Can the Internet ever be 100 per cent secure?


Recent attacks on companies like Yahoo! and have raised fears that no-one is safe from hackers, but how much damage can they really do?

These are troubling times for the emerging dot com industry. While share prices of any internet business publicly floated have gone through the roof as investors look to the future, all is not rosy in the virtual garden of IT. Many industry observers and analysts are predicting that the Internet bubble will soon burst when the City realises that not all Internet businesses will be as huge a success as initially predicted. Competition is increasing rapidly as many traditional bricks and mortar companies take the plunge into the online world to reap the benefits the Internet can bring.

But on top of all this, there is a constant threat from malicious elements who have taken it upon themselves to fight back against the continuing corporatisation of the web. And now it seems it is even easier for those who wish to wreak havoc to disrupt the running of a company's online operations.

Back in January, security vendor RSA hosted a conference in California. Many of the world's security specialists gathered together to discuss the latest threat to the Internet, DDoS (distributed denial of service) attacks. These denial of service attacks on companies' websites are nothing new; hackers have been trying to disrupt the service of the big corporations for years. What has changed is that tools which make it far easier to carry out these attacks have just started circulating in the hacker community. Programs like trin00, Tribal Flood Network and Stacheldraht (German for barbed wire) have made it simple for hackers with even the most basic of knowledge to bring down large companies' e-commerce sites.

The tools allow hackers to command hundreds or thousands of separate clients, which can then be used to attack a website with masses of junk data, slowing the site down immensely, or even bringing it down altogether. Because the attack seems to be coming from hundreds of different sources, it also makes tracking down the perpetrator or perpetrators very difficult. The tools do not require the hacker to gain root access to any client's system, making the task neither difficult nor time consuming. This also means that the clients being used to carry out the attack rarely know that anything is happening. Linux boxes attached to DSL and cable modems are seen as particularly vulnerable to being used as the hacker's puppets.

Stopping the attacks is also quite difficult. Due to the distributed nature of the attack, the website cannot solve any disruption by killing the process. As long as the clients are still being controlled by the hacker, the attack can be resumed. In fact, the only real way it can stop is if the infected clients realise what is happening and put a stop to it at that end. But this is not easy, and a hacker can always move on to other clients and restart an attack.
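The point made in the two paragraphs above, that a flood spread across hundreds of clients defeats a defence that looks at one source at a time, can be seen in a short script. This is an added example, not part of the original article; the addresses, packet counts and thresholds are constructed for illustration.

```python
from collections import defaultdict

WEB = "192.0.2.10"  # constructed victim address (documentation range)

def sample_records():
    """Constructed per-second flow records: (second, src, dst, packets)."""
    recs = []
    for sec in range(10):
        for i in range(1, 21):        # 20 ordinary visitors, 5 pkt/s each
            recs.append((sec, f"198.51.100.{i}", WEB, 5))
        if 5 <= sec <= 7:             # 200 agents, only 40 pkt/s each
            for i in range(1, 201):
                recs.append((sec, f"203.0.113.{i}", WEB, 40))
    return recs

def per_source_offenders(records, limit):
    """Sources that send more than `limit` packets in any one second."""
    rate = defaultdict(int)
    for sec, src, _dst, pkts in records:
        rate[(sec, src)] += pkts
    return {src for (_sec, src), n in rate.items() if n > limit}

def distributed_floods(records, total_limit, min_sources):
    """(second, dst, packets, sources) where the aggregate is abnormal."""
    total = defaultdict(int)
    sources = defaultdict(set)
    for sec, src, dst, pkts in records:
        total[(sec, dst)] += pkts
        sources[(sec, dst)].add(src)
    return sorted(
        (sec, dst, n, len(sources[(sec, dst)]))
        for (sec, dst), n in total.items()
        if n > total_limit and len(sources[(sec, dst)]) >= min_sources
    )

if __name__ == "__main__":
    recs = sample_records()
    # No single agent looks abusive, so a per-source limit finds nothing.
    print("per-source offenders:", per_source_offenders(recs, limit=100))
    # The aggregate view shows the flood and how many sources feed it.
    for hit in distributed_floods(recs, total_limit=5000, min_sources=100):
        print("flood second=%d dst=%s packets=%d sources=%d" % hit)
```

Each agent stays well under the per-source limit, so only the aggregate count per destination, together with the number of distinct sources, exposes the attack.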

The most worrying evidence that came out of the conference was the ease with which the tools could be used. The scripted nature of the tools allows even the most unsophisticated of hackers to launch attacks anywhere in the world.

The security industry thrives on scare stories. The more people worry about the vulnerability of their businesses, the more security they want for their websites, and the more money the security industry makes from them. Barely a day will go by without one of the major anti-virus companies releasing a warning of yet another potentially dangerous virus that they have released protection for. So it is perhaps of little surprise that the warnings from the conference received little fanfare in the mainstream press. That soon changed a few weeks later when all hell broke loose on some of the biggest Internet sites around the world.

Early in February, Yahoo!, one of the biggest portal sites on the web, was taken down by a distributed denial of service attack. The site was out of service for several hours before it could be finally brought back online. Within the next couple of days,,, and eBay all suffered almost identical attacks with varying results. managed to survive the assault, although its service was slowed up considerably., which was hit just before Amazon, was only able to provide content at sporadic intervals during the attack. suffered an attack that brought its servers down for three hours. Auctioneer eBay was left with an incredibly slow site for some and a completely inaccessible one for others.

These attacks caused a feeding frenzy in the media over concerns about the safety of websites across the globe. It was assumed that if sites such as Yahoo! and, who were pioneers of Internet-based business, could fall to these attacks then almost any site in the world was vulnerable.

The initial prognosis from the security experts was not good either, with Jim Magdych, head of security at Network Associates' PGP Security unit, saying: "At least one person or group of people has the ability to take down a site at any given time. If this is someone who has a large collection of sites waiting to attack, they could literally fire off one attack after another. They can probably take down pretty much any site on the Internet."

Comments like these were commonplace, with almost all analysts predicting the worst. What was a relief to most other businesses was that this seemed like a co-ordinated attack by a single person, or at most a single group of people. The attacks were focused on a small number of high-profile e-companies over a short space of time. After that the attackers faded into the background once again.

Concerns for other e-commerce companies must also have been alleviated by the fact that these attacks are never more than troublesome, and at most may cause a period of downtime. At no point is the attacker privy to any sensitive information or customers' payment details. Security on Internet sites is so tight these days that any proper breaches where a hacker actually gains access to the network are very rare. This is for most the best they can do, and it is far less damaging than internal security breaches.

Nevertheless, these attacks can still be financially damaging. If a business relies heavily on transactions over the web, then downtime can cost a lot of money. So it was within a couple of days that the first prospective solutions to these denial of service attacks appeared.

Network Associates' response to the attacks was to offer its VirusScan product with the ability to detect and remove 'Zombie' code, the code which allows hackers to launch denial of service attacks from others' machines.

Vincent Gullotto, director of McAfee's anti-virus emergency response team, says: "It's important to note that the security problems that have emerged recently were not in the websites that went down, but in the multitude of servers which were unwitting participants in the effort to overwhelm them. The solution to the problem lies in taking back each computer that can add to a hacker's arsenal, by removing the DDoS agent that makes it dangerous."

This is an admirable stance, but convincing people to pay money to protect other companies' websites may be a little hard. McAfee is keen to point out the potential legal pitfalls of being unwittingly involved in a denial of service attack, but so far there have been no test cases on this subject.

Security is always a race between hackers and the security companies to get one step ahead of each other, and no sooner had the threat of the DDoS attacks subsided than Trend Micro were warning of an even more dangerous denial of service threat.

Troj_Trin00 is an altered version of one of the previously used tools, which allows access to Windows NT or 9x boxes that are connected to the Net via broadband access. Previously most attacks had been launched from vulnerable Unix or Linux boxes. The new variant allows hackers to access millions more clients than previously and also makes it much simpler to do. Trend claims that the Trojan has already been found roaming wild on the Internet, but so far no attack has resulted from its existence. It may only be a matter of time, however, before this changes.

In this day and age, it is almost impossible to protect yourself completely against malicious hackers. Better and better security measures can be implemented, but just as quickly, hackers will find ways around them. It is almost with relief that those wanting to hurt companies have resorted to denial of service attacks, where very little real damage can be done. There are very few hackers out there with the experience, guile or motivation to be able to break into a reasonably well-protected network to gain confidential information. The recent spate of attacks on high-profile companies has caused a lot of concern, but none of the companies involved are likely to suffer greatly as a result of the downtime caused by the attack. The Internet will never be 100 per cent secure, but with good vigilance it can be one of the safest places on earth to do business.

Paul Grant
