Recent attack trends

an article added by: Frank C. at 06032007



Attack tools are becoming easier to source, quicker to deploy and are evolving at a rate that allows them to bypass traditional security measures, writes Stuart Eaton from Centrinet.

Trends

Whilst the Internet has created a number of opportunities for companies to save costs and improve marketing, at the same time it has exposed companies to much greater risk to both their cost-base and brand. Below are some of the more common ways in which companies can suffer from the more disreputable section of the ‘information society’.

Trend 1: Automation and speed of attack tools

The level of automation in attack tools continues to increase. Automated attacks commonly involve four phases, each of which is changing: scanning for potential victims; compromising vulnerable systems; propagation of the attack; and co-ordinated management of attack tools.

Trend 2: Increasing sophistication of attack tools

Attack tool developers are using more advanced techniques than previously, including: anti-forensics; dynamic behaviour; and modularity of attack tools.

Trend 3: Faster discovery of vulnerabilities

The number of newly discovered vulnerabilities reported to the CERT/CC (CERT Co-ordination Centre) continues to more than double each year.[1] It is difficult for administrators to keep up to date with patches. Additionally, new classes of vulnerabilities are discovered each year.

Trend 4: Increasing permeability of firewalls

Firewalls are often relied upon to provide primary protection from intruders. However, technologies such as IPP (Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning), as well as certain protocols marketed as being firewall-friendly, are designed to bypass typical firewall configurations.

Trend 5: Increasingly asymmetric threat

Security on the Internet is, by its very nature, highly interdependent. Because of the advances in attack technology, a single attacker can easily employ a large number of distributed systems to launch devastating attacks against a single victim.

Trend 6: Increasing threat from infrastructure attacks

Infrastructure attacks broadly affect key components of the Internet. Three types of infrastructure attack are: distributed denial of service; worms; and attacks on the Internet Domain Name System (DNS).

Proliferation of attack tools and ‘script kiddies’

‘Script kiddies’ can be thought of as cyber joyriders. They are often not looking for a specific company or seeking particular information. They focus on using a small number of known vulnerabilities and scan indiscriminately in order to find and exploit them. A small minority of script kiddies possess the required technical knowledge to produce the scripts they use. The majority, however, will use ready-made tools that are easily downloadable from the Internet. Perversely, this majority can be the most dangerous as they lack the required understanding of the effect of their actions on corporate systems. Regardless of which camp the script kiddies fall into, they often default to the same strategy, namely a random search for a specific weakness followed by exploitation. The fact that the attacks and scans are random means that the script kiddies are a threat. As night follows day, your systems will be scanned. Projects such as Honeynet have concluded that an average system is often scanned seven to eight times a day.

This pattern further underlines the proliferation of automated tools that scan whole IP (Internet Protocol) ranges for vulnerabilities. PoizonB0x, a notorious group of hackers, created iisautoexp.pl, an automated tool that handles all the groundwork required to gain access to sites and perform defacing operations. To deface a website the user simply has to give the name of the website to the script and then run it. If the website is vulnerable the front page is changed to read ‘PoizonB0x Ownz YA’ (sic). A known tactic is to create files with the names of target websites, thereby producing mass defacement. The frightening fact is that, with so many users on the Internet employing these tools, it is no longer a question of if you will be probed, but when; and if the vulnerabilities are there they will be found and exploited. Indeed the Computer Security Institute (CSI) reported[2] that 85 per cent of primarily large corporations and government agencies detected computer security breaches within the last 12 months.
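The scanning behaviour described in the two paragraphs above (one source trying the same weakness across a whole address range, and many unrelated sources probing any given host) can be measured from a firewall's deny log. The following is an added example, not part of the original article: the log format, function names and threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed firewall deny log in a hypothetical format; every address is
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(
    # One source walking an address range on a single port (port 80).
    [f"2001-02-12T03:14:0{i} DENY src=198.51.100.7 dst=192.0.2.{10 + i} dport=80"
     for i in range(5)]
    + [
        "2001-02-12T09:30:11 DENY src=203.0.113.9 dst=192.0.2.10 dport=21",
        "2001-02-12T09:30:12 DENY src=203.0.113.9 dst=192.0.2.11 dport=21",
        "2001-02-12T17:02:40 DENY src=203.0.113.50 dst=192.0.2.10 dport=80",
        "truncated line without fields",
        "2001-02-13T01:00:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=80",
    ]
)

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ DENY "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse(log_text):
    """Return (day, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["day"], m["src"], m["dst"], int(m["dport"])))
    return events

def horizontal_scans(events, min_hosts=4):
    """Map (day, src, dport) -> host count where one source tried the same
    port on at least min_hosts distinct hosts in a day (assumed threshold)."""
    targets = defaultdict(set)
    for day, src, dst, dport in events:
        targets[(day, src, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_hosts}

def probers_per_host(events):
    """Map (day, dst) -> number of distinct sources that probed that host."""
    sources = defaultdict(set)
    for day, src, dst, _ in events:
        sources[(day, dst)].add(src)
    return {k: len(v) for k, v in sources.items()}
```

Calling `horizontal_scans(parse(SAMPLE_LOG))` reports the range-walking source, while `probers_per_host` gives the per-host daily figure comparable to the scans-per-day count quoted above.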

Lack of awareness of the value of data

The realisation of the value of data has been slow in coming. The retail industry realised that by introducing loyalty cards they could gain intelligence on customers and then use it to better target marketing and improve their understanding of buying relationships and trends. This data was worth millions and, it is claimed, allowed Tesco to overtake Sainsbury’s in the UK supermarket sector. In what Microsoft has called a ‘deplorable act of industrial espionage’, their network was compromised and it is suspected that attackers may have stolen source code for some of Microsoft’s products. The attack was first noticed when passwords were seen leaving the Microsoft campus, destined for a location in St Petersburg, Russia.[3] A 2001 FBI and CSI report[4] listed the most serious financial losses that occurred through theft of proprietary information (34 respondents reported US$151,230,100) and financial fraud (21 respondents reported US$92,935,500).

Companies increasingly trade on brand

How much is a brand name worth? Corporate accountants claim that they are worth billions, and corporate lawyers spend millions on defending them. Business Week[5] believes that the top two global brands, Coca-Cola and Microsoft, are worth over US$60 billion each. The protection of brand names therefore is of critical concern. During the Firestone scandal, analysts predicted that the Ford motor company brand would lose up to US$6.3 billion in market value. Whilst the Internet has given companies a cost-effective and powerful platform on which to market and to establish brand value, it has in turn exposed brands to greater risk. The very fact that hacking tools are freely available and are in essence automatic makes them ideal for groups with a specific grudge against a company. The anti-capitalism movement has long been aware of the power of hacking. At the World Economic Forum in Switzerland in 2001, a man was arrested due to his part in a hack that allowed access to dignitaries’ credit card details, which were then delivered to a newspaper. The political motivations of this were mentioned during the case.

[2] ‘2001 Computer Crime and Security Survey’, CSI/FBI.
[3] Reuters, 27 October 2000.
[4] ‘2001 Computer Crime and Security Survey’, CSI/FBI.
[5] Business Week, ‘The world’s 10 most valuable brands’, Interbrand Corp., JP Morgan Chase & Co.

The following cases further illustrate the risk:

A hacker/extortionist breached security at the online electronics store TheNerds.net, making off with customer credit card information. The thief sent emails to some of the affected customers. TheNerds.net is notifying all its customers that their personal data may have been compromised. The hacker allegedly broke into the site through an SQL (structured query language) server. The company will not meet any extortion demand and is working with the FBI and the US Secret Service on the case. Someone using the same hacker handle broke into three other websites over the past eight months, and has demanded up to US$50,000 to keep quiet about the breach.

On 21 June 2000, the domain name ‘nike.com’ was hijacked and redirected to a new site dedicated to a protest that occurred on 11 September 2000. Nike successfully regained control of their domain by 12pm that day, but visitors were still receiving the hijacked information for some time afterwards.

During the second week of February 2001, hackers broke into such prominent websites as the New York Times, Compaq, Intel, AltaVista, Hewlett-Packard and Go.Com.

Centrinet are a leading provider of Internet and network security solutions based on the innovative use of the best products and services. Our passion for customer service and technical excellence, combined with a no-nonsense approach to business, provides our clients with a refreshing and unique experience. For further information contact: Centrinet Limited, Witham Park House, Waterside South, Lincoln, Lincolnshire LN5 7JN. Tel: +44 (0)1522 559 600; Fax: +44 (0)1522 533 745; Email: enquiries@centri.net; Website: www.centri.net
