@RISK Online - The Security Blog

[Previous entry: "PKI: It's all about Trust"] [Main Index] [Next entry: "Hack Attacks: Who's responsible?"]

02/26/2000: "Risk e-Business"

Well, it's finally happened. I had my first close encounter with real life crackers! A good friend of mine recently went to work for a small Internet startup company (I generally refer to them as "3 Men and a Web Server"). I sent him an email Tuesday morning after the long President's Day weekend. His response came as a complete surprise, "Hey, I was just thinking about calling you. We've been hacked! Can you help us out?"


It seems a bunch of teenagers had an evening to waste, since there was no school on Monday. They stayed up late Sunday night, giving them time to orchestrate the break- in. Why do I say it was teenagers? Well, basically they "broke in, had a party, and ransacked the place". What am I talking about? Let me explain. Someone compromised a commercial web server, then uploaded some files allowing them to run a chat server. They had a nice party with a few dozen of their closest friends. When it was all over, instead of cleaning up after their party and leaving everything as they found it, they crippled the server! When my friend and his coworkers arrived at work Tuesday morning, their server was not working. Furthermore they couldn't even gain access to the server to resolve the problem... even after rebooting!

Many are probably wondering how this can happen. How can a "bunch of kids" take down a critical commercial web server and use it for fun and games? My more important question is; how can any company place an unsecured machine on the Internet? Sure, "Three Men and a Web Server, Inc" probably doesn't have a lot of capital on hand to hire an expensive security consultant to make sure everything is set up properly, but is that what's really necessary? Let's take a closer look...

Is Internet Security really that important, or is it all hype? Simply put, it really is important. ANY system connected to the Internet can be compromised! And I mean ANY system! In the case I've told you about here, the damage is fairly obvious: Loss of revenue due to the server downtime. The company provides web-based advertising. No server = No ads. No ads = No revenue! Furthermore, this incident may be enough to put this little company out of business. Why? Not because the loss of revenue is that damaging, but because it erodes customer confidence! This little startup may go out of business because a bunch of kids took over their server one weekend.

But it can get worse! Let's suppose that the server was taken over by someone with more than chat rooms in mind. I'm sure everyone remembers the massive Denial of Service attacks last month. Those attacks brought down major sites like eBay, Amazon, Yahoo, and many others. Those attacks were launched from compromised machines connected to the Internet. I can easily imagine a point in the near future when victims of these attacks will seek monetary compensation from the losses associated with these attacks. And since it's so hard to find the actual attackers, they'll come after the people whose machines were used in the attack. After all, if they had taken proper precautions in setting up the security of their network, these attacks would never have been possible, right?

This may sounds far-fetched, but let me point out one other fact... Hacker Insurance is already being sold. And how do insurance companies cover their losses when they have to pay out on a policy? They sue! Now, do you still want that full-time cable or DSL Internet connection in your home

Navigation:

My Blogroll:

Security Advisories:

Defacements Archive:

Security News:

Security Tools: