
@RISK Online - The Security Blog


03/17/2000: "Hack Attacks: Who's responsible?"

• Massive attack knocks Yahoo! Offline
• Leading Web sites under attack
• Hacker steals 100,000 credit card numbers, threatens to post them online

I'm sure you've all heard about these recent episodes. Several major web sites were crippled early last month, making them unavailable for several hours. Additionally, there have been recent incidents of web extortion where hackers have stolen up to 100,000 credit card numbers from e-commerce sites. The data was then held for ransom in the hope that the compromised sites would pay up to avoid public humiliation and loss of customer confidence. These high-visibility events have helped to make the average computer user more aware of the security issues associated with being online. People are starting to ask, "Who's responsible?"


Hackers? Sure, but how do you find them? How do you prosecute to recoup losses? These questions and more are currently being pondered by various segments of the Internet industry, e-commerce, and IT security. Unfortunately, there is no single answer to this question. Most would agree that hackers are responsible. After all, they are the perpetrators of the crime. They spend hours searching, seeking out those vulnerable systems, compromising them, and installing backdoors so they can come and go as they wish. They have compromised literally thousands of computers around the world. These compromised systems can be used as a jumping-off point for further attacks, or they can be used cumulatively for major denial of service attacks such as those mentioned above. If they aren't responsible, then who is?

ISPs? Internet Service Providers; how could they be responsible? One argument is that ISPs do not properly manage or monitor their networks. Perhaps they're after a fast buck, just setting up massive networks with little thought to security. Perhaps they're just overworked and understaffed, with few resources available for the ongoing task of managing the security of these rapidly changing environments. Either way, some would argue that they're providing the opportunity for hackers to work freely at their conscienceless task. If ISPs properly secured their networks, hackers wouldn't have the opportunity to navigate so freely and with such anonymity. Who else may bear some of this responsibility?

Universities? What do they have to do with this? University networks are established to enable the free sharing of information and ideas (that's one of the Internet's earliest purposes). Unfortunately, this means that the network is wide open, with minimal security. The argument is that greater security would simply get in the way of what they are trying to accomplish. The problem here is that many attacks have been launched from compromised university machines! The very openness that they require makes them vulnerable to this form of exploitation. So what about other compromised machines?

CIOs? Why not? After all, they're responsible for the security of their corporate networks. Shouldn't they be held responsible if the network they manage is compromised and used in an attack against someone else? If the security of their network is so bad that a bunch of kids can break in and take over machines at will, shouldn't the CIO be held responsible? Where will it end?

Bill Gates? Yes, what about Mr. Microsoft? But what about Linux systems? Should we add Linus Torvalds to this list? Perhaps we should just include the designers, developers and marketers of ANY major operating system. If it weren't for the buggy implementation, poor programming, and the push to get products to market, this problem wouldn't even exist... right?

Clearly, there's no definite place to lay the blame. There are many factors that contribute to the poor state of security on the Internet. The more "wired" you are, the more vulnerable you become. Everyone will have to participate in the cleanup effort... sort of a Cyber Green-up Day. So, let's all grab a trash bag and get started.
