Monday, Feb. 7, 2000, about 1:30 p.m. Music retailer HMV Canada’s bustling e-commerce site has abruptly and without warning gone haywire. Servers are running flat out but can’t cope with a sudden inundation of ostensibly legitimate requests. Memory buffers and hard disks overflow. Customers can’t make purchases or even access the site. HMV’s systems begin to grind to a halt.
The company is under attack by cyber vandals. The symptoms are identical to the so-called denial of service attacks on high-profile e-commerce sites in the United States. Victims of those attacks included top sites such as eBay and Amazon.com.
“We had a flood of requests from an unknown source — exponentially higher than normal traffic,” explains Rodney McBrien, Toronto-based director of Information Systems for HMV North America. “It was a spike in the millions [of page hits] that basically overwhelmed our site.”
The company makes the decision at this point to close the site. “We knew we couldn’t serve the public,” McBrien says. “So we brought our systems down to collect information on what was happening during the attack to analyse later.”
HMV puts log data on a tape and forwards it to the RCMP. An hour later the site is back up, business as usual. The hackers have disappeared into the ether, leaving few traces. (At press time, the case was still under investigation.)
A random act of cyber violence? Possibly. But the larger implications of this and other recent hacker attacks on e-commerce companies go well beyond the immediate impacts on victims, raising disturbing questions for consumers and e-tailers.
The victims, ironically, were known for their e-security savvy and had taken virtually every precaution they could. The same cannot be said of most e-tailers. Most could do a lot more to secure their sites. Perhaps these attacks are the wake-up call they need. And maybe that was their point.
INTERNET SLAVES DO THE DIRTY WORK
One of the most disturbing aspects of the recent attacks is the way hackers used other systems on the Internet as robots or slaves to multiply the ferocity, and also cover their tracks. “The power of the Internet,” observes e-security expert Adel Melek, a partner in Deloitte & Touche’s Toronto-based e-business consulting group, “was used against itself for the first time in these attacks. That is new.”
Hackers broke into dozens or hundreds of vulnerable systems on the Net, both corporate systems and home PCs, and planted zombie programs, all scheduled to begin flooding the target site with requests at a specific time. “Some [victims] experienced a gigabit of requests hitting their sites every second,” notes security consultant Eckhardt Kriel, a partner with Ernst & Young LLP in Toronto. “You can’t do that from a single computer.”
Using robots to do the dirty work in the attacks will also hinder investigators and prosecutors, Melek believes. They may in some cases be able to trace the attack back to a particular computer. But any computer owner, including the real hackers, could claim their system had been invaded and a zombie planted. And it would be difficult or impossible to prove otherwise.
One implication for the future of e-commerce security is the notion of being a “good Internet neighbour” securing your systems so they can’t be used as robots. Melek speculates that as awareness of the risks rises, PC manufacturers may begin to build firewalls into their products.
COST OF THE BREACH
The first, obvious impact on the victims was financial. The HMV site was down for about an hour and customers couldn’t use it for an undisclosed amount of time before that. Sales were lost. Some customers may have come back later in the day or the next day and completed transactions. But many would find other places to buy or decide not to buy, McBrien says. He can’t or won’t estimate the extent of the financial loss, although he admits it was not insignificant.
Nick Jones, e-commerce evangelist and new business manager for Web-based bookseller Chapters Online Inc. of Toronto, says that based on published revenue figures for Chapters’ fiscal 1999 third quarter, the company would stand to lose about $5,600 an hour if shut down by a denial of service attack.
“If we’re down for a day, that’s one 365th of our yearly revenue,” Jones notes. “So, yes, it’s definitely significant.”
Jones and O’Brien are both clearly conflicted when they talk about the threat of these kinds of attacks and their impacts. On the one hand, they don’t want to diminish the seriousness of what has happened or could happen. On the other, they fear the general public — or, more accurately, the on-line public — may believe the attacks are even more serious than in fact they are.
“It’s not an attack where you lose customer information or have a security breach,” McBrien is quick to point out. “It just means you can’t perform commerce.”
Jones blames the media for creating unnecessary alarm over what amounted to nuisance attacks. He says many newspapers erroneously reported that Amazon.com and others had been “hacked”. “It sounded so brutal. And there were implications that customer information had been revealed, when in fact [the e-commerce sites attacked] had just been smothered.”
“It was criminal what was done,” Jones hastens to add. “But system integrity was not breached. Consumers need to know their information was secure.”
Perhaps in these particular cases. But the question is, will on-line consumers understand or credit the distinction being made? And should they? After all, there certainly have been cases of hackers breaking into e-commerce systems and stealing customer credit card information.
