Computer Hacking Made Easy

A few years ago it would have been difficult to pull off an Internet attack like the one that knocked out the Twitter microblogging service in early August. A hacker would have needed either the tech savvy to hijack thousands of computers simultaneously or tens of thousands of dollars to pay someone else to do it. Not today. The tools for taking down Web sites like Twitter are getting so cheap and easy to use that many more people are now able to wreak havoc. "The barrier of entry is becoming so low that literally anyone can carry out these attacks," says Gunter Ollmann, vice-president for research at Damballa, an Atlanta Web security firm.

In the Twitter episode, hackers were trying to silence a single blogger, Georgy Jakhaia, who is known online as Cyxymu and has been critical of the Russian government. They launched a "denial-of-service" attack, in which thousands of computers try to communicate with the target Web site at the same time so the site's computers are overwhelmed and can't handle legitimate requests. In what appears to be collateral damage, the hackers took down the entire Twitter service, and hobbled the blogging site LiveJournal and Facebook, where Jakhaia also posted. Patrick Peterson, head security researcher for Cisco Systems (CSCO), compares the assault to using "a hand grenade to silence a fly."

It may be a sign of things to come: Criminal groups and hackers have infected tens of millions of computers around the world with viruses that allow them to control the machines to launch attacks or send spam. These networks of zombie computers, called "botnets," are then rented out on a per-machine and per-day basis through Web sites that make executing a denial-of-service (DOS) attack almost as easy as getting a book from Amazon (AMZN). No password cracking or software coding is necessary.

Security experts say the explosive growth of these botnets has led to a price war among underground suppliers. Two years ago, Ollmann says, there were about a half-dozen networks with a million or more hijacked computers, but now there are dozens with that many. The cost of renting out 10,000 machines—enough to cripple a site like Twitter—has tumbled to $200 a day from between $2,000 and $5,000. "We have seen the price points dropping fast," says Ollmann.

That's contributed to a surge in attacks. On Aug. 10 there were about 1,300 reported DOS attacks, according to a survey done by Chelmsford (Mass.) security firm Arbor Networks. On the same day two years ago, there were 700.

Attackers have a variety of motives. Some, like the Twitter assault, appear to be political campaigns to silence critics. Others help cover up fraud. Security consultant Kevin Mandia says the banks that hire him often come under attack when hackers have stolen ATM information and don't want victims to be able to see their diminishing balances on a bank's Web site. With the declining cost, DOS attacks may be used by a wider variety of people. A disgruntled employee could hammer his company's site; a car dealership could knock out a rival's site on a busy Saturday.

It would take perhaps an hour. A search on Google (GOOG) for "botnet" or "bot rent," leads to one of dozens of hacking forums, where there are postings to lease botnets. After downloading software that includes a control panel, a would-be attacker enters the name of the target Web site and manages the precise timing of the assault. Transactions are usually paid for with digital money transfers through Western Union.

Companies have been adding extra capacity to their computer networks to protect against DOS attacks. But security experts say the growing armies of botnets mean more creative approaches are needed. "Think like the bad guy," says Cisco's Peterson.

    Before it's here, it's on the Bloomberg Terminal.