ANALYSIS: Computer Hackers - Dealing with sneaky cyberspace invaders. Microsoft was tight-lipped last month in reaction to its hacker problems. But, as Joe McKee reports, there might be better ways to respond

In the B-movies of the 1980s, hackers were introduced to the US as teenage cyber-trespassers with poor personal hygiene. 'That image no longer applies,' warns Chad Dougherty of the Computer Emergency Response Team (CERT) at Carnegie Mellon University. 'Today's computer attacks are more sophisticated, and much more dangerous.'

Two weeks ago, Microsoft (a frequent hacker target) found out just how dangerous when its international Web sites were vandalized and its US sites were attacked. On January 24, the first reports of users having problems accessing some of Microsoft's Web sites appeared on Web news services. Within two days, the suite of Microsoft sites - MSN.com, Expedia.com, Hotmail.com, MSNBC.com, and Microsoft.com - was inaccessible to tens of millions of daily users and IT professionals.

Microsoft had no official PR response until three days after the first news stories. Rick Devenuti, Microsoft vice president and chief information officer, said in a statement that the company accepted 'full responsibility for the inconvenience.' He added, 'Microsoft's Web servers ... continued to operate normally during this event.'

The curious statement is true. Microsoft's Web servers were operating normally and were accessible if users typed in the numerical IP address for the Web sites instead of using the more common URL-name approach.

But most people don't know IP addresses, and Microsoft made no effort to inform its users that there was an option. Also, the problem-solving Web sites used by IT professionals who run Microsoft products were available through Google.com - a competing search engine. Google.com caches Web content on private servers unaffected by the attack.



Timing is everything

Although no customer data was compromised, the Microsoft attack couldn't have come at a worse time. The company had just launched a $100 million campaign to promote the security and reliability of its networking software. And the attack threatened the public perception of the company's new .NET strategy, which encourages users to store documents and applications online with Microsoft instead of on their desktop computers.

Unfortunately, this is just the latest in a long line of techno-woes for the software giant. Last October, an intruder gained access to Microsoft's corporate network using a Trojan horse program that infiltrated security through a user's e-mail. The program sent password data back to an anonymous e-mail address in Russia. The company kept quiet about the break-in for two weeks. When the story broke, CEO Steve Ballmer admitted that blueprint codes for projects under development were viewed and possibly copied.

A few weeks later, Microsoft's attempts at back-pedaling backfired when statements denying that the intruder copied source codes were widely criticized. Stories and chatrooms were filled with experts who speculated about the safety of current and future Microsoft products.

'We are no longer commenting on October's incident,' Microsoft spokesman Rick Miller said weeks after that attack. Microsoft also declined to comment on recent attacks.

But news stories continue to criticize Microsoft and its response.

Not all companies attacked by hackers handle the PR issues as poorly as Microsoft has. Last September, Western Union faced a more serious problem when 15,700 customer credit card numbers were stolen from their online money transfer site.

'I got the call on a Friday,' says Pete Ziverts, vice president of corporate communications. 'That's when we learned we'd been hacked. It quickly became the busiest, most stressful weekend of my professional life.

'At the time,' explains Ziverts, 'we weren't sure if customer data had been copied, only that it might have been. We decided to contact customers anyway, so they could take steps to protect themselves.'

Western Union initiated a fast response, using e-mail, its Web site, and call center operators to inform customers of what happened and how to protect themselves. The move was heralded as pioneering, because most financial companies refuse to even acknowledge security incidents.

'It was a risk,' says Michael Yerington, president of Western Union North America. 'But in the end, it was about trust. Customers entrust us with their funds, so we felt we had to respond in a trustworthy way.'



What of damaging the Western Union brand?

'We felt taking a low profile would have resulted in real long-term damage,' answers Yerington. 'Because we acted quickly, the damage to our business was minimal. We did the right thing, and the business results appear to support it.'

'We didn't go to the media first,' adds Ziverts. 'Our key strategic decision was to treat our customers with respect, and doing so avoided even the slightest appearance of impropriety.'

Western Union's quick, honest response seems to have created the least damaging path out of the PR quagmire.

'Western Union is the poster child of how a company needs to handle hacker attacks,' says one Internet security expert.

While Microsoft and Western Union are high-profile targets, smaller online companies have also fallen prey. In one of the largest data heists in hacker history, CDUniverse.com found itself facing a $300,000 ransom demand last January from a hacker named Maxim, who claimed to have stolen 300,000 credit card numbers.

When CDUniverse refused to pay, 25,000 numbers showed up on hacker sites.

The FBI is still investigating. Experts doubt that Maxim will be caught, because the company has been accused of mishandling evidence. CDUniverse's parent company sold the unit last year and refused to comment.



Similarities signal a trend

While these three cases are different, they show a trend in computer attacks: many now involve former Soviet bloc countries. With poorly performing economies, some Soviet-trained programmers have become more entrepreneurial, forming a network known as the 'khackeri.' CDUniverse's data thief, Maxim, is a well-respected khackeri member whose exploits are told in mythic prose on hacker Web sites.

But the dangers of hacking attacks can be more serious than data-heists and PR problems.

In early November, prosecutors charged a California man with breaking into hundreds of systems, including the National Aeronautics and Space Administration's satellite control computers. At the time of the break-in, the Shuttle Atlantis was in orbit. NASA's quick acknowledgement of the break-in allowed the agency to explain why the shuttle's systems were never at risk.

'These kind of serious attacks,' says CERT's Chad Dougherty, 'are becoming more common. While the sophistication of the attacks is increasing, the ease of launching an attack is decreasing. Easy-to-use programs are widely available. Some even have point-and-click interfaces.'

Despite these trends, experts agree most break-ins and service interruptions result from simple negligence.

According to Dougherty, 99% of incidents reported to CERT stem from known security weaknesses in software or hardware devices.

'Companies can avoid a lot of hassle and a lot of cost,' explains Dougherty, 'if they just watch for patches and updates from vendors. Being vigilant is really the best protection.'