In one of the most recent, in January, criminals hacked a system operated by eUniverse for its CDUniverse site, stole customer credit card information and then tried to blackmail the company. When eUniverse refused to play along and called the FBI, the hackers posted customer credit card information at a Web site. The site was shut down the same day, but for a short while, the data was freely available to anyone on the Net.
A QUESTION OF CUSTOMER CONFIDENCE
Whether or not consumers should be concerned about on-line credit card security, clearly many are. McBrien argues they aren’t as paranoid about using credit cards on the Internet as they were a couple of years ago, so won’t be influenced by these attacks. But recent studies suggest otherwise.
According to Winning The Online Consumer: Insights Into Online Consumer Behavior, a report by The Boston Consulting Group, based on research involving 12,000 Canadian and U.S. consumers, anxiety over credit card security is the main barrier to purchasing on-line, cited by 46 per cent of participants. The study surveyed both those who had made on-line purchases and those who hadn’t.
In another study, Ernst & Young’s 1999 Canada Internet Retailing: Buyer Survey Results, 19 per cent of consumers already buying on-line expressed concern about credit card information being stolen.
Whatever the level of fear, it exists. And the public spectacle of prominent e-commerce companies being humbled by sophisticated hackers certainly won’t do anything to reduce it.
DANGER OF LEAKED INFORMATION
“Many consumers may not be technically aware of the differences between denial of service attacks and hacker intrusions,” says Kriel. “Once they hear of a vulnerability some may jump to the conclusion that it isn’t safe yet to buy on-line.”
In fact, that conclusion may not always be wrong. While Melek says there is a clear distinction between companies that are vulnerable to “vandalization” and those negligent enough to allow data to be stolen, he also raises the possibility that denial of service “swarmings” could create vulnerabilities hackers can exploit to break in.
In an attack that is undetected or for whatever reason allowed to run its course — unlike the attack on HMV — a firewall could break down before the site itself shuts down entirely, giving hackers an entry point, Melek says. Or an application could begin to malfunction, “leaking” data even through a firewall.
Perhaps the most ominous implication of the recent attacks is that they may be only the thick edge of the wedge, as it were — the result of frustrated hackers throwing temper tantrums.
Melek believes denial of service attacks are most often the last resort of hackers who have been repelled by a company’s security systems and are looking for revenge or to humiliate their adversaries. It’s what D&T’s own ethical hackers — hackers hired to find the weak spots in a company’s security systems — do, he admits.
“It’s generally the last phase of an engagement. If we’ve tried everything and we can’t get in, then we try to bring the system down,” Melek says.
But the real and first objective of most hackers, he believes, is to intrude, to breach a system’s security and gain access to stored data and/or programs. The reason these e-commerce companies were hit with denial of service attacks may simply be that their security systems were too good and hackers couldn’t get in. But what of other systems they tried — or will try?
Melek is afraid many of his clients — as many as 70 per cent, he estimates — couldn’t even say for sure if their systems had been hacked after the fact. eUniverse apparently had no idea data had been stolen from its site until the hackers contacted the company with ransom demands.
Companies with properly configured security systems would be able to say, and “with a great degree of accuracy,” Melek says, whether or not hackers had intruded — and what they had done. In the aftermath of the denial of service attacks, e-commerce leaders such as Amazon.com and eBay were quick to state that no intrusion had occurred. Their disclaimers are probably credible, Melek says. “But I must tell you,” he adds, “not many companies I come across have that ability.”
THE NEW CYBER CRIMINAL
Meanwhile, the popular image of the hacker as a morally neutral teenage computer nerd just looking for a challenge — a kind of merry prankster — clearly no longer fits. There is often much more at stake, as the CDUniverse case shows. Cyber vandals is the wrong term: these are crooks.
In some cases, they may be after something other than financial gain, though — insights into how successful e-commerce companies work, for example, Melek suggests. Others say industrial espionage could be a motive. “Imagine being able to go into a system and get your competitor’s customer list,” says the CTO of one Toronto-area ISP, who requested anonymity for fear of being targeted by hackers.
Kriel believes the only intent of the attacks on HMV and others was to bring the sites down, but he too sees dark motives at work.
“We believe these attacks could be the work of hack-tivists,” he says. “People for example who are trying to pressure computer users to pay more attention to security: that could be one likely scenario. They could be people with an agenda. They could be competitors, or investors wanting to change the course of evaluations. It could even be hostile foreign governments behind these attacks, although that is probably very unlikely.”
COMPELLING NEED FOR PROTECTION
Whatever the motives or strategies of hackers, the onus clearly is on e-commerce companies to protect themselves — and their customers. All invariably claim they are doing that.
