Friday, July 10, 2009
Web Attacks Highlight a Bigger Problem
DDoS attacks are a symptom of a common illness, albeit with an elusive cure.
By Anne-Marie Corley
Network-based visualization of a DDoS. Credit: Sandia National Laboratories
Mystery still surrounds this week's distributed denial of service (DDoS) attacks on U.S. and South Korean websites, and while speculation points to North Korea as the source, it's likely that we'll never know for certain. The use of a botnet--thousands of infected computers--by definition obscures the identity of the attacker, and with thousands of IP addresses involved, they're hard to trace back to the source.
An article in the Wall Street Journal points out politically motivating factors that implicate North Korea: the timing can be linked to North Korea's most recent missile launches, as well as new U.N. sanctions announced last week. Wednesday was also the fifteenth anniversary of the death of Kim Il-Sung, the former leader of the DPRK.
Even so, the attacks appear to be relatively unsophisticated. Jose Nazario of Arbor Networks, a company that monitors internet traffic and DDoS attacks, calls them "amateurish" due to a mix of approaches cobbled together using five- or six-year-old malcode that wasn't particularly well hidden. It's also only a moderately sized attack--at 25 megabits per second--though it involves just over 100,000 bots, concentrated heavily in South Korea. What's most interesting, says Nazario, is the coordination of attacks on both U.S. and South Korean government and commercial sites.
While the attacks made headlines, DDoS is a common problem that happens to big companies every day, and far more aggressively than these hits to government and commercial sites. The White House, NSA, State Department and Department of Defense, after all, are not high-traffic moguls like Google or Amazon, which get attacked daily and have built up their own in-house defenses, says Hal Roberts, of Harvard's Berkman Center for Internet and Society. We just don't hear about Amazon or Google getting attacked, Roberts says, because it happens so frequently and doesn't bring down their sites. "There are literally hundreds, if not thousands [of attacks] going on in any given time," says Roberts.
If two governments were to really go at it in cyberspace, Arbor Networks' Nazario says they would more likely target key nodes like voice exchange points to inflict real pain or disrupt communications, or they could go after each other's secrets, similar to the "Titan Rain" attacks that began in 2003, where government and academic research computers were mined for secret project information. Stealing or modifying data, says Nazario, would have a much bigger impact than overwhelming websites.
Comments
The fault of the cyber vulnerability is three-fold. First, Microsoft has given the world a very flawed, very complex operating system that high school students and college students can easily crack.
Second, the majority of Windows users click on any offer that's shiny (Britney Spears photos!, funny videos, scandal exposes!), allowing their computers to be turned into robots by Eastern European mafia types, Russian cyber war groups or Chinese zealot-hackers. At the drop of a mouse button, millions of robot computers, all over the world, can be instructed to send millions of messages to target servers that can't be handled, thus shutting them down.
Third, the Internet routers and the Internet communications backbone companies don't modify their software-based systems to detect and block cyber attacks.
Every Internet message to a server comes with the return address of the PC that sent the message. This information resides on the target server and the routers. It should be a federal offense for a PC to be used for a cyber attack. If you have the IP address of a cyber attacking PC you can send them a warning message. The apathetic PC owners whose PCs are used to threaten national security should be inconvenienced to the point that they install federally certified Internet security software. If their PCs are used repeatedly for cyber attacks they should be fined.
Google is preparing a new operating system, Chrome-OS. Hopefully it won't be as vulnerable as Windows. If it is safer, federally funded computers should be switched to the safer operating system as soon as practical. If Microsoft shapes up, good for them.
Cisco, Juniper, ATT, Qwest, Verizon, TimeWarner, Cox and the other Internet Service Providers (ISPs) should accept their responsibility and reconfigure their networks and software. If an ISP is being used by cyber attackers or hackers, it should be slowed down and then put off the air if it doesn't police its users. We know that the ISPs can detect high volume use.
Email systems should not be made so vulnerable. Mass mailing to everyone on the PC user's list should be slow and tedious, and maybe impossible.
The federal government and even major credit data companies should not have computers with secret or sensitive information connected directly to the Internet. Credit data companies, including large retailers, should be required to encrypt all their data. How many more years will pass before these agencies and companies act responsibly?
Further, the Obama Administration's Cyber security Czar should act quickly. Congress should hold hearings and embarrass the people that made this national security gap happen.
Cliff
Clifford W. Lazar
Lazar Developments
lazarcw
07/10/2009
Posts:1
It is totally a different situation today… People register to tens and possibly hundreds of accounts in their short online lifetime.
And having to define a different user id and password for each of these accounts is simply crazy to expect. And then to give away my mother's maiden name, pet's name, my favorite restaurant, etc. to an online website that can get hacked can not only compromise my online accounts but also my real accounts such as bank accounts where these are used many a time.
IT IS SCARY…..
I have not used social networking sites much and have switched from one to another regularly. I was on orkut, then got bored and switched to LinkedIn which sounded more professional and now use FaceBook regularly and come to think of it, I use the same password for all of these.
IT IS EVEN MORE SCARY NOW….
And this thought did not cross me now…it happened many months ago when the AOL story broke out and I wondered if there is a solution for this. And then I realized that the solution is not stronger password or having to tell the computer to remember it for me or to use my mother’s maiden name to recover it.
THE SOLUTION IS TO JUST DUMP THE PASSWORD……IT IS NO LONGER NEEDED.
Today’s USER AUTHENTICATION system is developed for DESKTOP COMPUTING not for CLOUD COMPUTING where people exchange information between each other more regularly.
Today, the computer is mobile be it the NetBook or your Smart Phone. You carry it where you go and with pervasive mobile internet connectivity, you can get connected from anywhere using Wi-Fi, or GPRS or EDGE.
SO PLEASE INTERNET SECURITY EXPERTS…..WAKE UP…WE ARE NO LONGER STUCK TO A DESKTOP. AND HENCE DO NOT NEED TO USE A USER ID/PASSWORD TO ACCESS OUR ACCOUNTS FROM A DIFFERENT COMPUTER. WE OWN A NETBOOK OR AN IPHONE FROM WHICH WE DO MOST OF OUR ONLINE ACCESS OR WORK EXCEPT FOR WHEN WE ARE WORKING IN OUR OFFICES WHERE THE COMPANY SPENDS ZILLIONS ON SECURITY ANYWAYS.
IBM had thought of a password free system many years back….they also filed a prior art on this.
http://www.priorartdatabase.com/IPCOM/000039794/
Others have followed… http://www.kirit.com/A%20simpl.....eb%20sites
And I have filed my own patent for EasySecured which offers a unique, simpler and completely SECURED way to achieve the same concept.
ISN'T THIS AMAZING……NO PASSWORD TO REMEMBER, NO PASSWORD STORED ANYWHERE AWAITING TO BE HACKED?
IF PASSWORDS ARE NOT STORED ON THE SERVER OR YOUR COMPUTER, THERE IS NO WAY HACKERS CAN HACK INTO ONLINE ACCOUNTS.
AM I CRAZY? HOW DOES ONE AUTHENTICATE AN ACCOUNT IF THERE ARE NO PASSWORDS?
The solution is downright SIMPLE, your computer is your password. By this I mean not just a desktop, your netbook, your laptop, your smartphone, IPHONE anything that is a computer. YOU ARE NOT STUCK TO A SINGLE COMPUTER.
Your online account will open only from the computers you have registered to access. You do not have to define a password or remember it. Only your User ID which is like the PIN number of your Credit Card and which will work only from your computer or the computers you allow it to work.
ONCE AGAIN …..NO PASSWORD…. IS STORED IN YOUR COMPUTER…. OR THE HOST SERVER.
The password is a unique signature derived from the various parts of your computer mashed up using a patent pending technology that is generated real time every time you try to log in to your account from the registered computer.
The server authenticates by decrypting your user account details using this real-time generated password and granting you access to your account.
Hackers rely on stored user id and password on servers to hack accounts. In this case only your user id is stored on the server, encrypted with a real time generated password that is stored NOWHERE.
IF a hacker has to gain access to your online account, he or she has to also gain access to your computer or IPHONE or NetBook along with your original User ID.
As every User ID and critical user information such as credit card numbers etc are encrypted using a unique key generated by a physical device, there is NO WAY HACKERS CAN HACK INTO ONE ACCOUNT AND GET THE KEY TO HACK THE REST OF THE ACCOUNTS ON THE SERVER.
I have been working on this idea and concept for months and only need industry support to make this a reality and ONCE AND FOR ALL PUT AN END TO THE VULNERABILITY OF ONLINE ACCOUNTS.
You can twitter me @gurudatts to know more about this or email me.
gurudatts
07/31/2009
Posts:4
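The scheme described in the comment above, sketched as an added example (it is not the commenter's EasySecured code, which does not appear on this page): a key derived at login from device attributes opens a record that the server holds only in sealed form. The attribute names, the use of PBKDF2, and the HMAC-based stand-in for an AEAD cipher are assumptions, and client and server are collapsed into one process.

```python
import hashlib
import hmac
import json
import os

# Constructed sample device; attribute names are assumptions, not from the comment.
LAPTOP = {"cpu_id": "constructed-cpu-01", "disk_serial": "constructed-disk-01",
          "mac": "02:00:00:00:00:01"}

def device_key(attrs, salt):
    """Derive 64 bytes (cipher key + MAC key) from device attributes; never stored."""
    material = json.dumps(attrs, sort_keys=True).encode()  # canonical encoding
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=64)

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD such as AES-GCM."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], nonce, len(ct))))

def register(store, user_id, attrs, record):
    """Server keeps only a random salt and the sealed record, no password or key."""
    salt = os.urandom(16)
    store[user_id] = (salt, seal(device_key(attrs, salt), record))

def login(store, user_id, attrs):
    """Re-derive the key from the presenting device and try to open the record."""
    if user_id not in store:
        return None
    salt, blob = store[user_id]
    return unseal(device_key(attrs, salt), blob)
```

The derived key depends only on the attribute values and the stored salt, so any machine that reports the same values derives the same key.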