Analysis: Hacker Attack on Yahoo! Points Out Biggest E-Commerce Weakness

One of the most popular Internet content and commerce sites, Yahoo!, was taken down for three gut-wrenching hours on Monday by a malicious hacker attack. The cyber-assault was of a genre known as “denial-of-service,” in which a Web site cannot function normally because its system is overloaded with data requests sent by the hacker.

In the wake of the incident emerged the disturbing realization that the current state of the Internet is such that hackers can wreak system-wide havoc upon virtually any Web site, including, Yahoo!, evidently, and certainly upon the vast majority of e-commerce sites.

Hacker Weapon D’Jour

Yahoo’s denial-of-service attack was a “distributed coordinated attack,” in which the hacker activated a program that sends a crippling barrage of data to the target Web site. The Web server receiving the data requests is duped into responding to them, as though they are normal data requests from legitimate Web site visitors. However, the sheer volume of those requests, which are sent almost simultaneously, is enough to overwhelm even the most powerful Web servers.

Throughout the attack, the hacker program disguises the origin of the malicious data by “pretending” that the data requests are being sent from multiple, legitimate ISPs. This also has the effect of preventing the hacker’s identity from being revealed, and makes it extremely difficult for even sophisticated network security software to ward off the attack.

The type of hacker “tool” used in the Yahoo! attack is available freely on the Internet, and requires relatively little computer expertise to operate. Hence, the problem

E-tailers Exposed

Like all Web sites, e-commerce stores are highly vulnerable to denial of service attacks. However, unlike many other Web sites, continuous Web service is crucial to online merchants’ ability to conduct business. Furthermore, an e-tailer’s reputation for security can be severely tarnished by a hacker attack and the losses from an attack incident may be both immediate and long-term, through loss of customers. The conclusion that an online merchant who is susceptible to hacker attacks may be also placing its customers’ personal data at risk, is not far-fetched, albeit unfortunate.

What’s an Online Merchant To Do?

According to CERT (Carnegie Mellon University’s Computer Emergency Response Team), solutions to denial of service attacks fall into these general categories:

Awareness of the problem, prompt detection of the attack, prevention through sound security practices, and quick response by using specially developed security software. For an expanded discussion of these issues and to download security software, visit the CERT Web site at www.cert.org/advisories/CA-2000-01.html.

In practice, however, it is doubtful that the vast majority of Web sites can remain continuously protected against this type of hacker assault. As new Internet software is developed, so too, new system vulnerabilities are discovered by hackers. There is currently no software that eliminates all security vulnerabilities, and none in sight.

FBI Woefully Inadequate

In the U.S., public perception is that the Federal Bureau of Investigation (FBI) has the ability to deter cyber-crime by prosecuting computer hackers. While the agency does, indeed, have the legal authority to combat hackers, it sorely lacks the resources to do anything at all in the majority of cases.

The CERT Web site instructs citizens to contact their local FBI office to report cyber attacks, but one doing so can expect no action, in reality, unless the damage caused by the attacker amounts to a huge sum of money. Otherwise, getting past the initial complaint desk to an “actual” agent is just wishful thinking.

The FBI itself, like a besieged Web server under attack, is just too busy to function normally, even when the victim of the hacker attack can provide the FBI with the origin of the assailant. Sounds too incredible to be true? Unfortunately, this is the case. At least at the Los Angeles office of the FBI, as of January 2000.

It is the hope of the Internet community that, as an increasingly larger portion of the economy shifts to electronic commerce and communication, sufficient resources will be found to address the rising tide of cyber-crime. But, for the meanwhile, as it stands today, the score is Hackers:1 Yahoo:0.