HMV has “an aggressive security policy,” according to McBrien. He estimates the company has spent in excess of $100,000 on security-related infrastructure, including firewalls and intrusion detection software. McBrien has three people devoted to operations and security and is in the process of hiring a fourth.
Says Chapters’ Jones, “The number one concern for consumers is privacy. Ipso facto, it’s our number one concern. We’ve spent thousands of hours and millions of dollars on hardware and software, and the result is we have a world-class system for making purchases on-line.”
There is no reason to disbelieve such claims, but customers may be excused for being skeptical. It’s worth noting that in the very press release in which eUniverse admitted it had lost customer credit card information, company chairman Brad Greenspan asserted that, “We take great pains to safeguard the privacy of our customers’ information.”
Chapters Online will not adopt any new security measures specifically in response to the recent attacks, but the firm is constantly upgrading security, Jones says. McBrien says his company did undergo an audit recently by a security consulting firm and will implement some new systems.
PERCEIVED AND ACTUAL SECURITY
What should e-commerce companies be doing to secure their sites? Jones, a marketing guy, has an interesting take. He distinguishes between “perceived” and “actual” security.
Perceived security includes things such as having or building a trusted brand-name, prominently posting security and privacy information at your site, publicizing relationships with trusted partners such as credit card companies, and having an e-commerce security audit firm — TRUSTe (www.etrust.com), for example, or WebTrust.com (www.webtrust.com) — certify your site so you can post their supposedly trusted symbols.
All good ideas no doubt, but they won’t keep hackers out. Jones is a bit vague about “actual” security — deliberately so. Like many other e-commerce firms, Chapters won’t talk in any detail about what it’s doing to secure its site against cyber crooks. It fears hackers may be able to use any information it gives out.
Actual security in Jones’ admittedly crude scheme of things involves three levels: facility, hardware and software. Some companies, he notes, overlook the simplest level, security on the building where they keep their servers. He himself can’t get into the computer room at the AT&T facility Chapters uses, he notes.
Hardware and software for security basically comprises firewalls, SSL (Secure Socket Layer) transaction encryption — and the possibility in the future of using SET (Secure Electronic Transaction), a more advanced transaction security system.
But there is a good deal more to it than that. Good security, Kriel and Melek stress, starts at the top with an enterprise security policy. The policy identifies the assets to be protected, the procedures for protecting them, and the technologies used to support those procedures.
Melek says security policies should address four distinct phases: prevention, detection, reporting and correction. Too many companies focus only on prevention, he notes. “They say, ‘Oh, yeah, we’ve got a firewall,’ but that’s it. That’s all they have.”
More and more companies have intrusion detection software, but still need to do a lot more work on reporting and correction, he says.
HMV is currently evaluating SecureWay Risk Manager, a new product from IBM subsidiary Tivoli Systems Inc. that adds innovative IBM intrusion detection technology but also gathers alerts and reports from various security systems, including non-IBM products, and presents them in a single interface.
INVOLVING ISPs AND LAW ENFORCEMENT
Reporting doesn’t just mean reporting internally, though. It also means reporting to law enforcement and “up the chain,” as Kriel puts it, to ISPs and Internet backbone operators. If IP addresses of slave systems can be identified quickly enough, it should be possible to block packets from those systems, or at least call the owners to report the misuse.
Kriel says security systems vendors are working on automating this kind of reporting outside the organization. In the meantime, it’s a question of picking up a phone and calling your ISP — and the RCMP — when you determine you’re under attack.
All of which should be spelled out in any good e-security policy, Melek says. Too often companies find themselves under attack and have no guidelines for how to respond. Decisions end up being made under pressure by relatively junior employees, he says.
Policies and procedures, such as making sure employees are trained, making sure all key programs and operating systems have the latest security upgrades, subscribing to sources such as Carnegie Melon University’s CERT (www.cert.org) or Ernst & Young’s eDefense to keep up on recently discovered system vulnerabilities, are as important as having the latest security tools.
The fact is there is no technological silver bullet for hacker attacks now, Kriel says, and likely never will be. Hacker and e-security technology will continue to leapfrog each other at intervals. “I don’t think we’ll ever be at a simple state where we can say, ‘Yeah, we’ve fixed the security problem,'” he says.
But nobody was driven out of business by the recent rash of denial of service attacks. Nobody, apparently, lost valued assets as a result. So what’s all the fuss about? Jones and McBrien are right in a sense: these attacks were more a nuisance than a serious threat to the bottom line.
But if from that you conclude there is nothing to worry about and nothing more you need do to secure your e-commerce operations, your survival is already in doubt.
Tony Martell is a freelance writer specializing in information technology and IT management. He is based in London, Ont.