By Nitin Chittal
Admit it. There's a sadistic pleasure in watching hackers rip into the big boys of the dot.com world.
ZDNet, E*Trade, CNN, eBay, Amazon.com, Yahoo -- they had all seemed invincible, touting heavy security and sky-high market caps. Until February came along and their sites were crippled.
It's time to wake up and admit the obvious.
If they could take down Amazon, is anyone else really e-safe?
Research at the Federal Bureau of Investigation (FBI) indicates that 80 per cent of all computer crimes reported to the agency are committed using the Internet to break into an information database. Computer fraud is also on the rise. From a measly 3 per cent in 1997, Internet complaints have shot up to 24 per cent of all consumer complaints filed with the Federal Trade Commission. A rise of 500 per cent in just two years!
The vulnerability of Amazon, Yahoo or eBay to the recent attacks was not due to their negligence, a fact fully understood by Wall Street: even after the attack, share prices refused to move down. The attacks actually came from several unprotected Internet servers, which hackers programmed to launch an information blitzkrieg on popular sites. Hackers were able to harness these servers because they were not protected by firewalls or intrusion-detection software. Currently, of the 5-7 million US businesses hooked up to the Internet, only about 500,000 have installed security software.
The scenario is even more dangerous around the world. "There are 15 million corporate entities globally (hooked on to the Net), yet only 700,000 firewalls have ever been sold," Steve Fallin, director of Watchguard Technologies Rapid Response Team, a Seattle-based firewall software company was quoted as saying in a US newspaper. "That's an enormous gap."
"Hackers are exploiting the gap," said Fallin. "They've found companies that don't have firewalls and planted these seeds to attack Amazon. They can find this army to turn against anyone they want." Hackers are especially dangerous because they can copy data without leaving a trace. You could have all your documents stolen and never know it.
The hackers in this case, however, did not do any damage (other than disrupting services) either to target sites or the sites they actually hacked to conduct the raids. They may be just fooling around to embarrass you and get a notch on their belts for the next hackers' conference, opines an Internet security analyst.
Magnitude of loss
What the sites lost was potential business and maybe some amount of goodwill. Still, the estimated loss is mind-boggling. At the height of the attack, Yahoo's site was pounded with one gigabit, or one billion bits, of information (a gigabit is about 130 million characters of standard text) per second. This is roughly what some sites handle in an entire week. Since an estimated 100 million pages would have been viewed during the two hours Yahoo was down, the company could potentially have lost as much as $500,000, analysts said.
The whole affair, which lasted just over half a day, is estimated to have cost in excess of $1.2 billion.
Hackers could have targeted the unprotected servers themselves, harming these servers as well as others, which are connected to them. One or several of them could have been Indian. "Security on computer systems and networks even in large organisations in India is very poor", says Kumud Goel of Jaldi.com. "There are people who can hack VSNL or any other major server in India. We need a fiasco before people will wake up and organisations will spend money on security."
Abhay Mehta, a software consultant and author of Power Play, concurs with this view. "Internet security in India is effectively nil", he says. "VSNL is a prime example and most other companies (private or public) too don't have a clue about what is going on. On the other hand, the good news is that attackers are very few."
But that might not be the case for long, especially given the likes of February's DDoS attackers. As the attack showed, you might not be attacked directly, but you can easily be used as a conduit for an attack launched from anywhere in the world.
Interesting findings
A study by Ernst & Young, though pertaining to the United Kingdom, throws light on the pathetic Internet security scenario. The study found that:
Only 32 per cent of respondents who believed the Internet offered them new business opportunities expressed security concerns.
About 33 per cent of the respondents who suffered an external hacking attack in 1998 did not have a firewall installed at the time of the incident.
Although 76 per cent regarded security awareness training as very important, only 27 per cent took it up.
Almost 49 per cent of respondents use the Internet to transmit important financial information.
Only 57 per cent of UK firms have information security policies in place.
Only 29 per cent use a security risk management methodology to identify assets and scale controls.
Even in the US, 44 per cent of the financial institutions surveyed by the US Congress's General Accounting Office were found to have taken insufficient steps to limit the risk associated with online banking. In its report, the GAO concluded that Internet banking is riskier than offline banking.
Worse at home
In India the situation is much worse. For one, cyber laws in India are yet to emerge. There are no secure payment mechanisms and everybody is in a rush to set up e-commerce or e-broking sites. The lack of security consciousness is compounded by the fact that even the much-touted secure sites in India have antiquated encryption standards. Except for a handful of banks, those sites that do have encryption rely on 40-bit encryption technology. Experts agree that 40-bit encryption does not provide an adequate level of safety, and there have been several publicised hacks. A panel of cryptographic experts including Whitfield Diffie, the inventor of public key cryptography, issued a report in January 1996. It said that a minimum of 75 bits was necessary for "adequate protection against the most serious threats" and 90 bits was necessary to thwart advances in hacking techniques for the next 20 years.
Encryption is needed to prevent an intruder from deciphering information even if he is able to eavesdrop on the network. Eavesdropping is possible in theory, but it requires very high skill, even when the information is not encrypted.
Forget about encryption. The fact is that many of us still run our servers on outdated technology (see expert comment by Shuvam Misra).
Even with Secure Sockets Layer (SSL) technology, the 40-bit encrypted sites are not exactly safe. The highest threat to sensitive information is the actual storage of that information. Until around last year, 80 per cent of security threats came from inside the organisations. The threat multiplies if the information (names, addresses, passwords or credit card details, for example) is stored in plain text or other easily decipherable formats.
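To make the storage point concrete, here is an added example (not code from the article or from any site it names) contrasting a password record kept in plain text with one kept as a salted, iterated hash, plus a helper that masks a card number down to its last four digits where the full number is not needed. The user names, passwords and card number are constructed sample values, and the PBKDF2 iteration count is an assumption chosen for this demo; an insider who copies the hashed record still does not learn the password.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumption: PBKDF2 work factor for this demo


def store_plaintext(username: str, password: str) -> str:
    """The weak form: the record on disk IS the secret. Anyone who reads the
    file (a backup, a log, an insider with a shell) has the password."""
    return f"{username}:{password}"


def store_hashed(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 digest instead of
    the password. Record layout: user:pbkdf2_sha256$iterations$salt_hex$digest_hex"""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{username}:pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _, payload = record.split(":", 1)
    scheme, iters, salt_hex, digest_hex = payload.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(record: str, password: str) -> bool:
    """Would someone who copies this record see the password in it?"""
    return password in record


def mask_card_number(pan: str) -> str:
    """Keep only the last four digits for display or receipts; the full number
    should never sit in a text field that is not actually needed for charging."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    # Constructed sample user; never reuse these values anywhere real.
    weak = store_plaintext("alice", "correct horse")
    strong = store_hashed("alice", "correct horse")
    print("plaintext record reveals password:", record_reveals_password(weak, "correct horse"))
    print("hashed record reveals password:   ", record_reveals_password(strong, "correct horse"))
    print("verify right password:", verify(strong, "correct horse"))
    print("verify wrong password:", verify(strong, "wrong horse"))
    print("masked card:", mask_card_number("4111 1111 1111 1234"))
```

Hashing is the right tool only for secrets that never need to be read back, such as passwords; card numbers that must be charged again later need encryption or tokenisation instead, which is why the helper above only masks them for storage where the full number is not required.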
Potential menace
In India, yet another threat is the use of one's credit card information by an unauthorised party to make purchases over the Net. Most sites, such as rediff.com, satyamonline.com and tsnshop.com, just ask for the credit card number, name and expiry date for conducting e-commerce. There is no validating mechanism to find out whether it is the actual card owner who has conducted the transaction.
Some time back, a teenager from Romania went on a shopping spree on major US sites by generating valid credit card numbers using a credit-card number generator freely available on the Net. This highlighted the ease with which credit card fraud can be accomplished even in the West. The credit card company, Crane Federal Credit Union, had the unenviable task of sorting out the mess. In the West, the final incidence of the loss is borne by the sellers, as they are fully responsible for the "card-not-present" transaction.
Even large websites have been duped by credit card cons. Last December, Amazon.com had referred a case to the FBI in which a Russian citizen was suspected of using 63 pilfered card numbers to buy electronic gear worth $70,000.
In the US, at any rate, the liability of the credit card holder is limited to $50 in the case of bogus purchases. Furthermore, US merchants use an Address Verification Service to confirm any US cardholder's name and billing address. Yet Visa reports that even though only 2 per cent of its credit card business is related to the Net, 50 per cent of its disputes and discovered frauds are in this area.
There are ways to circumvent the traps laid by credit card companies and merchants. For instance, crooks used unauthorised credit card numbers to buy e-tickets from Expedia.com, an online travel agent, and picked them up at the airport, thus avoiding a common red flag in credit card fraud: different billing and shipping addresses. Expedia.com is expected to lose $6 million on bogus airline tickets.
According to the National Consumer League, a non-profit consumer organisation, last year alone consumers and businesses were defrauded of $3.2 billion through Internet frauds. The Securities and Exchange Commission receives about 2,000 e-mails a day identifying potential Internet frauds. The Federal Trade Commission identified 18,660 Internet frauds last year.
How much are you liable?
In India, the liabilities are not very clear. It would not be out of place to assume that even for an unauthorised transaction the credit card company might set a goon on a legitimate user of the card. Some sites are doing a bit to protect the gullible credit card holder. For example, rediff.com claims to take full responsibility for fraudulent purchases of not more than Rs 1,000. Is that enough? What about big-ticket items, or even shoes and shirts, which usually cost more than Rs 1,000?
There are ways in which security can be enhanced and the incidence of fraud, credit card or otherwise, can be minimised. For one, encryption standards should be enhanced. Secondly, a mechanism should be evolved for authentication and verification of credit cards. One simple way is to ask for the billing address of the credit card holder so that it can be verified against the card issuer's records. Unless the impostor is close to the credit card owner, there is no way he will be able to provide the correct information. In the West, technology is being developed to combat credit card fraud. Expedia.com, for example, has deployed profiling software to root out questionable purchases. The software can analyse data, make comparisons and give a red signal for suspicious transactions.
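The two measures just described, an address check against the issuer's record and rule-based profiling that flags suspicious orders, can be sketched in a few dozen lines. The following is an added example written for this page, not Expedia's software or any card network's real AVS interface: the issuer records, the card numbers (represented by their last four digits), the risk weights, the high-value threshold and the approve/review/decline cut-offs are all constructed assumptions. The result codes are modelled on the usual AVS convention (Y, A, Z, N), and the screen deliberately treats "no shipping address" (pickup or electronic delivery, the e-ticket case above) as elevated rather than low risk, because the billing-versus-shipping comparison cannot help there.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Transaction:
    card_last4: str
    amount: float                            # in the merchant's currency
    billing_street: str
    billing_postcode: str
    shipping_street: Optional[str] = None    # None = pickup / electronic delivery
    shipping_postcode: Optional[str] = None

# Constructed stand-in for the issuer's address-on-file lookup. A real AVS query
# goes through the acquirer and card network; it is keyed on last4 here for the demo.
ISSUER_RECORDS = {
    "4242": {"street": "12 Park Lane", "postcode": "400001"},
    "1111": {"street": "7 Hill Road", "postcode": "560001"},
}

HIGH_VALUE = 500.0   # assumption: amount above which an order earns a risk point


def _norm(s: str) -> str:
    """Lower-case and drop punctuation/whitespace so '400 001' and '400001' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def avs_check(txn: Transaction) -> str:
    """Compare the billing address the buyer typed against the issuer's record.
    Y = street and postcode match, A = street only, Z = postcode only,
    N = neither, U = no record available for this card."""
    rec = ISSUER_RECORDS.get(txn.card_last4)
    if rec is None:
        return "U"
    street_ok = _norm(txn.billing_street) == _norm(rec["street"])
    post_ok = _norm(txn.billing_postcode) == _norm(rec["postcode"])
    if street_ok and post_ok:
        return "Y"
    if street_ok:
        return "A"
    if post_ok:
        return "Z"
    return "N"


def screen_transaction(txn: Transaction) -> dict:
    """Rule-based profiling: accumulate a risk score from the comparisons and
    return the AVS code, the flags raised and an approve/review/decline decision."""
    flags, score = [], 0
    code = avs_check(txn)
    if code == "N":
        flags.append("avs_no_match"); score += 50
    elif code in ("A", "Z"):
        flags.append(f"avs_partial_{code}"); score += 25
    elif code == "U":
        flags.append("avs_unavailable"); score += 15

    if txn.shipping_street is None:
        # Nothing to compare the billing address with; do not let the absence
        # of a shipping address read as "no mismatch, therefore safe".
        flags.append("no_shipping_address"); score += 10
    else:
        ship = (_norm(txn.shipping_street), _norm(txn.shipping_postcode or ""))
        bill = (_norm(txn.billing_street), _norm(txn.billing_postcode))
        if ship != bill:
            flags.append("ship_bill_mismatch"); score += 20

    if txn.amount > HIGH_VALUE:
        flags.append("high_value"); score += 20

    decision = "decline" if score >= 60 else "review" if score >= 30 else "approve"
    return {"avs": code, "flags": flags, "score": score, "decision": decision}


if __name__ == "__main__":
    # Constructed sample orders: a normal one, an obvious fraud pattern, and the
    # pickup-at-airport pattern that has no shipping address to compare.
    samples = [
        Transaction("4242", 45.0, "12 Park Lane", "400001", "12 Park Lane", "400001"),
        Transaction("4242", 700.0, "99 Other St", "110001", "5 Drop Point", "110002"),
        Transaction("4242", 700.0, "12 Park Lane", "400001"),
    ]
    for t in samples:
        print(screen_transaction(t))
```

The weights are the part a merchant would tune from its own chargeback history; the structure (verify against the issuer, then compare what the buyer supplied with itself and with a value threshold) is what the paragraph describes.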
The security market will continue to grow as the Internet expands and e-commerce takes off. Estimates by International Data Corporation point to an Internet user figure of 502 million by 2003, up from 142 million in 1998. Along with the growth in e-commerce, security concerns and cyber frauds are also bound to multiply. As Stephen Arnold, author of the book Publishing on the Internet: A New Medium for the New Millennium, puts it, "One can never be too thin, too rich or too secure".