the press. A big concern is loss of public trust and image--not to mention the fear of encouraging copycat hackers. Following the attacks on Feb. 8 and Feb. 9, there was a telling public silence from normally garrulous Internet executives from E*Trade to Those that had not been attacked yet were reluctant to speak for fear of painting a target on their site, while others wanted no more attention.

And even when the data are recovered, companies are sometimes reluctant to claim their property. Secret Service agent Bob Weaver waves a CD-ROM confiscated in a recent investigation. The disk contains intellectual property--software belonging to a large Japanese company. Weaver says he called the company, but got no response.

Thieves and hackers don't even need a computer. In many cases, the physical world is where the bad guys get the information they need for digital break-ins. Dallas FBI agent Mike Morris estimates that in at least a third of the cases he's investigated in his five years tracking computer crime, an individual has been talked out of a critical computer password. In hackerland, that's called "social engineering." Or, the attackers simply go through the garbage--dumpster diving--for important pieces of information that can help crack the computers or convince someone at the company to give them more access.

"PAGEJACKING." One problem for law enforcement is that hackers seem to be everywhere. In some cases, they're even working for so-called computer security firms. One official recalls sitting in on the selection process for the firm that would do the Web site security software for the White House. As the company's employees set up to make their pitch, one person walked into the room and abruptly walked out. It turns out one of the people in the audience was with law enforcement, and had busted that person for hacking.

It's not just on U.S. shores that law enforcement has to battle cyber criminals. Attacks from overseas, particularly eastern European countries, are on the rise. Indeed, the problem was so bad for America Online Inc. that it cut its connection to Russia in 1996. Nabbing bad guys overseas is a particularly thorny issue. Take Aye.Net, a small Jeffersonville (Ind.)-based Internet service provider. In 1998 intruders broke into the ISP and knocked them off the Net for four days. Steve Hardin, director of systems engineering for the ISP, discovered the hackers and found messages in Russian. He reported it to the FBI, but no one has been able to track down the hackers.

As if worrying about hackers weren't enough, online fraud is also on the rise. The Federal Trade Commission, which responds to consumer complaints about bogus get-rich schemes or auction goods never delivered, says it filed 61 suits last year. How many did it have back in 1994, when the Net was in its infancy? One. So far, the actions have resulted in the collection of more than $20 million in payments to consumers and the end of schemes with annual estimated sales of over $250 million.

The FTC doesn't want to stop there. On Feb. 9, commissioners testified before a Senate panel, seeking an increase in the commission's budget, in part to fund new Internet-related policies and fight cyberfraud. The money is needed to go after ever more creative schemes. In September, for example, the FTC filed a case against individuals in Portugal and Australia who engaged in "pagejacking" and "mousetrapping" when they captured unauthorized copies of U.S.-based Web sites (including those of PaineWebber Inc. and The Harvard Law Review) and produced lookalike versions that were indexed by major search engines. The defendants diverted unsuspecting consumers to a sequence of porno sites that they couldn't exit. The FTC obtained a court order stopping the scheme and suspending the defendants' Web-site registrations.

All of this is not to suggest it's hopeless. Experts say the first step for companies is to secure their systems by searching for hacker programs that might be used in such attacks. They also suggest formal security policies that can be distributed to employees letting them know how often to change passwords or what to do in case of an attack. An added help: Constantly updating software with the latest versions and security patches. Down the road, techniques that can filter and trace malicious software sent over the Web may make it harder to knock businesses off the Net. Says Novell Inc. CEO Eric Schmidt: "Security is a race between the lock makers and the lock pickers." Regulators say that cybercrime thrives because people accord the Internet far more credibility than it deserves. "You can get a lot of good information from the Internet--95% of what you do there is bona fide," says G. Philip Rutledge, deputy chief counsel of the Pennsylvania Securities Commission. "Unfortunately, that creates openings for fraud."

And other forms of mayhem. That's evident from the attacks that took down some of the biggest companies on the Net. If blackouts and other types of cyber crime are to be avoided, then Net security must be the next growth business.